Creating Custom Event Views in Windows Server 2008

Introduction

Trying to locate a specific event in the Windows Event Viewer is a bit like looking for the proverbial needle in a haystack. Individual processes can fire off dozens of events in a minute's time, effectively burying the events that you are looking for.

This isn’t a huge problem if you know exactly what it is that you are looking for. For instance, Microsoft has always made it pretty easy to locate specific event IDs in the Event Viewer. If you don’t have a specific piece of information to search on though, finding the event that you are looking for can be a little tough.

Custom Event Views

The Windows Server 2008 version of the Event Viewer allows you to create custom event views. Don't think of custom event views as a search engine, though; there is more to them than that. Custom event views allow you to perform highly dynamic searches based on a number of filtering criteria. That way, you can (hopefully) find all of the events that led up to a particular error rather than just the error itself.

Creating a custom event view is a relatively painless process. Begin by opening the Event Viewer, which you can find on the server's Administrative Tools menu. When the Event Viewer opens, navigate through the console tree to Event Viewer (Local) | Custom Views. Next, right-click on the Custom Views container and choose the Create Custom View command from the resulting shortcut menu.

At this point, Windows will display the Create Custom View dialog box, shown in Figure A.

Figure A
The Create Custom View dialog box is the primary interface used to create a custom view of server events.

The first decision that you will have to make involves the scope of the events that you want to filter. The Logged drop-down list allows you to control whether you want to look at events from the last hour, the last day, the last week, or from a number of other time periods. You can even create custom time ranges.

After you have selected the time period that you want to base the filter results on, you must select the types of events that you want to include in the filter. As you can see in the figure above, you can pick Critical, Error, Warning, Information, or Verbose events, or any combination of these event types.

The next section is a little bit tricky. You can filter events by event log or by event source, but not by both. If you choose the By Log option, then the drop-down list will display a series of check boxes that you can use to select the individual event logs that you want to include in your filter.

If you choose the By Source option, then the drop-down list contains a series of check boxes for every available event source. You can pick and choose the individual event sources that you want to include in the list.

Now, you must put in the individual Event IDs that you want to filter. If you don't know the specific Event IDs, you can enter a range of Event IDs. For instance, if you wanted to filter Event IDs one to one hundred, you would type 1-100.

The next step in the process is to select the keywords that you want to include in your filter. Once again, you have the option of selecting your keywords from a drop-down list; you don't have to enter them manually.

Finally, you have the option of entering specific user and computer names. If you omit this information, then the filter will apply to all users and all computers.

When you are done entering the filtering criteria, click OK. You will now be prompted to enter a name and an optional description for your filtered view. After you enter this information, click OK, and your filtered view will be presented beneath the Custom Views container. For instance, in Figure B, you can see that I named my filtered view My Filtered View.

Figure B
Your filtered view will appear beneath the Custom Views container.
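Behind the dialog, Event Viewer stores each custom view as a small QueryList XML document whose Select elements carry an XPath filter; the same XPath can be handed to Get-WinEvent with -FilterXPath, and the XML can be imported on another server, which is how a view built once gets replicated across a fleet. The following Python script is an added example, not code from the article or from Microsoft: it maps the dialog's fields (time range, levels, logs or sources, Event ID list, keywords, user, computer) onto that XPath and wraps it in the QueryList document. The clause order and spacing are my own and may differ from what Event Viewer itself writes; the Event ID syntax with a leading minus sign for exclusions (for example 1,3,5-99,-76) goes slightly beyond the article's 1-100 case. The log names, SID and computer name in the demo are constructed sample values.

```python
"""Build the QueryList XML behind an Event Viewer custom view (added example)."""
import xml.etree.ElementTree as ET

# Level values used by the Windows event schema (the System/Level element).
LEVELS = {"Critical": 1, "Error": 2, "Warning": 3, "Information": 4, "Verbose": 5}

# The dialog's fixed "Logged" choices, as milliseconds for the timediff() function.
RANGES_MS = {
    "last hour": 3_600_000,
    "last 24 hours": 86_400_000,
    "last 7 days": 604_800_000,
    "last 30 days": 2_592_000_000,
}


def _quoted(value):
    """Reject values that would break out of the single-quoted XPath literal."""
    if "'" in value:
        raise ValueError(f"single quote not allowed in {value!r}")
    return f"'{value}'"


def level_clause(names):
    """(Level=1 or Level=2 ...); Information also matches Level=0 (level unset)."""
    parts = []
    for name in names:
        parts.append(f"Level={LEVELS[name]}")  # KeyError on an unknown level name
        if name == "Information":
            parts.append("Level=0")
    return "(" + " or ".join(parts) + ")"


def event_id_clause(spec):
    """Parse '1,3,5-99,-76': single IDs, ranges, and a leading '-' to exclude."""
    includes, excludes = [], []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("-")
        if negate:
            token = token[1:]
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad Event ID range {lo}-{hi}")
            include_term = f"(EventID >= {lo} and EventID <= {hi})"
            exclude_term = f"(EventID < {lo} or EventID > {hi})"
        else:
            include_term = f"EventID={int(token)}"
            exclude_term = f"EventID != {int(token)}"
        (excludes if negate else includes).append(exclude_term if negate else include_term)
    clauses = []
    if includes:
        clauses.append(includes[0] if len(includes) == 1 else "(" + " or ".join(includes) + ")")
    clauses.extend(excludes)
    return " and ".join(clauses)


def build_xpath(levels=(), event_ids=None, logged=None, sources=(),
                keyword_mask=None, user_sid=None, computer=None):
    """Compose the XPath a Select element (or Get-WinEvent -FilterXPath) takes."""
    terms = []
    if sources:  # By Source: restrict to the chosen providers
        terms.append("Provider[" + " or ".join(f"@Name={_quoted(s)}" for s in sources) + "]")
    if levels:
        terms.append(level_clause(levels))
    if event_ids:
        terms.append(event_id_clause(event_ids))
    if keyword_mask is not None:  # bitmask test against the event's Keywords field
        terms.append(f"band(Keywords,{int(keyword_mask)})")
    if logged:  # a named range from the dialog, or a custom number of milliseconds
        ms = RANGES_MS[logged] if isinstance(logged, str) else int(logged)
        terms.append(f"TimeCreated[timediff(@SystemTime) <= {ms}]")
    if user_sid:
        terms.append(f"Security[@UserID={_quoted(user_sid)}]")
    if computer:
        terms.append(f"Computer={_quoted(computer)}")
    return "*[System[" + " and ".join(terms) + "]]" if terms else "*"


def build_custom_view_xml(logs, **criteria):
    """Wrap the XPath in the QueryList document Event Viewer imports and exports."""
    if not logs:
        raise ValueError("a custom view needs at least one log path")
    xpath = build_xpath(**criteria)
    root = ET.Element("QueryList")
    query = ET.SubElement(root, "Query", Id="0", Path=logs[0])
    for log in logs:
        ET.SubElement(query, "Select", Path=log).text = xpath  # ET escapes < and >
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed demo mirroring the article: last day, Critical/Error/Warning, IDs 1-100.
    print(build_custom_view_xml(["Application", "System"],
                                levels=["Critical", "Error", "Warning"],
                                event_ids="1-100", logged="last 24 hours"))
```

Save the printed document as a .xml file and use Event Viewer's Import Custom View action on another server, or pass the XPath string from build_xpath to Get-WinEvent -FilterXPath together with -LogName. Note that a By Source view still needs a log path in the XML, because every Select element names the log it reads from; the Provider clause is what narrows it to the chosen source.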

Conclusion

Creating custom views is a great way of tracking down information that is otherwise difficult to locate. This is especially true if the information that you are looking for is scattered throughout the event logs in a number of different events, or if you are trying to get the most recent information about a particular situation.