In this Ask the Admin, I’ll show you how to use filters to create custom views in Windows Server Event Viewer.
Monitoring the Event Log in Windows Server is an essential, and often neglected, task for detecting malicious activity or unwanted changes to your systems. Since improvements were made to Windows Eventing in Windows Server 2008, and specifically the addition of custom views in the Event Viewer management console, this often laborious chore has become easier.
Create a Custom View for User Account Management Events
The Event Logs contain lots of useful information, but there are certain events that you should isolate as they can indicate potential security breaches. In this way, the information provided in the logs becomes more useful without the additional noise. That’s not to say that auditing of other events should necessarily be suppressed, but some information is more likely to flag a problem.
Let’s start by creating a custom view that shows us all User Account Management events from the local Security log. Log in to the server as an administrator, or as a user who has permission to read the event logs, and follow the instructions below:
- Open Event Viewer from the Tools menu in Server Manager.
- In the Event Viewer window, expand Custom Views in the top left.
- Right click Custom Views, and select Create Custom View… from the menu.
- In the Create Custom View dialog on the Filter tab, select Last 24 hours from the Logged drop-down menu.
- Select By source and then Microsoft Windows security auditing from the drop-down menu.
- Select User Account Management from the Task category menu.
- Click OK.
- In the Save Filter to Custom View dialog, give the new custom view a name and click OK.
The custom view will now appear in the left of Event Viewer, and you can use it to monitor a subset of events from the Security log. Don’t forget that the view may be empty if there haven’t been any user account management events in the past 24 hours.
You can see in the figure below that there’s lots of other data by which events can be filtered, such as one or more Event IDs, the event level (Critical, Error, Warning, Information, Verbose), and keywords.
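The filter built in the steps above is stored by Event Viewer as an XPath query inside a QueryList element (the same element appears on the XML tab of the filter dialog and inside an exported view file). As an added example, not part of the original article, here is that query run from PowerShell with Get-WinEvent, so the same check can be scheduled rather than clicked through. It assumes the script runs elevated, that the Audit User Account Management subcategory is enabled, and uses Task 13824, which is the task-category id Windows assigns to User Account Management events (4720, 4726, 4738 and so on).

```powershell
# Added example (not from the original article): the "User Account Management,
# last 24 hours" custom-view filter expressed as the XML query Event Viewer
# stores, executed with Get-WinEvent instead of the GUI.
# Assumption: run in an elevated session on a server whose Security log is
# audited for User Account Management; timediff() is in milliseconds.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13824 and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@

$events = Get-WinEvent -FilterXml ([xml]$filterXml) -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No user account management events in the last 24 hours.'
    return
}

# Summarise who changed which account, newest first, by pulling the
# TargetUserName / SubjectUserName fields out of each event's EventData.
$events |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Id         = $_.Id
            Action     = ($_.Message -split "`r?`n")[0]   # first line of the message
            TargetUser = $data['TargetUserName']
            ChangedBy  = $data['SubjectUserName']
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Replace the Task clause with an EventID list (for example EventID = 4720 or EventID = 4726) to narrow the view to account creation and deletion only.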
Modify a Custom View
Changing a custom view is easy, but there’s one small quirk in the process that you should take note of:
- Right click the custom view you want to modify in the left of Event Viewer, and select Filter Current Custom View… from the menu.
- In the Filter Current Custom View dialog, make any desired changes to the filter, and then click OK.
- Right click the custom view again in the left of Event Viewer, but this time select Save Filter to Custom View… from the menu.
Anytime you open Event Viewer, your custom views will appear with the saved filters from the previous session.
Importing and Exporting Views
Custom Views can be saved as XML files, allowing you to import them into Event Viewer on other management servers or PCs. To export a custom view, follow the instructions below:
- Right click the custom view to be exported in the left of Event Viewer, and select Export Custom View… from the menu.
- In the Save As dialog, give the XML file a name and choose a save location, then click Save.
Import a Custom View
To import a custom view, make sure the XML file saved in the previous steps is accessible:
- In the top left of Event Viewer, right click Custom Views and select Import Custom View… from the menu.
- In the Import Custom View dialog, select the XML file saved in the previous steps and click Open.
- In the Import Custom View File dialog, select the location for the custom view and click OK.
The imported view will now appear in the selected folder under Custom Views.