The System/Server Event Log provides a means to view the Windows events occurring on the ASM. This page applies to both the ASM System Event Log facility and the Skype/Lync Server Event Log facility.
|System/Server Event||Location in WebUI|
For System Events Logs on ASM:
TASKS > Application Solution Module > System Event Log
|Skype/Lync Server Events|
For Skype™ Server Event Logs on ASM:
TASKS >Skype™ for Business Survivable Branch Appliance > Skype™ Server Event Log
For Lync™ Server Event Logs on ASM:
TASKS > Lync™ Survivable Branch Appliance > Lync™ for Business Event Log
Both event log facilities (ASM and Skype/Lync) work in exactly the same manner. For the purposes of this article only the System Event Log facility has been shown.
Viewing the Event Log
To view the Event Log:
- In the WebUI, click the Tasks tab.
- In the left navigation pane, under Application Solution Module, click System Event Log.
- In the WebUI, click the Settings tab.
In the left navigation pane, go to Application Solution Module > System Event Logs.
Figure : System Event Logs on ASM
System Event Logs – Field Description
Shows the level of severity of the event. For more information see Event Level Guidelines on the Microsoft MSDN website.
Shows the Windows Service that is source of the event log entry.
The Microsoft Event ID associated with the specific cause of the log entry. For more information about Event IDs, see the Microsoft Support Site.
Internal index for sorting, Sonus use only.
Sorting the Event Log
The Event Logs can be sorted on any of the columns by clicking the column name, i.e., Date and Time, Level, etc.
The column on which the last sort was performed is indicated by the presence of a sort order arrow ().
Refreshing and Clearing the Event Log
The Event Log does not update dynamically. Therefore, if you are viewing the log and wish to see any events which have occurred after the System Event Logs page was opened, the view must be refreshed.
To refresh the view:
- Click the refresh icon () on the right-hand side of the page, near the top.
Clearing the logs removes all the entries from the table.
To clear the event log:
- Click the Clear Event Log icon () at the top of the page.
Viewing Event Log Details
To view the details of an event log entry:
- Click the expand icon () at the left-hand side of the entry.
Exporting System Event Logs
Event logs can be exported a Windows Event Log format(.evtx)file. The event log can be exported in whole or by date range.
Exporting All Events
To export all events:
- Click the Export All link at the top of the page.
- Save the System Events.evtx file in a convenient location.
Exporting Events by Date Range
To export events by date range:
Click the Export Date Rangelink at the top of the page.
- Select the start and end dates from the date picker dialog.
- Click OK.
Save the System Events.evtxfile in a convenient location.
The start date implies a start time of 00:00:00 and the end date implies an end time of 23:59:59 on the date specified.
Not supported by SBC SWe Lite in this release.
System Event.evtx files are only viewable using the Microsoft Event Viewer. Lync Server.evtx files are viewable using the Microsoft Event View. However, the textual meaning of the event IDs are only available when viewed using the Microsoft Event Viewer on a Lync server.
Windows Logging Basics
Logs are records of events that happen in your computer, either by a person or by a running process. They help you track what happened and troubleshoot problems.
The most common location for logs in Windows is the Windows Event Log. It contains logs from the operating system and several applications such as SQL Server or Internet Information Server (IIS). The logs use a structured data format, making them easy to search for and analyze. Additionally, some applications write to log files, for example IIS access logs, in text format.
Windows Event Logs
Windows displays its event logs in the Windows Event Viewer. This application lets you view and navigate the Windows Event Log, search and filter on particular types of logs, export them for analysis, and more. We’ll start by showing you how to access it and what features are available.
Starting Windows Event Viewer
In Windows Server 2012, the Event Viewer is accessible from a number of places. Most people will open it from the Control Panel, but we also wanted to show other places it’s accessible from.
Open from Windows Control Panel
- From the Control Panel, select Administrative Tools.
- From the Administrative Tools window, double-click on Event Viewer app icon.
Open from Server Manager
- From the Server Manager, choose the Tools menu.
- Select Event Viewer from the drop-down menu.
Open from Computer Manager
If you choose the Computer Management option from Server Manager’s Tools menu, Event Viewer is accessible from that applet too:
Open from the Command Prompt
- Open a command prompt window.
- Type eventvwr and press enter.
Using the Windows Event Viewer Interface
Event Viewer in Windows Server 2012 has an intuitive user interface. The main screen of the Event Viewer is divided into three parts: the navigation menu, the detail pane, and the action pane. You can also create summary and custom views. We’ll show each of these below.
This menu in the left pane is where you can choose what event log you want to view. By default, Windows Event Logs are divided into five parts:
- Application log: This is a place where applications hosted in the local machine send their messages to.
- System log: This log holds messages sent by the operating system itself.
- Setup log: This log holds messages captured during the OS install. If the Windows machine has been set up as a Domain Controller, the messages will be captured here.
- Security log: This log holds information related to login attempts (success or failure), elevated privileges, etc.
- Forwarded events log: These events are “sent” by other computers when the local machine is acting as a central subscriber to those machines.
The figure below shows the Event Viewer navigation pane.
As you can see from the image, there are navigation items that can show you hardware-related events, PowerShell-related events, or events related to Internet Explorer. Based on what type of events you are interested in or what source of event is important to you, you can also create custom views in the navigation pane. We will see how to create a custom view later.
In the top half of the detail pane, event entries are listed in chronological order with the latest events listed near the top. You can click on any column header to sort events by that field in ascending or descending order. For example, you may want to view events of critical status only or events from a particular source.
The following image shows an error event in the detail pane:
Clicking on any event entry on the top half of the pane will show the event’s detailed information in the bottom half. In the example image above, we can see the highlighted event’s source (in this case MS SQL Server) and the date it happened. The General tab in the bottom half of the pane shows more information. In this case we can see the database backup failed because of insufficient disk space.
The Details tab on the detail pane shows more or less the same information. There’s a friendly view:
And then there’s an XML view:
In the text and XML output below, we can see another sample log event. In this case, it’s a critical event indicating the system had shut down unexpectedly. You can see the system fields in an easy-to-read format at the top, and the entire event as XML at the bottom.
Each of these events also includes a level which indicates its severity. There are several levels:
- Information messages let you know that the application performed a successful action. These are shown with icons with an “i” in a white circle.
- Warning messages indicate that an event occurred that might present a problem later. These are shown with a yellow triangular icon.
- Error and Critical messages indicate that a significant problem occurred. These are shown with an exclamation mark inside a red circle.
The action menu items on the right pane include many of the options available from the main menu bar. This includes saving event entries to a file, opening a saved event file, exporting or filtering events, etc.
As you can see, there are a number of actions possible when a particular event log is active. For example, we can search for a particular event or group of events when clicking on the “Find…” menu option. The pop-up window shown below enables us to specify query criteria:
Similarly, we can create a Windows scheduled task in response to an event. An example would be sending the system administrator an email about an FTP failure event.
We can do some housekeeping if the event logs become too large. The “Clear Log…” options enable us to truncate the currently visible log. To see if any of the logs are too big, we can choose the “Windows Logs” node from the navigation pane; the detail pane shows the number of records in each Windows log and the total size of the logs:
It’s possible to export all events or a selection of events from the current log to an event file. The event file will have an .evtx extension:
Where would you use such functionality? Suppose you want to send your system’s health status to a third-party vendor—you can provide them with an exported event file. Similarly, you may wish to archive your logs before deleting them, or you may want to send your saved logs to a centralized backup medium. Saving event logs to an event file comes in handy in these cases. Administrators of the remote machine can then click on the “Open Saved Log…” option from the action pane to open the saved log.
Event Viewer allows us to create custom views on events. This helps if a system administrator is interested in a certain type of event or events of a certain severity level.
To create a custom event view, follow these steps:
- Select the Custom Views node in the navigation pane.
- Click on the “Create Custom View…” option from the action pane.
- In the dialog box that appears, specify the selection criteria for the events to be included in the custom view. Click OK.
- In the final dialog box, select the tree node in which you want to create the custom view.
The figures below show how we are creating a custom view to trap all critical, error, and warning events from SQL Server running in the local machine.
When you click OK in the Save Filter to Custom View dialog box, the view is created in the location chosen:
Like saving logs in an event file, we can also export custom views. To export a custom view:
- Select the custom view from the navigation pane.
- Choose the “Export Custom View…” option from the action pane.
- Provide a name for the XML file of the custom view.
The figure below shows this process:
The saved XML file can then be copied to another machine and imported into its own Event Viewer using the “Import Custom View…” action menu item.
If we select the top node of the navigation pane (Event Viewer (Local)), it gives us a good idea about the number of events in Administrative category. The Administrative node traps critical, error, and warning events from all administrative logs:
Looking at this particular case, we can see there were four errors trapped in the last hour, and the number of errors in the last week was 37.
Other Application Logs
Windows also has other types of logs with their own event viewing mechanisms. Here are three additional types:
Task Scheduler History Logs
Windows Task Scheduler enables us to run background tasks and applications on a scheduled basis, much like the Linux cron subsystem. An example of task scheduler running a job would be a nightly backup script that backs up local SQL Server databases. Each task has associated history events associated with it, and these events can be seen from the Task Scheduler’s detailed window. The following image shows this:
Failover Cluster Manager
Windows Server Failover Clustering service enables two or more Windows servers to work as part of a “cluster”: a fault tolerant configuration where one server’s physical hardware failure is automatically detected by the other server and replaced by it. Windows Server Failover Clustering service will automatically re-route all network traffic to the healthy instance, creating a highly available environment. In a clustering setup, applications connect to a common access point—a virtual IP or a cluster name—and Windows routes all traffic to the correct node. When a fault does happen, applications won’t know one of the underlying servers has failed and will continue to work as before. Windows Server Failover Clustering is used as the foundation of modern SQL Server HA solutions like AlwaysOn Availability Groups.
The Failover Cluster Manager is a Windows built-in application with its own Event Viewer. Using this Event Viewer, system administrators can troubleshoot when their cluster fails or stops functioning as expected. The following screenshot shows the Cluster Manager event viewer node in the navigation pane. Selecting this node will show cluster-related events:
Windows Server comes with a special role for acting as a Domain Name Service (DNS) server. This role has to be explicitly installed and enabled. When a server is acting as a DNS server (typically the Active Directory Domain Server in small networks), an application called the DNS Manager is added to the Server Manager. As the following image shows, DNS Manager has its own list of events:
Windows Component Service
Another built-in application is the Windows Component Services Manager that enables us to configure DCOM applications running on Windows. Windows Event Viewer is accessible from Component Services Manager as well:
So we can see Windows records its various events in one place and in some cases multiple places. Trapping those events and making sense of those events form part of an administrator’s role. In this guide we will see how we can use different methods to collect, centralize, and protect these logs.
IIS Access Logs
The IIS web server’s access logs contain information about which URIs were requested, a status code indicating whether the response was successfully served, and more. It writes these logs as files in the W3C Extended Log Format. This format is a type of comma-separated value (CSV).
The log files are written in this default location. Below is an example file with W3SVC1 as the virtual host, and u_ex150428 is a file name coded with the date 2015-04-28
Here is an excerpt from the log file showing the column definition as a comment, followed by a request for /manager/html which returned a 404 status code because it does not exist.
The system has rebooted without cleanly shutting down first.Thiserror could be caused ifthe system stopped responding,crashed,orlost power unexpectedly.
#Software: Microsoft Internet Information Services 7.5
#Date: 2015-04-28 12:12:05
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip