Windows® events are organized into specific log categories; by default computers running on Windows® NT or higher record errors, warnings and information events in three logs namely Security, Application, and System logs.
Computers that have more specialized roles on the network such as Domain Controllers and DNS Servers have additional event log categories.
As a minimum, Windows® Operating Systems record events in the following logs:
|Security event log
|This log contains security-related events through which you can audit successful or attempted security breaches. Typical events found in the Security Events log include valid and invalid login attempts.
|Application event log
|The log contains events recorded by software applications/programs such as file errors.
|System event log
|This log contains events logged by operating system components such as failures to load device drivers.
|Directory service log
|This log contains events generated by the Active Directory (AD) including successful or failed attempts to update the AD database.
|File Replication service log
|This log contains events recorded by the Windows® File Replication service. These include file replication failures and events that occur while domain controllers are being updated with information about Sysvol.
|DNS server log
|This log contains events associated with the process of resolving DNS names to IP addresses.
|Application and Services Logs
|These logs contain events associated with Windows® VISTA and the relative services/functionality it offers.
Warning: Deleting event logs without archiving may lead to legal compliance penalties.
To configure Windows® Event Log collection and processing parameters:
- From Configuration tab > Event Sources, right-click an event source or group and select Properties.
- Click Windows Event Log tab > Add... to select the logs you want to collect.
- Expand Windows Logs and/or Applications and Services Logs and select from the list of available logs.
- (Optional) Click Add custom log... and enter a unique name for the unlisted event log.
- Select Clear collected events after completion to clear the collected events from the respective event source.
- Select Archive1 all logs without any further processing to archive collected events without applying events processing rules.
- Select Process the logs with the rules selected before archiving and select the rule sets that you want to run against the collected events.
- Select Add generic fields to Security Events to add extended fields to the database. Extended fields contain data from event descriptions and are added by a common name (example: "Field01", "Custom field name").
- Click Apply and OK.
1A collection of events stored in the SQL Server-based database backend of GFI EventsManager.