From the course: Career Essentials in System Administration by Microsoft and LinkedIn

Utilizing Event Logs to monitor and maintain a server

- [Narrator] Sysadmins need good critical thinking skills. And in a Windows server we can use Windows event logs as well as Task Manager in order to help us pin down issues. But sometimes issues aren't all that obvious, and we need to use those critical thinking skills, as well as any experience that we've garnered along the way, to solve some of these more complex problems. I'm going to go into the Tools menu in Server Manager and open up Event Viewer. Event Viewer has a lot of different types of events, and there are different event logs based on what roles and features you might have added. There's also another section which includes dozens of different events that may not always be populated, so let's take a look. When we go to Applications and Services, here we can see many different types of events. We've got Hardware Events, Internet Explorer, which isn't really being used all that much anymore, and you've got Key Management Service as well as Windows PowerShell and Admin Center. Admin Center is an application that I installed, and it automatically added event logs to go with it. So if I didn't have Admin Center installed, you wouldn't see that here. If I had installed Active Directory, for instance, you would see some Active Directory types of event logs as well. If I expand Microsoft and then Windows, here you can see a lot of different types of event logs. And I've used this in my career in order to find and troubleshoot specific issues. So for instance, if I was having issues with my hard drive, I can click on Disk and I can take a look at any event logs that might show up in that Disk event log. So this is separate from the events that you might see in the Hardware Events, which, most of the time, doesn't always give you a clear picture of what's going on. However, as we can see, there are no events here.
So that means that everything is good, and you'll find that most of the event logs in this section are not going to show you any information, or very little information, unless there's a problem. The most common event logs are going to be in this other section called Windows Logs, and the Application, Security, and System event logs are the ones that I typically go to when there's an issue. I usually start with the System event log, and here you can see mostly just informational types of events. So what you can do is filter those out by clicking on Filter Current Log and just say, I only want to see Critical, Warning, and Error, and if you'd like to have them just from specific sources, then you can choose those from this list as well. But I'm just going to choose to filter so I can only see those three key event levels. Now I can see errors, I can see warnings, I can even see a critical type of event. Critical events usually warn us either before or after something is going to cause an entire system shutdown or restart, and it would be considered unexpected. Error typically means that there's a problem with a specific service. It's not all the services, it's just a specific one. And Warning is just letting us know that there may be a problem; it's not really sure. So in this case, you can see under General for Windows Remote Management, it's not listening for WS-Management requests. So if I were on another computer trying to remotely monitor this particular server, there's no firewall port that is allowed to get through. So I might need to go into the firewall and open up that port. There's another section of this log that you want to look for. So if I click on Details and click on System, then I can see there's something called a Process ID, and this Process ID is 3648. So if I were to have a need to troubleshoot this particular event log, in this case it's a warning, I would need to find out what process is running as 3648.
So I can do that by going into my Task Manager. So I'll right-click on the taskbar and go to Task Manager, and notice under the Processes section that there is no Process ID column, but I can add it. So if I right-click on Status, for instance, I can add PID for Process ID. So what I'm looking for is 3648. I can sort these by number if I click on that particular column, and I'll just scroll down until I find 3648, which I'm almost to right now. Here, you can see that this particular Process ID is no longer here. So what that usually means is that since that event log came out, the server's restarted, and the Process ID for that particular service has now changed to be a new number. Or, it's also possible that the issue was resolved by opening up that port. So let's take a look at the event log again and see if we can find another Process ID that is running. I'm going to go over to clear the filter so we can see the latest and greatest different event logs, and that will include all the different types of event logs. And let's change from the System log to one of the other useful logs, which is the Security log. The Security log by default is going to record who has logged in or attempted to log in and whether or not they were successful. Also, if you turn on auditing, then you can audit whether or not someone has deleted a file, added a file, changed a file, things like that. And those logs will show up here as well. So let's go into our Details. We see that this is a Windows Security log. If I click on General, you can see special privileges were added to a new logon. So let's find out what service, what Process ID goes along with that. And I'm going to scroll down and we can see Process ID 764. All right, let's go into Task Manager and look for 764. And there are a couple of different services that are tied to that. One of those is going to be the Security Accounts Manager, and that is definitely one of the things that we'll be looking at, as well as Credential Manager.
I'm going to isolate Security Accounts Manager, and if I right-click, I can choose to go to the Details tab. So it's going to jump me over to the Details tab, and you can see the executable that's going along with that particular process. So this is the executable that is running the process that generated that event log. I can also right-click and choose to go to Services. Now it's going to jump me over into the Services tab, and it's going to show me the services that are tied to that executable that generated that log entry from that process. And here you can see three different services are going along with that particular issue. If I noticed that the services were not running, that could be why the event log was generated. So I can just go ahead and right-click and choose to run those services, or just go up to the top and click the Start button if it was lit up. I could also stop or restart as well. So from one event log, we can now see the process tied to it, the executable that's running it, and the services that also work with that executable file. And that is a great way of troubleshooting using event logs to monitor your server and also confirm that all the services are working as expected. Combining event logs with Task Manager using the Process ID is a powerful way to troubleshoot and monitor your Windows server.
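The walkthrough above does the PID lookup by hand: filter a log to Critical/Warning/Error, read the Process ID under Details > System, then find that PID in Task Manager and jump to its executable and services. The following PowerShell function is an added example, not part of the course, that automates the same chain with standard cmdlets (Get-WinEvent, Get-Process, Get-CimInstance). The function name and its parameters are the example's own; the level numbers 1, 2 and 3 are the Windows event levels for Critical, Error and Warning.

```powershell
# Added example (not from the course): for each filtered event, resolve the
# Process ID recorded in the event's System section to the live process, its
# executable path, and the services hosted by that process.
function Get-EventProcessContext {
    param(
        [string]$LogName = 'System',     # e.g. 'System', 'Security', 'Application'
        [int]$MaxEvents = 20,            # newest N events after filtering
        [int[]]$Level = @(1, 2, 3)       # 1 = Critical, 2 = Error, 3 = Warning
    )

    # Same filter the narrator applies via "Filter Current Log".
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = $Level } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Details > System > Execution holds the PID shown in Event Viewer.
        # ($pid is an automatic variable for the current shell, so use $procId.)
        $xml    = [xml]$evt.ToXml()
        $procId = [int]$xml.Event.System.Execution.ProcessID

        # Task Manager step: is that PID still alive? After a reboot or service
        # restart the PID is usually gone or reused, which is the caveat the
        # narrator hits with PID 3648.
        $proc = $null
        if ($procId -gt 0) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        }

        # "Go to services": services hosted by that process (svchost groups
        # or lsass show several, as with PID 764 in the walkthrough).
        $services = @()
        if ($proc) {
            $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $procId")
        }

        [pscustomobject]@{
            TimeCreated  = $evt.TimeCreated
            Level        = $evt.LevelDisplayName
            EventId      = $evt.Id
            Provider     = $evt.ProviderName
            ProcessId    = $procId
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<not running: PID changed or reused>' }
            Executable   = if ($proc) { $proc.Path } else { $null }
            Services     = ($services | ForEach-Object { $_.Name }) -join ', '
            ServiceState = ($services | ForEach-Object { $_.State }) -join ', '
            Message      = ($evt.Message -split "`r?`n")[0]
        }
    }
}

# Usage (run from an elevated prompt; the Security log and the paths of
# protected processes such as lsass.exe are only readable as Administrator):
Get-EventProcessContext -LogName System   -MaxEvents 10 | Format-Table -AutoSize
Get-EventProcessContext -LogName Security -MaxEvents 10 | Format-Table -AutoSize
```

An empty ProcessName with a non-zero ProcessId is the signal to treat the PID as stale rather than as proof that the service has vanished; re-run against newer events, as the narrator does after clearing the filter, before acting on it. Any service listed with a State other than Running is the candidate to start or restart from the Services tab.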
