I have been managing Windows Server 2003 machines at work, but I am a software developer. (Please don't say 'hire a sysadmin', the point of this question is my own learning).
How do server admins learn what to look for in Event Viewer? Sometimes there will be strange things that I don't understand; many times there will be things that are always there, which I simply ignore because they are always there.
Is there some resource somewhere that can train me on what is normal behavior for a Windows Server event viewer log and what things may spell disaster?
Or maybe there is some third party tool that will decipher them and make recommendations? I would prefer the learning route though.
Best Answer
The event logs are a clearing-house for any messages or errors thrown by the OS, its components, and any software installed on the system. So we can't fully cover all its potential contents, because there are unlimited potential things it could contain and they all require individual treatment.
One way to analyze event logs is:
That's about all there is to it. Security Event Log auditing is a bit different but Application and System can usually be covered pretty well with the approach above.
You can set up monitoring/alerting packages to watch event logs and alert you. There are two typical approaches to this:
Each approach has its strengths. One key thing to remember, though, is that a monitoring tool is only as useful as it's configured to be, and there's no 'magic bullet' for this that'll give you a good blend of 'quiet enough' and 'guaranteed to alert you every time there's a genuine problem'. Unfortunately that requires continuous balancing.
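One way to put the "ignore what's always there, look at what's new" idea into practice for the Application and System logs, as an added example that is not part of the original answer: learn a baseline of how often each Source/EventID pair normally shows up, then report only the kinds of event that are new or occurring well above their usual rate. It assumes PowerShell 2.0 or later and the classic Get-EventLog cmdlet (which reads the Server 2003 style logs); the log names, window sizes, thresholds and baseline file path are my own choices and can be changed freely.

```powershell
# Added example, not from the original answer. Assumes PowerShell 2.0+ and
# the classic Get-EventLog cmdlet. Log names, windows, thresholds and the
# baseline path are assumptions chosen for illustration.
param(
    [string[]]$Logs         = @('System', 'Application'),
    [int]     $BaselineDays = 30,       # history used to learn what is "normal"
    [int]     $RecentHours  = 24,       # window we actually want to review
    [string]  $BaselinePath = 'C:\Admin\event-baseline.csv'
)

$now    = Get-Date
$levels = @('Error', 'Warning')         # Information entries are mostly noise

# A Log/Source/EventID triple identifies a kind of event; message text varies.
function Get-EventKey($LogName, $Entry) { "$LogName/$($Entry.Source)/$($Entry.EventID)" }

# 1. Build (or reuse) the baseline: events per day for each kind of event,
#    leaving out the most recent window so it cannot contaminate the history.
if (-not (Test-Path $BaselinePath)) {
    $historyDays = $BaselineDays - ($RecentHours / 24.0)
    $baseline = foreach ($log in $Logs) {
        Get-EventLog -LogName $log -EntryType $levels `
                     -After $now.AddDays(-$BaselineDays) -Before $now.AddHours(-$RecentHours) |
            Group-Object -Property { Get-EventKey $log $_ } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Key    = $_.Name
                    Count  = $_.Count
                    PerDay = [math]::Round($_.Count / $historyDays, 3)
                }
            }
    }
    if ($baseline) { $baseline | Export-Csv -Path $BaselinePath -NoTypeInformation }
}

$known = @{}   # Key -> average occurrences per day during the baseline period
if (Test-Path $BaselinePath) {
    foreach ($row in (Import-Csv $BaselinePath)) { $known[$row.Key] = [double]$row.PerDay }
}

# 2. Pull the recent window and tag every entry with its key.
$recent = foreach ($log in $Logs) {
    Get-EventLog -LogName $log -EntryType $levels -After $now.AddHours(-$RecentHours) |
        ForEach-Object {
            Add-Member -InputObject $_ -MemberType NoteProperty -Name Key `
                       -Value (Get-EventKey $log $_) -PassThru
        }
}

# 3. Compare each kind of event with its history.
#    NEW      = never seen during the baseline period
#    SPIKE    = seen before, but far more often than usual
#    BASELINE = the "always there" noise the question describes (hidden below)
$report = $recent | Group-Object -Property Key | ForEach-Object {
    $key      = $_.Name
    $expected = 0.0
    if ($known.ContainsKey($key)) { $expected = $known[$key] * ($RecentHours / 24.0) }

    $status = 'BASELINE'
    if (-not $known.ContainsKey($key))                      { $status = 'NEW' }
    elseif ($_.Count -gt [math]::Max(3, 3 * $expected))     { $status = 'SPIKE' }

    $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
    $msg    = ($latest.Message -replace '\s+', ' ')
    if ($msg.Length -gt 80) { $msg = $msg.Substring(0, 80) + '...' }

    New-Object PSObject -Property @{
        Status   = $status
        Key      = $key
        Count    = $_.Count
        Expected = [math]::Round($expected, 1)
        Last     = $latest.TimeGenerated
        Message  = $msg
    }
}

$report | Where-Object { $_.Status -ne 'BASELINE' } |
    Sort-Object Status, Count -Descending |
    Format-Table -AutoSize Status, Key, Count, Expected, Last, Message
```

Run it once to create the baseline, then once a day (or from a scheduled task) to review the last 24 hours; delete the CSV whenever you want the script to relearn what "normal" looks like after a deliberate change to the server. The NEW rows are the ones worth reading up on, and a SPIKE in something that was previously background noise is often the first sign of a failing disk, service or dependency. As the answer says, the Security log needs a different approach: what appears there depends entirely on the audit policy you set, and the interesting entries are FailureAudit and SuccessAudit rather than Error and Warning.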