Windows event logs and event triggers are an important part of Windows server monitoring. With the addition of a task-attachment feature in Event Viewer, Windows made it possible for server administrators to create custom tasks for certain events. This is the so-called event trigger, and it can run a script or send an email notification.
This feature is highly important for security and for dealing proactively with issues on the server. Since it is simply impossible to look at events manually every hour, event triggers provide a simple way to handle events that require the immediate attention of the administrator or someone from the IT team.
What is a Windows Event Log?
Before learning how you can use event triggers for Windows performance monitoring, it’s important to understand what event logs are in the first place. Event logs are files on the server that record what happens on it. From accessing files to deleting them, all such actions are recorded as events.
You can see the list of events in Event Viewer. In the Event Viewer header, you’ll see the type, time, user, computer, Windows event ID, and source. When you click on an event, another window opens with all the details about that particular event. This includes a description that helps you understand what happened, which is especially useful if the type is Error or Warning.
There are a few categories within Windows event logs that make it easier to understand what those events account for. In Event Viewer, you’ll find these categories: System, Security, DNS Server, Application, Directory Service, and DFS Replication. The Windows system event log and data-security logs, such as the Windows Firewall log, come under the Security category.
Windows Event Log Types
In the Windows event log, each event is classified by type. Type is different from the categories we’ve already discussed, as type pertains to the seriousness or severity of the event. Here are the main event types:
- Information: This event records the success of a Windows task, so it’s more operational in nature.
- Error: This event indicates failure of the task, or loss of data or functionality.
- Warning: This event is not highly significant or urgent; it indicates a potential problem that may occur in the future.
- Success Audit: This type indicates a successful audited security event, as its name suggests.
- Failure Audit: This type indicates a failed audited security event, one that didn’t complete or ran into an error.
Why are Windows Event Logs Important?
The biggest benefit event logs, and more importantly audited event logs, can provide is security. Needless to say, security is important for both big and small businesses. Monitoring Windows events can help detect malicious login attempts or data theft. Auditing failed login attempts can help system administrators or security managers nip the hack or theft in the bud.
To take the most advantage of Windows event logs, you need to configure the audit policies so that the most crucial events are audited automatically. A strong audit policy makes security more robust. You shouldn’t audit every event, since audit logs typically roll over and the oldest entries get deleted.
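The following is an added example, not part of the original post, that ties the event-type list above to the audit-policy advice in this paragraph: it enables failure auditing for logons with the built-in auditpol tool, raises the Security log size so audits are not rolled over too early, and then queries the log by the same types Event Viewer shows (Failure Audit events by event ID, and Error/Warning events by level). The 512 MB size and the one-day lookback window are assumed values; event ID 4625 is the built-in "An account failed to log on" audit. Run it in an elevated Windows PowerShell 5.1 session on the server.

```powershell
# Added example (not from the original post). Run elevated on the server.

# 1. Audit policy: make sure failed (and successful) logons are recorded.
#    "Logon" is a built-in auditpol subcategory.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /get /subcategory:"Logon"

# 2. Retention: the Security log overwrites its oldest entries when full, so
#    raise its maximum size (512 MB is an assumed value; size it for your
#    disk and retention needs).
Limit-EventLog -LogName Security -MaximumSize 512MB

# 3. Event types. Information/Warning/Error are the Level of an event;
#    Success Audit / Failure Audit are keywords carried by Security events.
$since = (Get-Date).AddDays(-1)   # assumed lookback window

# Failure Audit events (4625) from the last day, grouped by the account that
# was attempted. The account name is read from the event's XML so the code
# does not depend on the position of the field in the event data.
$failedLogons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625              # "An account failed to log on"
    StartTime = $since
} -ErrorAction SilentlyContinue

$failedLogons |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# Warning and Error events (Level 3 and 2) from the System log, with the
# display names Event Viewer shows in its Type/Level column.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2, 3; StartTime = $since } -MaxEvents 20 |
    Select-Object TimeCreated, LevelDisplayName, Id, ProviderName, Message
```

The grouped output is the kind of summary a trigger or a monitoring tool would act on: a single account with a high failure count in a short window is the pattern the "failed login attempts" advice above is about, while a long tail of one-off failures is usually noise.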
How to Use Event Triggers?
Starting with Windows Server 2008, Windows added a feature that lets the network administrator attach a Windows task to an event in the Windows event log. This is done through Task Scheduler, which is closely integrated with Event Viewer. In the Event Viewer window, you can attach a task to an event, and that event then acts as the task’s trigger.
So how do you go about creating an event trigger, such as an email notification, that fires when that event occurs? Here’s a brief step-by-step guide to doing it on Windows Server 2017 (which is basically Windows Server 2016):
Step 1: Write a PowerShell script that sends an email to a specific address when it runs. The mail can go through an SMTP server or even a Gmail address.
Step 2: Launch Task Scheduler to set up the task. Right-click and select Create Task.
Step 3: You’ll see a window with several tabs. In the General tab, give the task a name and select ‘Run whether user is logged on or not.’
Step 4: Go to the Triggers tab and click New. Select Custom, then click New Event Filter.
Step 5: You can select the event levels (preferably all of them if it’s a critical event) and add event IDs in the Task Category. You can bind the task to many events by adding multiple IDs.
Step 6: Now go to the Actions tab and click New. Under Action, select Start a Program. In the Program text box, browse to the PowerShell script you just wrote or type the path where the script is saved. Click OK.
Step 7: In the Conditions tab, you can set whatever conditions you want. The default conditions should be enough.
Step 8: In the Settings tab, under ‘If the task is already running,’ you should ideally select ‘Queue a new instance.’ This allows the task to be triggered by multiple events.
Step 9: With everything configured, click OK.
You can manually generate the event for which you’ve set the trigger and check whether you received an email notification.
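The same nine steps, plus the final check, as an added example done from the command line rather than the Task Scheduler GUI (this is not the original post's code). It writes the notification script from Step 1, registers a task whose trigger is an event-log subscription (Steps 2–9), and then runs the task once to confirm it executes. The script directory, the SMTP host and the mailbox addresses are assumed placeholders; the task name is constructed for the example; event ID 4625 is the built-in "An account failed to log on" audit. Run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not from the original post). Run elevated on the server.
# Assumed placeholders: C:\Scripts, smtp.example.com, the two mailboxes,
# and the task name 'Alert-FailedLogon'.

# --- Step 1: the notification script the task will run ------------------
$scriptPath = 'C:\Scripts\Send-EventAlert.ps1'
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null

@'
# Send-EventAlert.ps1: mail the details of the newest event matching the trigger.
param(
    [string]$LogName = 'Security',
    [int]$EventId    = 4625
)
$evt  = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents 1
$body = @"
Server:  $env:COMPUTERNAME
Time:    $($evt.TimeCreated)
Event:   $($evt.Id) ($($evt.LevelDisplayName) / $($evt.KeywordsDisplayNames -join ','))
Source:  $($evt.ProviderName)

$($evt.Message)
"@
# Add -Credential (Get-Credential) if your SMTP server requires authentication.
Send-MailMessage -From 'alerts@example.com' -To 'admin@example.com' `
    -Subject "[$env:COMPUTERNAME] Event $EventId in $LogName" -Body $body `
    -SmtpServer 'smtp.example.com' -Port 587 -UseSsl
'@ | Set-Content -Path $scriptPath -Encoding UTF8

# --- Steps 2-9: the scheduled task with an event-log trigger ------------
# New-ScheduledTaskTrigger has no event option, so the trigger is built from
# the MSFT_TaskEventTrigger CIM class with the same XPath query that the
# "New Event Filter" dialog produces (Steps 4-5).
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625)]]</Select>
  </Query>
</QueryList>
'@

# Step 6: "Start a program" -> run the script through powershell.exe
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""

# Step 3: run whether the user is logged on or not (here as SYSTEM)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Step 8: queue a new instance if the task is already running, so a burst
# of events does not drop notifications.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances Queue `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

# Step 9: register (-Force overwrites an earlier version of the task)
Register-ScheduledTask -TaskName 'Alert-FailedLogon' -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null

# --- Check: run the action by hand and confirm it completed -------------
# LastTaskResult 0 means the script exited cleanly; anything else points at
# the script or the mail settings rather than the trigger.
Start-ScheduledTask -TaskName 'Alert-FailedLogon'
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName 'Alert-FailedLogon' | Select-Object LastRunTime, LastTaskResult
```

Running the task by hand exercises the action without the trigger; to test the trigger itself, generate the event you subscribed to (as the paragraph above says) and watch LastRunTime change. Changing the Path and EventID in the Subscription XML is all that is needed to attach the same script to a different log or event.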
Why You Still Need Windows Server Monitoring?
Event triggers are a nice feature for resolving issues before they get big, or when there’s a security threat. However, these triggers alone are not sufficient for full-fledged Windows server monitoring. You still need a reliable tool, such as the one from VirtualMetric, that does all the monitoring for you.
Manually setting event triggers is laborious; with a monitoring solution it’s far easier. You get real-time alerts when something is wrong. Another reason server monitoring is important is that Windows has no native syslog. The monitoring tool can act as a third-party syslog server for Windows, sending messages and alerts across the computers in the network.
Features like event triggers, Windows event log forwarding, and Windows ping monitoring help make security more reliable. However, these features alone are not enough, especially considering how sophisticated threats have become. You need a powerful Windows server monitoring tool that takes care of all of this for you.