Events (Standard / EVT)

 

Windows operating systems prior to Windows Vista use the standard (EVT) event logging format.  Windows Vista and later clients and Windows 2008 and later servers use the newer EVTX (Crimson) event log format.  Hyena will automatically detect if a remote system is using the EVT vs the EVTX event log format and use the appropriate functions.  If using Hyena to read from an EVTX-based event system, see the Events (Crimson / EVTX) topic.

 

Alternately, Hyena can be configured to always use the older EVT functions to read all event logs (EVT or EVTX logs).  To force Hyena to always use the older EVT event log functions, set the advanced EnableCrimsonLogs setting to FALSE under Tools > Settings > Advanced.

 

In addition to integration with the Windows native Event Viewer utility, Hyena also incorporates its own event viewing mechanism. The event log for a server or workstation can be accessed several different ways:

 

By double-clicking or right clicking on the Events object under any computer displayed in the left tree window.

 

By expanding the Events object (clicking on the 'plus' sign next to Events) and selecting the event log to view.

 

By selecting one or more computers in the right list window, right clicking, and then selecting the View Events option.

 

By selecting a computer in the left tree window, right clicking, and then selecting the View Events option.

 

Selecting the Event Viewer option from Hyena's popup context menu will run the native Windows event viewer (Eventvwr.exe or the MMC Event Viewer snapin) for the selected computer. Selecting the View Events option or double-clicking on the Events object will display Hyena's event viewer dialog. The remainder of this help section describes the options available when using Hyena's integrated event viewing options.

 

To view the details of a specific event, simply double-click an event. The event properties window will display all of the event details, and allow going to the previous/next event.

 

Event Viewing Options

 

Event Log – Select the event log(s) to view.  Hyena's event viewer supports all of the Windows event logs.  Multiple logs can be viewed as well.

 

Event Order – Select whether to view the oldest or newest events first, that is, either in forward or reverse chronological order.  See the Note below on how this selection, in combination with the date range, can affect performance.

 

Date Range - Hyena supports using either a specific date range or a dynamic 'offset':

 

Specific Date Range - Select the beginning and ending dates.  If all event dates from the very beginning or end of the event log are needed, select the 'start from first event' and/or 'end with last event' options.

 

Using an Offset - The 'offset' option allows a simple dynamic range to be used instead of a fixed range.  For example, to review on a Monday morning the events that occurred over the weekend, use the 'last 3 days' offset.  To use an offset, select the 'Use Offsets' checkbox, then select the appropriate range:

 

Yesterday - Show events from yesterday.

Today - Show events from today only.

Events from 'X' Days/Hours/Minutes - Show events from a set number of days, hours, or minutes from the current date and time. Optionally, the current day can be included or excluded.

 

Offset intervals can also be saved using the Event Filters... option.

 

The Windows event log lacks any mechanism to read the log starting with a certain date.  The only options when reading the event log are to read it either 'forward' or 'backward' with respect to time.  This is referred to as the 'event order'.  When reading a range of dates, significant performance gains can be achieved if the range covers either the very beginning or the very end of the log and the optimal event order is specified.  For example, if you only want the last few days of the event log, select the appropriate date range and select 'Show newest events first' as the event order.  Hyena will then start reading the newest entries first and stop as soon as it reaches an event older than the start of the date range.  This prevents Hyena from having to read the older events that are outside of the range selected.
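As an added illustration (not Hyena's own code), the following Python model shows why the event order matters: a classic event log can only be read sequentially forward or backward, so a reader that starts at the end of the log nearest the requested range can stop as soon as it steps outside that range. The record layout, the log contents and the query dates are constructed for the demonstration, and the 'last X days' window ending at the current time is an assumed reading of the offset option.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class EvtRecord:
    record_number: int
    time_generated: datetime
    event_id: int
    source: str


def make_log(first: datetime, count: int, step: timedelta) -> list:
    """Constructed sample log: `count` records, one every `step`, oldest first."""
    return [EvtRecord(i + 1, first + i * step, 7036, "Service Control Manager")
            for i in range(count)]


def offset_window(now: datetime, days: int) -> tuple:
    """The 'last X days' offset as a window ending now (assumed semantics)."""
    return now - timedelta(days=days), now


def read_range(log: list, start: datetime, end: datetime, newest_first: bool) -> tuple:
    """Model of a sequential EVT read with no seek-by-date.
    Returns (records inside [start, end], number of records that had to be read).
    Reading stops at the first record beyond the far edge of the range, because
    every record after it in the read direction is also outside the range."""
    order = reversed(log) if newest_first else log
    hits, read = [], 0
    for rec in order:
        read += 1
        t = rec.time_generated
        if newest_first and t < start:
            break
        if not newest_first and t > end:
            break
        if start <= t <= end:
            hits.append(rec)
    return hits, read


if __name__ == "__main__":
    # Ten days of hourly records (constructed), queried the following morning
    log = make_log(datetime(2024, 1, 1), 240, timedelta(hours=1))
    start, end = offset_window(datetime(2024, 1, 11, 8), days=3)
    for newest_first in (True, False):
        hits, read = read_range(log, start, end, newest_first)
        print(f"newest_first={newest_first}: {len(hits)} events, {read} records read")
```

With the range at the newest end of the log, the newest-first read returns the same 64 events after reading 65 records, while the oldest-first read has to read all 240.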

 

Filtering Options

 

When any of the filtering options are enabled or if more than one event log is viewed, Hyena will retrieve ALL of the events from the selected computer(s) and evaluate them against the filter criteria. This will result in some additional event processing time. When no filter criteria have been entered, Hyena will only retrieve a small block of events to improve performance. However, if any of the display columns are sorted on, the remaining events will be retrieved automatically in order to perform the sort operation.

 

Leave the filter fields blank to retrieve all events.  When events are filtered, the title bar of the list window will contain the word "(filtered)".

 

Event ID(s) – Enter the event ID(s) to filter against. If multiple event IDs are needed, separate them with commas (“,”).  To only show events with the filter ID(s) entered, select the option "Only show these events".  To show events other than the event ID(s) entered, select the "Exclude these events" option.

 

Source – Enter the source name for the event.

 

User/Group Name – Enter the user or group name. The entered user or group must match what would normally be displayed in the event view window, including the preceding domain name, for example, “Domain Name\Administrator”.

 

Description – Enter the characters to search in the description field. See the information below concerning “Event Description Handling”.

 

Event Types – Enter the event type(s) to filter for, if desired. Select ALL of the event types to disable event type filtering.
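The filter fields above, modelled in Python as an added example that is not Hyena's own code: a comma-separated ID list with the "Only show" / "Exclude" switch, exact source and domain-qualified user matches, a substring search on the description, and an event type set that disables itself when every type is selected. The sample records are constructed, and case-insensitive matching is an assumption the page does not state.

```python
from dataclasses import dataclass

EVENT_TYPES = frozenset({"Error", "Warning", "Information",
                         "Audit Success", "Audit Failure"})


@dataclass(frozen=True)
class Event:
    event_id: int
    source: str
    user: str          # as the viewer shows it, including the domain name
    event_type: str
    description: str


# Constructed sample records, not taken from any real log
SAMPLE_EVENTS = [
    Event(6005, "EventLog", "NT AUTHORITY\\SYSTEM", "Information",
          "The Event log service was started."),
    Event(6006, "EventLog", "NT AUTHORITY\\SYSTEM", "Information",
          "The Event log service was stopped."),
    Event(7036, "Service Control Manager", "NT AUTHORITY\\SYSTEM", "Information",
          "The Print Spooler service entered the stopped state."),
    Event(7000, "Service Control Manager", "NT AUTHORITY\\SYSTEM", "Error",
          "The Telnet service failed to start."),
    Event(1074, "User32", "CORP\\Administrator", "Information",
          "The process winlogon.exe has initiated the restart of computer SRV1."),
]


def parse_event_ids(text: str) -> frozenset:
    """'6005, 6006,7036' -> {6005, 6006, 7036}; a blank field means no ID filter."""
    return frozenset(int(part) for part in text.split(",") if part.strip())


def matches(ev: Event, ids=frozenset(), exclude_ids=False, source="",
            user="", description="", types=EVENT_TYPES) -> bool:
    """Apply the viewer's filter fields to one event; blank fields are ignored.
    String comparisons are case-insensitive (an assumption, not stated by the page)."""
    if ids and (ev.event_id in ids) == exclude_ids:
        return False            # "Only show these events" vs "Exclude these events"
    if source and ev.source.lower() != source.lower():
        return False
    if user and ev.user.lower() != user.lower():
        return False
    if description and description.lower() not in ev.description.lower():
        return False
    return ev.event_type in types   # selecting ALL types disables this test


def apply_filter(events, **criteria) -> list:
    return [ev for ev in events if matches(ev, **criteria)]
```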

 

Event Description Handling

 

Due to how the event reporting mechanism is implemented in Windows, a lot of intensive processing is required to actually create the event description field. By default, Hyena will not display the event description until the event’s properties are viewed (by double clicking on the event). However, Hyena can be configured to display the event description for all events in the list window, by adding the Description column to the list of display fields. This is done by selecting Tools->Settings->Display on the menu, and adding the Description field to the list of event fields to display. Note that when the description field is enabled for the list window, there can be a significant reduction in performance when viewing the events. Weigh this performance cost against the advantage of seeing all of the event information at one time when deciding whether to enable this option.

 

The same performance limitations apply when searching the event description field.  If event description filtering options are entered, Hyena will retrieve the event description and apply any necessary filters.

 

Viewing Events on Multiple Computers

 

Events can be viewed and filtered for multiple computers at the same time.  To do this, first display the computers in the list window.  Then, select the desired computers, right click, and select Events from the context menu.  Options for filtering, etc. are identical to those available when viewing the events for a single computer.

 

Sorting and Viewing Event Information

 

Event information is displayed in Hyena's list window.  Events can be sorted by simply clicking on any column header.  To view the event detail information, including the description, simply double click on the event.  The event view can be customized under the Tools->Settings->Display dialog.

 

Opening and Backing Up Event Logs

 

Selecting the Open Log File... option will allow selecting and viewing an existing saved event log file.  Since Windows does not store the event log type in the event log file, selection of the event log type is required to properly format the event log messages.  The current list of event log types is taken from the local computer; however, any value can be manually entered as the event log type.  This information is only used to construct the event log message.  Hyena also supports opening multiple event log files at once.  For proper formatting of the event log messages when opening multiple event logs, they should all be of the same type (i.e. Application, System, etc.).

 

Selecting Backup Event Log... permits saving a selected event log to an external file.