Windows NT Event Logging (O'Reilly Nutshell) [Paperback]

James Murray D. (Author)
2.6 out of 5 stars  See all reviews (5 customer reviews)
Book Description

Published September 8, 1998. ISBN-10: 1565925149. ISBN-13: 978-1565925144.

Event logging is a facility used by computer systems to record the occurrence of significant events. An "event" is any change that occurs in a system -- for example, a user logon, an addition to a file, or a change to a user's privileges. Because a computer system may experience hundreds or thousands of events each second, it is important to distinguish which events require the immediate attention of a system administrator, which should be recorded as entries in the system's event log for later analysis, and which can be safely ignored.

Event logs provide a centralized collection point for all kinds of error reports, system alerts, diagnostic messages, and status messages generated by a system. This book describes the characteristics of these messages, why they are important, and how you can access them and act upon them. Event logs are particularly important to system security and problem troubleshooting. Windows NT systems generate three distinct types of event logs:

  • Security log. Stores reports of security-related events -- for example, a user has written to a file or there has been a change in a user's privileges.
  • System log. Stores reports generated by system components, including drivers and services -- for example, a device failed, a driver failed to load, or a memory allocation or I/O error occurred.
  • Application log. Stores reports on all other events -- for example, an internal application error (such as a failure to allocate memory) occurred, or a file download aborted.

This book is aimed at several specific audiences:

For system administrators, event logging is a tool for analyzing system and user activities and performance and for troubleshooting system problems. For this audience, the book explains how to view and maintain the event logs via the system's Event Viewer and how to interpret the results.

For programmers, event logging helps in diagnosing system or network problems. For this audience, the book describes the event logging API (Application Programming Interface) and the internals of the system's message files. It also provides instructions for and examples of accessing (reading, backing up, clearing, monitoring, and writing to) the event logs from C, Visual Basic 5, Perl 5 for Win32, Visual J++, and a C++ class for MFC (Microsoft Foundation Classes).

For security administrators, event logging is an important tool in auditing security-related events and tracking down the source of security breaches. For this audience, the book provides help in specifying the events to be audited and in analyzing auditing results; it also discusses the security auditing requirements imposed on a C2-level secure system (one approved by the U.S. government's National Computer Security Center).

The book comes with a CD-ROM containing examples from the book and many contributed event logging and auditing software packages. A brief table of contents follows:

Preface
1. About Event Logging
2. The Event Logging Service
3. Event Viewer
4. Windows NT Security Auditing
5. The Event Logging API
6. Message Files
7. Accessing the Event Logs
8. Reporting Events

A. References and Resources
B. Event Logging under Windows for Workgroups
C. NT Security Auditing Events
D. DumpEl: Event Logging Dump Utility
E. Kernel-mode Event Logging
F. What's on the CD-ROM?


Editorial Reviews

About the Author

James Murray is an Orthopaedic Specialist Registrar, Great Western Hospital, Swindon and Bath Royal United Hospital, UK.

Product Details

  • Paperback: 316 pages
  • Publisher: O'Reilly Media (September 8, 1998)
  • Language: English
  • ISBN-10: 1565925149
  • ISBN-13: 978-1565925144
  • Product Dimensions: 9.1 x 7 x 0.8 inches
  • Shipping Weight: 1.6 pounds
  • Average Customer Review: 2.6 out of 5 stars (5 customer reviews)
  • Amazon Best Sellers Rank: #1,529,906 in Books

Customer Reviews

5 reviews: 5 star (0), 4 star (1), 3 star (2), 2 star (1), 1 star (1). Average: 2.6 out of 5 stars.

Most Helpful Customer Reviews

4 of 5 people found the following review helpful:
4.0 out of 5 stars Overall, good Event Log Tutorial, December 2, 1998
By A Customer
This review is from: Windows NT Event Logging (O'Reilly Nutshell) (Paperback)
Overall, this book is a good tutorial on NT's Event Logging feature; but needs a little more system troubleshooting advice for NT administrators. O'Reilly is a name I've come to respect for good technical information; and this book is no different.

The author is technically accurate, which is many times lacking in a lot of computer books; he gives real-life examples, adds some humor with an edge (although it could use even more), and writing style and organization are above average. Good step-by-step instructions, good screen shots, excellent bibliography and source citations.

However, enough troubleshooting material that could be helpful to an NT troubleshooter was missing to prevent a 5 star rating. This book has a serious edge toward developers (about half the book) and there is not enough detail for NT system administrators that are looking to it for troubleshooting advice.

The author, Murray, starts out by saying that the Event Log is used mostly as a troubleshooting tool by NT administrators trying to fix problems, but then the book lacks advice and detail to make our lives a little easier. Don't get me wrong, it was a good book; but I think it slightly misses its core audience.

For example, I don't think the well known advice of "The earliest error in the log is usually the best indication of the problem" is even mentioned, much less, more advanced troubleshooting advice. Security auditing is covered well, but the system log is neglected.

I guess I was hoping that the book would provide me with more real-life examples of what to expect in a system log; and some examples of common error messages and what their causes were. I was hoping for a database of system events with their cryptic messages defined into English. The book contains some, just not enough.

Another feature I found disappointing was that the author mentions (and includes on CD-ROM) several great event log utilities (non-programming), but then aren't used in the book text. I think a little more value could have been added by including a chapter or two using the utilities to make me a better system administrator.

I'm glad I read the book and I'm a better NT administrator and troubleshooter because of it.



1 of 1 people found the following review helpful:
2.0 out of 5 stars Event Logging for Developers, not administrators, May 14, 2000
This review is from: Windows NT Event Logging (O'Reilly Nutshell) (Paperback)
I am a consultant, of sorts--I build networks, repair networks, etc. And I thought this book would give me a more thorough understanding of Windows NT's Event Logging service. Boy was I wrong.

If you are a programmer/developer for WinNT, I'm sure this book will be a great help to you. More than 2/3 of it is taken up by ways to use the event logging API. It documents the calls and parameters involved in them, and occasionally preaches about what a "good" application should do with event logging.

If you are an administrator (that doesn't write C++ code every day), however, stay away. This, like all O'Reilly books, is well written but, like many ORA books, is inappropriately titled. The information here that is useful to administrators can also be found in the Windows help files.



3.0 out of 5 stars MSDN re-hash, November 20, 2001
By John Birch (Suffolk, United Kingdom)
This review is from: Windows NT Event Logging (O'Reilly Nutshell) (Paperback)
This book is primarily a re-hash of the MSDN documentation on event logging as included in the platform SDK. It is useful in that it constitutes a printed version of that material, but it offers very little really new information. Some of the sidebars add interesting tidbits though. From a development perspective this book offers some valuable information and source code examples, however be warned - once you get to the deep end you are left to your own devices.
The book gives reasonably clear guidelines as to how to read event log records but very sketchy details on how to decode them. In short this book does **not** continue where the MSDN leaves off, which is a shame since the general style of the book is very accessible. The chapter on auditing and security could well have been omitted - it sits uneasily with the rest of the book's contents.
The source code CD that is included provides a number of trivial example programs and copies of commercial event log related programs that appear to all be available on the 'net, but the example programs are so trivial as to be useful only for cut and pasting of event log API calls.

I rate this book three stars because it is accessible and comprehensive. It does not merit a higher rating as it is not comprehensive enough for developers and does not appear to be sufficiently oriented towards the requirements of an administrator.
