The Event Viewer is an Administrative tool that records events that occur on your computer. When the system or application runs into any bugs, errors, or security issues, the event logs will have the information that caused the problem. Although it does not solve the issue at hand, the Event logs give you the necessary information to begin the troubleshooting process.
Understanding Event Viewer Layout
In the Event Viewer window, you will see three panels. The left side is the navigation panel, the middle one displays the event details and the right side is for performing actions like saving or loading event logs.
Navigation Panel
The Navigation panel is the left side panel where event logs are categorized into three specific folders. These folders are common in all versions and editions of Windows. These are Custom Views, Windows Logs, and Application and Services Logs.
Windows logs keep track of every event from the Windows OS and contain a list of the following event log categories:
- Application: Logs from applications
- System: Logs created by OS
- Security: Login events
- Setup: Logs Windows Setup performance events
- Forwarded Events: Events forwarded by remote PCs
Application and Service Logs contain events from hardware connections/alerts, third-party applications, and PowerShell events.
Finally, any custom filter you create through the action panel will be stored in the Custom Views event log. By default, this section will have a sub-category named Administrative Events. You can use this to view all Critical, Warning, and Error events from the log history.
Custom event logs named Administrative Events are created automatically on all versions of Windows.
On the Navigation panel, if you click on Event Viewer (Local), you will get an Overview and Summary in the Details panel. Here, you can get a quick review of all the administrative events, recently viewed logs, and Log Summary.
Events Panel
The Events panel displays the list of recorded event logs and the level of the recorded event whether it is information, warning, error, or critical. Among these, event logs indicating Error should be given high priority and should be looked into right away.
If you double-click on the events, a new dialog box opens up showing all the event properties. It contains a log description along with numerous entries. Among these entries, Log Name, Source, Event ID, Logged, Level, and OpCode are a few of the crucial ones.
Logged records the date and time of the event log and it is the most crucial one. You can note the date and time of the system crash or when the system runs into issues and compare it with Logged to determine the recorded event log.
Once you have the event log, check its Log Name. Using Log Name, you can determine whether the log is from the application, security, setup, system, or forwarded events.
The Level column says whether the event log is a warning, error, or just information. We recommend checking the log description, Event ID, and Source.
Event ID and Source are what you will need to determine the exact details of the recorded event log.
Actions Panel
Event Actions allows you to perform actions like save logs, open saved logs, create a custom view, clear event logs, filter current logs, and view properties of the selected log.
Save and Open Event Logs
Saving Event logs allows you to get the event details and view them on another PC. To save logs in the event viewer,
In the left panel, select the event log category that you want to save.
Now, on the right panel, click on Save All Event As.
Select a file location where you want your event file saved and name the file.
To open saved logs,
- Click on the Open Saved log on the right side of the Event Viewer Window.
- Now browse for an event file with
.evtx
,.evt
, or.etl
extension.
Once you open saved logs, a log category named Saved Logs will appear on the Event Viewer panel located on the left side.
Filter Event Log and Create Custom View
By filtering logs, the event viewer will extract the events that do not match the event properties set on the custom filter. To set a filter in Event Viewer,
Select the event log category that you want to filter.
Click on Filter Current Logs on the Actions panel.
Here, fill in Logged, Event Level, Event Sources, EventIDs, and other categories depending on what you want to filter out.
Click on OK.
Now, you will only get the filtered event logs.
Note: You cannot filter event log inside Custom Views as these logs are already filtered.
Creating a Custom view works similar to filtering event logs. However, when creating custom logs, it will create a new log category in Custom Views. Creating Custom View can especially come in handy when you only want to view the filtered events logs.
How to Check Event Logs?
Administrative Events under the Custom Views filter all Critical, Warning, and Error events from the entire log history. Therefore, it is the first thing you need to check when the system runs into error or crashes.
Custom event logs named Administrative Events are created automatically on all versions of Windows.
Note: You need the exact date and time of the system crash/error to check event logs.
Press the Windows + R key to open Run.
Type eventvwr
and press OK.
Alternatively, you can also right-click on the Windows icon on the taskbar and select Event Viewer.
In Event Viewer, expand Custom Views and click on Administrative Events.
In the middle panel, compare the date and time of the system error with the Date and Time Column.
Double-click on the event log that matches the date and time of the crash/error.
Note Log Name, Event ID and Source. Event ID is different for each category of Event Logs.
If the Log Name displays Application, Security, Setup, System, or Forwarded Events, expand Windows Logs and click on the log category (Log Name) that you noted in Step 7.
If the Log Name displays some other names, expand Application and Services Logs in the navigation panel. Here you need to find the logs category (Log name) from Step 7.
Now, in the event details panel search the event using the date and time of the system error.
Once you find the event log that matches the event from Step 6, check other events leading up to the system-crash event log.
You can also search the internet or Microsoft’s official documentation page for Event ID and Source to determine the exact cause of the error log.
Event Viewer Retention Period
The default retention period for events in a single event log category is around 20MB. And since these event logs are entered on a FIFO (First-In First-out) policy, the entries recorded first are removed first when it hits the 20MB limit.
However, you can increase the event viewer retention size if you want to record more event logs.
Select the event log category whose retention size you want to change.
Right-click and select Properties.
Change the Maximum log size to record a higher number of events.
Here, you can also check the current log size, created, modified, and accessed data, log path, and what the system does when the maximum event log size is reached.