1
00:00:01,240 --> 00:00:07,790
Our first order of business is Windows Server event logs. So, event logs track

2
00:00:07,790 --> 00:00:11,440
events in Windows Server, but of course, what is an event?

3
00:00:11,440 --> 00:00:14,580
An event is simply a notification of a state change,

4
00:00:14,580 --> 00:00:18,260
simple as that. When a computer starts, that's an event.

5
00:00:18,260 --> 00:00:21,940
If a computer stops responding, that's another event.

6
00:00:21,940 --> 00:00:25,020
The idea here is that the events don't arise out of thin

7
00:00:25,020 --> 00:00:28,290
air. They've all been explicitly accounted for and

8
00:00:28,290 --> 00:00:30,920
programmed by an application developer.

9
00:00:30,920 --> 00:00:36,490
Windows engineers, of course, concentrate on event streams for events that

10
00:00:36,490 --> 00:00:40,540
occur within the Windows OS, and then as you layer on software,

11
00:00:40,540 --> 00:00:43,500
those separate software vendors have their own

12
00:00:43,500 --> 00:00:46,340
developers who create event streams.

13
00:00:46,340 --> 00:00:50,140
We have in Windows a number of built-in logs.

14
00:00:50,140 --> 00:00:53,340
There are the standard ones that we've had for many, many years.

15
00:00:53,340 --> 00:00:55,790
Here is a screenshot of Event Viewer,

16
00:00:55,790 --> 00:01:01,180
the traditional Win32 app, and we can see we've got extensibility. We've

17
00:01:01,180 --> 00:01:04,510
got the Windows Logs, which I have here not highlighted,

18
00:01:04,510 --> 00:01:07,140
but you can see it in the image: Application,

19
00:01:07,140 --> 00:01:10,450
Security, Setup, System, and then the extensibility

20
00:01:10,450 --> 00:01:12,510
means Applications and Services Logs.

21
00:01:12,510 --> 00:01:16,270
So as you install roles on your servers, oftentimes

22
00:01:16,270 --> 00:01:18,640
they will have related event logs.
23
00:01:18,640 --> 00:01:22,050
Event Viewer is a nice convenient place to round up those

24
00:01:22,050 --> 00:01:25,160
events, but when you're managing multiple servers,

25
00:01:25,160 --> 00:01:29,190
especially in a hybrid cloud environment, ain't nobody got time for

26
00:01:29,190 --> 00:01:32,640
individually connecting to machines with Event Viewer.

27
00:01:32,640 --> 00:01:35,680
You'll see that the highlight annotation I've made on this slide

28
00:01:35,680 --> 00:01:39,410
highlights a folder called Subscriptions. We'll have more to say

29
00:01:39,410 --> 00:01:42,840
about event log subscriptions momentarily.

30
00:01:42,840 --> 00:01:44,740
Besides the graphical Event Viewer,

31
00:01:44,740 --> 00:01:49,400
we can query our event logs on Windows Server systems using PowerShell.

32
00:01:49,400 --> 00:01:54,600
In the first example here, Get-WinEvent is for log management where you

33
00:01:54,600 --> 00:01:58,790
can take a look at the size and the log mode and the log name and the

34
00:01:58,790 --> 00:02:00,940
record count for your logs.

35
00:02:00,940 --> 00:02:04,870
You'll want to use Group Policy to centrally control those properties.

36
00:02:04,870 --> 00:02:08,660
Actually, you could do that with PowerShell as well. As far as

37
00:02:08,660 --> 00:02:13,510
being able to parse the logs and retrieve events, you can use

38
00:02:13,510 --> 00:02:15,280
Get-EventLog, and as you see here,

39
00:02:15,280 --> 00:02:20,340
I'm looking at the System log and grabbing the newest five entries.

40
00:02:20,340 --> 00:02:23,360
You'll notice that there's a standardized format for these.

41
00:02:23,360 --> 00:02:27,910
There's importantly an event ID and then there's an associated

42
00:02:27,910 --> 00:02:30,640
message that goes along with those.
43
00:02:30,640 --> 00:02:33,590
Therefore, a large part of troubleshooting Windows Server

44
00:02:33,590 --> 00:02:36,930
is looking in the event logs for particular ID numbers,

45
00:02:36,930 --> 00:02:38,380
and then you know what I do,

46
00:02:38,380 --> 00:02:42,330
I do the same thing you probably do, I hit up Google, looking up

47
00:02:42,330 --> 00:02:46,220
those event IDs, and go to Stack Overflow and other sites and

48
00:02:46,220 --> 00:02:49,360
figure out what the problem is, what the most likely explanation

49
00:02:49,360 --> 00:02:51,740
is, and then go from there.

50
00:02:51,740 --> 00:02:55,780
Server Manager is a, in my opinion, sometimes neglected,

51
00:02:55,780 --> 00:03:00,340
sometimes ignored, graphical server administration tool,

52
00:03:00,340 --> 00:03:01,260
but it's convenient,

53
00:03:01,260 --> 00:03:05,870
inasmuch as for one or more servers you can look at individual roles

54
00:03:05,870 --> 00:03:11,010
and features, like here I've highlighted DHCP, and you can see related

55
00:03:11,010 --> 00:03:13,910
event log entries right there per service.

56
00:03:13,910 --> 00:03:18,440
So the Server Manager event logs are a bit easier to navigate

57
00:03:18,440 --> 00:03:23,640
than Event Viewer because it's a parsed or a pre-parsed view,

58
00:03:23,640 --> 00:03:27,740
or a subset of only related events.

59
00:03:27,740 --> 00:03:30,760
The latest frontier in Windows Server administration is

60
00:03:30,760 --> 00:03:33,600
this Windows Admin Center web console.

61
00:03:33,600 --> 00:03:37,570
In here, I'm showing you a screenshot where we're dialed into a particular

62
00:03:37,570 --> 00:03:42,510
server, and of course, in the Tools list we have Events, which gives you

63
00:03:42,510 --> 00:03:46,640
access to look in and do searches on those events.
64
00:03:46,640 --> 00:03:48,240
Now, generally speaking,

65
00:03:48,240 --> 00:03:51,640
I know I've mentioned this before in my training, generally

66
00:03:51,640 --> 00:03:55,370
speaking, Windows Admin Center contains a subset of the

67
00:03:55,370 --> 00:03:58,700
management options that you have in the main graphical user

68
00:03:58,700 --> 00:04:01,340
interface tools, like Event Viewer.

69
00:04:01,340 --> 00:04:06,270
But one nice thing that Windows Admin Center has on its side is it's

70
00:04:06,270 --> 00:04:10,970
much more rapidly developed, or at least potentially more rapidly

71
00:04:10,970 --> 00:04:14,680
developed than those built-in MMC consoles.

72
00:04:14,680 --> 00:04:17,010
You'll find that all of these modules,

73
00:04:17,010 --> 00:04:23,290
these tools in WAC, are built or implemented as extensions that you can update

74
00:04:23,290 --> 00:04:26,450
and keep current, just like you can your browser extensions,

75
00:04:26,450 --> 00:04:31,280
your Visual Studio extensions, your VS Code extensions, and the Microsoft and

76
00:04:31,280 --> 00:04:35,460
third-party engineers sometimes will offer a public preview mode that you can

77
00:04:35,460 --> 00:04:41,240
opt into to take a sneak peek at upcoming features.

78
00:04:41,240 --> 00:04:42,150
Now, principally,

79
00:04:42,150 --> 00:04:44,790
like I said before, the rubber meets the road with

80
00:04:44,790 --> 00:04:47,950
event logs in two main situations.

81
00:04:47,950 --> 00:04:52,580
One, at least this is the world according to Tim; one, you're

82
00:04:52,580 --> 00:04:56,760
troubleshooting a specific problem with a specific machine. There,

83
00:04:56,760 --> 00:05:00,600
you can use any of the aforementioned tools to go searching for event

84
00:05:00,600 --> 00:05:03,940
IDs, and then you'd go take your research from there.
85
00:05:03,940 --> 00:05:06,640
But what about proactive log management across an

86
00:05:06,640 --> 00:05:09,110
entire fleet of Windows Servers, dozens,

87
00:05:09,110 --> 00:05:10,230
hundreds, thousands,

88
00:05:10,230 --> 00:05:15,440
tens of thousands? What are our options for making this process easier?

89
00:05:15,440 --> 00:05:15,530
Well,

90
00:05:15,530 --> 00:05:19,780
I'm going to stay with first-party Microsoft solutions because that's what

91
00:05:19,780 --> 00:05:24,590
AZ-801 is, it's a Microsoft certification exam. As I mentioned, we can

92
00:05:24,590 --> 00:05:30,570
control event logs in terms of their maximum size, their circularity with

93
00:05:30,570 --> 00:05:33,360
Group Policy, so that's a starting point.

94
00:05:33,360 --> 00:05:37,080
Event log subscriptions are, what do I want to say about that?

95
00:05:37,080 --> 00:05:41,030
It is a way to consolidate event log entries from multiple

96
00:05:41,030 --> 00:05:43,680
servers, but its downside is that unless you use

97
00:05:43,680 --> 00:05:46,440
scripting, it's not very scalable.

98
00:05:46,440 --> 00:05:49,120
System Center Operations Manager, if you're doing

99
00:05:49,120 --> 00:05:53,510
on-premises, and nowadays System Center works in an Azure

100
00:05:53,510 --> 00:05:55,840
context as well, come to think of it,

101
00:05:55,840 --> 00:05:59,740
but you can use SCOM to do centralized event log management. And

102
00:05:59,740 --> 00:06:03,040
we'll learn more about Log Analytics a little bit in this module

103
00:06:03,040 --> 00:06:05,640
and certainly a lot more in the next one,

104
00:06:05,640 --> 00:06:11,310
but it definitely makes it easier to aggregate the event log at scale and then

105
00:06:11,310 --> 00:06:15,750
to be able to report and alert on those event log entries.

106
00:06:15,750 --> 00:06:20,040
I think you'll be impressed if you're not already familiar with Log Analytics.
107
00:06:20,040 --> 00:06:24,480
Lastly, there are third-party independent software vendors, or ISVs.

108
00:06:24,480 --> 00:06:28,170
There are plenty of players in this arena who have various desktop and

109
00:06:28,170 --> 00:06:32,830
browser-based tools that have as their advantage, in some cases,

110
00:06:32,830 --> 00:06:33,770
easy setup,

111
00:06:33,770 --> 00:06:42,000
agentless setup, and you can aggregate and report on event logs on multiple Windows Server systems at scale.