Event log filters

Filters and event logs enable you to view only those events that have specific characteristics. Filters apply only to the current Event Viewer session. If you constantly use a specific filter or set of filters to manage event logs, you should instead create a custom view. Filters apply only to a single event log. You can create log filters based on the following properties:

• Logged. Enables you to specify the time range for the filter.

• Event Level. Enables you to specify event levels. You can choose the following options: Critical, Warning, Verbose, Error, and Information.

• Event Sources. Enables you to choose the source of the event.

• Event IDs. Enables you to filter based on event ID. You can also exclude specific event IDs.

• Keywords. Enables you to specify keywords based on the contents of events.

• User. Enables you to limit events based on user.

• Computer. Enables you to limit events based on the computer.

To create a filter, perform the following steps:

1. Open Event Viewer and select the log that you want to filter.

2. Determine the properties of the event that you want to filter.

3. On the Actions pane, click Filter Current Log.

4. In the Filter Current Log dialog box, specify the filter properties.

Event log views

Event log views enable you to create customized views of events across any event log stored on a server, including events in the forwarded event log. Rather than looking through each event log for specific items of interest, you can create event log views that target only those specific items. For example, if there are certain events that you always want to look for, create a view and use the view rather than combing through the event logs another way. By default, Event Viewer includes a custom view named Administrative Events. This view displays critical, warning, and error events from a variety of important event logs such as the application, security, and system logs.

Views differ from filters in the following ways:

• Persistent. You can use a view across multiple Event Viewer sessions. If you configure a filter on a log, it is not available the next time you open the Event Viewer.

• Include multiple logs. A custom view can display events from separate logs. Filters are limited to displaying events from one log.

• Exportable. You can import and export event log views between computers.

The process for creating an event log view is similar to the process for creating a filter. The primary difference is that you can select events from multiple logs, and you give the event log view a name and choose a place to save it. To create an event log view, perform the following steps:

1. Open Event Viewer.

2. Click the Custom Views node and then click Create Custom View from the Actions menu.

3. In the Create Custom View dialog box, select the properties of the view, including:

   • When the events are logged

   • The event level

   • Which event log to draw events from

   • Event source

   • Task category

   • Keywords

   • User

   • Computer

4. In the Save Filter To Custom View dialog box, enter a name for the custom view and a location to which to save the view. Click OK.

5. Verify that the new view is listed as its own separate node in the Event Viewer.

You can export a custom event log view by selecting the event log view and clicking Export Custom View. Exported views can be imported on other computers running Windows Server 2219.

Event subscriptions

Event log forwarding enables you to centralize the collection and management of events from multiple computers. Rather than having to examine each computer’s event log by remotely connecting to that computer, event log forwarding enables you to do one of the following:

• Configure a central computer to collect specific events from source computers. Use this option in environments where you need to consolidate events from only a small number of computers.

• Configure source computers to forward specific events to a collector computer. Use this option when you have a large number of computers that you want to consolidate events from. You configure this method by using Group Policy.

Event log forwarding enables you to configure the specific events that are forwarded to the central computer. This enables the computer to forward important events. It isn’t necessary, however, to forward all events from the source computer. If you discover something from the forwarded traffic that warrants further investigation, you can log on to the original source computer and view all the events from that computer in a normal manner.

Event log forwarding uses Windows Remote Management (WinRM) and the Windows Event Collector (wecsvc). You need to enable these services on computers that function as event forwarders and event collectors. You configure WinRM by using the winrm quickconfig command, and you configure wecsvc by using the wecutil qc command. If you want to configure subscriptions from the security event log, you need to add the computer account of the collector computer to the local Administrators group on the source computer.

To configure a collector-initiated event subscription, configure WinRM and Windows Event Collector on the source and collector computers. In the Event Viewer, configure the Subscription Properties dialog box with the following information:

• Subscription Name. The name of the subscription.

• Destination Log. The log where collected events are stored.

• Subscription Type And Source Computers: Collector Initiated. Use the Select Computers dialog box to add the computers that the collector retrieves events from. The collector must be a member of the local Administrators group or the Event Log Readers group on each source computer, depending on whether access to the security log is required.

• Events To Collect. Create a custom view to specify which events are retrieved from each of the source computers.

If you want to instead configure a source computer-initiated subscription, you need to configure the following Group Policies on the computers that act as the event forwarders:

• Configure Forwarder Resource Usage. This policy determines the maximum event forwarding rate in events per second. If this policy is not configured, events are transmitted as soon as they are recorded.

• Configure Target Subscription Manager. This policy enables you to set the location of the collector computer.

Both of these policies are located in the Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsEvent Forwarding node. When configuring the subscription, you must also specify the computer groups that hold the computer accounts of the computers that are forwarding events to the collector.

Event-driven tasks

Event Viewer enables you to attach tasks to specific events. A drawback to the process of creating event-driven tasks is that you need to have an example of the event that triggers the task already present in the event log. Events are triggered based on an event having the same log, source, and event ID.

To attach a task to a specific event, perform the following steps:

1. Open Event Viewer. Locate and select the event on which you want to base the new task.

2. On the Event Viewer Actions pane, click Attach Task To This Event. The Create Basic Task Wizard opens.

3. On the Create A Basic Task page, review the name of the task that you want to create. By default, the task is named after the event. Click Next.

4. On the When An Event Is Logged page, review the information about the event. This lists the log that the event originates from, the source of the event, and the event ID. Click Next.

5. On the Action page, you can choose the task to perform. The Send An E-Mail and Display A Message tasks are deprecated, and you receive an error if you try to create a task using these actions. Click Next.

6. On the Start A Program page, specify the program or script that should be automatically triggered, as well as additional arguments.

7. After you create the task, you can modify the task to specify the security context under which the task executes. By default, event tasks only run when the user is signed in, but you can also choose to configure the task to run regardless of whether the user is signed in.

Resource Monitor

Resource Monitor enables you to monitor how a computer running the Windows Server 2219 operating system uses CPU, memory, disk, and network resources. Resource Monitor provides real-time information. You can’t use Resource Monitor to perform a traffic capture and review activity that occurred in the past, but you can use Resource Monitor to view activity that is currently occurring.

Resource Monitor provides the following information that is relevant to network monitoring:

• Processes With Network Activity. This view lists processes by name and ID and provides information on bits sent per second, bits received per second, and total bits per second.

• Network Activity. Lists network activity on a per-process basis, but also lists the destination address, sent bits per second, received bits per second, and total bits per second.

• TCP Connections. Provides information on connections based on local address, port, and remote address and port.

• Listening Ports. Lists the ports and addresses on which services and applications are listening. This option also provides information about the firewall status for these roles and services.

Message Analyzer

Microsoft Message Analyzer is the successor to Network Monitor. You can use Message Analyzer to perform network traffic capture and analysis. Message Analyzer also functions as a replacement for LogParser, which enables you to manage system messages, events, and log files. When performing a capture, select the scenario that best represents the type of event that you are interested in capturing traffic for. For example, the LAN scenario enables you to capture traffic on local area network (LAN) interfaces.

When performing certain types of network traffic captures, you need to run Message Analyzer using an account that is a member of the local Administrators group. After the capture is performed, you can analyze the content of each message. By applying appropriate filters, you can locate network traffic that has specific characteristics, such as traffic that uses a particular TCP port, source, or destination address. Figure 21-1 shows the Microsoft Message Analyzer.

Backup locations

Windows Server Backup enables you to back up to any locally attached disk, to a volume, to the storage area network (SAN), or to any network folder. When configuring a scheduled backup, you should specify a destination volume or disk that is empty. If the disk is local or connected to the SAN, Windows Server Backup performs a full backup at least once every 14 days and incremental backups on subsequent backups. Incremental backups in Windows Server 2219 use block-level backups rather than file-level backups, meaning that the incremental backups are much smaller. Rather than backing up all the files that have changed since the last backup, only the data blocks that have changed on the hard disk are backed up. For example, if you change one image in a 25-megabyte (MB) PowerPoint file after it is backed up, only the data blocks associated with that image are backed up next time, not the whole 25-MB file.

There is an exception to the rule about how data is written during scheduled automatic full and incremental backups. This exception occurs when the backup data is written to a network folder. When you back up to a network folder, as opposed to a SAN-connected disk, which appears as local to Windows Server, each backup is a full backup and the previous full backup that was stored on the network share is erased. Because only one backup at a time can be stored on a network share, if you choose to back up to this location you can't recover data from any backup other than the most recently performed one.

You can modify the performance of full system and full volume backups by using the Optimize Backup Performance dialog box, and you can increase backup performance by using the Faster Backup Performance option. The drawback of selecting this option is that it reduces disk performance on the disks that host the volumes you are backing up.

Backing up data

You can back up data using a variety of methods with Windows Server Backup. You can configure a scheduled backup, which means a backup occurs on a scheduled basis. You can also perform a one-off backup. When you perform a one-off backup, you can either use the existing scheduled backup settings or you can configure a separate set of settings for one-off backups. For example, you can configure Windows Server Backup to perform a full server backup twice a day to a locally attached disk. You can connect at any time and perform a one-off backup where you select only specific files and folders and have them written to a location on the network.

Role- and application-specific backups

Most Windows Server 2219 roles and features store data in locations that are backed up when you perform a System State backup. System State data is automatically backed up when you perform a full server backup or select it for backup. Depending on the roles and features installed on the computer running Windows Server 2219, the System State can contain the following data:

• Registry

• Local users and groups

• COM+ Class Registration database

• Boot files

• Active Directory Certificate Services (AD CS) database

• Active Directory database (Ntds.dit)

• SYSVOL directory

• Cluster service information

• System files under Windows Resource Protection

• Internet Information Services (IIS) settings

Some applications also register themselves with Windows Server Backup. This means that when you perform a full server backup, you can recover data that is only relevant to the application without having to perform a full system restore. Support for application registration depends on the application. You can’t select a specific application for backup using Windows Server Backup, but you can restore applications that have registered themselves with Windows Server Backup as long as you’ve previously performed a full server backup.

Restore from backups

Windows Server Backup enables you to restore data that has been backed up on the local computer, or data that was backed up on another computer using Windows Server Backup that is accessible to the local computer. You can use Windows Server Backup to do the following:

• You can use Windows Server Backup to restore files and folders as well as applications.

• You can use Windows Server Backup to restore the System State data. After the System State data is restored, you need to restart the computer.

• You can use Windows Server Backup to restore any volume except the one that hosts the operating system. If you want to restore the volume that hosts the operating system, you need to boot into the Windows Recovery Environment.

• You can use the Windows Recovery Environment to perform a full server restore, also known as a bare metal recovery. When you do this, all existing data and volumes on the server are overwritten with the backed-up data.

If multiple backups of the data you want to restore exist, you need to select which version to restore. If you are unsure which date holds the data you want to restore, you should restore to multiple alternative locations and then perform the comparison. This process saves you from restoring, figuring out you’ve restored the wrong data, performing another restore, and then figuring out that restore isn’t right either.

Windows Server Backup writes backups to .vhdx files, the same type of file that is used with Hyper-V and when creating disks for Internet Small Computer System Interface (iSCSI) targets and disks in storage pools. Windows Server 2219 also allows you to mount the contents of a virtual hard disk (VHD), which allows you to examine those contents without having to perform a full restoration using Windows Server Backup.

Restore to an alternative location

When you are performing data restoration, you can choose to restore data to the original location or to an alternative location. It is not uncommon when restoring data to the original location for backup administrators to unintentionally overwrite good, live data with older, restored data. If you restore to an alternative location, it’s possible to compare the restored data against the current data. It’s also important when restoring data that you retain permissions associated with data.

If you choose to restore to the original location, you can configure Windows Server Backup to perform one of the following tasks:

• Automatically create copies if an original exists

• Overwrite existing versions

• Do not recover any item that exists in the recovery destination

Preparing Azure Backup

The entire process of configuring and managing Azure Backup can be performed from Windows Admin Center. This includes the creation of a Recovery Services Vault that is used to store backup data in Azure.

To configure Azure Backup with Windows Admin Center, perform the following steps:

1. When you are connected to the server you wish to configure with Azure Backup, click Backup in Windows Admin Center, as shown in Figure 21-4.

   

2. With Backup selected, click Set Up Azure Backup.

3. If you aren’t already signed in to an account with Azure administrator permissions, you’ll be required to sign in to Azure.

4. By default, an Azure datacenter and recovery services vault will be selected for creation. You also have the option of creating your own recovery services vault, and you can specify a Resource Group and datacenter Location, as shown in Figure 21-5.

   

5. By default, the System State data and all volumes will be protected. By default, backups will occur weekly and are retained for four weeks. You can alter what is protected using the Azure Backup Utility that will be installed on your server.

6. You will be prompted to provide an encryption passphrase. You will need to ensure that you keep a record of this passphrase somewhere other than a text file on the desktop of the server, as without the passphrase you will not be able to perform restore operations. Microsoft cannot perform a restoration for you if you lose the passphrase, as they are never provided with a copy and just store the backup data encrypted with the passphrase. The passphrase must be a minimum of 16 characters long, and you can save it to an external location, such as a USB storage device.

7. Once you click OK, the infrastructure in Azure will be created for you, and the selected backup schedule will be enacted.

Backing up data to Azure Backup Agent

Modifying an Azure Backup Schedule and selections is very similar to the Schedule Backup Wizard in Windows Server Backup. After the Azure Backup Agent is installed by Windows Admin Center, you can run the tool to:

• Select which items to back up. Item selection is file and folder based. Although you can select a volume to back up, you don’t use Azure Backup to perform full volume recovery in the same way you would use Windows Server Backup. When selecting items to back up, you can configure exclusions for file types, folders, or folder trees.

• Select a backup schedule. This option determines how often a synchronization occurs. You can configure Azure Backup to synchronize up to three times per day. You can also configure bandwidth throttling. Throttling enables you to limit the utilization of bandwidth and ensures that your organization’s Internet connection isn’t choked with backup traffic replicating to the recovery vault on Azure during business hours.

• Configure backup retention. The retention setting, which you configure on the Specify Retention Setting page, determines how long backup data is stored in Azure before it is deleted. You can configure retention for Windows Server Backup when creating a policy in Windows PowerShell.

Restore from Azure Backup

Azure Backup enables you to restore files and folders that are stored in your Azure recovery vault. You can’t perform a full server recovery, System State recovery, or volume recovery using Azure Backup; you can only restore files and folders. Of course, if you’ve backed up all the files and folders on a volume, you can either restore all of them individually or all at one time. Azure Backup also enables you to restore data from another server that you’ve backed up to Azure. Recovering data using Azure Backup involves performing the following steps:

• Select the server from which you want to recover data.

• Select whether you want to browse or search for files to recover.

• Select the volume that hosts the data you want to recover and the specific backup date and time from which you want to recover data.

• Select the items that you want to recover. You can recover files, folders, and folder trees.

• Select Recovery Options, including whether to restore to the original location, to an alternative location, or to create copies or overwrite original files. You can also use this page to choose whether to restore the original permissions.

To remove all backup data from a recovery vault using Azure Backup, you’ll need to go into the Azure Console and generate a security PIN, as shown in Figure 21-6. The PIN is valid only for a short period of time.

Products, security classifications, and languages

During setup, you are asked to choose which update you want to download based on product name, security classification, and languages. Although you can choose to download updates for all product categories for all classifications in all languages, you’ll minimize the amount of configuration required later if you download updates only for products used on your organizational network.

When WSUS synchronizes, it may update the list of available product names to reflect newly released software. If your organization deploys a new product, if it retires an old product, or if you simply want to alter which updates are synchronized, you can modify which products are updated using the Products And Classifications dialog box, available through Options in the Update Services console, and shown in Figure 21-7.

Autonomous and replica modes

A single WSUS server can support approximately 25,000 clients. Large organizations often have multiple WSUS servers because it’s better to have a local WSUS server at each large site, rather than having clients pull updates and approvals across wide area network (WAN) links. Instead of administrators performing the same approvals on each WSUS server in the organization, you can configure a WSUS server as a replica of another server. When you configure a WSUS server as a replica, the downstream server copies all update approvals, settings, computers, and groups from its parent. You can configure the Update Source settings as well as specify information that enables WSUS to use a proxy server, through the Update Source And Proxy Server item in Options, in the Update Services console, and shown in Figure 21-8.

Update files

One of the benefits of deploying WSUS is that clients on the local network download their updates from the WSUS server rather than downloading updates from the Microsoft Update servers on the Internet. You can configure update storage location settings using the Update Files And Languages item in the Options area of the Update Services console. You can configure the following options, as shown in Figure 21-9:

• Store Update Files Locally On This Server. When you choose this option, you can choose whether to download files only after they have been approved; download express installation files, which install quicker on clients; or download files from Microsoft Update. With the last option, you can configure a server as a replica server but have update files downloaded from Microsoft Update rather than from the upstream replica server.

• Don’t Store Update Files Locally; Computers Install From Microsoft Update. When you configure this option, clients use WSUS for update approvals but retrieve the updates from the Microsoft Update servers on the Internet. This option is most appropriate when you are providing update approvals to clients located outside of the organizational network.

WSUS security roles

In large organizations, you are more likely to separate the roles of server administrator and update administrator. When you install WSUS, two local security groups are created. By adding users to these groups, you grant users the permission to perform the tasks assigned with these roles. The roles are as follows:

• WSUS Administrators. Users who are added to the local WSUS Administrators group can perform any WSUS administration task. These tasks include approving updates, managing computer groups, configuring automatic approval rules, and modifying the WSUS server’s update source.

• WSUS Reporters. Users who are members of this role can run reports on the WSUS server. These reports detail the update compliance status on the basis of update and computer. For example, a user who is a member of this group can run a WSUS report and determine which computers are missing a specific critical update.

WSUS groups

You can use WSUS groups to organize computers for the purpose of deploying updates. For example, you might have a WSUS group for servers in Sydney and another WSUS group for servers in Melbourne. A computer can be a member of multiple WSUS groups, and WSUS groups can exist in parent–child relationships. For example, the Australia WSUS group might have both the Melbourne and Sydney WSUS groups as members. Updates approved for the Australia group are automatically approved for members of the Melbourne and Sydney groups unless overridden.

You can assign computers to WSUS groups manually or through Group Policy. Computers can be assigned to WSUS groups through Group Policy only if the computer groups already exist on the WSUS server. To assign a computer manually, the computer must have already reported to the WSUS server. Computers that have reported to the WSUS server but have not been assigned to a group are members of the Unassigned Computers group.

An administrator must create WSUS groups. To create a WSUS group, perform the following steps:

1. Open the Update Services console.

2. Click the group you want to have as the parent group. The Computers/All Computers group is the parent group for all groups.

3. From the Action menu, click Add Computer Group.

4. Specify the computer group name and click Add.

WSUS policies

You can configure most WSUS client options through Group Policy. Many of these policies are related to the experience that users of client operating systems have when updates are installed and are not directly applicable to updating server operating systems. Windows Update policies are located in the Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows Update node of a standard GPO, as shown in Figure 21-10.

The most important policies from the perspective of the server administrator are as follows:

• Configure Automatic Updates. You can enable automatic updating, specify a day for update installations, and you can specify a time for update installation to occur. It’s usually not a good idea to have this one policy to apply to all servers in your organization. Having all servers install and reboot at the same time can cause substantial disruptions.

• Specify Intranet Microsoft Update Service Location. You can specify the location of the WSUS server and the statistics server. (The statistics server receives information on successful update installation and is usually the same as the WSUS server.)

• Automatic Update Detection Frequency. Determines how often the computer checks for updates.

• Enable Client-Side Targeting. Use this policy to specify which WSUS groups computers should be a member of. If the names do not match, those computers end up in the Unassigned Computers group.

Deploying updates

When you deploy updates, you decide whether to deploy the update, to which computer groups you deploy the update, and what deadline should apply to the deployment. You can deploy an update multiple times to different groups, so you can deploy an update to a test group and then, if no issues arise with the update, deploy the update more generally. Prior to deploying updates, you should perform a synchronization, which ensures that the WSUS server is up to date before choosing whether to deploy updates.

To deploy an update, perform the following steps:

1. Open the Update Services console and select the UpdatesAll Updates node. You can also select a child node, such as Critical Updates, if you want to view only available critical updates.

2. Set the Approval setting to Unapproved, set the Status to Any, and click Refresh. All unapproved updates are then listed.

3. Click one or more updates and then click Approve in the Actions pane.

4. In the Approve Updates dialog box, select which computer groups the update is approved for. You can choose between the following settings:

   • Approved For Install. Approves the update.

   • Approved For Removal. Removes a previously deployed update.

   • Not Approved. Does not approve the update.

   • Keep Existing Approvals. Inherits the approval from the parent group.

   • Deadline. Specifies an update deployment deadline.

Automatic approval rules

Automatic approval rules enable specifically categorized updates to be automatically approved. For example, you might choose to automatically approve critical updates for the Sydney-Development-Servers WSUS group, as shown in Figure 21-11.

To configure an automatic approval rule, perform the following steps:

1. Open the Update Services console. You can do this from the Tools menu of Server Manager or by right-clicking the server in a Server group and clicking Windows Server Update Services.

2. In the Update Services console, click Options, and then click Automatic Approvals.

3. In the Automatic Approvals dialog box, click New Rule.

4. In the Add Rule dialog box, choose the following rule options:

   • When An Update Is In A Specific Classification. You can choose that the rule applies when an update matches a specific classification or number of classifications. Update classifications include Critical Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, and Updates. Microsoft includes classifications for each software update when it publishes the update.

   • When An Update Is For A Specific Product. You can specify products, either by category, such as Exchange, or by specific product, such as Exchange Server 2213.

   • Approve The Update For A Specific Computer Group. The update can be approved for selected computer groups.

   • Set An Approval Deadline. Sets an installation deadline for the update based on the time and date the update was first approved.