1.3.1 Background

Event logs allow applications or the operating system to store historical information that might be of interest to administrators. The information is organized as a sequential set of records, which are referred to as events. An example of an event would be a specific user logging on to the computer. Once a record is written, it becomes an event and is treated as a read-only item that is never updated again.

The events represented in an event log are referred to as records. Records are composed of fields and are numbered uniquely by one of the fields; that is, the first event has its record number set to 1, the second event has its record number set to 2, and so forth. Logs can be configured to be circular. A circular log is one in which the oldest records are overwritten after the log reaches its maximum size.

A computer can have several event logs. One log might be devoted to security events while another might be for general application use.

Applications or components that write to event logs are known as event sources. A single event log might contain events from many event sources. However, a particular event source can write to only a single log. That is, a component that writes to multiple event logs is considered for purposes of this specification to be multiple event sources, with one event source per event log.

Event sources write several kinds of events. For example, a user logging on to the computer could be one kind of event, and a user logging off would be another kind of event. When an event source writes an event, it specifies an EventID that indicates what specific kind of event is being written. This EventID is reused whenever another event of this same type is written in the future. An event can optionally contain an event category, which commonly expresses an application-specific value that is used for grouping events.

An event log can be either a live event log or a backup event log. A live event log is one that is currently in use and thus can be used for both reading and writing. It can be used to create a backup event log, which is a read-only snapshot of a live event log. Backup event logs are often used for archival purposes or for copying a backup event log from one computer to another for use by support personnel.
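As an added example (not part of this specification), the Python model below illustrates the record-numbering, circular-overwrite and read-only snapshot behaviour described above. The names `EventLog`, `EventRecord`, `overwritten_count` and `record_number_gaps` are hypothetical, the log is a constructed in-memory structure, and the protocol's wire format is not modelled. It shows why a backup of a circular log can begin at a record number greater than 1 (earlier records were overwritten, but their numbers are never reused) and how a reader can check a snapshot for missing record numbers.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)  # a written record is read-only and never updated
class EventRecord:
    record_number: int   # unique, assigned sequentially starting at 1
    source: str          # the event source that wrote the record
    event_id: int        # kind of event; reused for every event of this kind
    category: Optional[int] = None  # optional application-specific grouping


class EventLog:
    """Constructed model of a live event log (hypothetical, not MS-EVEN's format)."""

    def __init__(self, name: str, max_records: int, circular: bool = True):
        self.name = name
        self.max_records = max_records
        self.circular = circular
        self._records: deque = deque()
        self._next_number = 1  # record numbers keep growing after wraparound

    def write(self, source: str, event_id: int, category: Optional[int] = None) -> EventRecord:
        if len(self._records) >= self.max_records:
            if not self.circular:
                raise RuntimeError(f"event log {self.name} is full")
            self._records.popleft()  # circular log: oldest record is overwritten
        rec = EventRecord(self._next_number, source, event_id, category)
        self._next_number += 1
        self._records.append(rec)
        return rec

    def backup(self) -> Tuple[EventRecord, ...]:
        """Read-only snapshot of the live log (a backup event log)."""
        return tuple(self._records)


def overwritten_count(snapshot: Tuple[EventRecord, ...]) -> int:
    """Records lost to circular overwrite before the snapshot was taken.
    Numbering starts at 1 and is never reused, so the first number in the
    snapshot minus 1 is the count of records that existed but are gone."""
    return snapshot[0].record_number - 1 if snapshot else 0


def record_number_gaps(snapshot: Tuple[EventRecord, ...]) -> list:
    """Record numbers missing between consecutive records in a snapshot.
    A well-formed snapshot has none; a gap means records are absent."""
    numbers = [r.record_number for r in snapshot]
    return [n for a, b in zip(numbers, numbers[1:]) for n in range(a + 1, b)]
```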