Partilhar via


Event Properties

Applies To: Windows Server 2008, Windows Vista

The following table lists the common event properties. For more information about event properties and the underlying XML schema, see the Event Representation for Event Consumers topic in the Windows Event Log Software Development Kit (SDK) online.

Property Name Description

Source

The software that logged the event, which can be either a program name, such as "SQL Server", or a component of the system or of a large program, such as a driver name. For example, "Elnkii" indicates an EtherLink II driver.

Event ID

A number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event Log service is started. The first line of the description of such an event is "The Event log service was started." The Event ID and the Source can be used by product support representatives to troubleshoot system problems.

Level

A classification of the event severity. The following event severity levels can occur in the system and application logs:

  • Information. Indicates that a change in an application or component has occurred, such as an operation has successfully completed, a resource has been created, or a service started.

  • Warning. Indicates that an issue has occurred that can impact service or result in a more serious problem if action is not taken.

  • Error. Indicates that a problem has occurred, which might impact functionality that is external to the application or component that triggered the event.

  • Critical. Indicates that a failure has occurred from which the application or component that triggered the event cannot automatically recover.

The following event severity levels can occur in the security log:

  • Success Audit. Indicates that the exercise of a user right has succeeded.

  • Failure Audit. Indicates that the exercise of a user right has failed.

In the Event Viewer normal list view, these are represented by a symbol.

User

The name of the user on whose behalf the event occurred. This name is the client ID if the event was actually caused by a server process or the primary ID if impersonation is not taking place. Where applicable, a security log entry contains both the primary and impersonation IDs. Impersonation occurs when the server allows one process to take on the security attributes of another.

Operational Code

Contains a numeric value that identifies the activity or a point within an activity that the application was performing when it raised the event. For example, initialization or closing.

Log

The name of the log where the event was recorded.

Task Category

Used to represent a subcomponent or activity of the event publisher.

Keywords

A set of categories or tags that can be used to filter or search for events. Examples include "Network", "Security", or "Resource not found."

Computer

The name of the computer on which the event occurred. The computer name is typically the name of the local computer, but it might be the name of a computer that forwarded the event or it might be the name of the local computer before its name was changed.

Date and Time

The date and time that the event was logged.

The following table lists the properties that can be displayed by adding columns to the Event Viewer display. For more information about adding columns to the display, see Show or Hide Event Properties.

Property Name Description

Process ID

The identification number for the process that generated the event.

Thread ID

The identification number for the thread that generated the event.

Processor ID

The identification number for the processor that processed the event.

Session ID

The identification number for the terminal server session in which the event occurred.

Kernal Time

The elapsed execution time for kernal-mode instructions, in CPU time units.

User Time

The elapsed execution time for user-mode instructions, in CPU time units.

Processor Time

The elapsed execution time for user-mode instructions, in CPU ticks.

Correlation Id

Identifies the activity in the process for which the event is involved. This identifier is used to specify simple relationships between events.

Relative Correlation Id

Identifies a related activity in a process for which the event is involved.