Using Event Logs, standards on fields, how to design?

This topic contains 2 replies, has 3 voices, and was last updated by i255d 1 year, 1 month ago.

  • #29547
    Dan Iverson

    I am building a Windows Server Provisioning system that will build VMs in VMware to specs filled out on a web front end that is already in place. On our DSC authoring server, we are using PowerCLI, PowerShell, DSC and SQL Express. These builds will be across multiple DCs, or domains, subnets and such. There will be modules that interact with InfoBlox (DNS) and Active Directory.
    We want to use Event Viewer for our logging, but having no experience with any of this before, we are wondering if we should create our own set of logs, or use an existing set, like PowerShell, and use Event IDs to designate items specific to this app?

    One concern expressed when considering creating our own is whether they would be picked up by Splunk.

    Another thought was to use common web errors for event IDs but adding a digit or two to the front of these to specify our app.

    Any thoughts or ideas, or good articles talking about what others have done, would be appreciated.

  • #29594
    Don Jones

    I can't answer the Splunk question; I'd think Splunk could be "taught" to find logs wherever they are. But doing your own logs would give you a lot of freedom and flexibility.

    But if the Event Log architecture is the answer you come to, I'd spend a lot of time looking at what Microsoft already does in the Operational and Debug logs. There aren't any authoritative documents for what you _should_ be doing; like much of Windows, just look at what various product teams in Microsoft _are_ doing and see if it makes sense for you.

    How you come up with your event IDs is more a question of how you plan to use the data. Will you need to be able to identify certain events? If so, having a unique ID would be helpful for filtering and searching. But which ones you'll need to do that with is something you'd have to answer, unfortunately.

  • #29736
    i255d

    I noticed I missed a letter in my open suggestion for using common web site errors (HTML errors), so I wanted to make that a little more clear and see if someone thought that might be a good direction.

    Thanks Don for your response.
    You said, "spend a lot of time looking at what Microsoft already does in the Operational and Debug logs", how do I do that? Where do I begin?

    As far as event IDs, my thought was that the different modules for the different parts of the process might have their own identifying numbers, like the first two digits of the event ID. For example, the HTML error 204 for "No Content" might be led by 54 for the module written to work with InfoBlox and DNS, so event ID 54204 would lead us to the right module, and hopefully to what part of the process did not work.
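    Below is an added example (not code from anyone in this thread) of what the two ideas above look like in Windows PowerShell 5.1: a dedicated custom event log with one source per module, and a composite event ID of the form <2-digit module prefix><3-digit code>, plus the inverse lookup for triage. The log name, source names and module prefixes are hypothetical.

```powershell
# Hypothetical names for the provisioning system's own log and its per-module sources.
$LogName      = 'ServerProvisioning'
$ModulePrefix = @{ InfoBlox = 54; ActiveDirectory = 55; VMware = 56 }   # first two digits of the ID

# One-time registration of the log and sources (needs elevation); safe to re-run.
function Initialize-ProvisioningLog {
    foreach ($module in $ModulePrefix.Keys) {
        $source = "Provisioning.$module"
        if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
            New-EventLog -LogName $LogName -Source $source
        }
    }
}

# Compose <prefix><code>, e.g. InfoBlox + 204 -> 54204.
# Caveat: Write-EventLog only accepts IDs 0..65535, so a two-digit prefix above 65 overflows.
function Get-ProvisioningEventId {
    param(
        [Parameter(Mandatory)][ValidateSet('InfoBlox','ActiveDirectory','VMware')][string]$Module,
        [Parameter(Mandatory)][ValidateRange(100, 999)][int]$Code
    )
    $id = $ModulePrefix[$Module] * 1000 + $Code
    if ($id -gt 65535) { throw "Event ID $id exceeds the 65535 limit of Write-EventLog" }
    return $id
}

# Inverse: recover module and code from an ID seen in Event Viewer or a SIEM.
function Resolve-ProvisioningEventId {
    param([Parameter(Mandatory)][ValidateRange(0, 65535)][int]$EventId)
    $prefix = [math]::Floor($EventId / 1000)
    $module = ($ModulePrefix.GetEnumerator() | Where-Object Value -eq $prefix).Name
    [pscustomobject]@{ EventId = $EventId; Module = $module; Code = $EventId % 1000 }
}

function Write-ProvisioningEvent {
    param(
        [Parameter(Mandatory)][string]$Module,
        [Parameter(Mandatory)][int]$Code,
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('Information','Warning','Error')][string]$EntryType = 'Information'
    )
    $id = Get-ProvisioningEventId -Module $Module -Code $Code
    Write-EventLog -LogName $LogName -Source "Provisioning.$Module" -EventId $id `
                   -EntryType $EntryType -Message $Message
}

# Usage: log the "No Content" case from the post, then pull the last day of InfoBlox events.
Initialize-ProvisioningLog
Write-ProvisioningEvent -Module InfoBlox -Code 204 -EntryType Warning -Message 'InfoBlox returned no record for host.'
Resolve-ProvisioningEventId -EventId 54204          # -> Module InfoBlox, Code 204
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = 'Provisioning.InfoBlox'; StartTime = (Get-Date).AddDays(-1) }
```

    On the Splunk question: a custom log is just another channel, so the Universal Forwarder reads it with a `[WinEventLog://ServerProvisioning]` stanza in inputs.conf, the same way it reads Application or System.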
