Analysis of Windows Events Report
In order to comply with emerging standards, IT infrastructure operators require a wide range of reports that reveal the service level achieved by a target environment, intermittent breaks in service delivery (if any), the reasons for the breaks, how quickly the service was restored, etc. To cater to these compliance requirements, the eG Reporter offers the Analysis of Windows Events report.
Many applications record errors and events in various proprietary error logs. These proprietary logs have different formats and different user interfaces, and the system administrator cannot merge their data into a single, complete report; the administrator therefore has to check a variety of sources to diagnose a problem. Event logging in Microsoft Windows provides a standard, centralized way for applications and the operating system to record important software and hardware events. The event-logging service stores events from various sources in a single collection called an event log. The system administrator can use the event log to determine what conditions caused an error and the context in which it occurred, and by periodically reviewing the event log may be able to identify problems (such as a failing hard drive) before they cause damage.
However, because event logs are maintained per server, and because there is no common interface for viewing the event log information collected from across the environment, it is almost impossible for administrators to perform effective enterprise-wide correlation and analysis of events. This greatly hinders problem recognition and resolution. The primary purpose of the Analysis of Windows Events report is therefore to enable administrators to pull event log data from multiple sources on multiple host pools across the environment into a centralized database, so that efficient queries can be executed and the necessary event information viewed from a single interface. Secondly, and most importantly, because this report serves as a "one-stop-shop" for clear, concise event information related to the target environment, it brings to light errors, warnings, and security breaches that could have hampered the normal functioning of the target environment.
This capability is particularly useful for organizations in the financial and healthcare sectors, which have stringent Sarbanes-Oxley and HIPAA compliance requirements, respectively.
To view the Analysis of Windows Events report, do the following:
- Follow the menu sequence: REPORTS BY FUNCTION -> Domain-specific Reports -> Azure Virtual Desktop -> By Host Pool -> Analysis of Windows Events.
- From the Analyze by list of Figure 1, pick the criterion for searching for the hosts/systems from which event log information needs to be extracted. The options are: Zone, Service, Segment, and System. If the Zone option is selected from the Analyze by list, a Zone list box will appear. From this list, select the zone containing the hosts from which the event log details are to be collected. If you select the Service or Segment option from the Analyze by list, a Service or Segment list box (as the case may be) will appear. From the corresponding list, select the Service or Segment containing the systems to participate in the event log aggregation. If you want to choose the candidates for log aggregation from across all managed systems in the environment, select the System option from the Analyze by list.
Note:
If the hosts/systems from which event log information is to be retrieved are not part of any existing zone, then you can choose the Default option from the Zone list. This zone is automatically created by the eG Enterprise system, and includes all those infrastructure elements that are not mapped to any zone, segment, or service.
- If you select a particular Zone, Service, or Segment, the Component Type list box will be populated with only those distinct component types that belong to the chosen Zone, Service, or Segment. However, if the System option is chosen from the Analyze by list, Microsoft AVD Host Pool will be displayed in the Component Type list box by default.
- The HostPool list will then be populated automatically with all the host pools pertaining to that component type. If the HostPool list contains too many host pools, viewing all of them and selecting the ones you need for report generation could require endless scrolling. To avoid this, you can click the button next to the HostPool list. The HostPool pop-up window will then appear, in which you can view almost all the components in a single interface and select the ones for which the report is to be generated.
- Next, pick the type of event logs for which the report is to be generated from the Log Type list. The options are: Application, Security, and System.
- Typically, the eG agent executes an Application Event Log test, a System Event Log test, and a Security Log - AVD test on a Microsoft AVD Host Pool to extract statistics related to the application, system, and security events (respectively) that occur on that host. While configuring these tests, you can provide specific 'event source-ID-description' combinations to be monitored on the host. The Display Names assigned to these configured combinations become the 'descriptors' of these tests, and the Descriptor list in this page is populated with these Display Names only. From this list, select the descriptor for which the event log report is to be generated.
- For details on a specific event source, select an Event Source from the list. The default selection is All Event Sources, which retrieves details pertaining to all the event sources on the chosen host pools.
- Next, from the Event ID list (see Figure 1), pick the criterion by which the event logs should be filtered. By default, the All Event ID option is chosen from this list. You can choose from the following options:
- Specific: If the Specific option is chosen, you can filter specific event log IDs by providing a comma-separated list of IDs in the IDs text box.
- Range: If the Range option is chosen from the Event ID list, specifying From and To values will filter the event logs to those whose IDs fall within that range.
- If you want to view the event log information related to a particular category, select the Category Type of event from the list box. The contents of this list box will change based on the Component Type and Log Type chosen.
- If you wish to generate the report for the event logs that contain a specific string of interest, provide that string in the Event Description text box. For example, if you provide 'protocol' in this text box, only the event logs whose description contains the word 'protocol' will be reported. By default, "*" is specified against this field, indicating that the report will include all entries.
- The Event Log metrics reported by the eG agent also include the name/ID of the user who triggered the events. The User list in this page consists of these users only. If you want a report on the events triggered by a particular user, select a user from this list. For events associated with all users, go with the default All Users option.
- Provide a report Timeline. You can either select a fixed timeline such as 1 hour, 2 days, etc., or choose the Any option from the Timeline list and then provide a From and To date/time for report generation.
Note:
For every user registered with the eG Enterprise system, the administrator can indicate the maximum timeline for which that user can generate a report. Once the maximum timeline is set for a user, then, whenever that user logs into eG Reporter and attempts to generate a report, the Timeline list box in the report page will display options according to the maximum timeline setting of that user. For instance, if a user can generate a report for a maximum period of 3 days only, then 3 days will be the highest option displayed in the Timeline list - i.e., 3 days will be the last option in the fixed Timeline list. Similarly, if the user chooses the Any option from the Timeline list and proceeds to provide a start date and end date for report generation using the From and To specifications, eG Enterprise will first check if the user's Timeline specification conforms to his/her maximum timeline setting. If not, report generation will fail. For instance, for a user who is allowed to generate reports spanning over a maximum period of 3 days only, the difference between the From and To dates should never be over 3 days. If it is, then, upon clicking the Run Report button a message box will appear, prompting the user to change the From and To specification.
- In large environments, reports generated using months of data can take a long time to complete. Administrators therefore have the option of generating reports on-line or in the background. When a report is scheduled for background generation, administrators can proceed with their other monitoring, diagnosis, and reporting tasks while the eG manager processes the report, which saves them valuable time. To schedule background processing of a report, select either the Background Save - PDF option or the Background Save - CSV option from the Report Generation list. In this case, a Report Name text box will appear, in which you provide the name under which the report is to be saved. To process the report in the foreground, select the Foreground Generation - HTML option from this list.
Note:
- The Report Generation list will appear only if the EnableBackgroundReport flag in the [BACKGROUND_PROCESS] section of the eg_report.ini file (in the [EG_INSTALL_DIR]\manager\config directory) is set to Yes.
- The default selection in the Report Generation list changes according to the Timeline specified for the report. If the Timeline is greater than or equal to the number of days specified against the MinDurationForReport parameter in the [BACKGROUND_PROCESS] section of the eg_report.ini file, the default selection in the Report Generation list will be Background Save - PDF. If the Timeline is less than the value of the MinDurationForReport parameter, the default selection will be Foreground Generation - HTML. This is because the MinDurationForReport setting governs when reports are to be processed in the background. By default, this parameter is set to 2 weeks, which means that, by default, reports with a timeline of 2 weeks or more are processed in the background.
- Finally, click the Run Report button to view the query results.
- The resulting report (see Figure 2) consists of two sections: a Summary section that provides an event type-wise count of events, and a Details section that provides the details of the events logged; these details include:
- the event type
- the date/time on which the event occurred
- the event source
- the event category
- the event ID
- the user who is responsible for the occurrence of the event
- the system on which the event occurred
- a detailed description of the event
- If the Background Save - PDF option is chosen from the Report Generation list, clicking the Run Report button will not generate the report and display it in this page. Instead, a message indicating that the report is being processed in the background will appear, accompanied by a link to the page that lists all the reports being processed in the background and their current status. If background report generation fails for a report, you can regenerate that report from this page, or delete it if need be. If background processing completes successfully, you can view a PDF of the report by clicking the icon provided on that page.
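When validating what the report shows, it helps to reproduce the same filters and the same Summary/Details layout directly on one session host, straight from the Windows event log the eG agent reads. The following PowerShell script is an added example for that cross-check; it is not part of the eG Enterprise product or its documentation. The host name (avd-host-01), the event ID range, the description string, the user SID and the one-hour timeline are assumed values chosen for illustration.

```powershell
# Added example (not eG Enterprise code): reproduce the Analysis of Windows Events
# report's filters (Log Type, Event ID Specific/Range, Event Description, User,
# Timeline) and its Summary/Details sections on one session host via Get-WinEvent.
# All parameter defaults below are assumed, illustrative values.
param(
    [string]   $ComputerName = 'avd-host-01',            # assumed session host name
    [string]   $LogType      = 'Security',               # Application | Security | System
    [int[]]    $EventIds     = 4624..4634,               # "Range" From/To; use @(4625, 4740) for "Specific"
    [string]   $Description  = '*',                      # "*" = no description filter, as in the report
    [string]   $UserSid      = '',                       # e.g. 'S-1-5-18'; empty = All Users
    [timespan] $Timeline     = (New-TimeSpan -Hours 1)   # fixed timeline, e.g. 1 hour
)

$now = Get-Date
$filter = @{
    LogName   = $LogType
    Id        = $EventIds
    StartTime = $now - $Timeline
    EndTime   = $now
}
if ($UserSid) { $filter['UserID'] = $UserSid }   # FilterHashtable expects the SID, not the account name

# Get-WinEvent raises an error when nothing matches; treat that as an empty
# result but let genuine failures (RPC unreachable, access denied) surface.
try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    if ($_.Exception.Message -like 'No events were found*') { $events = @() } else { throw }
}

# Event Description in the report is a substring match; "*" keeps everything.
if ($Description -ne '*') {
    $events = @($events | Where-Object { $_.Message -like "*$Description*" })
}

# Security log entries all carry level "Information"; their type is the
# Audit Success / Audit Failure keyword, so use that where present.
function Get-EventType($e) {
    if ($e.KeywordsDisplayNames -contains 'Audit Failure') { return 'Audit Failure' }
    if ($e.KeywordsDisplayNames -contains 'Audit Success') { return 'Audit Success' }
    return $e.LevelDisplayName
}

# Details section: the same columns the report lists.
$details = $events | Select-Object `
    @{ n = 'EventType';   e = { Get-EventType $_ } },
    @{ n = 'Time';        e = { $_.TimeCreated } },
    @{ n = 'Source';      e = { $_.ProviderName } },
    @{ n = 'Category';    e = { $_.TaskDisplayName } },
    @{ n = 'EventID';     e = { $_.Id } },
    @{ n = 'User';        e = { $_.UserId } },
    @{ n = 'System';      e = { $_.MachineName } },
    @{ n = 'Description'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only

# Summary section: event type-wise count.
$summary = $details | Group-Object EventType | Select-Object Name, Count

$summary | Format-Table -AutoSize
$details | Format-Table -AutoSize -Wrap
```

Run it with the same Log Type, Event ID selection, description string and timeline you entered in the report, and compare its Summary counts with the report's Summary section; a mismatch usually points at a descriptor (event source-ID-description combination) that is not configured on the agent's test, since the report only contains events the agent was told to collect. Reading the Security log, locally or remotely, requires an account with read access to that log (for example, membership in the host's Event Log Readers group or an administrator), and the remote form additionally needs the Windows Event Log service reachable over RPC. The description filter is applied after retrieval, so keep the Event ID filter and the timeline tight to bound how many events are pulled from the host.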