Event Viewer and Resulting Internet Communication in Windows Server 2008
Applies To: Windows Server 2008
In This Section
Benefits and Purposes of Event Viewer
Overview: Using Event Viewer in a Managed Environment
How Event Viewer Communicates with Sites on the Internet
Controlling Event Viewer to Prevent the Flow of Information to and from the Internet
Procedures for Preventing the Flow of Information to and from the Internet Through Event Viewer
Additional References
Benefits and Purposes of Event Viewer
Administrators can use Event Viewer to view and manage event logs. Event logs contain information about hardware and software problems and about security events on your computer. A computer running Windows Server 2008 records events in at least three kinds of logs: application, system, and security. A computer running Windows Server 2008 that is configured as a domain controller records events in two additional logs, the Directory Service log and the File Replication Service log. A computer running Windows Server 2008 that is configured as a Domain Name System (DNS) server records DNS-related events in an additional log.
Other types of events and event logs might be available on a computer, depending on what services are installed.
Forwarding and Collecting Events
Windows Server 2008 includes the ability to collect copies of events from multiple remote computers and store them on one computer. Forwarding and collecting events in this way can be carried out across the Internet, and whether the forwarded events are encrypted in transit depends on how the forwarding is configured. Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The configuration you create for forwarding and collecting events is called an event subscription.
The process of collecting events depends on the Windows Remote Management (WinRM) service and the Windows Event Collector service. Both of these services must be running on computers participating in the forwarding and collecting process. The WinRM service supports communication through HTTPS (you can specify that the events that you forward across the Internet are encrypted before being sent).
It is outside the scope of this white paper to fully describe event collecting, event subscriptions, the Windows Remote Management (WinRM) service, or the Windows Event Collector service. For more details about forwarding and collecting events, see Additional References, later in this section.
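The white paper leaves the details of event collection to the references, but the one point it does make, that forwarding across the Internet is encrypted only if you configure it that way, is easy to check on the collecting computer. The following script is an added example, not part of the original white paper. It confirms that the two services named above are running, then reports the transport of every WinRM listener and of every collector-initiated subscription. The service names (WinRM, Wecsvc) and the winrm and wecutil commands are standard; the parsing assumes the "Transport = ..." and "TransportName: ..." lines those tools print in English locales.

```powershell
# Added example (not from the white paper): audit the transport used for event collection.
# Run as an administrator on the collecting computer.
# Assumption: winrm and wecutil print "Transport = HTTP|HTTPS" and "TransportName: HTTP|HTTPS"
# lines as they do in English locales; adjust the regular expressions if yours differ.

function Get-CollectorServiceState {
    # Both services must be running for forwarding and collecting to work.
    $state = @{}
    foreach ($name in 'WinRM', 'Wecsvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { $state[$name] = [string]$svc.Status } else { $state[$name] = 'NotInstalled' }
    }
    return $state
}

function Get-WinRmListenerTransports {
    # One "Listener" block per configured listener; each block carries a Transport line.
    $transports = @()
    $output = & winrm.cmd enumerate winrm/config/listener 2>&1
    foreach ($line in $output) {
        if ("$line" -match '^\s*Transport\s*=\s*(\S+)') { $transports += $Matches[1].ToUpper() }
    }
    return $transports
}

function Get-SubscriptionTransports {
    # wecutil es lists subscription names; wecutil gs <name> prints its settings.
    $result = @{}
    $names = & wecutil.exe es 2>&1 | Where-Object { "$_".Trim() -ne '' }
    foreach ($name in $names) {
        $details = & wecutil.exe gs "$name" 2>&1
        $transport = 'unknown'
        foreach ($line in $details) {
            if ("$line" -match '^\s*TransportName\s*:\s*(\S+)') { $transport = $Matches[1].ToUpper() }
        }
        $result["$name"] = $transport
    }
    return $result
}

function Get-ForwardingTransportReport {
    $lines = @()
    $services = Get-CollectorServiceState
    foreach ($name in $services.Keys) { $lines += "Service $name : $($services[$name])" }

    $listeners = Get-WinRmListenerTransports
    if ($listeners.Count -eq 0) {
        $lines += 'WinRM listeners : none (nothing can be received)'
    } else {
        $lines += "WinRM listeners : $($listeners -join ', ')"
    }
    if ($listeners -notcontains 'HTTPS') {
        $lines += 'WARNING: no HTTPS listener; events forwarded across the Internet would not be protected by TLS'
    }

    $subs = Get-SubscriptionTransports
    if ($subs.Count -eq 0) { $lines += 'Subscriptions   : none' }
    foreach ($name in $subs.Keys) {
        $flag = ''
        if ($subs[$name] -ne 'HTTPS') { $flag = '  <-- not HTTPS' }
        $lines += "Subscription $name : $($subs[$name])$flag"
    }
    return $lines
}

Get-ForwardingTransportReport | ForEach-Object { Write-Output $_ }
```

Source-initiated subscriptions are configured on the forwarding computers rather than in wecutil on the collector, so for those the listener transport on the collector is the line to read.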
Overview: Using Event Viewer in a Managed Environment
In Windows Server 2008, you can view Event Viewer in Server Manager (Start\Administrative Tools\Server Manager) in the console tree under Diagnostics. You can obtain detailed information about a particular event by double-clicking the event (or through other methods, such as right-clicking and then clicking Event Properties). The dialog box gives a description of the event, and can contain one or more links to Help.
Links can either be to Microsoft servers or to servers managed by the vendor for the software that generated the event. On Windows Server 2008, in Event Properties, the link next to More Information is labeled Event Log Online Help. By default, Event Log Online Help uses the following URL and appends the information shown in How Event Viewer Communicates with Sites on the Internet, later in this section.
https://go.microsoft.com/fwlink/events.asp
When you click the link, you are asked to confirm that the information presented to you can be sent over the Internet. If you click Yes, the information listed about the event is sent across the Internet. This information is described in more detail in How Event Viewer Communicates with Sites on the Internet, later in this section.
You might want to prevent users from sending this information over the Internet through this link and accessing a Web site. Alternatively, you may want to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization. In Windows Server 2008, you can control either of these through Group Policy.
You might also want to collect copies of events from multiple remote computers and store them on one computer. For information about this option, see "Forwarding and Collecting Events," earlier in this section and Additional References, later in this section.
How Event Viewer Communicates with Sites on the Internet
To access the relevant Help information provided by the link in the Event Properties dialog box, you must send the information listed about the event. The data collected is limited to what is needed for retrieving more information about the event from the Event Log Online Help. User names, e-mail addresses, and names of files unrelated to the logged event are not collected.
For information about the ability to collect copies of events from multiple remote computers and store them on one computer, see "Forwarding and Collecting Events," earlier in this section and Additional References, later in this section.
The communication across the Internet that takes place when a person clicks the Event Log Online Help link in the Event Properties dialog box is described in the following list:
Specific information sent or received: Information about the event sent over the Internet is appended to a URL, which by default is:
https://go.microsoft.com/fwlink/events.asp
The information appended to the URL includes:
Company name (software vendor)
Date and time
Product name and version (for example, Microsoft Windows Operating System, 6.0.nnnn)
Event ID (for example, 1010)
Event source (for example, Microsoft-Windows-Dhcp-Client)
Locale ID (for example, 1033 for English - United States)
The information that the user receives is the available information about the event, and may include additional links.
Default settings: The Event Log Online Help link in Event Viewer is enabled by default.
Triggers: The user chooses to send information about the event over the Internet to obtain more information about the event.
User notification: When a user clicks the link, a dialog box listing the information that will be sent is provided.
Logging: This is a feature of Event Viewer.
Encryption: The information is encrypted only if the link uses HTTPS. The default URL uses HTTPS; if you redirect the link to a Web server in your organization (see Controlling Event Viewer to Prevent the Flow of Information to and from the Internet, later in this section), the protection is whatever the URL you specify provides.
Access: No information is stored.
Privacy: Event information that is collected and sent to Microsoft when you click the Event Log Online Help link is used to locate, and then provide you with, additional information about the event. Microsoft does not use this information to contact you or identify you. The information is not stored.
Transmission protocol and port: Communication occurs over the standard port for the protocol in the URL, using either HTTP with port 80 or HTTPS with port 443.
Ability to disable: The ability to send information over the Internet or to be linked to a Web site can be prevented through a Group Policy setting.
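The list above describes what leaves the computer when the link is clicked, which is also what shows up in an outbound proxy log. The following script is an added example, not part of the white paper: it scans proxy log lines for Event Log Online Help lookups and lists, per request, which client made it, where it went, whether it was HTTPS, and every field carried in the query string. The three log lines are constructed for the example, and the query-string field names in them (CoName, ProdName, ProdVer, EvtID, EvtSrc, LCID) are assumptions chosen to mirror the items listed above; this page does not document the real parameter names, so the parser reports whatever fields it finds rather than looking for specific ones. The internal domain suffix example.local is likewise an assumption.

```powershell
# Added example (not from the white paper): find Event Log Online Help lookups in a proxy log.
# Constructed sample lines in the form: date time client-ip method url status.
# Assumption: the query-string field names below are illustrative; the parser is name-agnostic.
$SampleProxyLog = @(
    '2008-05-12 14:03:11 10.0.0.21 GET https://go.microsoft.com/fwlink/events.asp?CoName=Microsoft%20Corporation&ProdName=Microsoft%20Windows%20Operating%20System&ProdVer=6.0.6001&EvtID=1010&EvtSrc=Microsoft-Windows-Dhcp-Client&LCID=1033 200',
    '2008-05-12 14:03:12 10.0.0.21 GET https://www.microsoft.com/ 200',
    '2008-05-12 14:05:40 10.0.0.35 GET http://intranet.example.local/events.asp?CoName=Contoso&EvtID=2003&EvtSrc=ContosoBackup&LCID=1033 200'
)

# Assumption: hosts under this suffix are inside the organization; everything else is Internet.
$InternalSuffix = '.example.local'

function ConvertFrom-QueryString {
    param([string]$Query)
    $fields = @{}
    foreach ($pair in ($Query.TrimStart('?') -split '&')) {
        if ($pair -eq '') { continue }
        $kv = $pair -split '=', 2
        $name = [uri]::UnescapeDataString($kv[0])
        if ($kv.Count -gt 1) { $value = [uri]::UnescapeDataString($kv[1]) } else { $value = '' }
        $fields[$name] = $value
    }
    return $fields
}

function Get-EventsAspLookups {
    param([string[]]$Lines)
    $results = @()
    foreach ($line in $Lines) {
        $parts = $line -split '\s+'
        if ($parts.Count -lt 6) { continue }
        $url = $parts[4]
        # Only requests for an events.asp page, wherever it is hosted, are of interest.
        if ($url -notmatch '(?i)/events\.asp(\?|$)') { continue }
        $uri = [uri]$url
        $results += New-Object PSObject -Property @{
            Time      = "$($parts[0]) $($parts[1])"
            Client    = $parts[2]
            Server    = $uri.Host
            Encrypted = ($uri.Scheme -eq 'https')
            Internal  = $uri.Host.EndsWith($InternalSuffix, [StringComparison]::OrdinalIgnoreCase)
            Fields    = (ConvertFrom-QueryString -Query $uri.Query)
        }
    }
    return $results
}

foreach ($hit in (Get-EventsAspLookups -Lines $SampleProxyLog)) {
    if ($hit.Internal) { $where = 'internal' } else { $where = 'Internet' }
    if ($hit.Encrypted) { $tls = 'HTTPS' } else { $tls = 'HTTP, cleartext' }
    Write-Output ("{0}  {1} -> {2} ({3}, {4})" -f $hit.Time, $hit.Client, $hit.Server, $where, $tls)
    foreach ($name in ($hit.Fields.Keys | Sort-Object)) {
        Write-Output ("    {0} = {1}" -f $name, $hit.Fields[$name])
    }
}
```

Run against a real log export, an empty result after the policy in the next section is applied is the evidence that it took effect; a result showing an internal host over HTTP shows that a redirect has been configured with a URL that does not encrypt the event details.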
Controlling Event Viewer to Prevent the Flow of Information to and from the Internet
You can prevent administrators from sending information across the Internet and accessing Internet sites through Event Viewer by configuring Group Policy. Alternatively, you can redirect the requests that result from a person clicking a link in Event Viewer so that the requests go to a Web server in your organization. Both options are controlled through Group Policy.
These Group Policy settings affect only the flow of information to and from an intranet or the Internet through Event Viewer, not the other functions of Event Viewer.
Procedures for Preventing the Flow of Information to and from the Internet Through Event Viewer
The following procedure tells how to use Group Policy to prevent users from sending information across the Internet and accessing Internet sites through Event Viewer.
To Use Group Policy to Prevent the Flow of Information to and from the Internet Through Event Viewer
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate Group Policy object (GPO).
Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication Settings.
In the details pane, double-click Turn off Event Viewer "Events.asp" links, and then click Enabled.
Important
You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting, which is located in Computer Configuration under Policies (if present), in Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Server 2008.
The following procedure tells how to use Group Policy to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization.
To Use Group Policy to Redirect Links in Event Viewer to a Web Server in Your Organization
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate GPO.
Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Event Viewer.
In the details pane, double-click Events.asp URL, click Enabled, and then type the URL for the Web page that you want Event Viewer links to go to. Click OK.
In the details pane, double-click Events.asp program, click Enabled, and then type the path for the program to be used for displaying the URL that you typed in the previous step. If you want the page to be displayed in the Web browser and the Web browser is in the system path, you can type the name of the Web browser executable alone, for example, iexplore.exe. A fully qualified path, such as the full path to iexplore.exe, does not depend on the order in which the system path is searched and is the safer choice.
In the details pane, double-click Events.asp program command line parameters, click Enabled, and then type any command line parameters required for the program you typed in the previous step. If the program you typed in the previous step does not use parameters, clear the text box.
Note
Even after the preceding settings go into effect, when users click a link in Event Viewer, the user notification still appears, stating that Event Viewer will send information across the Internet and asking for confirmation. Regardless of the wording of that notification, if you carry out the preceding procedure and redirect the links to a Web server in your organization, the information goes to that server, not across the Internet.
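After either of the two preceding procedures has been applied, the following script reports what a computer will actually do when the link is clicked. It is an added example, not part of the white paper: it reads the registry values that the Turn off Event Viewer "Events.asp" links, Restrict Internet communication and Events.asp redirection policy settings write, and flags the two weak outcomes discussed above, a redirect URL that is not HTTPS and a redirect program given as a bare executable name. The registry key and value names used here are my reading of the ICM.admx and EventViewer.admx templates and should be treated as assumptions; confirm them against the templates in your environment (or the gpresult /h report) before relying on the output.

```powershell
# Added example (not from the white paper): report the effective Event Viewer link policy.
# Run on a computer after Group Policy has refreshed (gpupdate /force).
# Assumption: these key and value names are what the ICM.admx and EventViewer.admx templates
# write for the policies named in the procedures above; verify against your templates.
$EventViewerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EventViewer'
$InternetMgmtKey = 'HKLM:\SOFTWARE\Policies\Microsoft\InternetManagement'
$DefaultUrl = 'https://go.microsoft.com/fwlink/events.asp'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-EventViewerLinkPolicy {
    $findings = @()

    # "Restrict Internet communication" (Enabled) turns off this feature along with others.
    $restrictAll   = (Get-RegValue $InternetMgmtKey 'RestrictCommunication') -eq 1
    $linksDisabled = (Get-RegValue $EventViewerKey 'MicrosoftEventVwrDisableLinks') -eq 1
    $redirectUrl   = Get-RegValue $EventViewerKey 'MicrosoftRedirectionURL'
    $redirectProg  = Get-RegValue $EventViewerKey 'MicrosoftRedirectionProgram'
    $redirectArgs  = Get-RegValue $EventViewerKey 'MicrosoftRedirectionProgramCommandLineParameters'

    if ($restrictAll -or $linksDisabled) {
        $outcome = 'Links are turned off; no event information is sent anywhere.'
    } elseif ($redirectUrl) {
        $target = [uri]$redirectUrl
        $outcome = "Links are redirected to $($target.Host) over $($target.Scheme.ToUpper())."
        if ($target.Scheme -ne 'https') {
            $findings += 'Redirect URL is not HTTPS: event source, ID and product details travel in cleartext.'
        }
        if ($redirectProg -and -not [System.IO.Path]::IsPathRooted($redirectProg)) {
            $findings += "Redirect program '$redirectProg' is resolved through the search path; use a fully qualified path."
        }
        if ($redirectProg -and [System.IO.Path]::IsPathRooted($redirectProg) -and -not (Test-Path $redirectProg)) {
            $findings += "Redirect program '$redirectProg' does not exist on this computer."
        }
    } else {
        $outcome = "Default: links go to $DefaultUrl over HTTPS after the user confirms."
    }

    return New-Object PSObject -Property @{
        RestrictAll   = $restrictAll
        LinksDisabled = $linksDisabled
        RedirectUrl   = $redirectUrl
        RedirectProg  = $redirectProg
        RedirectArgs  = $redirectArgs
        Outcome       = $outcome
        Findings      = $findings
    }
}

$policy = Get-EventViewerLinkPolicy
Write-Output $policy.Outcome
foreach ($f in $policy.Findings) { Write-Output "  FINDING: $f" }
```

The Outcome line is what to compare against the user notification described in the Note above: the notification always speaks of the Internet, while the registry values decide where the request really goes.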
Additional References
For information about how to configure event forwarding and collecting, see the TechNet Web site at:
For detailed information about the WinRM service (one of the services used for event forwarding and collecting), see the MSDN Web site at:
For information about the Event Collector SDK, see the MSDN Web site at: