Accessing Event Viewer Logs on Remote Computers
Information Technology (IT) staff needs access to the Event Viewer logs on Windows Servers and clients for many reasons. Network administrators are interested because they are responsible for monitoring and managing the Windows Servers. Security professionals are interested in the Event Viewer security logs to look for any suspicious activities and security violations. Help Desk is interested in troubleshooting user login issues and account lockouts. Accessing the Event Viewer logs on a local computer is not a problem, but IT staff often needs access to these logs on the remote computers (servers and workstations). You can use the Event Viewer tool to connect to Event Viewer logs on remote computers. In this article I will show you how. I will also walk you through the steps for creating a custom console so you can monitor Event Viewer logs on multiple computers from a single console.
NOTE: As long as you have the necessary permissions, you can access Event Viewer logs on all remote Windows computers: Windows servers and clients.
Accessing Remote Computer’s Event Viewer
- Log in to the local computer as an administrator.
- Start the Event Viewer. For example, on a Windows 10 computer type Event Viewer in the search box. You can also type EventVwr <computername> at the command prompt, where <computername> is the name of the remote computer.
- You will be connected to the remote computer right away, but you may not have the rights to view the Event Viewer logs if you don’t connect to the remote computer with the proper permissions. For example, if you are logged in to a Windows 10 computer as a standard user and you connect to a Domain Controller (DC), you may get the following error message:
Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. Access is denied (5)
- In the Event Viewer console, right-click Event Viewer (Computername), where computername is the name of the computer you are connected to. Make sure you highlighted the very top item in the navigation pane (Event Viewer Computername) or else the Connect to Another Computer option won’t be available.
- Select Connect to Another Computer.
- Type the computer name of the other computer, e.g. DC1, and check the box Connect as another user: <none>. Now you can provide the credentials for a user that has access to the remote computer, e.g. CONTOSO\Administrator.
- Click OK twice and you will have access to the Event Viewer logs on the remote computer. You can view the events, copy the events, save the entire log, or take other actions just as you were able to do locally on the remote computer.
Viewing Remote Logs for Multiple Servers in a Single Console
As I stated earlier, IT staff is often interested in accessing Event Viewers on multiple computers. However, the Event Viewer is designed to view logs on one computer at a time. To view event logs of multiple computers, network administrators can create a custom Microsoft Management Console (MMC). MMC is a built-in tool available on all Windows computers.
- In the search box type MMC and press Enter.
- In the User Account Control window click Yes.
- In the new MMC console select File -> Add/Remove Snap-in… to create a new MMC console.
- You can now customize the console to add any tools you need. We want to add the Event Viewer for multiple computers so you will look for the Event Viewer in the Available snap-ins section and click Add to add it to the Selected snap-ins section.
- Repeat the above step to add Event Viewer for all the remote computers you want to monitor. If you configure this MMC console on a Domain Controller, you don’t need to provide the necessary credentials to add DCs or member servers because you will have the required permissions. If you are creating the custom MMC on a workstation then provide the credentials as necessary.
- If you add the Event Viewer for the local computer and two Domain Controllers (DC1 and DC2) in Contoso domain, your screen may look something like this.
- Click OK and then save the MMC from the File menu. Give it an appropriate name, e.g. Custom Event Viewer Console. By default, the MMC will be saved to the Windows Administrative Tools. If you don’t want to save it there, you can save it to your desktop or somewhere else.
NOTE: Unlike a built-in MMC, which doesn’t allow you to save customized settings, a custom MMC that you create will remember your personalized settings. Just remember to save the MMC if you add new snap-ins to the console or customize the settings.
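The same multi-computer view can also be scripted. The following PowerShell is an added example, not part of the original article: it uses Get-WinEvent to read failed-logon (4625) and account-lockout (4740) events from the Security log on DC1 and DC2 and reports the Access is denied case separately. The computer names, event IDs, 24-hour window and 200-event limit are assumptions.

```powershell
# Added example: computer names, event IDs and the time window are assumptions.
$computers = 'DC1', 'DC2'            # remote computers used in the article
$cred      = Get-Credential          # e.g. CONTOSO\Administrator

$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4740           # failed logon, account lockout
    StartTime = (Get-Date).AddHours(-24)
}

$results = foreach ($computer in $computers) {
    try {
        Get-WinEvent -ComputerName $computer -Credential $cred `
                     -FilterHashtable $filter -MaxEvents 200 -ErrorAction Stop |
            Select-Object @{ n = 'Computer'; e = { $computer } },
                          TimeCreated, Id,
                          @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
    catch [System.UnauthorizedAccessException] {
        # Scripted equivalent of the "Access is denied (5)" dialog in Event Viewer
        Write-Warning "${computer}: access denied; this account cannot read the Security log."
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # Get-WinEvent raises an error when the filter matches nothing
            Write-Verbose "${computer}: no matching events in the last 24 hours."
        }
        else {
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }
}

# One merged, time-ordered view across all computers
$results | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```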
Thanks for reading my article. If you are interested in IT consulting & training services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.
Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.
Hi Alexander
We are working in a Domain Environment. When checking the Security log in Event Viewer on a user end computer, we are getting the error (“Event viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. Access is denied (5)”)
Note: The Security log can be checked successfully with a local admin login, but when we check the log with an AD user we get the error.
Please help me asap.
Hi Napendra,
Looks like the user doesn’t have the proper permissions in the registry. Try the fix provided by Microsoft at https://support.microsoft.com/en-us/help/2751670/we-are-seeing-an-error-where-we-are-unable-to-access-the-security-log.
Hi Alexander,
I have installed a Windows virtual machine on my computer. When I try to access the Windows event log of the remote machine, i.e. the Windows virtual machine, from the local computer, it shows Access denied.
Please help me asap.
Shivraj, how are you trying to access the Event Viewer of the virtual machine? Are you using Event Viewer from your host machine to connect to Event Viewer in the VM, or are you trying to access the Event Viewer while you are connected to the “VM Console” in Hyper-V? Please make sure that you are logged into both computers as an administrator.
Hello Everyone,
I have had a concern for about a few months regarding computer names in my Event Viewer.
I’m not technically sure why, after a fresh format with Windows 10, I also see a different computer name in the Event Viewer list (Windows Logs & Custom Views).
I have also blocked remote access because I’m concerned that someone has hacked me, but I still see a different computer name, which is exactly “WIN-FDBVR6DS5SL”. Maybe this is a Windows user/computer name, but I’m not sure.
If anyone could explain, I would really appreciate it.
Regards
Hi Lorenc, when you install a fresh copy of Windows 10, the computer randomly generates a computer name, similar to the one you have mentioned, because it doesn’t know what name to use. However, if you upgrade a computer, its name will remain the same. You can simply rename the computer (up to 15 characters). Use my article on how to rename the computer and to follow best practices for computer name: https://www.zubairalexander.com/blog/windows-computer-name-best-practices-and-recommendations.
You may want to mention that the Connect to Another Computer option is only available if you are clicked on the top item in the left hand navigation pane. If you are clicked anywhere else the option is not there.
@Kim: I thought I already made that clear because in step #4 I said to right-click Event Viewer (Computername), which is the top item in the navigation pane. Anyway, I’ve reiterated the point in the next sentence per your suggestion. I appreciate your feedback. Thanks.
Thank you for sharing this information. It really helped.