Event Log Explorer blog

Windows Event. Level, Keywords or Type.

When you take the first look to Event Log Explorer, you may notice Type column in the event list. In the same time, Windows Event Viewer doesn’t have this column, which may confuse you.

If you worked with Windows Event Viewer in old times (with Windows XP or below), you could see the Type column. There were 5 types of events that can be logged in the classic Windows event log: Error, Warning, Information, Audit Success, and Audit Failure. The last 2 types were used for the Security log only.

Since Windows Vista (Windows Server 2008), Microsoft removed Type from the event schema and replaced it with Level. Windows uses the following levels: Critical, Error, Warning, Information, Verbose (although software developers may extend this set and add own specific levels). These levels define event severity, but they don’t define auditing status (success or failure). There is a new event attribute called keywords. Keywords is a 64-bit mask, every bit of each may represent a keyword. 2 bits of this mask represent Audit Success and Audit Failure events.

When a modern Windows Event Viewer displays the Security event log, it shows Keywords column and hides Level column by default. When it displays the other logs, it shows Level and hides Keywords. We believed that this behavior is not very smart and decided to leave classic behavior. So, we added Type column and removed Level and Keywords from the event list. When Event Log Explorer displays events, it defines the source of the event first. If this is an audit event from the Security log, it checks the keywords and displays either Audit Success or Audit Failure as the event type. If this event is not from the security log, it displays the event level as a type. We believe that this approach is better because we can merge security and other events in one list and show only one column for this. And this provides better compatibility with classic event logs as well.

Anyway, if you need to access real level and keywords attributes, you can always doubleclick on the even and check the XML representation of the event.

Download Event Log Explorer right now and check the benefits it brings in comparison with Windows Event Viewer.

Exit mobile version