Logs monitor events occurring in the system and record hardware, software, and system issues. When an instance is attacked or an issue occurs on an application, you can locate the critical problems based on logs. This improves work efficiency and instance security. This topic uses Windows Server 2012 R2 as an example to describe how to use and analyze four types of logs.


You must have registered an Alibaba Cloud account before you follow the instructions provided in the tutorial. If not, create a new Alibaba Cloud account first.

Background information

Windows logs can be further divided into system logs, application logs, security logs, and application and service logs.

View logs in Windows Event Viewer

Perform the following steps to open Event Viewer:

  1. Click Start and open the Run dialog box.
  2. Run the eventvwr command in the dialog box to open Event Viewer.
  3. View the following four types of logs in Event Viewer:
    Note For IDs of all error logs found by using log-viewing methods described in this topic, you can find the corresponding solutions in the Microsoft Knowledge Base.
    • System logs

      In the left-side navigation pane, choose Windows Logs > System to view system logs.

      System logs contain events recorded by Windows system components. For example, the failure of a driver or other system components to load during startup is recorded in the system log.

      The types of events recorded by system components are predetermined by Windows.

    • Application logs

      In the left-side navigation pane, choose Windows Logs > Application to view application logs.

      Application logs contain events logged by applications. For example, a database program can record a file error in the application log.

      The types of the events recorded in application logs are determined by developers.

    • Security logs

      In the left-side navigation pane, choose Windows Logs > Security to view security logs.

      Security logs contain valid and invalid logon attempts and events related to resource use, such as creating, opening, or deleting files or other objects.

      The types of the events recorded in security logs are determined by administrators. For example, if logon auditing is enabled, the security logs will record logon attempts.

    • Application and service logs

      An application and service log is a new type of event log. Application and service logs contain events from a single application program or component rather than events that can affect the whole system.

Modify the log path and back up logs

By default, logs are stored on the system disk. The maximum size of logs is 20 MB. If the limit is exceeded, previous events will be overwritten. You can modify the log path as needed.

Perform the following steps to modify the log path and back up logs:

  1. In the left-side navigation pane of Event Viewer, click Windows Logs.
  2. In the right-side list, right-click a log name and choose Properties from the shortcut menu.
  3. In the Log Properties dialog box that appears, modify the following parameters:
    • Log path
    • Maximum log size (KB)
    • When maximum event log size is reached: