How to View Event Viewer Logs on Windows Server

Event Viewer is Windows Server’s built-in log viewer — it records everything from application errors and security events to hardware warnings and service failures. When something goes wrong on a server, Event Viewer is usually the first place to look. Here is how to use it effectively.

Opening Event Viewer

Several ways to open it:

  • Press Win + R and type eventvwr.msc
  • Search for “Event Viewer” in the Start menu
  • Right-click the Start button → Event Viewer
  • In Server Manager, go to Tools → Event Viewer

Understanding the Log Structure

The left panel shows the log hierarchy:

  • Windows Logs: the core logs you will use most often
    • Application — errors and events from applications and services running on the server
    • Security — login attempts, account changes, policy changes, and audit events
    • System — events from Windows components: driver errors, service failures, hardware issues
    • Setup — Windows installation and update events
  • Applications and Services Logs: application-specific logs — IIS, DNS, DHCP, Active Directory, and others each have their own log here

Event Severity Levels

Each event has a level indicator:

  • Information (white i): normal activity — service started, backup completed, etc. Most events are Information level.
  • Warning (yellow triangle): something potentially worth attention but not yet a failure — low disk space, a service taking longer than expected to start
  • Error (red circle with X): something failed — an application crashed, a service failed to start, a driver reported an error
  • Critical (red circle with exclamation): a severe failure that may have caused data loss or requires a restart

Do not panic at every error — Windows logs hundreds of events per day, and many errors are routine. Focus on clusters of errors, errors at the time of a problem, or errors from critical services.

Filtering Events

Raw logs are noisy. Use filters to find what matters:

  1. Select a log (e.g. System) in the left panel
  2. Click Filter Current Log in the right-hand Actions panel
  3. Filter by:
    • Event level: tick Error and Critical to see only failures
    • Event sources: filter to a specific service or application (e.g. “disk” for disk errors)
    • Date and time range: narrow to the window when a problem occurred
    • Event IDs: if you know the specific event ID you are looking for

Key Event IDs to Know

Some event IDs are worth memorizing:

  • System log — Event ID 41: unexpected restart (system crashed or lost power without proper shutdown)
  • System log — Event ID 6008: unexpected shutdown — the OS noted the previous shutdown was unexpected
  • System log — Event ID 7034/7036: a service terminated unexpectedly / a service entered the stopped state
  • System log — Event ID 7023: a service terminated with an error
  • System log — Event ID 1001: Windows Error Reporting — often appears after crashes
  • Security log — Event ID 4625: failed login attempt
  • Security log — Event ID 4624: successful login
  • Security log — Event ID 4740: account locked out
  • Disk errors — Event ID 7: disk I/O error — the disk reported an error. Multiple instances suggest a failing drive.
  • Application log — Event ID 1000: application crash

Creating a Custom View

Custom views let you save a filtered view for repeated use:

  1. Right-click Custom Views in the left panel → Create Custom View
  2. Set your filters (e.g. Error and Critical across all Windows Logs)
  3. Give it a name (e.g. “All Errors”) and click OK

The built-in Administrative Events custom view already shows all Critical, Error, and Warning events across all logs — it is a good starting point for a daily health check.

Checking Event Viewer Remotely

To view another server’s logs without logging in directly:

  1. In Event Viewer, right-click Event Viewer (Local) at the top of the left panel
  2. Select Connect to Another Computer
  3. Enter the server name or IP address

This requires appropriate permissions (local admin or Event Log Readers group) on the target server.

Using PowerShell to Query Event Logs

For scripting or when GUI access is not available:

# Get last 20 errors from the System log
Get-EventLog -LogName System -EntryType Error -Newest 20 | Select-Object TimeGenerated, Source, EventID, Message | Format-Table -Wrap

# Get Error-level events (Level=2) from the System log for the last hour
Get-WinEvent -FilterHashtable @{LogName='System'; Level=2; StartTime=(Get-Date).AddHours(-1)}
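
The failed-login and lockout IDs listed earlier (4625, 4740) are most useful when grouped, in line with the advice to look for clusters rather than single events. The script below is an added example, not part of the original article; the parameter names, the 24-hour window and the threshold of 10 are assumptions to adjust for your environment.

```powershell
# Added example: summarize failed logins (4625) and lockouts (4740) from the Security log.
# Run elevated, or as a member of Event Log Readers, to read the Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: local server unless overridden
    [int]$Hours = 24,                            # assumption: look-back window
    [int]$Threshold = 10                         # assumption: failures per account/source to flag
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches the filter, so suppress it here.
# Note that this also hides access-denied errors; remove it when troubleshooting.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Named EventData fields are only reachable through the event XML
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $data['TargetUserName']
        Source  = $data['IpAddress']   # present on 4625; empty on 4740
    }
}

# Clusters of failed logins per account and source address
$rows | Where-Object EventId -eq 4625 |
    Group-Object Account, Source |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Account lockouts in the same window, oldest first
$rows | Where-Object EventId -eq 4740 |
    Sort-Object Time |
    Format-Table Time, Account -AutoSize
```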
