Analyzing the SharePoint 2013 Diagnostic Logs

The Windows Event Log and the ULS trace logs are usually the first place to look when you encounter a problem in your SharePoint 2013 deployment.

The Windows Event Log enables you to draw errors and unexpected events to the attention of the IT team, who will typically monitor Windows Event Logs on an ongoing basis. The ULS trace logs typically provide more comprehensive information that enables you to investigate problems in more detail.
 
You can configure the level of logging to both the Windows Event Log and the ULS trace logs for individual categories and subcategories. In some circumstances, you may want to  change these event throttling settings on a temporary basis to assist you with specific troubleshooting. For example, if users are experiencing difficulties with Visio Services, you may want to increase the logging verbosity for the Visio Graphics Service category until the issue is resolved.

Correlation IDs

SharePoint assigns a correlation ID to every request it receives. The correlation ID is a Globally Unique IDentifier (GUID). Whenever SharePoint presents an error to an end user, it includes the correlation ID as part of the error message. Every entry in the ULS logs also includes a correlation ID. Searching for the correlation ID in the ULS log files is an effective way of finding all the log entries that relate to a specific error or unexpected condition.

ULSViewer

When SharePoint writes an entry to the ULS log files, it records a number of property values for each log entry. These include:
  • Timestamp. This is the date and time at which the event occurred.
  • Process. This is the system process in which the event occurred, for example, Owstimer.exe (SharePoint timer jobs) or W3wp.exe (IIS).
  • Area. This corresponds to the top-level event category in Central Administration.
  • Category. This corresponds to the second-level subcategory in Central Administration.
  • Level. This is the severity of the event, for example, Medium, High, or Unexpected.
  • Message. This provides a description of the event.
  • Correlation. This is the correlation ID that uniquely identifies the event occurrence.
Viewing this information in a text file format can be somewhat daunting and difficult to read. ULS log files contain a great deal of information and it can be challenging to find the detail you need in an unformatted text file. However, there are a range of applications available that can open ULS log files in a more user-friendly format. One such application is ULSViewer. This is an unsupported application, made available by Microsoft, that enables you to view ULS log files interactively. For example, ULSViewer enables you to:
  • View data in a tabular format.
  • Highlight important data and hide unimportant data.
  • Filter and sort by severity, correlation ID, category, or any other properties.
  • Create alerts that prompt you when specific events occur.
Using tools such as ULSViewer can make troubleshooting issues using the ULS logs a faster and easier process.