Overview
Windows NT has featured event logs since its release in 1993. Applications and operating system components can make use of this centralized log service to report events that have taken place, such as a failure to start a component or complete an action. The system defines three log sources: System, Application and Security.
The Event Viewer uses event IDs to define the uniquely identifiable events that a Windows computer can encounter. For example, when a user's authentication fails, the system may generate Event ID 672.
Windows NT 4.0 added support for defining "event sources" (i.e. the application which created the event) and performing backups of logs.
Windows 2000 added the capability for applications to create their own log sources in addition to the three system-defined "System", "Application", and "Security" log files. Windows 2000 also replaced NT4's Event Viewer with a Microsoft Management Console (MMC) snap-in.
Windows Server 2003 added the AuthzInstallSecurityEventSource API calls so that applications could register with the security event logs, and write security audit entries.
Versions of Windows based on the Windows NT 6.0 kernel (Windows Vista and Windows Server 2008) no longer have a 300-megabyte limit to their total size. Prior to NT 6.0, the on-disk files were opened as memory-mapped files in kernel memory space, which used the same memory pools as other kernel components.
Read more about this topic: Event Viewer