
Questions tagged [windows-event-log]

"Event log" usually refers to the system/server logs on Microsoft Windows machines.

2 votes
1 answer
185 views

We have a lot of event id 4624 type 3, 4627 and 4634 on a file server for a specific user and workstation. This started after a specific date and is continuous. Prior to that the event viewer logs ...
sumit limbu
5 votes
2 answers
515 views

I have an issue with WinRM certificate authentication on a Windows Server 2022 CIS STIGs image. The server is running the WinRM service, and I'm connecting from an Ubuntu Pro 20.04 FIPS client using ...
Shachar Aharon
0 votes
0 answers
101 views

About 4934(S): Attributes of an Active Directory object were replicated. Having two DC's - DC01 and DC02 in a domain TestDomain.local. Replication is happening between those 2 DC's without any issues. ...
Siva
  • 1
0 votes
0 answers
136 views

We have several SQL Servers on VM in Azure - Server 2016 Standard with SQL 2017 Standard. The system application logs are being spammed into oblivion by the Microsoft SQL VM Telemetry events with ID ...
ku4eto
  • 322
0 votes
0 answers
57 views

We have several SQL Servers on VM in Azure - Server 2016 with SQL 2017. I have disabled in the Azure Portal the SQL Server Automated Patching, but I keep getting every 30 seconds events in the system ...
ku4eto
  • 322
1 vote
1 answer
3k views

I need to check which application is installing or deleting a certificate in the Windows certificate store. Is there an event ID related to this? Should I enable any event auditing policy for this ...
NImIPKZvUc. dev
2 votes
0 answers
155 views

I am trying to monitor folder creation, moves and renames for a certain directory. I have enabled "Audit File System" in group policy. And have configured the folder audit settings per below....
Hugoagogo
  • 121
1 vote
2 answers
2k views

Working on Domain Controllers running Windows Server 2022 21H2 I am getting a slew of Event 521 in Security log on about half of my DCs. The status code is 80000005, which I am told is a buffer ...
KBKoop
  • 31
1 vote
0 answers
169 views

I am using Alienvault to log our SIEM Events from our servers, and I am trying to find out how to debug what is causing this recurring Auditing Event in our Windows Event Logs. I have found out that ...
TspIT
  • 11
-1 votes
1 answer
84 views

I want to delete critical errors found in both application and system logs in event viewer. I want this to be done every week, so I will be using task scheduler to perform this with a script. I am ...
Baldovín Cadena Mejía
2 votes
1 answer
748 views

I have several failed connection attempts to my Windows 10 hosted SSH Server. Event log does not provide any information on the source IP and other remote network details. How to make this information ...
Yuri
  • 123
1 vote
0 answers
287 views

We have an .aspx Asp.Net Web Forms C# application on IIS 10 on Windows Server 2022. Recently an issue occurred where the application pool assigned to the application stopped without a trace to ...
Tech with Thiru
-2 votes
2 answers
254 views

Windows Server 2003 server running RAID 1. It has several problems: one of the hard drives failed and lsass.exe crashes with error 0xc00002e1. I followed this: https://learn.microsoft.com/en-US/...
Man Man Yu
1 vote
0 answers
655 views

I want to audit when every user logged into or logged off a server via RDP. When I run Get-EventLog or Get-WinEvent and filter for Login (Event ID 4624) and Logoff (Event ID 4634) events, I only am ...
Liam Kelly
0 votes
1 answer
358 views

What event does Windows log when a component is registered with Windows "Add or Remove Programs" or more recently "App & features" dialog? While events with ID 11707 represent ...
Tenders McChiken
1 vote
1 answer
978 views

I have a test lab with a Windows Server 2019 host and a Windows 10 Pro host that connects to it, with a single user, me. I test our own software on it and that's it. Recently I am seeing this error:...
SKidd
  • 101
0 votes
1 answer
257 views

We are using Windows Event Collector (WEF) to forward defined security events to a special server. After some days of using this solution, navigating to "Subscription" within the Event ...
HEGE
  • 99
0 votes
0 answers
5k views

Shown below is a windows log event id 4624. The log seems to convey that the machine account server2$ is trying to interactively log in as UMFD-3 interactively. From my research, UMFD is a system ...
Nina G
  • 227
0 votes
1 answer
233 views

I have created a simple test two liner ps script to backup parts of my event logs and the only one I can't backup is the forwarded events, is there a reason for this? The other logs back up fine with ...
Davids Learnin
0 votes
0 answers
234 views

We use Windows Event Forwarding to centralize our Event Logs from around 100 Servers. I get multiple same Events forwarded with same Timestamp. I can't find anything to change that. It looks like this: ...
Samuel
  • 1
0 votes
1 answer
961 views

Afternoon and thanks for taking the time to read my question! I am testing WEC and have got it where the source device sends the logs to my collector but with some strange behavior. Both the collector ...
Davids Learnin
0 votes
1 answer
1k views

Deploying new Windows Server 2022 VM. Our application - classic ISAPI with no managed code - writes events to the Application Event Log to track progress of certain processes, for debugging and ...
Vector
  • 145
2 votes
1 answer
5k views

I built a Windows Event Collector for the first time in our domain. The Collector server is Windows Server 2022. All the systems forwarding to it are Server 2019. The subscription is specifically for ...
user3271408
1 vote
0 answers
250 views

I am using powershell cmdlets to create a new event-log, register a source and log events. I experience some unexpected behavior. I created a new log with an arbitrary name by issuing the command: New-...
Krzysztof Jabłoński
1 vote
2 answers
2k views

I have a Server 2019 server that I configured Windows Event Collector on. I have six systems successfully sending logs to it (specifically AppLocker logs). I'd like to expand this to about 20 ...
user3271408
1 vote
1 answer
4k views

NetSetupSvc is a helper service for installing network drivers and managing low-level network settings. It is trigger-started via RPC and automatically stops after 3 seconds. During normal operation ...
theultramage
0 votes
0 answers
201 views

I use signed PowerShell scripts within my infrastructure and log all PowerShell activity via Windows EventLog. Sadly it seems that Windows does not log a hash or fingerprint of signed scripts or even ...
user1667906
1 vote
1 answer
4k views

In our environment, I've found a handful of Event ID 4776 The computer attempted to validate the credentials for an account. Shown below is the output of that event log and it seems the user in ...
Nina G
  • 227
-1 votes
1 answer
624 views

We are standing up a new environment and will be installing SIEM tools, etc. in the future. We have a few dozen Windows 2019 servers so far. I've been tasked with providing a solution for monitoring ...
winsysadmin
1 vote
0 answers
350 views

In an effort to try to remove the ability for users to print directly to an MFP shared printer, relegating the users to use their badge ID for more secure printing while in the office... Currently ...
Feed-Jake
1 vote
1 answer
4k views

I'm working on a C# application, handling TCP sockets. I have a server application (Hercules) on the remote machine, trying to keep a socket open. I have my application on my machine, subscribing to ...
Dominique
  • 123
2 votes
1 answer
7k views

Event with ID 7042 gets logged in the Event Log when two particular services (custom apps) stop on Windows Server 2022. The problem: one Windows Server is not logging those events. Is there an option ...
Maris B.
  • 182
1 vote
1 answer
3k views

On one of my Windows Server 2012 R2 (going to upgrade), my event logger has been filled with Event ID 36887 A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert ...
SILENT
  • 173
3 votes
2 answers
6k views

Recently, we started seeing a phenomenon where any machine running Microsoft Teams (Office 365 E3 version) will emit event 4673 at a high rate, indicating a failed attempt to use the ...
Prof Von Lemongargle
0 votes
1 answer
574 views

Running Windows Server 2019 standard in a four node cluster. In the event viewer -> windows logs -> Application there are repeating entries. The message is 'Windows Installer reconfigured the ...
pithhelmet
1 vote
2 answers
319 views

I am trying to set GPO so that I can search user in event viewer who accidentally deleted the share drive in the network. What other event IDs list can I search so that I know which category it ...
OSS IT
  • 25
0 votes
0 answers
832 views

I have a Windows 10 system on which I have enabled removable storage audits (via GPO: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy ...
tjlds
  • 23
1 vote
0 answers
2k views

Once in a while we get a notification that an account triggered too many failed Kerberos pre-authentication attempts. This event contains the username and source machine. Here is an example: Kerberos ...
MeMario
  • 65
1 vote
2 answers
404 views

I recently discovered that all of our Domain controllers are no longer logging AD account logon events (Outlook Web App login - SharePoint Login) to the Security Log. But it works for RDP. How could I ...
Amin Mirzanejad
3 votes
2 answers
2k views

When I logon to a specific machine in an Active Directory domain, the logon type recorded in Event Viewer is 10, but the same event log on the domain controller is 3. Why are the all of logon on the ...
Amin Mirzanejad
1 vote
1 answer
5k views

I want to monitor the deletion of files and folders on a Windows 2016 Datacenter Server. I'm already monitoring event ID 4663 and event ID 4659, which have the following description: 4659: "A ...
tortellini
2 votes
0 answers
3k views

I have a domain controller installed in my home office, 1 domain controller, 1 PC, 1 user. I'm running Microsoft Server 2019. When I look in the Security Event log, I see thousands of Logon (Event ID ...
Mr Fett
  • 137
0 votes
1 answer
909 views

Ansible: 2.9 Windows: W2k16 Server I'm searching for a method to register (log) Ansible actions in remote Windows host. For example, when I work with win_command module for echo test command, I can't ...
CH06
  • 23
0 votes
0 answers
168 views

Say I factory reset a machine, or just installed Windows on it. Is there a way to use Get-WinEventLog to find a log message to indicate this is the first time since the installation of the OS that the ...
leeand00
  • 5,061
0 votes
1 answer
3k views

I have a Windows Server which started logging this warning event 36/37 days before a certificate's expiry date and I would like to understand what controls/sets this timing and how it can be ...
bchen
  • 3
3 votes
1 answer
2k views

I want to write a powershell script that get executed whenever a new item/eventlog entry in the eventlog 'Microsoft-Windows-TerminalServices-Gateway/Operational' gets written. It is easy to create a ...
Chris9834
  • 373
0 votes
1 answer
2k views

I have created a task in Taskplaner that, whenever a new log-entry got created, it executes the following PS-script that should write the newly created eventlog-entry in a csv-file on storage. $date =...
Chris9834
  • 373
1 vote
0 answers
683 views

I have a Windows Server 2019 VM and am trying to collect some specific Windows Event Logs using Get-WmiObject In order to read an Event Logs channel in Applications and Services, I created a registry ...
AbeW
  • 11
2 votes
2 answers
557 views

I am new to Windows Logs. When looking at events in the events viewer the failure status and sub status show cryptic values like 0xC000006D and 0xC0000064. Besides doing a google search is there any ...
rooni
  • 149
0 votes
1 answer
3k views

In my Windows Logs > Application I see these Warnings IP address 'xxx.xxx.xxx.xxx' could not be resolved: No such host is known. The IP is unknown to me. These Warnings get logged as: Log Name: ...
MeSo2
  • 294
