To track user logon sessions, open the Security Event Log and filter it for the following Event IDs:
• Logon – 4624 (An account was successfully logged on)
• Logoff – 4647 (User initiated logoff)
• Startup – 6005 (The Event log service was started)
All the events are stored back to the eventvwr console automatically. Looking at the server event log is a critical part of taking care of your Windows servers and your network as a whole. Windows event log is a record of a computer's alerts and notifications. The Windows Event Logs. In fact, it isn’t difficult to code your own log that will be placed in the same view. 6006: The Event Log service was stopped. In our case, we want to filter on Event Source: USER32. Start by going into Event Viewer (Windows+R or the Start Menu and type eventvwr.msc). Go to the C:\Windows\System32\winevt\logs folder and right-click on system and application event --> click on Properties --> uncheck the Read only option --> click on Apply and OK. 2. To launch the Event Viewer, just hit Start, type “Event Viewer” into the search box, and then click the result. Launching the Event Viewer. Original product version: Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 Original KB number: 260729. Navigate to the System Log under Windows; we then want to use Filter Current Log to allow us to only show Events with certain attributes (such as Source or IDs). Quickly specify and automatically send events from workstations and servers, export event data from Windows servers and workstations, and specify events to forward by source, type ID, and keywords. Since the first server operating system from Microsoft, the Windows system has used the Event Log program to record and view log entries from at least three sources: System, Security, and Applications. Start the Windows eventlog service now and it will run fine without any issues.
Event Log Forwarder Forward Windows events to your syslog server to take further action. Indicates the proper system shutdown. 6005: The Event Log service was started. This article introduces how to enable schannel event logging in Windows and Windows Server. The log entries are also sent to the Windows application event log. Indicates the system startup. Right-click on the Admin log and click Save All Events As. Without keeping track of logs, you can miss important issues in your IT environment, and you won’t be able to troubleshoot problems as quickly. Summary Events are placed in different categories, each of which is related to a log that Windows keeps on events regarding that category. SQL Server operations like backup and restore, query timeouts, or slow I/Os are therefore easy to find from the Windows application event log, while security-related messages like failed login attempts are captured in the Windows security event log.
How to Read Shutdown and Restart Event Logs in Windows
You can use Event Viewer to view the date, time, and user details of all shutdown events caused by a shut down (power off) or restart. Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause.
Step 1 - Hover mouse over bottom left corner of desktop to make the Start button appear
Step 2 - Right click on the Start button and select Control Panel → System Security and double-click Administrative Tools
Step 3 - Double-click Event Viewer
Step 4 - Select the type of logs that you wish to review (ex: Application, System, etc.)
Forwarding Logs to a Server
Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." Expand Applications and Services, then Microsoft, Windows, and PrintService.
To download the Admin log… On the affected Windows system (this could be either the client or server), open Event Viewer by pressing Windows key + R, then type eventvwr.msc and hit the enter key. 3. 6008 How to check event logs in Windows Server 2012?