3

Hi, I have a Windows 2012 Server and would like to do some event logging.

But when I go to the event logger I am unable to Enable Logging for the desired events. (I'm logged in as the Administrator account)

Everything is greyed out, the Log path is not available (which is the only thing I can change, but it doesn't save when I press "ok")

I tried right-clicking the Event Log and choosing "Enable Log", but it doesn't work. I tried enabling Auditing in the GPO, but that didn't work either.


I have been looking at the GPO and Registry but can't find anything related. How can I enable logging on the server?

Another odd thing is that there are a lot of other applications showing under "Applications and Services logs" which usually isn't the case. Normally there is only the "Microsoft" subfolder.


Gilles Lesire
    Have you tried to right-click the log in event viewer and enable it? You also have to disable it before you can view it. – Appleoddity May 10 '18 at 03:26
  • Yes of course. I tried that and it had zero effect. – Gilles Lesire May 11 '18 at 06:05
  • Set _Log Path_ to something like `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx` and then try `Apply` button. Are you logged in as local or domain admin? – JosefZ May 18 '18 at 09:42
  • It doesn't work, I can't apply. When I press okay the path remains "Not available". I tried this with a local Administrator account and a domain account with Administrator rights. Both without success. Another odd thing is that in the event viewer there are many other application logs showing. Which isn't the case on other servers where this issue doesn't arise. (I added a screenshot to my original post.) – Gilles Lesire May 18 '18 at 14:51

2 Answers

0

Came across this issue recently with the Application, Security and System event logs on machines where we had a script applying AutoBackupLogFiles and Flags DWORDs to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security. For some reason a few machines showed these values as strings instead of DWORDs. If either value is set as a string, the event log properties will show the path of Not Available and you won't be able to adjust any of the options.

Deleting the registry Flags and/or AutoBackupLogFiles string item and replacing it with a DWORD item of the same name and value should resolve the issue.
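The check and fix described in this answer, as an added PowerShell example (not code from the answer's author). It walks the three classic log keys, reports any AutoBackupLogFiles or Flags value whose kind is not REG_DWORD, and, because a registry value's kind cannot be changed in place, deletes and recreates it as a DWORD with the same numeric data. The two value names are taken from the answer above; the script assumes the string data is a plain integer and refuses to touch anything else. Run it elevated; `-WhatIf` shows what would change without writing anything.

```powershell
# Added example: find AutoBackupLogFiles / Flags values written as REG_SZ under the
# classic EventLog service keys and recreate them as REG_DWORD (same name, same number).
[CmdletBinding(SupportsShouldProcess)]
param()

$logs   = 'Application', 'System', 'Security'
$values = 'AutoBackupLogFiles', 'Flags'   # value names as given in the answer above

foreach ($log in $logs) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "$key not found, skipping"
        continue
    }
    $item = Get-Item -LiteralPath $key            # Microsoft.Win32.RegistryKey

    foreach ($name in $values) {
        if ($item.GetValueNames() -notcontains $name) { continue }   # value absent: nothing to fix

        $kind = $item.GetValueKind($name)
        $data = $item.GetValue($name)
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
            Write-Verbose "$log\$name is already REG_DWORD ($data)"
            continue
        }

        Write-Warning "$log\$name is $kind with data '$data'; expected REG_DWORD"

        # Only convert when the string really is an integer; otherwise leave it for a human.
        $parsed = 0
        if (-not [int]::TryParse([string]$data, [ref]$parsed)) {
            Write-Warning "  data '$data' is not an integer, fix manually"
            continue
        }

        if ($PSCmdlet.ShouldProcess("$key\$name", "recreate as REG_DWORD = $parsed")) {
            Remove-ItemProperty -LiteralPath $key -Name $name
            New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord -Value $parsed | Out-Null
            Write-Output "$log\$name recreated as REG_DWORD ($parsed)"
        }
    }
}
```

After a fix, close and re-open Event Viewer (or restart the Windows Event Log service) before re-checking the log's Properties dialog, since the service reads these keys when it opens the log.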

0

Sorry for not having a sure answer, but I could not reproduce this on 2008 and 2012 R2; all the logs under Microsoft have editable options. I also don't have such log folders on any of the PCs I checked. Makes one wonder what the heck created all of those. The lower-case 'microsoft' under the standard 'Microsoft' is a red flag for me.

For what it's worth, all the Microsoft events are under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels. There is an Enable option for each of them, so you could resort to modifying that directly to enable the log. The fact that your option is greyed out makes me think that it's either a registry permission issue, or a ChannelAccess permission issue (each log has a Windows permission string defined, which is news to me since the Event Log does not expose any permissions UI). I would also try running eventvwr.exe as SYSTEM using PsExec.

The log path for that particular log you screenshotted should be %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx. I would also check whether the permissions, and the actual files, in that folder are intact. No idea what causes it to say "Not Available". This path is not stored in the registry, or at least not in an obvious way, which makes it even stranger.

theultramage
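The registry-side checks this answer suggests, as an added PowerShell example (not the answer author's code): it reads the channel's Enabled and ChannelAccess values under WINEVT\Channels, decodes the ChannelAccess SDDL into principals and access masks, then asks the Event Log service for its own view of the same channel and inspects the .evtx file's ACL. The channel name defaults to the one in the question; any other channel name can be passed in. The channel key is opened through the .NET registry API because the channel name contains a forward slash, which the HKLM: provider would otherwise treat as a path separator.

```powershell
# Added example: compare a channel's registry definition with what the Event Log
# service reports, and decode the ChannelAccess security descriptor.
param(
    [string]$Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
)

# 1. Registry side: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<channel>
$sub = "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\$Channel"
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub)
if (-not $key) { throw "No channel key for '$Channel' under HKLM\$sub" }

$enabled = $key.GetValue('Enabled')         # DWORD, 1 = enabled
$access  = $key.GetValue('ChannelAccess')   # SDDL string, may be absent
$key.Close()

[pscustomobject]@{
    Channel       = $Channel
    Enabled       = $enabled
    ChannelAccess = $access
}

# 2. Decode the SDDL so the DACL can be read without knowing the SID shorthand.
if ($access) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($access)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }           # unresolvable SID: show it raw
        '{0,-12} {1,-45} mask=0x{2:X}' -f $ace.AceType, $who, $ace.AccessMask
    }
}

# 3. Service side: this is the configuration Event Viewer's Properties dialog displays.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
$log | Select-Object LogName, IsEnabled, LogFilePath, LogMode, MaximumSizeInBytes

# 4. Does the backing .evtx exist, and who can touch it?
if ($log.LogFilePath) {
    $path = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
    if (Test-Path -LiteralPath $path) {
        (Get-Acl -LiteralPath $path).Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType
    } else {
        Write-Warning "Log file '$path' does not exist"
    }
}
```

If the registry says Enabled = 1 but the service reports IsEnabled = False (or the other way round), the two views have diverged and the registry is the place to look. Rather than flipping the Enabled value by hand, the supported way to enable a channel is `wevtutil sl "<channel>" /e:true`, and `wevtutil gl "<channel>"` prints the same enabled, logFileName and channelAccess fields for comparison.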