Questions tagged [windows-event-log]

"Event log" usually refers to the system/server logs on Microsoft Windows machines.

617 questions

4 votes, 1 answer

System Account Logon Failures every 30 seconds

We have two Windows 2008 R2 SP1 servers running in a SQL failover cluster. On one of them we are getting the following events in the security log every 30 seconds. The parts that are blank are actually blank. Has anyone seen similar issues, or…
floyd

4 votes, 1 answer

40k Event Log Errors an hour Unknown Username or bad password

I am getting about 200k of these an hour: An account failed to log on. Subject: Security ID: SYSTEM Account Name: TGSERVER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 4 Account For Which Logon…
ErocM

4 votes, 2 answers

How to find log about uninstalling program on windows server 2008 R2?

I want to know who uninstalled the special program on Windows Server 2008 R2 and when, but I can't find a helpful post that describes how to do it, so I created this question. I hope someone can help me!
dazhi

4 votes, 2 answers

Forwarded Event Logs

I went ahead and successfully configured event forwarding and subscriptions (winrm/wecutil). Now is it possible to have all logs that have already happened forwarded to my collector? Or is it only events going forward that will be logged?
Rome

4 votes, 1 answer

Where can I view active directory failed logon attempts?

I do not see any failed logon attempts in my Windows Server 2003 security event log (I see only successful ones). However, I have a user that is getting locked out very often and I need to try to determine why. Is there a setting that might be…
Scott Szretter

4 votes, 2 answers

Piping powershell messages to Write-EventLog

I have a powershell script that runs a custom cmdlet. It is run by Task Scheduler and I want to log what it does. This is my current crude version: Add-PsSnapIn MyCmdlets Write-EventLog -LogName "Windows Powershell" -Source "Powershell" -Message…
Richard

4 votes, 5 answers

Logs worth to keep and analyze in a central repository

In the need to centralize logs we have selected syslog as the collector and Splunk (free for now) as the analysis tool, but there's always the question about which events should get to the central repository and from which systems. The selection…
chmeee

4 votes, 2 answers

Access denied error 3221225578 with file sharing to Windows server

I'm trying to access the shares on a server. The credential box appears, and I enter a correct username and password, and I get access denied. The silly thing is that I can Remote Desktop to the server (using the same credentials), and I can…
Ian Boyd

4 votes, 4 answers

How can I view login/logoff times for Windows Server 2008?

I use Windows Server 2008 at my workstation and sometimes work from home. Is there an easy way of viewing the login and logoff times from the event viewer so I can see how many hours I was logged in or simply to find out when I started working?…
Chris

4 votes, 2 answers

troubling anonymous Logon events in Windows Security event log

I have a dedicated server hosted on Rackspace Cloud, and this morning as I was casually checking the Security event log, I saw a series of successful Logon events that are troubling. It appears random IPs are successfully "logging in" to my server…
blackcoil

4 votes, 2 answers

Event ID for modified GPOs

I have to know, who (usersid or loginname) changed a specified GPO for a specified OU in the Active Directory. Given our audit settings include this, what would be the right Event ID to look for?
Hinek

4 votes, 1 answer

An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {45FB4600-E6E8-4928-B25E-50476FF79425}

I'm getting the following error message in Azure Windows 10 Application Event log periodically: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {45FB4600-E6E8-4928-B25E-50476FF79425} was…
Maxim Masiutin

3 votes, 2 answers

How do I interpret ID 4624 Type 3 events on a domain controller?

I'm seeing a lot of ID 4624 Events (Logon Type 3) on a domain controller (Windows Server 2012) and I'm wondering what those events want to tell me. I've read that 4624 Type 3 events on a domain controller say that there was a network logon on the…

3 votes, 0 answers

[WINDOWS]: identifying new protected accounts based on ID 4780

As a security best practice, I would like to keep track in my Windows Active Directory domain of any new "Protected Accounts and Groups". According to Microsoft, this concerns any user or group which is directly or indirectly a member of those specified…

3 votes, 2 answers

Windows Server File Share Audit File Attribute Modification

My goal is to identify what user has set the Hidden attribute on a file within the local file share. I have enabled File Share access auditing as per this article. In short: Added a group policy entry to enable certain accesses to be written to…