ILOM and ipmitool event log differences

When I use ipmitool to get entries for the System Event Log, it returns "SEL has no entries".
If I run 'show /SP/logs/event/list' from the ILOM, it shows thousands of entries.
What 'System Event Log' is the ipmitool doc talking about?

My educated guess is that you have a policy setting (GPO) on your production network that is disabling that functionality, and nothing on your dev network that explicitly enables it. As a result, it works (by default), moving it to production turns it off,
and moving it back to dev does nothing, so it stays off, but I have no idea where such a setting would be.
I do know for certain, though, that it's not in any WSUS/WUA settings.
Another approach might be to do a registry dump of the SYSTEM hive before and after moving the machine to the production network, and then do a diff on the before and after dumps.
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
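The before-and-after registry comparison suggested in the reply above, as an added example that is not part of the original post: it parses two text dumps in the format written by `reg export` and lists the keys and values that differ. The key names, value names and data in the sample are constructed for illustration.

```python
# Added example: diff two `reg export` dumps taken before and after a change.
# BEFORE/AFTER are constructed samples; real dumps are read with load_reg().

BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc]
"Start"=dword:00000002
"ImagePath"="C:\\Program Files\\Example\\svc.exe"
"Blob"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc\Parameters]
"Enabled"=dword:00000001
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc]
"Start"=dword:00000004
"ImagePath"="C:\\Program Files\\Example\\svc.exe"
"Blob"=hex:01,02,03,\
  04

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExamplePolicy]
"Disabled"=dword:00000001
"""


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        if line.endswith("\\"):
            # Long hex values are wrapped with a trailing backslash; rejoin them
            # so that a different wrap position does not show up as a change.
            pending = line[:-1]
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, data = "@", line[2:]            # the key's default value
        elif line.startswith('"'):
            i = 1
            while i < len(line) and line[i] != '"':
                i += 2 if line[i] == "\\" else 1  # step over escaped characters
            if line[i + 1:i + 2] != "=":
                continue                          # not a "name"=data line
            name, data = line[1:i], line[i + 2:]
        else:
            continue
        current[name] = data
    return keys


def load_reg(path):
    """Read a file written by `reg export` (UTF-16 with a byte-order mark)."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def diff_reg(before, after):
    """Return (kind, key, value_name, old_data, new_data) tuples, sorted by key."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old_vals, new_vals = before.get(key), after.get(key)
        if old_vals is None:
            changes.append(("key-added", key, None, None, None))
        elif new_vals is None:
            changes.append(("key-removed", key, None, None, None))
        old_vals, new_vals = old_vals or {}, new_vals or {}
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name), new_vals.get(name)
            if old is None:
                changes.append(("value-added", key, name, None, new))
            elif new is None:
                changes.append(("value-removed", key, name, old, None))
            elif old != new:
                changes.append(("value-changed", key, name, old, new))
    return changes


if __name__ == "__main__":
    for change in diff_reg(parse_reg(BEFORE), parse_reg(AFTER)):
        print(change)
```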

Similar Messages

  • I would like to know what the enterprise solution is for Windows and application event log management and analysis

    Hi
    I would like to know what the enterprise solution is for Windows and application event log management and analysis.
    I have recently researched and found two applications that seem to be professional: 1- ManageEngine EventLog Analyzer, 2- SolarWinds LEM (SolarWinds Log & Event Manager).
    I want to know the point of view of Microsoft experts and have them share their experience and solutions.
    Thanks in advance.

    Consider MS System Center 2012.
    Rgds

  • Export all Errors and warnings event logs from Application, security and system for last 24 hours and send it to IT administrators.

    Dear Team,
    I want a PowerShell script to export servers' event logs into Excel and send that file to IT administrators.
    Excel format:
    Server Name, Log Name, Time, Source, Event ID and Message.
    Required logs:
    Application, Security, System, DFS Replication and Directory Service.
    And this Excel file has to be sent to an email address.
    It would also be good if I could get a similar script for hard disk space, RAM and CPU utilization.

    Here are some examples:
    http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=logs&f%5B0%5D.Text=Logs%20and%20monitoring&f%5B1%5D.Type=SubCategory&f%5B1%5D.Value=eventlogs&f%5B1%5D.Text=Event%20Logs
    ¯\_(ツ)_/¯

  • ZLM Event Log and System Event Log

    I just created my base ZLM server using version 7.3 and updated a test SLES 10 server to use the 7.3 agent. The SLES server was running sp1 and running the 64-bit OS. I was able to successfully upgrade the server to sp2 but I noticed I don't get any entries in the event or system event log areas. This is under the Devices > Servers > Server name I could tell if the bundles installed successfully or the device was refreshed. I don't get anything now. Any thoughts or suggestions on how to fix this?

    Oops. Sorry. Here is the output from rug ping
    ZMD 7.3.0, Copyright (C) 2009 Novell, Inc.
    Started at 4/15/2009 2:13:14 PM (uptime: 1 days, 23 hours, 33 minutes)
    RSS size: 141440
    Network Connected: Yes
    Running on Mono 1.2.6
    OS Target: SUSE Linux Enterprise Server 10.2 (x86_64)
    Module Name | Description
    -------------------+-------------------------------------------------
    Image Agent Module | Novell ZENWorks Imaging Agent
    Policy Manager | Manages policy enforcement on the device
    Settings | Handles Settings refresh events.
    TessModule | Tess Module
    Inventory | Software and Hardware inventory module for Linux
    NetworkManager | NetworkManager support
    Package Management | Package Management module for Linux
    RMModule | Remote Management module
    ZENworks Server | SOAP methods used by a ZENworks server
    Scheduled Actions | Scheduled Actions module for ZMD
    XML-RPC interface | Export ZMD public interfaces over XML-RPC
    log level is set to info
    log-level | info | Logging level (off, fatal, error, warn, info, debug)

  • Rescue and Recovery & Event Logs

    I have the latest version of R&R installed on my G41 ThinkPad. I use it to backup to
    both my HDD and a USB HDD (which is bootable).
    Whenever I run R&R, either by pressing the blue Access IBM button, or choose to boot
    from my USB drive, and get into the R&R PreBoot Menu, when I try to view Event Logs
    I'm told that the logfiles are unavailable (not found).
    I've repaired R&R from the Control Panel several times with no helpful results.
    How can I get R&R to show me the Event Logs (when I might really need them)?
    If I can boot into Windows, this would be no problem - but if I can't boot into Windows,
    this might be the only way I could find out what I really needed to know and to do.
    This used to work on earlier R&R versions. How can I get it to work on the latest one?
    Bob Stockler
    G41 - 2886-5TU - Mobile Pentium 4 532 - 3.06 Gh
    2 Gb RAM - 80 Gb Toshiba 5400rpm HDD - Win XP Pro

    About 6 PM on 09/30/2008 I removed R&R from my system and re-installed it.
    The next day I executed RRUTILS -L3 and that disclosed these log files in my
    Predesktop Partition:
       09/17/08 00:00:00 AM   18296 Install.log
       10/01/08 00:00:00 AM  263480 fastrestore.log
       10/01/08 00:00:00 AM   24540 TpmInstall.log
       10/01/08 00:00:00 AM    7650 setupact.log
       10/01/08 00:00:00 AM 4905759 setupapi.log
       08/31/08 00:00:00 AM        setuperr.log
       10/01/08 00:00:00 AM        sam.log
       10/01/08 00:00:00 AM        security.log
       05/14/08 00:00:00 AM        software.log
       10/01/08 00:00:00 AM    3576 replog.log
       10/01/08 00:00:00 AM    6978 wbemcore.log
       08/31/08 00:00:00 AM   53324 wbemess.log
       10/01/08 00:00:00 AM    4165 wbemprox.log
       08/31/08 00:00:00 AM     947 wmiprov.log
    I had used the newly installed to make a Base Backup over night.
    I'd still like to know what program is supposed to copy my Event Logs into the
    Predesktop Partition.
    Bob Stockler
    G41 - 2886-5TU - Mobile Pentium 4 532 - 3.06 Gh
    2 Gb RAM - 80 Gb Toshiba 5400rpm HDD - Win XP Pro

  • Missing VSS System Writer and CAPI2 error in Event Log

    Hello,
    I'm having problems with making full system backup of Windows 2008 R2 x64. It looks like this is related to missing VSS System Writer. When I'm running command "vssadmin list writers" there is no System Writer in writers list and in event log CAPI2 error (event ID 513) is showing with this description:
    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
    Details:
    TraverseDir : Unable to push subdirectory.
    System Error:
    Unspecified error
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">513</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2010-03-14T01:06:35.639125000Z" />
    <EventRecordID>207975</EventRecordID>
    <Correlation />
    <Execution ProcessID="968" ThreadID="11588" />
    <Channel>Application</Channel>
    <Computer>System3</Computer>
    <Security />
    </System>
    <EventData>
    <Data>Details: TraverseDir : Unable to push subdirectory. System Error: Unspecified error</Data>
    </EventData>
    </Event>
    any idea what could be wrong?
    Thanks in advance

    Hello ,
    Based on the research, the VSS System Writer runs in the context of the CryptSvc service on Windows Server 2008. To make the system writer work normally, please open the Services console to verify that Cryptographic Services logs on with the credentials of the "Network Service" account.
    The VSS system writer can be missing for several reasons. To isolate this issue, please refer to the following steps to boot the problematic server in clean boot mode to perform the test.
    Steps: Clean Boot
    1. On a problematic server perform a clean boot and check if the issue still exists
    2. Click Start->Run...->type msconfig and press Enter
    3. Click Services tab and select Hide All Microsoft Services and Disable All third party Services.
    4. Click Startup tab and Disable All startup items
    5. Click OK and choose Restart
    After the server reboot, please run "vssadmin list writers" to check if the "System Writer" can be displayed.
    If the issue still exists, please open a CMD prompt with Run As Administrator and type the following commands to see whether the system writer then appears.
    CD c:\windows\system32
    Takeown /f %windir%\winsxs\filemaps\* /a
    icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
    icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
    icacls %windir%\winsxs\filemaps\*.* /grant "BUILTIN\Users:(RX)"
    Moreover, based on experience, it has been reported that a permissions issue can cause this kind of problem. Please follow the steps below and check whether they help.
    On domain controller
    1. Open Active Directory Users and Computers
    2. Click View and then "Advanced features"
    3. Right Click built and click properties.
    4. Click security tab.
    5. Grant read permission to 'Authenticated Users'
    6. Click Apply and OK.
    7. Restart Cryptographic Services.
    Note: By Default, it should have read permission for the system to take system state backup.
    Hope this can be helpful.
    MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin

  • Remote desktop fails, can still connect to event log and services.

     I am unable for some reason to remote into a machine that I've been able to before.  This occurred after it installed automatic updates.  At the moment I can connect to
    services and the event log from another machine with the same credentials, but I can't log onto the machine itself.  Is there any way to reset this info or such.  This machine is a part of a domain and can read credentials from the domain controller. 
    I also do know that remote desktop is enabled.
    The following error occurs in the event log on the affected machine.
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2013-03-21 10:28:23 AM
    Event ID:      5061
    Task Category: System Integrity
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      ****
    Description:
    Cryptographic operation.
    Subject:
        Security ID:        SYSTEM
        Account Name:        ****$
        Account Domain:        *******
        Logon ID:        0x3e7
    Cryptographic Parameters:
        Provider Name:    Microsoft Software Key Storage Provider
        Algorithm Name:    RSA
        Key Name:    TSSecKeySet1
        Key Type:    Machine key.
    Cryptographic Operation:
        Operation:    Decrypt.
        Return Code:    0xc000000d
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5061</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12290</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2013-03-21T14:28:23.339874500Z" />
        <EventRecordID>937125</EventRecordID>
        <Correlation />
        <Execution ProcessID="500" ThreadID="548" />
        <Channel>Security</Channel>
        <Computer>**********</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">*******$</Data>
        <Data Name="SubjectDomainName">********</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
        <Data Name="AlgorithmName">RSA</Data>
        <Data Name="KeyName">TSSecKeySet1</Data>
        <Data Name="KeyType">%%2499</Data>
        <Data Name="Operation">%%2484</Data>
        <Data Name="ReturnCode">0xc000000d</Data>
      </EventData>
    </Event>

     
    Hi,
    The following methods could be used to resolve some of the most common problems.
    Potential issues that may be seen:
    1.) Remote Desktop endpoint is missing
    Each virtual machine that is created should have a remote desktop endpoint for the VM at port 3389. If this endpoint is deleted then a new endpoint must be created. The public port can be any available port number. The private port (the port on the VM) must
    be 3389.
    2.) RDP fails with error: "The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support."
    RDP connection may fail when there are cached credentials. Please see the following article to resolve this problem:
    http://www.c-sharpcorner.com/uploadfile/ae35ca/windows-azure-fixing-reconnect-remote-desktop-error-the-specified-user-name-does-not-exist-verif/
    3.) Failure to connect to uploaded VHD
    When a VHD is uploaded to Windows Azure you must make sure that Remote Desktop is enabled on the VHD and an appropriate firewall rule is enabled on the VM to open port 3389 (Remote Desktop port).
    Hope this helps!
    Regards.
    Vivian Wang
    TechNet Community Support

  • Windows event log monitoring

    We have Grid Control 10GR2 monitoring some Windows servers and the out-of-box config monitors both the System and Security event logs for warning and error conditions. If I want to keep this default config, but just filter out certain EventID's so they don't show up in Grid, is that possible?

    Hi,
    Did you try host metric--"Log File Pattern Matched Line Count" for this ?
    Metalink ID:735137.1 has some info..
    Pls chk out...
    Thanks...

  • Methods for Remote Event Log Collection (WMI vs RPC vs WinRM)

    Hi,
    I'm currently evaluating several 3rd party tools (SIEMs) to help me with log management in a large (mostly) Windows domain environment. Each tool uses a different approach to collecting the event log from remote systems, and I'd like help understanding the
    pros and cons of each approach. I've dropped this in the scripting forum as the tools are essentially running different scripts and it's this part I would like to understand.
    WMI: An agent installed on a windows server connects to each monitored box and grabs their event logs via WMI. Our legacy SIEM already collects from over 2000 servers using this method.
    RPC: As above, but using RPC. No changes required on the remote machines.
    WinRM: An appliance integrates with AD and collects event logs remotely using WinRM. This is reasonably new to me (i'm a security guy, not a sys admin) but I seem to have to enable an additional remote management tool, and open a new listening port on every
    single machine I want to collect the event log from.
    I read the following blog entry, which seemed to indicate that RPC was the best choice for performance, considering I'm going to be making high frequency connections to over 2000 targets:
    http://blogs.technet.com/b/josebda/archive/2010/04/02/comparing-rpc-wmi-and-winrm-for-remote-server-management-with-powershell-v2.aspx 
    However, everything I have found on the subject of remote event collection seems to suggest that WinRM is the "approved" method for event log collection. The vendor using the WinRM approach is also suggesting that it is the only official MS supported
    way of doing this.
    So I would like to ask, is there a reason that WMI and RPC should not be used for this purpose, since they clearly work and don't require any changes to my environment? Is there some advantage to WinRM that justifies touching my entire estate and opening
    an additional port (increasing my attack surface)?
    Thanks in advance,

    Hi,
    I'm aware of the push method, and may indeed move to it in time, although I'm just as likely to install a 3rd party agent on the machines to perform this role with greater functionality and manageability for the same effort. I've only seen organisations
    using commercial agents (snare, splunk, etc) or WMI for log collection in practice, so I don't think I'm the only one with reservations about it.
    Anything that involves making configuration changes to a large and very varied estate is not something to do lightly. Particularly if alternatives exist that don't require this change to be carried out immediately. That is why I'm looking to properly understand
    the pros and cons of these "legacy" approaches for use as an interim solution if nothing more.
    Pulling probably is more resource intensive, although I've not seen an actual comparison, but it's not really that fragile in my experience. If a single pull fails, you just collect the logs you missed at the next pull cycle in a few seconds/minutes.
    All logs are pulled directly into a SIEM for analysis, so that part is covered.
    Anyway, I appreciate the input, but I'm still holding out for concrete reasons to move away from WMI/RPC or to embrace WinRM. Bear in mind I'm considering fixing something that doesn't look broken to me!
    Cheers,

  • Event Log Replication on Cluster Server (MS Server 2003)

    Please help me with EnableEventLogReplication on Server 2003. I just saw the recommendation on MS support about it.
    "If the EnableEventLogReplication registry entry is set to 1, the cluster node replicates events in the event log to all other nodes in the cluster. Tools that monitor multiple servers, report a single event multiple times, one time from each node. "
    I have a problem with event logs replicating, which makes it hard to summarize event logs across all nodes. If I disable this function, I would like to know the effect. Will it stop replicating events without causing any worse problems on the server that my customer is using? Could you please advise?

    As you mentioned, if you disable EnableEventLogReplication, Event Log Replication will be disabled for one or more nodes in the cluster or the entire cluster. One or more cluster node is down or has experienced a failure, and preventing Event Log Replication from taking place.
    Note: if you disable the replication at a specific node, replication of events from that node to other nodes is disabled. Other nodes that have the EnableEventLogReplication property turned on still replicate to that node. This only replicates the System,
    Application and Security event logs.
    http://support.microsoft.com/kb/229071/en-us
    http://support.microsoft.com/default.aspx?kbid=224969

  • Event Log Reporting Time Span

    Having some connection problems, but can only see past one day in the Event Log. Get message "Limit of uservisible log" where in settings can I increase the report time to see past week or so, in Event Log ?

    It sounds like you have a home hub 3 with the latest firmware?
    You mean it looks like this - <<<<<<<<<<<<<<<<<<<< Limit of uservisible log >>>>>>>>>>>>>>>>>>>>
    I get the same. The hub event log used to give 3 full pages of events, now the maximum I get is 2 full pages and 7 events logged on the 3rd page (uses around ¼ of the page).
    You can't increase this, though if you have many events stored prior to the limit message, you could try switching the hub off to remove these older events or bite the bullet and factory reset the hub.
    -+-No longer a forum member-+-

  • Battery drain and error in event log!!!

    So I recently got a Curve 9360, but battery life wasn't the 1 and a half days I expected. It doesn't last more than 5 hrs on normal use, and it falls drastically when doing slightly heavy work; bridged to my PlayBook like now, it turns off the radio at about 30% then blacks out in under 5 minutes. So I did some digging around and most people said it was the OS, so I downloaded the OS that most people say fixed their Curves, got a response for 7.1.0.190 and 7.1.0.258, but still no difference. Out of curiosity I checked my event log and found this error:
    Name: System
    Severity: Error
    GUID: 97c9f5f641d25e5f
    Time: "the date and time shown"
    JVM:INFOp=mypin,a='7.1.0.190',o='9.6.0.24',h=e001507
    So when I changed the OS to 7.1.0.190, I still got the same error, and it's always at the top of the event log, so I'm guessing it's what's causing the battery drain. Changed batteries, and wiped the OS and reinstalled, but no solution.
    Any help people!

    Hi,
    The Certificate Chain you installed on the FE server did not have "Enable all purposes for this certificate" enabled.
    Run MMC--Add\Remove Snap-ins--certificates--Local Computer--Trusted Root Certificate Authorities--Certificates, find the certificate chain you installed--Properties--General, check the "Enable all purposes for this certificate".
    Restart Lync FE server and check the problem is solved.

  • Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2

    I got the following problem:
    I discovered that on my Windows Server 2008 R2 machine the event logging stopped working on 04/May/2014 at 03:15.
    Also, SQL Agent Service won't run.
    The only change that day was security update KB2964444 - Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...
    When I try to start Windows Event Log via net start eventlog or via Services panel, I get an error:
    C:\Users\Administrator>net start eventlog
    The Windows Event Log service is starting.
    The Windows Event Log service could not be started.
    A system error has occurred.
    System error 2 has occurred.
    The system cannot find the file specified.
    I tried:
    restarted the OS (virtual on the host's VMWare).
    re-checked the settings in services menu - they are like in the link.
    checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog - the identity is NT AUTHORITY\LocalService
    gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
    ran fc /scannow - Windows Resource Protection did not find any integrity violations.
    went to the file %windir%\logs\cbs\cbs.log - all clean, [SR] Repairing 0 components
    EDIT: Uninstalled the recent system updates and rebooted - didn't help
    EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):
    filters:
    process name is svchost.exe : include
    operation contains TCP : exclude
    the events captured are:
    21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
    21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
    21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
    21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
    21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
    21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
    21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
    21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
    21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
    21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
    21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
    NOTE: previously, for
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also got NAME NOT FOUND error, so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key) and this event now is
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also checked for the presence of wevtsvc.dll in the place and it's there.
    Also, I tried to capture all events with path containing 'event' and got following events firing every several seconds:
    21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
    21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
    21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
    Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file in the time I try to start the event logger (if run from cmd - there are several hits by net executable, not present if run from the panel).
    What can be done?

    Hi,
    I didn't find a similar issue. If you have IE 11, please try to update the system automatically or install the MS14-029 update.
    The related KB:
    MS14-029: Security update for Internet Explorer 11 for systems that do not have update 2919355 (for Windows 8.1 or Windows Server 2012 R2) or update 2929437 (for Windows 7 SP1 or Windows Server 2008 R2 SP1) installed: May 13, 2014
    http://support.microsoft.com/kb/2961851/en-us
    Hope this helps.

  • How can I turn off Event ID 5156 AND 5145 in the Security Event Log?

    Hi,
    I have a high volume web service. Every time there is a connection from the outside, it logs this in my security event log.
    I want to turn this off.
    How can I stop the logging of event id 5156 on the web server and 5145 on the file server?
    Thanks!
    Dane!

    Hi,
    Thanks for posting in Microsoft TechNet forums.
    The problem can be related to Audit settings. Please check the following threads to see if the information can be useful during the troubleshooting:
    auditing file share on windows 2008 R2
    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9e633bad-cda6-4ec4-8f04-c01de57ce767
    Event ID 5156 filling up event logs. Probably due to anti-virus software (SEP 11)
    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/8044fb62-f5ea-45b5-b717-3f6592af77e0
    Regards
    Kevin
    TechNet Subscriber Support

  • Allow Non-Administrator accounts to create event sources and write to event logs

    We are setting up BizTalk 2013 in Windows Server 2012 and one of the requirements is to allow the service account to create sources and write in event logs (Application) of the BizTalk servers. We have found what it seems to be a simple solution for this
    without giving service accounts local admin rights.
    Give Full control for the following registry keys to the service accounts or groups to allow creating of event sources and write to event logs:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
    Note: when changing permissions for EventLog key, the child keys will inherit the permissions by default except Security key which must be done manually.
    Initial tests using a .net test app seems to work as expected. New event sources are being created in the event logs and writing to the event logs after that works perfectly.
    The above method has been deployed in production and this is the most suitable solution for us.

    Hi Keong6806,
    Thanks a lot for posting and sharing here.
    Do you have any other questions regarding this topic? If not I would change the type as 'Discussion' then.
    Best Regards,
    Elaine
