To create event log server

Hi,
I want to create a event log server at my data center, I mean, I want to collect the event logs from all my servers and manage the logs centrally, please guide me the steps for this.
Swaprakash..

If your Enterprise uses SCOM for monitoring, you can easily configure and deploy Audit Collection Reporting (ACS) to pull events from servers based on specific criteria.
You can also manually configure event forwarding/subscriptions. Here's a link on how.
Only when the above two options are impossible will I start to look at a scripting solution, using Get-Eventlog or Get-WinEvent cmdlets.
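As an added illustration of the scripting fallback mentioned above (this is not code from the thread), the following PowerShell pulls a handful of security-relevant events from a list of servers into one CSV on the collector; the server names and output path are placeholders, and it assumes the collecting account is in the local "Event Log Readers" group on each target.

```powershell
# Added example: central pull of selected Windows events via Get-WinEvent.
# Assumptions: placeholder server names/output path; the account running this is a
# member of "Event Log Readers" on every target; RPC to the targets is reachable.
param(
    [string[]]$Servers = @('SRV-APP01', 'SRV-DB01'),      # placeholders
    [string]$OutFile   = 'C:\EventCollector\events.csv',  # placeholder
    [int]$Hours        = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Standard security-relevant IDs: 4625 failed logon, 4720 account created,
# 1102 audit log cleared (Security log); 7045 new service installed (System log).
$queries = @(
    @{ LogName = 'Security'; Id = 4625, 4720, 1102; StartTime = $since }
    @{ LogName = 'System';   Id = 7045;             StartTime = $since }
)

function Get-RemoteEvents {
    param([string]$Computer, [hashtable]$Filter)
    try {
        Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $_.MachineName
                    LogName     = $_.LogName
                    Id          = $_.Id
                    Provider    = $_.ProviderName
                    Level       = $_.LevelDisplayName
                    Message     = ($_.Message -split "`r?`n")[0]   # first line only
                }
            }
    } catch {
        # "No events found" is normal for a quiet server; anything else (RPC,
        # access denied) is worth surfacing, since a silent gap is itself a finding.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        Write-Warning "$Computer/$($Filter.LogName): $($_.Exception.Message)"
    }
}

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

$all = foreach ($server in $Servers) {
    foreach ($q in $queries) { Get-RemoteEvents -Computer $server -Filter $q }
}

$all | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation -Append
'{0} events from {1} servers written to {2}' -f @($all).Count, $Servers.Count, $OutFile
```

Schedule it on the collector and alert on any server that produces a warning rather than events, since a host that stops reporting is as interesting as one that reports failures.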

Similar Messages

  • Event Log / ServiceNow

    Greetings,
    Recently the company started using the ServiceNow application for tracking IT incidents and requests. A new process in xMII BLS 14 is being requested that should create incidents in ServiceNow as they occur.
    The current process to make this happen is for the application to put an entry into the event log and then have MS System Center Operations Manager populate the ServiceNow Incident. I know this sounds roundabout but it is what it is...
    Can xMII BLS 14 create event log entries and if so, HOW?
    Thank you,
    Dennis W

    If you're talking about service.now, it looks like they do have some web services available for integration.
    SOAP Web Service - ServiceNow Wiki
    Regards,
    Christian

  • Creating a Custom Event Log View Shortcut on a server desktop for an admin

    Good morning,
    We have a new admin starting and I would like to create a custom event log view shortcut on their desktop for each server they need to check. Is there a way to do this in Server 2012 and Server 2008?
    I have figured out how to create a shortcut of the Application and System log, but not Custom Views. Thanks.

    Hi,
    Based on my research, you can create a custom view like this. However, I tried multiple ways to create a shortcut of the custom view of the event viewer and got no result. I can only create a shortcut of the event viewer. You may need a script that can achieve that.
    Best regards,
    Susie

  • How to write to windows event logs from determinations-server under IIS

    This is just an FYI technical bit of information I wish someone had shared with me before I started trying to write OPA errors to the windows event log... Most problems writing to the windows event log from log4net occur because of permissions. Some problems are because determinations-server does not have permissions to create some registry entries. Some problems cannot be resolved unless specific registry entry permissions are actually changed. We had very little consistency with the needed changes across our servers, but some combination of the following would always get the logging to the windows event log working.
    To see log4net errors as log4net attempts to utilize the windows event log, temporarily add the following to the web.config:
    <appSettings>
        <!-- uncomment the following line to send diagnostic messages about the log configuration file to the debug trace.
             Debug trace can be seen when attached to IIS in a debugger, or it can be redirected to a file, see
             http://logging.apache.org/log4net/release/faq.html in the section "How do I enable log4net internal debugging?" -->
        <add key="log4net.Internal.Debug" value="true"/>
    </appSettings>
    <system.diagnostics>
        <trace autoflush="true">
            <listeners>
                <add
                    name="textWriterTraceListener"
                    type="System.Diagnostics.TextWriterTraceListener"
                    initializeData="logs/InfoDSLog.txt" />
            </listeners>
        </trace>
    </system.diagnostics>
    To add an appender for the windows event viewer, try the following in the log4net.xml:
    <appender name="EventLogAppender" type="log4net.Appender.EventLogAppender" >
        <param name="ApplicationName" value="OPA" />
        <param name="LogName" value="OPA" />
        <param name="Threshold" value="all" />
        <layout type="log4net.Layout.PatternLayout">
            <conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
        </layout>
        <filter type="log4net.Filter.LevelRangeFilter">
            <levelMin value="WARN" />
            <levelMax value="FATAL" />
        </filter>
    </appender>
    <root>
        <level value="warn"/>
        <appender-ref ref="EventLogAppender"/>
    </root>
    To put the OPA logs under the Application Event Log group, try this:
    Create an event source under the Application event log in Registry Editor. To do this, follow these steps:
    1. Click Start, and then click Run.
    2. In the Open text box, type regedit.
    3. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
    4. Right-click the Application subkey, point to New, and then click Key.
    5. Type OPA for the key name.
    6. Close Registry Editor.
    To put the OPA logs under a custom OPA Event Log group (as in the demo appender above), try this:
    Create an event log in Registry Editor. To do this, follow these steps:
    1. Click Start, and then click Run.
    2. In the Open text box, type regedit.
    3. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    4. Right-click the eventlog subkey, point to New, and then click Key.
    5. Type OPA for the key name.
    6. Right-click the new OPA key and add a new DWORD called "MaxSize" and set it to "1400000" which is about 20 Meg in order to keep the log file from getting too large.
    7. The next steps either help or sometimes cause an error, but you can try these next few steps... If you get an error about a source already existing, then you can delete the key.
    8. Right-click the OPA subkey, point to New, and then click Key.
    9. Type OPA for the key name.
    10. Close Registry Editor.
    You might need to change permissions so OPA can write to the event log in Registry Editor.  If you get permission errors, try following these steps:
    1. Click Start, and then click Run.
    2. In the Open text box, type regedit.
    3. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    4. Right-click the EventLog key, select Permissions.
    5. In the dialog that pops up, click Add...
    6. Click Advanced...
    7. Click Locations... and select the current machine by name.
    8. Click Find Now
    9. Select both the Network user and IIS_IUSERS user and click OK and OK again. (We never did figure out which of those two users was the one that fixed our permission problem.)
    10. Change the Network user to have Full Control
    11. Click Apply and OK
    To verify OPA Logging to the windows event logs from Determinations-Server:
    Go to the IIS determinations-server application within Server Manager.
    Under Manage Application -> Browse Application click the http link to pull up the local "Available Services" web page that shows the wsdl endpoints.
    Select the /determinations-server/server/soap.asmx?wsdl link
    Go to the URL and remove the "?wsdl" from the end of the url and refresh. This will throw the following error into the logs:
    ERROR Oracle.Determinations.Server.DSServlet [(null)] - Invalid get request: /determinations-server/server/soap.asmx
    That error should show up in the windows event log, OR you can get a message explaining why security stopped you in "logs/InfoDSLog.txt" if you used the web.config settings from above.
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
    Edited by: Paul Fowler on Feb 21, 2013 9:45 AM

    Thanks for sharing this information Paul.

  • Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2

    I got the following problem:
    I discovered that on my Windows Server 2008R2 machine the event logging stopped working on 04/May/2014 at 03:15. Also, SQL Agent Service won't run.
    The only change that day was security update KB2964444 - Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...
    When I try to start Windows Event Log via net start eventlog or via the Services panel, I get an error:
    C:\Users\Administrator>net start eventlog
    The Windows Event Log service is starting.
    The Windows Event Log service could not be started.
    A system error has occurred.
    System error 2 has occurred.
    The system cannot find the file specified.
    I tried:
    restarted the OS (virtual on the host's VMWare).
    re-checked the settings in services menu - they are like in the link.
    checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog - the identity is NT AUTHORITY\LocalService
    gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
    ran sfc /scannow - Windows Resource Protection did not find any integrity violations.
    went to the file %windir%\logs\cbs\cbs.log - all clean, [SR] Repairing 0 components
    EDIT: Uninstalled the recent system updates and rebooted - didn't help
    EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):
    filters:
    process name is svchost.exe : include
    operation contains TCP : exclude
    the events captured are:
    21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
    21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
    21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
    21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
    21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
    21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
    21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
    21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
    21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
    21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
    21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
    NOTE: previously, for
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also got a NAME NOT FOUND error, so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key) and this event now is
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also checked for the presence of wevtsvc.dll in the place and it's there.
    Also, I tried to capture all events with path containing 'event' and got the following events firing every several seconds:
    21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
    21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
    21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
    Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file in the time I try to start the event logger (if run from cmd - there are several hits by the net executable, not present if run from the panel).
    What can be done?

    Hi,
    I didn't find a similar issue; if you have IE 11, please try to update the system automatically or install the MS14-029 update.
    The related KB:
    MS14-029: Security update for Internet Explorer 11 for systems that do not have update 2919355 (for Windows 8.1 or Windows Server 2012 R2) or update 2929437 (for Windows 7 SP1 or Windows Server 2008 R2 SP1) installed: May 13, 2014
    http://support.microsoft.com/kb/2961851/en-us
    Hope this helps.

  • Allow Non-Administrator accounts to create event sources and write to event logs

    We are setting up BizTalk 2013 in Windows Server 2012 and one of the requirements is to allow the service account to create sources and write in event logs (Application) of the BizTalk servers. We have found what seems to be a simple solution for this without giving service accounts local admin rights.
    Give Full control for the following registry keys to the service accounts or groups to allow creating event sources and writing to event logs:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
    Note: when changing permissions for EventLog key, the child keys will inherit the permissions by default except Security key which must be done manually.
    Initial tests using a .NET test app seem to work as expected. New event sources are being created in the event logs and writing to the event logs after that works perfectly.
    The above method has been deployed in production and this is the most suitable solution for us.

    Hi Keong6806,
    Thanks a lot for posting and sharing here.
    Do you have any other questions regarding this topic? If not I would change the type as 'Discussion' then.
    Best Regards,
    Elaine
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
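The custom "OPA" log from the log4net post above and the non-admin source-creation problem in this thread can both be handled without hand-editing the registry or granting Full Control over the whole EventLog key. The PowerShell below is an added example (not code from either poster): it pre-registers the log and source as an administrator and then grants a service account (placeholder name) only the registry rights that EventLog.SourceExists and CreateEventSource actually need.

```powershell
# Added example. Assumptions: log/source name 'OPA' as in the log4net post;
# 'CONTOSO\svc-app' is a placeholder service account; run from an elevated session.
#Requires -RunAsAdministrator
param(
    [string]$LogName        = 'OPA',
    [string]$Source         = 'OPA',
    [string]$ServiceAccount = 'CONTOSO\svc-app'   # placeholder
)

$EventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# 1. Register the log and source once, up front, so the application never has to
#    call CreateEventSource itself (that call needs write access to the log key).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
    # 20 MB, overwrite the oldest entries as needed (size must be a multiple of 64 KB)
    Limit-EventLog -LogName $LogName -MaximumSize 20MB -OverflowAction OverwriteAsNeeded
}

function Grant-RegistryRight {
    param(
        [string]$KeyPath,
        [string]$Identity,
        [System.Security.AccessControl.RegistryRights]$Rights
    )
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# 2. EventLog.SourceExists() enumerates every log key, including EventLog\Security,
#    which non-admin accounts cannot read by default. That read failure is the
#    SecurityException seen from IIS/BizTalk app pools; Read is all the lookup needs.
Grant-RegistryRight -KeyPath "$EventLogKey\Security" -Identity $ServiceAccount `
    -Rights ([System.Security.AccessControl.RegistryRights]::ReadKey)

# 3. Only if the application must create its own sources at run time: let it add
#    subkeys under its own log, not under EventLog itself or under Security.
Grant-RegistryRight -KeyPath "$EventLogKey\$LogName" -Identity $ServiceAccount `
    -Rights ([System.Security.AccessControl.RegistryRights]'ReadKey, CreateSubKey, SetValue')

# 4. Smoke test from the admin session; the custom log appears in Event Viewer
#    under "Applications and Services Logs".
Write-EventLog -LogName $LogName -Source $Source -EventId 1000 `
    -EntryType Information -Message "Event source $Source registered for $ServiceAccount"
Get-WinEvent -ListLog $LogName | Select-Object LogName, MaximumSizeInBytes, RecordCount
```

If the application only ever writes through the pre-registered source, step 3 can be skipped entirely; writing to an existing source does not require registry write access.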

  • Event log is not working in Multiform server

    Hi ,
    We are trying to implement event logging in our application. We have created a separate event source for our application. When we test this on our local dev machine it works without any problem. When I try to test the same in a higher environment (QA, Pre-prod) it is not working. The QA environment is a multi form server. We are able to see the event source in the event viewer, but the logging is not happening. We have tried restarting IIS, restarting the services.
    Any suggestion or guidance will be highly appreciated.
    Thanks in Advance

    Hi GHPMS,
    >>We are trying to implement event logging in our application
    Do you mean this code as below?
    using System.Diagnostics;

    string sSource = "dotNET Sample App";
    string sLog = "Application";
    string sEvent = "Sample Event";

    // SourceExists() reads every log's registry key, including Security, so it
    // throws a SecurityException under a non-admin account, and creating the
    // source needs write access to the log's key. Do this once, as an administrator.
    if (!EventLog.SourceExists(sSource))
        EventLog.CreateEventSource(sSource, sLog);

    // Writing through an existing source needs no special rights.
    EventLog.WriteEntry(sSource, sEvent);
    EventLog.WriteEntry(sSource, sEvent, EventLogEntryType.Warning, 234);
    Like in the following screenshot:
    >>We are able to see the event source in the event viewer, but the logging is not happening.
    Maybe you also need to check with the event log exists method before you try to create it new.
    You might need to check which account the service is running under, which may make a difference on a multi form server and up, since they are more stringent on account rights in those environments.
    Best regards,
    Kristin

  • DFSN-Server ID 516 Flooding Event Log

    Good Day,
    Since setting up a Server 2012 server as a DFS root the Administrative Events log is getting flooded with DFSN-Server ID 516 warning events. We have multiple name spaces and we get a message for each every 15 minutes, so for our 6 name spaces that is over 500 messages a day.
    DFSN service has started performing complete refresh of metadata for namespace <DFS-Root>. This task can take time if the namespace has large number of folders and may delay namespace administration operations.
    Although I found one solution on the Russian Technet forum DFSN-Server EventID 516, this disables the entire DFSN-Server Admin log, so if there are any problems with the refresh they will not appear.
    The main cause of the problem appears to be that the 516 Events have a Warning level 3 for something that should be Information level 4. There is no reason for a warning to be issued for what is a regular update process.
    Thanks,
    James

    What bothers me is that those events mention only "started a complete refresh", but they never mention so far completing one ... weird...
    Thank you Microsoft (sarcasm).
    If you look directly at the log, you'll see this message is quickly followed by ID 517 which states it has completed the refresh.  Event 517 is an informational event, so it won't display in the default "Administrative Events" filter.
    My suggestion to Microsoft: Change the severity on ID 516 to Informational. I don't believe anyone would consider this routine refresh a warning-level concern!!
    yes, you are right. sorry for super late reply, but I was swamped in company move and server upgrades, new installations, new IP phone system, new IP cams, site-to-site VPN, new faster firewall for new faster Internet link, NAT config changes ... man ... a bit too much for a single person to manage sometimes ...
    anyways, I didn't see the 517 events in "Custom Views - Administrative Events" that's why I was alerted with a flood of 516 (there is 1 every 12 minutes), can't understand why MS would drop one informational event (categorized wrongly as warning) and not add the other one stating it was completed right after (because it's still informational only) ... I finally found the following 517's when I went to the tree of Apps and Services Logs - MS - Win - DFSN-Server - Admin ... it's kinda buried down there
    very annoying it still is in end of October, especially when I am troubleshooting a non-replication condition without any errors between two DFS servers (also DC roles installed) running 2012R2. Ended up removing DFS from secondary DC (VM actually) and building a new DFS dedicated VM with fixed sized disks on Hyper-V 2012 R2 server, hoping it resolves the issue when replication would just stop without error creating a huge file count (and content!) mismatch over time... a flood of meaningless events in administrative logs is not helping with troubleshooting ...

  • Print document's name in Event Log ID #307 on Server 2012

    Creating a new printer server using Windows Server 2012.  Everything is working out fine so far, however I just ran into one problem that didn't happen in our Server 2008R2 print server.
    When looking at print jobs that have completed under: event logs --> Microsoft --> Windows --> PrintService --> Operational, I have noticed that Event ID 307 is not displaying the printed document's name in Server 2012 (it did for Server 2008R2).
    In Server 2012, the document name simply displays as "Print Document" instead of displaying the document's name.
    Anyone have any ideas on how to get the document's name to properly display in the event logs?
    Thanks for any help.

    Hi Alan,
    I have configured a Server 2012 R2 Standard as print server to manage printers and monitor the print usage of users, however I am not getting the print logs (Event Log ID 307) in the default event logs directory on the print server.
    I performed some searching and came to know that it's a known problem in Server 2012 and there is a hotfix available. I installed the hotfix mentioned here http://support2.microsoft.com/kb/2938013/en-us , but still logs are not getting generated.
    I also made the below setting for the logs.
    Creating Registry entry
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Printers] "ShowJobTitleInEventLogs"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers] "ShowJobTitleInEventLogs"=dword:00000001
    The policy name: Computer Configuration \ Administrative Templates \ Printers
    Allow job name in event logs
    Keep printed Docs setting is also enabled on all the printers installed on Print Server.
    Nothing seems to be working here, or am I doing something wrong?
    Regards
    Mukesh

  • SQL Server monitoring error event log 4001

    hello Experts ,
    We have a SCOM 2012 R2 environment. I have installed SQL Server MPs 6.5.0.1 and installed the SCOM agent on some SQL Servers. Monitoring works properly for some of the SQL Servers but not all; for some SQL Servers I am getting the following error in the event log:
    Event :4001
    Management Group: SCOMMgtGroup. Script: Main Module: CPUUsagePercentDataSource.ps1 : 
    Computer Name = 'MHSSCOM01.memnet.org' WMI = 'ComputerManagement11' Service Name = 'MSSQLSERVER' SQL Instance Name = 'MSSQLSERVER'
    Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."Error occured during CPU Usage for SQL Instances data source executing.
    Computer:MHSSCOM01 
    Reason: Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."
    also not getting Database information within the SQL Server instances for these SQL Server within "Instances Summary "
    For resolution, I have created a Run As account (Windows) for SQL monitoring, then associated it with the Run As profiles SQL Server Default Action Account, Discovery Account and Monitoring Account, and distributed it securely to each SQL Server health service object. The Run As account has been added to the local admin group on each SQL server.
    How to resolve the event log error, and how to get database information for all instances of SQL Server?
    Thanks
    RICHA

    Hi,
    It seems that the action account that runs the script does not have enough permissions on the monitored SQL server. I would like to suggest you follow the below link to check your Run As account configuration:
    http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx
    And make sure the action account also has a SQL admin account on the SQL server.
    Here is also a link that may be helpful for you:
    http://blogs.technet.com/b/momteam/archive/2014/05/12/kb-event-4001-in-the-operations-manager-log-during-sql-server-2012-monitoring.aspx
    Regards,
    Yan Li

  • Custom event log is not working in SharePoint server

    Hi ,
    We are trying to implement event logging in our application. We have created a separate event source for our application. When we test this on our local dev machine it works without any problem. When I try to test the same in a higher environment (QA, Pre-prod) it is not working. The QA environment is a multi form server. We are able to see the event source in the event viewer, but the logging is not happening. We have tried restarting IIS, restarting the services.
    Any suggestion or guidance will be highly appreciated.
    Thanks in Advance

    Logging should use the SharePoint Unified Logging Services (ULS) infrastructure.
    Logging to the Event Viewer requires ADMIN PERMISSION... which is why it works fine in DEV, and not in TEST/PROD.
    DO NOT LOG TO THE EVENT VIEWER... OR USE ANY OTHER HOME GROWN CONCOCTION... USE THE LOGGING FRAMEWORK PROVIDED BY THE PLATFORM.
    This may help: http://www.sbrickey.com/Tech/Blog/Post/Custom_Logging_in_SharePoint_2010
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • Essential event viewer bugs with "Forwarded Events" log in Windows Server 2008 R2 and Windows 7

    To my general experience, Windows event viewer is one of the most problematic, faulty management tools in the case of extensive use of its more sophisticated capabilities. The sole description as well as reproduction of some entangled failures would require remarkable effort.
    With the "Forwarded Events" log however, the situation becomes particularly worse in that even simple functionality fails and workarounds are difficult to find. That’s what I’ll describe here in order to share my experience with interested users.
    For precision: I’ve extensively used event viewer on a German Windows Server 2008 R2 SP1 (Windows SBS 2011 Standard SP1). The bugs I found on that system, I could reproduce on a German Windows 7 Professional 64-Bit SP1, too.
    Problem 1: Failure of even simple event filtering
    To reproduce this problem, execute these steps on a test machine with any of the two OS mentioned above:
    (i) To prepare log contents, do either of the following:
    (a) populate some events to your local "Forwarded Events" log (most simply by subscribing events from other logs of the same machine; stop subscription if you have collected some events)
    Or
    (b) copy a non-empty log file "ForwardedEvents.evtx" from another machine (with any of the two OS mentioned above) to your test machine and open the file in event viewer.
    (ii) Navigate to your "Forwarded Events" test log and open the filtering dialog. In the "Includes/Excludes Event IDs" field, type: 1-9000. Click OK.
    (iii) Look at the results pane: Surprise, 0 Events! Do you really have no event IDs between 1 and 9000 in your test log?
    (iv) Another example, if you have forwarded security events in your test log: Clear filter, if any previous filter is in place. Open the filtering dialog. In "Keywords" sub-dialog, choose "Audit Success". Click OK.
    (v) Look at the results pane: Surprise, 0 Events! Do you really have no successful security monitoring events in your test log?
    I'll finish here. If you have a rich variety of events in your test log available, let your imagination run wild to test around. Finally include some simple manually created or modified XPath filters on the XML tab of the filtering dialog. I promise, you'll find a lot of additional strange results.
    Problem 2: Cannot save manually selected events to .evtx file
    Navigate to your "Forwarded Events" test log. In the results pane, select one or more events by highlighting them by mouse clicks. In context menu, choose "Save selected events". In the "save as" dialog, choose file type *.evtx and save your file. Open the newly created file in event viewer. Result: Surprise, no events inside the new file!
    Have more fun with forwarded events
    Helmut

    Did you mean right-clicking Forwarded Events and selecting "Filter Current Log..."? Since I can filter the correct events via "Filter Current Log..." in my Lab environment.
    Hi Justin,
    yes, I mean "Filter Current Log ... " (in my German systems: "Aktuelles Protokoll filtern ... ").
    What do you mean with "my Lab environment" exactly?
    In the meantime, I performed additional tests. I copied the "ForwardedEvents.evtx" test file from Server 2008 R2 or Windows 7 to
    (i) German Windows 8 Pro 64-Bit RTM
    (ii) German Windows 8.1 Pro 64-Bit, up-to-date
    in order to view and filter the file there.
    Results: Same event viewer problem on Windows 8 RTM, but correct behavior on Windows 8.1!
    Best regards, Helmut

  • Event logs fails to start on Exchange Server 2010

    My Exchange server 2010 R2 SP1 Enterprise single server is down.  All exchange services fail to start.  It appears like the Microsoft Exchange Active Directory Topology service isn't starting which is a dependency for all other services.
    The error I get when trying to start this service is:
    Windows could not start the Microsoft Exchange Active Directory Topology on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2147024882
    To make matters worse, the event viewer is not starting either.
    When trying to start the Windows Event Log, I get the error:
    Windows could not start the Windows Event Log service on Local Computer. Displays Error code 5
    This is running on a Windows Server 2008 R2 SP1 Standard box.
    Any assistance is appreciated.

    When trying to start the Windows Event Log, I get the error:
    Windows could not start the Windows Event Log service on Local Computer. Displays Error code 5
    Hi,
    Based on this error, this problem happens if any of the following conditions are true:
    The built-in security group EventLog does not have permissions on the folder %SystemRoot%\System32\winevt\Logs
    The Local Service account does not have default permissions on the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability
    To solve this problem, we need to restore the default permissions in the list below on %SystemRoot%\System32\winevt\logs.
    Authenticated user - List folder/read data, Read attributes, Read Extended attributes, Read permissions
    Administrators - Full control
    SYSTEM - Full control
    EventLog - Full control
    Please try the following methods:
    Method 1
    To restore the default permissions on folder %SystemRoot%\System32\winevt\logs, follow these steps.
    Right-click on %SystemRoot%\System32\winevt\logs and select Properties.
    Select the Security tab.
    Click Edit button and click the Add button in the permissions dialog box.
    In the Select Users, Computers, or Groups dialog box, ensure that under Object Types, Built-in Security Principals is selected and that the location is the local computer name.
    Enter the object name as "NT SERVICE\EventLog" without quotes. And click OK. This group should have full control on the folder.
    Once EventLog group is added add the rest of the groups with above mentioned permissions.
    Method 2
    Identify a Windows Server 2008 machine with default permissions.
    Click Start, and then type cmd in the Start Search box.
    In the search results list, right-click Command Prompt, and then click Run as Administrator.
    When you are prompted by User Account Control, click Continue.
    Type the command CD %SystemRoot%\SYSTEM32.
    Once the working directory is changed to %SystemRoot%\SYSTEM32 type the command icacls winevt\* /save acl /T.
    This will save a file named ACL in %SystemRoot%\SYSTEM32. Copy this file to the C: drive on the problem computer.
    On the problem computer, open command prompt with administrator privileges (refer to previous steps 1-3).
    Change the working directory to %SystemRoot%\SYSTEM32.
    Execute the command icacls winevt\ /restore acl.
    Default permissions on the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability should be:
    CREATOR OWNER - Full control
    SYSTEM - Full control
    LOCAL SERVICE - Query Value, Set Value, Create Subkey, Notify and Delete
    Administrators - Full control
    Users - Read
    To set the permission on this registry key:
    Click the Start menu, select Run and type Regedit.
    Go to the location HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability.
    From the Edit menu click Permissions.
    Add the permissions for the accounts as listed above.
    In addition, Exchange 2010 SP1 and SP2 have reached end of support.
    https://support.microsoft.com/en-us/lifecycle/search/default.aspx?alpha=exchange%20server%202010&Filter=FilterNO
    Best Regards.
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Lynn-Li
    TechNet Community Support
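    The reply above lists the default ACLs the Event Log service depends on. As an added example, not code from the original thread, the PowerShell below reads the ACL of the winevt\Logs folder and of the Reliability registry key with Get-Acl and reports any listed principal that is missing or holds fewer rights than the reply specifies, so the check can be run before deciding whether Method 1 or Method 2 is needed. The expected rights are taken from the reply; "Read" on the registry key is mapped to ReadKey, and the folder and key paths are the ones named above.

```powershell
# Added example, not from the original thread: checks the permissions the reply above lists,
# on the winevt\Logs folder and on the Reliability registry key, and reports any principal
# that is missing or holds less than the expected rights. Run from an elevated prompt.

$logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$regKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Reliability'

# Expected folder entries from the reply (identity -> minimum rights it must hold).
$expectedFolder = @{
    'NT SERVICE\EventLog'              = [System.Security.AccessControl.FileSystemRights]::FullControl
    'NT AUTHORITY\SYSTEM'              = [System.Security.AccessControl.FileSystemRights]::FullControl
    'BUILTIN\Administrators'           = [System.Security.AccessControl.FileSystemRights]::FullControl
    'NT AUTHORITY\Authenticated Users' = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
}

# Expected registry entries from the reply ("Read" in the Permissions dialog is ReadKey).
$expectedRegistry = @{
    'CREATOR OWNER'              = [System.Security.AccessControl.RegistryRights]::FullControl
    'NT AUTHORITY\SYSTEM'        = [System.Security.AccessControl.RegistryRights]::FullControl
    'BUILTIN\Administrators'     = [System.Security.AccessControl.RegistryRights]::FullControl
    'NT AUTHORITY\LOCAL SERVICE' = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, Notify, Delete'
    'BUILTIN\Users'              = [System.Security.AccessControl.RegistryRights]::ReadKey
}

function Test-IdentityHasRights {
    param($Acl, [string]$Identity, [int]$Rights, [string]$RightsProperty)
    # A principal can hold its rights across several Allow ACEs, so OR them together first.
    $granted = 0
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $Identity) {
            $granted = $granted -bor [int]$ace.$RightsProperty
        }
    }
    return (($granted -band $Rights) -eq $Rights)
}

function Get-MissingEventLogPermissions {
    $missing = @()
    $folderAcl = Get-Acl -Path $logDir
    foreach ($id in $expectedFolder.Keys) {
        if (-not (Test-IdentityHasRights -Acl $folderAcl -Identity $id -Rights ([int]$expectedFolder[$id]) -RightsProperty 'FileSystemRights')) {
            $missing += "$logDir : '$id' lacks $($expectedFolder[$id])"
        }
    }
    $regAcl = Get-Acl -Path $regKey
    foreach ($id in $expectedRegistry.Keys) {
        if (-not (Test-IdentityHasRights -Acl $regAcl -Identity $id -Rights ([int]$expectedRegistry[$id]) -RightsProperty 'RegistryRights')) {
            $missing += "$regKey : '$id' lacks $($expectedRegistry[$id])"
        }
    }
    return ,$missing
}

$problems = Get-MissingEventLogPermissions
if ($problems.Count -eq 0) {
    'Permissions match the defaults listed above.'
} else {
    'Deviations found (restore them with Method 1 or Method 2 above):'
    $problems
}
```

    The check only reports; it does not change anything, so it is safe to run on a production box before the icacls /restore step. Deny entries are ignored on purpose, which means a Deny ACE that blocks EventLog would not show up here and still needs a look in the Security tab.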

  • No event logs when RAID fails in Server 2008 and R2

    From what I'm finding out (by web searching) they forgot to include event logging in Server 2008 for when a Windows software RAID fails in some way such as missing disk, failed redundancy, etc. This is REALLY annoying as I was trying to set up email notifications
    for when this happens so I can fix it. I'm just using this on my servers at home, so I'm not big on the idea of spending a lot of money on a hardware RAID, it just does some simple network file sharing and streaming and software RAID is fine. Is there any way
    to get this to work properly, like it used to?! Hotfix? Sacrifice a small animal? Free third-party tools that would work if nothing else? Would a MOM server be able to notify me? (been considering setting up one of those and SCCM to mess with)

    Thanks guys for chiming in. The only way Microsoft will know this is a big deal (you would think they would, but apparently not), is for people to complain. I found this out myself when I was trying to set up event triggered tasks to email on low disk space
    and RAID failure, only to find no events are created on RAID failures!
    I have set up a SCOM 2007 R2 server in my testing environment. It registers and alerts me for low disk space just fine, but the availability monitor is not tripped when I break a RAID volume. I have tried offlining a disk, which results in failed redundancy,
    and also shutting down the VM and removing a drive, and neither seems to trip an alert. Do I have to do something to get it to monitor correctly?

  • Task Scheduler doesn't work for restarting the server but event log says successful.

    Hi All,
         I have created a scheduled task to run every weekend to restart the Windows Server 2008 R2 Standard (64-bit OS) server. The task has been created successfully. I checked manually whether it actually restarts, but it doesn't; however, in the event
    logs of the Task Scheduler it says the task ran successfully and returned status code 0. But it doesn't seem to work.
    Thanks in advance.

    Hi Prasad Venkatesan,
    Can you give more detailed information about how you set up this scheduled task?
    To create a scheduler of restarting at specific time, please also try these steps:
    Press WinKey+R > type taskschd.msc and press Enter (it will launch Task Scheduler)
    Left-click Task Scheduler Library in the right pane > open Action from the top menu > New Folder... > name it MyTasks > click OK
    Left-click MyTasks > choose Action from the menu > Create Basic Task... (it will open the task wizard)
    You can enter the Name, for example "Restart", and press Next
    In the Trigger section you can specify when you want to run your task, for example:
    Select Daily, and press Next
    Now you can specify the day, the hour and set it to recur every day, after that press Next
    In the Action section you can choose what you want to run, for example restart your system; to do this:
    choose Start a program, and press Next
    in the Program/script field type shutdown /r, and press Next
    Press Finish
    Then check if it can work.
    Best Regards,
    Anna
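    The question above is the classic gap between "the task reported exit code 0" and "the machine actually rebooted". As an added example, not code from the original thread, the PowerShell below creates the same kind of restart task from the command line with schtasks.exe (available on Server 2008 R2) and then checks the outcome by correlating the Task Scheduler operational log with the System log, so the two questions can be answered separately. The task name, weekly Sunday 03:00 schedule and the 8-day lookback are assumptions; the event IDs used are System 1074 (a process requested a shutdown or restart) and 6005 (Event Log service started, written at every boot), and Task Scheduler 102 and 201 (task and action completed).

```powershell
# Added example, not from the original thread. Creates a weekly restart task with schtasks.exe,
# then checks whether a restart really happened by correlating Task Scheduler events with the
# System log instead of trusting the task's exit code alone. Task name and schedule are assumed.

$taskName = 'WeeklyRestart'

function New-WeeklyRestartTask {
    # /RU SYSTEM: runs whether or not someone is logged on. /t 0: no 30-second grace period.
    # /F overwrites an existing task of the same name.
    schtasks.exe /Create /F /TN $taskName /SC WEEKLY /D SUN /ST 03:00 /RU SYSTEM /TR 'shutdown.exe /r /t 0'
}

function Get-RestartEvidence {
    param([datetime]$Since)

    # Task Scheduler's own view: 102 = task completed, 201 = action completed.
    # (Needs the Task Scheduler operational log to be enabled; otherwise this stays empty.)
    $taskEvents = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 102, 201; StartTime = $Since
    } | Where-Object { $_.Message -like "*$taskName*" })

    # What the OS recorded: 1074 = a process requested a shutdown/restart (the message names it),
    # 6005 = Event Log service started, i.e. the system booted.
    $systemEvents = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 1074, 6005; StartTime = $Since
    })

    New-Object PSObject -Property @{
        TaskReportedCompletion = ($taskEvents.Count -gt 0)
        RestartRequested       = (@($systemEvents | Where-Object { $_.Id -eq 1074 }).Count -gt 0)
        SystemBooted           = (@($systemEvents | Where-Object { $_.Id -eq 6005 }).Count -gt 0)
        Details                = ($systemEvents | Select-Object TimeCreated, Id, Message)
    }
}

# Usage: create the task once, then after the scheduled time run the check for the last 8 days.
# New-WeeklyRestartTask
# Get-RestartEvidence -Since (Get-Date).AddDays(-8)
```

    If TaskReportedCompletion is true but RestartRequested and SystemBooted are both false, the scheduler ran the action but shutdown.exe never got as far as asking the OS to restart, which points at the action line or the account it runs under rather than at the trigger. A 1074 event without a following 6005 means the restart was requested but the box did not come back within the window, which is a different problem again.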

Maybe you are looking for