6006: The Event Log service was stopped. Navigate to the System Log under Windows. We then want to use Filter Current Log so that only events with certain attributes (such as Source or IDs) are shown. Quickly specify and automatically send events from workstations and servers, export event data from Windows servers and workstations, and specify events to forward by source, type ID, and keywords. To download the Admin log… On the affected Windows system (this could be either the client or server), open Event Viewer by pressing Windows key + R, then type eventvwr.msc and press Enter. Start by going into Event Viewer (Windows+R or the Start Menu and type eventvwr.msc). Original product version: Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019. Original KB number: 260729. 6005: The Event Log service was started. How to Read Shutdown and Restart Event Logs in Windows: You can use Event Viewer to view the date, time, and user details of all shutdown events caused by a shut down (power off) or restart. Expand Applications and Services, then Microsoft, Windows, and PrintService. Forwarding Logs to a Server: Since the first server operating system from Microsoft, the Windows system has used the Event Log program to record and view log entries from at least three sources: System, Security, and Applications. Events are placed in different categories, each of which is related to a log that Windows keeps on events regarding that category. Indicates the system startup. Go to the C:\Windows\System32\winevt\logs folder, right-click the System and Application event logs, click Properties, uncheck the Read-only option, then click Apply and OK. 2.
Step 1 - Hover the mouse over the bottom left corner of the desktop to make the Start button appear.
Step 2 - Right-click the Start button and select Control Panel → System Security, then double-click Administrative Tools.
Step 3 - Double-click Event Viewer.
Step 4 - Select the type of logs that you wish to review (e.g., Application, System, etc.).

The Windows event log is a record of a computer's alerts and notifications. This article introduces how to enable Schannel event logging in Windows and Windows Server. All the events are stored back to the eventvwr console automatically. Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause. 3. Open Filter Security Event Log and, to track user logon sessions, set the Security Event Log filter to the following Event IDs:
• Logon – 4624 (An account was successfully logged on)
• Logoff – 4647 (User initiated logoff)
• Startup – 6005 (The Event log service was started)

In fact, it isn’t difficult to code your own log that will be placed in the same view. 6008 Launching the Event Viewer. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." Without keeping track of logs, you can miss important issues in your IT environment, and you won’t be able to troubleshoot problems as quickly. To launch the Event Viewer, just hit Start, type “Event Viewer” into the search box, and then click the result. The log entries are also sent to the Windows application event log. SQL Server operations like backup and restore, query timeouts, or slow I/Os are therefore easy to find in the Windows application event log, while security-related messages like failed login attempts are captured in the Windows security event log. How to check event logs in Windows Server 2012?
Looking at the server event log is a critical part of taking care of your Windows servers and your network as a whole. Start the Windows Event Log service now and it will run fine without any issues. Summary: Indicates the proper system shutdown. The Windows Event Logs. Event Log Forwarder: Forward Windows events to your syslog server to take further action. In our case, we want to filter on Event Source: USER32. Right-click on the Admin log and click Save All Events As.

