The Windows Event Viewer is unknown to many, but for those of us who know it, it can be very helpful in identifying problems on Windows servers.
Event Viewer lets us track activity on our server, from simple informational notifications to significant errors. What happens on the server is recorded in the event logs, which we can later review in Event Viewer to see whether there were any issues.
This way, we can determine if the server was restarted, if it was shut down from the server itself and by which user, or even review access attempts with a specific user account.
Starting Event Viewer
We will connect to our server via RDP and, once logged in, click Start and type Event Viewer in the search field.
Alternatively, press Windows Key + R, type eventvwr in the Run dialog that appears, and click OK.
Either action opens the Event Viewer.
Types of Logs in Windows
Once you've opened it, you'll see a side menu with four folders. The folder we are most interested in is Windows Logs. If we expand it, we'll see five more categories:
- Application: Includes events generated by applications or programs running on the Windows server.
- Security: These events are related to security tasks, such as logon attempts, and creating, editing, or deleting files, among others.
- Setup: This log records all events related to the installation of applications or software on the Windows server.
- System: Here we will find events associated with the components of the Windows server.
- Forwarded Events: This group contains events collected from remote computers.
Additionally, every event in each Windows log carries a level, which can be identified as follows:
- Error: Refers to a problem within the server, either at the software or hardware level.
- Warning: A sign that something is not working as it should, although it is not a critical system issue. It indicates that something needs to be fixed.
- Information: This message indicates that an application is functioning as expected.
Reviewing a Specific Case
Let's use an example to review the Windows logs. In this case, we will check for failed login attempts with a user other than "administrator." To do this, we need to check the Security log.
If we go to Windows Logs > Security we can search through the available events. You will notice that many of them have an Event ID of 4625, which means a logon attempt failed, for example because the user name does not exist or the password was incorrect.
If we select one of these events, the following text appears in the details pane:
An account failed to log on.
Security ID: NULL SID
Account Name: cloudingtutos
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
We attempted to access the server with the user cloudingtutos, which does not exist on the system, and this is the error we get.
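The same review can be done without clicking through Event Viewer. The following PowerShell script is an added example, not part of the original article: it pulls Event ID 4625 entries from the Security log, skips the "administrator" account as the article does, and decodes the Status and Sub Status fields, so the example above (Status 0xC000006D, Sub Status 0xC0000064) is reported as "user name does not exist" rather than as a raw code. The function name Get-FailedLogon, the parameter names and the 24-hour window are assumptions of this example; the NTSTATUS meanings in the lookup table are the documented values for event 4625.

```powershell
# Added example, not part of the original article: list Event ID 4625 (failed logon)
# entries from the Security log for every account except "administrator" and decode
# the Status / Sub Status codes the event carries. Run from an elevated PowerShell
# prompt: the Security log is readable by administrators only.

# NTSTATUS values Windows reports in 4625, keyed in lowercase as they appear in the event XML.
$FailureCodes = @{
    '0xc000006d' = 'Logon failure: unknown user name or bad password'
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'User name exists, password is wrong'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Logon outside permitted hours'
    '0xc0000070' = 'Logon from this workstation not allowed'
    '0xc0000071' = 'Password expired'
    '0xc0000193' = 'Account expired'
}

function Get-FailedLogon {
    param(
        [string]$ExcludeUser = 'administrator',   # account the article deliberately ignores (assumed default)
        [int]$Hours = 24                          # assumed look-back window
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent reports "No events were found" as an error; that is a normal result here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The named fields (TargetUserName, Status, SubStatus, IpAddress, ...) live in the
        # event's EventData XML; index them by their Name attribute.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $sub    = ([string]$data['SubStatus']).ToLower()
        $reason = if ($FailureCodes.ContainsKey($sub)) { $FailureCodes[$sub] } else { $data['FailureReason'] }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']        # 2 = interactive, 3 = network, 10 = RDP
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            Status      = $data['Status']
            SubStatus   = $data['SubStatus']
            Reason      = $reason
        }
    } | Where-Object { $_.Account -ne $ExcludeUser }
}

# Usage: the failures from the last day, then a per-account / per-source / per-reason
# count so that a burst of "User name does not exist" entries from one address stands out.
$failed = Get-FailedLogon -Hours 24
$failed | Format-Table Time, Account, SourceIp, LogonType, Reason -AutoSize
$failed | Group-Object Account, SourceIp, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The Sub Status is the field worth reading: 0xC0000064 (as in the cloudingtutos example) means the account does not exist at all, while 0xC000006A means the account exists and only the password was wrong, which is the difference between someone guessing names and someone who already knows a valid one.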
Important Event IDs to Know
Below are some important event IDs and their meanings:
| EVENT ID | MEANING |
| --- | --- |
| 4624 | An account was successfully logged on. |
| 4625 | An account failed to log on. |
| 552 | A logon attempt was made using explicit credentials. |
| 529 | Unknown user name or bad password. |
| 532 | The account has expired. |
| 4800 | The workstation was locked. |
| 4801 | The workstation was unlocked. |
| 513 | Windows is shutting down. |
| 4616 | The system time was changed. |
| 5024 | The Windows Firewall service has started successfully. |
| 5025 | The Windows Firewall service has been stopped. |
| 602 | A task has been created. |
Note that the three-digit IDs (513, 529, 532, 552, 602) come from the older Windows Server 2003 event scheme; on current Windows versions the same events are logged under four-digit IDs (529 and 532 both appear as 4625 with different Sub Status codes, 552 as 4648, 602 as 4698).
Checking Who Restarted the Server
To see who or what restarted your server, we can check the Windows Logs > System log. Right-click on it and select Filter Current Log...
There, under Event sources, check the User32 option and, in the box to include Event IDs, add 1074:
Click OK, and it will filter for system restarts. Click on the first event—or the event corresponding to the time you need to check—and you can see that the server was restarted by the Administrator user:
If no user-initiated restarts appear, check for a system problem by filtering the System log for Event ID 6008 instead.
The 6008 events have an Error level and are written at the next boot; each one records that the previous shutdown or restart was unexpected, that is, not requested through Windows.
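The two Filter Current Log steps above (User32 / 1074 for requested restarts, 6008 for unexpected ones) can be run as one PowerShell query. The script below is an added example, not the article's own: the function name Get-RestartHistory and the 30-day window are assumptions, and the positions used to read the user, process and reason out of the 1074 event follow the message template "The process %1 (%2) has initiated the %5 of computer %2 on behalf of user %7 ...", so field 6 is the user and field 4 the shutdown type.

```powershell
# Added example, not part of the original article: who or what restarted the server.
# 1074 (provider User32) records a requested shutdown/restart and the user behind it;
# 6008 (provider EventLog) records, at the next boot, that the previous shutdown was unexpected.

function Get-RestartHistory {
    param([int]$Days = 30)   # assumed look-back window

    $since = (Get-Date).AddDays(-$Days)

    # Requested shutdowns/restarts: System log, source User32, Event ID 1074.
    $requested = Get-WinEvent -FilterHashtable @{
                     LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $since
                 } -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties   # positional fields of the 1074 message template
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Kind    = $p[4].Value                                        # 'restart', 'power off', ...
            User    = if ($p.Count -gt 6) { $p[6].Value } else { $_.UserId }   # "on behalf of user ..."
            Process = $p[0].Value                                        # winlogon.exe, shutdown.exe, wininit.exe, ...
            Reason  = $p[2].Value
            Comment = $p[5].Value
        }
    }

    # Unexpected shutdowns: System log, source EventLog, Event ID 6008.
    $unexpected = Get-WinEvent -FilterHashtable @{
                      LogName = 'System'; ProviderName = 'EventLog'; Id = 6008; StartTime = $since
                  } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Kind    = 'unexpected shutdown'
            User    = ''
            Process = ''
            Reason  = $_.Message    # "The previous system shutdown at ... was unexpected."
            Comment = ''
        }
    }

    @($requested) + @($unexpected) | Sort-Object Time -Descending
}

# Usage: one timeline of both kinds of event, newest first.
Get-RestartHistory -Days 30 | Format-Table Time, Kind, User, Process, Reason -AutoSize
```

Reading the Process column together with User tells the two cases apart: a restart on behalf of a named user from winlogon.exe or shutdown.exe was typed by someone, whereas a restart from wininit.exe or another system process with no meaningful user is Windows itself (updates, a service) doing it.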