Windows Event Viewer logs various system activities, and understanding critical Event IDs helps in troubleshooting, security monitoring, and performance optimization. Here are the key Event IDs every Windows Server administrator should know:
1. System and Performance Monitoring
6005 – Event Log service started (useful for tracking server reboots).
6006 – Event Log service stopped (indicates shutdown).
6008 – Unexpected shutdown (crash or power failure).
1074 – Indicates a clean shutdown or restart (initiated by a user or system).
41 – Kernel-Power (indicates an improper shutdown, such as power loss).
2. Security & Login Events (Requires Audit Logging Enabled)
4624 – Successful login (who logged in and from where).
4625 – Failed login attempt (can indicate brute-force attacks).
4648 – Logon using explicit credentials (e.g., runas command).
4776 – NTLM authentication attempt (failed or successful).
4672 – Special privileges assigned to a user (admin login or privilege escalation).
4720 – A user account was created.
4722 – A user account was enabled.
4725 – A user account was disabled.
4728 – A member was added to a security group.
4732 – A member was added to a domain local group.
4740 – User account locked out (important for security monitoring).
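As an added example (not part of the original list), the following PowerShell turns 4625 and 4740 from the Security log into a quick password-guessing summary: failed logons grouped by source address and target account over the last 24 hours, followed by any lockouts in the same window. The 24-hour window and the 10-failure threshold are assumed values to tune per environment.

```powershell
# Added example: summarise failed logons (4625) by source, then list lockouts (4740).
# Run in an elevated PowerShell on the server; requires audit logon events enabled.
$since     = (Get-Date).AddHours(-24)   # assumed window
$threshold = 10                          # assumed: flag sources with 10+ failures

# Pull one EventData field out of an event's XML (field names match the event schema)
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = Get-EventField $_ 'TargetUserName'
            Source    = Get-EventField $_ 'IpAddress'
            LogonType = Get-EventField $_ 'LogonType'   # 3 = network, 10 = RDP
            Status    = Get-EventField $_ 'Status'      # 0xC000006D = bad user name or password
        }
    }

# Sources with many failures, and the accounts they tried: brute-force / spraying candidates
$failed | Group-Object Source | Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Lockouts (4740) in the same window; TargetDomainName carries the caller computer name
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = Get-EventField $_ 'TargetUserName'
            CallerHost = Get-EventField $_ 'TargetDomainName'
        }
    } | Format-Table -AutoSize
```

A source that appears in the first table and a matching CallerHost in the second is the pairing worth investigating first; -ErrorAction SilentlyContinue keeps Get-WinEvent quiet when no events match.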
3. Active Directory & Group Policy Events
5136 – A directory service object was modified (changes in Active Directory).
5137 – A directory service object was created.
5138 – A directory service object was undeleted.
5139 – A directory service object was moved.
5141 – A directory service object was deleted.
4670 – Permissions on an object were changed (GPO or file system).
4702 – A scheduled task was updated.
4. Network & Firewall Events
5156 – Allowed network connection (indicates successful inbound/outbound connections).
5157 – Blocked network connection (could indicate a firewall policy issue).
5031 – Windows Firewall blocked an application.
5. Disk & Storage Events
50 – NTFS delayed write failure (could indicate disk issues).
51 – Disk error detected (potential hardware failure).
55 – File system corruption detected.
57 – NTFS warning (I/O errors detected).
140 – Storage stack detected a failure.
6. Application & Service Errors
1000 – Application crash (includes application name and faulting module).
7031 – A critical Windows service terminated unexpectedly (could cause downtime).
7036 – A Windows service changed state (started or stopped).
10016 – DCOM permission issues (common with remote service access).
7. RDP & Remote Access Logs
1149 – Successful Remote Desktop login.
1028 – RDP session reconnected.
1029 – RDP session disconnected.
4625 – Failed RDP login attempt (important for tracking unauthorized access).
Implement SIEM tools (e.g., Splunk, Microsoft Sentinel) for centralized logging.
Monitoring these Event IDs helps prevent security breaches, detect system failures early, and ensure smooth server operations.