The event log contains the following standard logs as well as custom logs:
|Application||Contains events logged by applications. For example, a database application might record a file error. The application developer decides which events to record.|
|Security||Contains events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening, or deleting files or other objects. An administrator can start auditing to record events in the security log.|
|System||Contains events logged by system components, such as the failure of a driver or other system component to load during startup.|
|CustomLog||Contains events logged by applications that create a custom log. Using a custom log enables an application to control the size of the log or attach ACLs for security purposes without affecting other applications.|
The event logging service uses the information stored in the Eventlog registry key. The Eventlog key contains several subkeys, called logs. Each log contains information that the event logging service uses to locate resources when an application writes to and reads from the event log.
The structure of the Eventlog key is as follows:
HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services Eventlog Application Security System CustomLog
Note that domain controllers record events in the Directory service and File Replication service logs and DNS servers record events in the DNS server.
Each log can contain the following registry values.
|CustomSD||Restricts access to the event log. This value is of type REG_SZ. The format used is Security Descriptor Definition Language (SDDL). Construct an ACL that grants one or more of the following rights:|
To be a syntactically valid SDDL, the CustomSD value must specify an owner and a group owner (for example, O:BAG:SY), but the owner and group owner are not used. If CustomSD is set to a wrong value, an event is fired in the System event log when the event log service starts, and the event log gets a default security descriptor which is identical to the original CustomSD value for the Application log. SACLs are not supported.
For more information, see Event Logging Security.
|DisplayNameFile||This value is not used. |
|DisplayNameID||This value is not used. |
|File||Fully qualified path to the file where each event log is stored. This enables Event Viewer and other applications to find the log files. This value is of type REG_SZ or REG_EXPAND_SZ. This value is optional. If the value is not specified, it defaults to %SystemRoot%\system32\winevt\logs\ followed by a file name that is based on the event log registry key name.|
The specific event log file path should be set using the command line utility wevtutil.exe or by using the EvtSetChannelConfigProperty function with EvtChannelLoggingConfigLogFilePath passed into the PropertyId parameter.
If a specific file is set, make sure that the event log service has full permissions on the file.
This value needs to be a valid file name for a file that is located on a local directory (not a remote computer, not a DOS device, not a floppy, and not a pipe). If the file setting is wrong, an event is fired in the System event log when the event log service starts.
Do not use environment variables, in the path to the file, that cannot be expanded in the context of the event log service.
|MaxSize||Maximum size, in bytes, of the log file. This value is of type REG_DWORD. The value must be set to a multiple of 64K for a System, Application, or Security log. The default value is 1MB.|
|PrimaryModule||This value is not used.|
|Retention|| This value is of type REG_DWORD. The default value is 0. If this value is 0, the records of events are always overwritten. If this value is 0xFFFFFFFF or any nonzero value, records are never overwritten. When the log file reaches its maximum size, you must clear the log manually; otherwise, new events are discarded. You must also clear the log before you can change its size.|
|Sources||This value is not used. |
|AutoBackupLogFiles||This value is of type REG_DWORD, and is used by the event log service to determine whether an event log should be automatically saved. The default value is 0, which disables auto-backup. The service will back up the log file only if the retention value is -1 (0xFFFFFFFF). Other values will be ignored.|
|RestrictGuestAccess||This value is not used. |
Defines the default access permissions for the log. This value is of type REG_SZ. You can specify one of the following values:
L"O:BAG:SYD:" L"(A;;0xf0007;;;SY)" // local system (read, write, clear) L"(A;;0x7;;;BA)" // built-in admins (read, write, clear) L"(A;;0x7;;;SO)" // server operators (read, write, clear) L"(A;;0x3;;;IU)" // INTERACTIVE LOGON (read, write) L"(A;;0x3;;;SU)" // SERVICES LOGON (read, write) L"(A;;0x3;;;S-1-5-3)" // BATCH LOGON (read, write) L"(A;;0x3;;;S-1-5-33)" // write restricted service (read, write) L"(A;;0x1;;;S-1-5-32-573)"; // event log readers (read)
The default permissions for System are (shown using SDDL):
L"O:BAG:SYD:" L"(A;;0xf0007;;;SY)" // local system (read, write, clear) L"(A;;0x7;;;BA)" // built-in admins (read, write, clear) L"(A;;0x3;;;BO)" // backup operators (read, write) L"(A;;0x5;;;SO)" // server operators (read, clear) L"(A;;0x1;;;IU)" // INTERACTIVE LOGON (read) L"(A;;0x3;;;SU)" // SERVICES LOGON (read, write) L"(A;;0x1;;;S-1-5-3)" // BATCH LOGON (read) L"(A;;0x2;;;S-1-5-33)" // write restricted service (write) L"(A;;0x1;;;S-1-5-32-573)"; // event log readers (read)
The default permissions for Custom isolation is the same as Application.
Each log also contains event sources. For more information, see Event Sources.
Build date: 11/21/2012