1

The OS is Windows Server 21H2.

I have enabled folder and file access auditing, and in the Windows Event Viewer I filter by event 5663. I can see the events.

However, for example, if I have an event at 11:00 and I refresh the Event Viewer with F5, I can't see this event anymore. In fact, if I refresh the events, the events that are shown are different many times.

I have configured in the security properties of the Event Viewer that the file size is 20MB. I guess it is big enough to store at least the last hour of logs, but really I lose many events, or at least I don't know how to see them.

So, how could I see all the events, from today and from past days?

3
  • I have realized that in the folder C:\Windows\System32\winevt\Logs I have about 22 files of 20MB with archived logs. So it means that the Event Viewer only shows the last log file. But it means that each hour is about 20MB. Commented Oct 18, 2023 at 10:06
  • That's actually good news. I have updated my answer with some added info that will likely help you. Commented Oct 18, 2023 at 10:19
  • If you still want to avoid third-party software, increase the file size limit to 20x the current size. This will let you see all events in the same amount of space that 22 20MB files hold. You don’t mention your archive data retention policies.
    – Ramhound
    Commented Oct 18, 2023 at 11:39

1 Answer

2

You can use FullEventLogView by Nir Sofer.

It is free (gratis) software and is available here:

https://www.nirsoft.net/utils/full_event_log_view.html

FullEventLogView will allow you to see all the events from today and also from past days. You can customize the software's columns to display exactly the details you want.

The only exception is if you delete the system's event logs. If you do that, you will, of course, only be able to see events since the date and time you performed the deletion.

To view events that are only available with admin privileges, run FullEventLogView as admin. Otherwise, you can run it without elevation and it will work as expected.


Update:

You mentioned that you are concerned about running a third-party application on the server. That's very smart. Fortunately, you don't need to run FullEventLogView on the server.

You can run FullEventLogView on a networked machine, and remotely access the server's event logs. To do this, go to the File menu and select Choose data source. Then select the option to load events from a remote computer.

For even more safety, you can simply copy the server's event log files to a non-networked machine and run FullEventLogView on that non-networked machine. Again, go to the File menu and select Choose data source. But this time, specify the copy of the event log file.

6
  • Thanks for the suggestion. If I don't find another solution, I will try it, but for the moment I would prefer not to run third-party applications on the server. Commented Oct 18, 2023 at 9:58
  • @ÁlvaroGarcía You're welcome. I hear you as far as running third-party applications. That's very smart. Nir's applications are currently closed source, which isn't ideal, but he's been a trusted developer with an unblemished record for over 15 years. Commented Oct 18, 2023 at 10:08
  • @ÁlvaroGarcía Because I do not have the source code to review, I cannot guarantee the application is safe, but I can say in addition to Nir's excellent reputation, I have personally used that application (on non-servers) while closely monitoring its behaviours. I have never detected anything out of the ordinary. Obviously, that only means so much (especially because you don't know me), but I thought I would mention my experiences if they help you. Commented Oct 18, 2023 at 10:08
  • @ÁlvaroGarcía, it is reasonable to be wary of installing anything on a server. That said, 1. Check all software at virustotal.com/gui to have it evaluated by many anti-malware applications. 2. Having used Nirsoft utilities for a number of years, I've had no issues. 3. You do not have to install Full Event Viewer on the machine -- it can access logs over the network. Commented Oct 18, 2023 at 17:16
  • 1
    So I can do it remotely, it is a good alternative. Thanks. Commented Oct 19, 2023 at 10:17
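
For readers who, like the asker, prefer to avoid third-party software: the following is an added example, not part of the original answer or comments. It uses the built-in `Get-WinEvent` cmdlet to search the live Security log file together with the archived files mentioned in the comments, either in place or from a copy on another machine. The function name, the `D:\ServerLogs` path and the `Archive-Security-*.evtx` naming pattern are assumptions.

```powershell
# Added example: search the live Security log file and its archives in one pass.
# Assumptions (not from the page): archives are named Archive-Security-*.evtx;
# Get-SavedSecurityEvent and its parameters are hypothetical names.
function Get-SavedSecurityEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int] $EventId,
        [string]   $LogFolder = 'C:\Windows\System32\winevt\Logs',
        [datetime] $StartTime = (Get-Date).Date.AddDays(-7),
        [datetime] $EndTime   = (Get-Date)
    )

    # Security.evtx is the file Event Viewer shows; each archive is an older,
    # rolled-over copy created when the log reached its size limit.
    $files = Get-ChildItem -Path $LogFolder -Filter '*Security*.evtx' -File |
        Where-Object { $_.Name -eq 'Security.evtx' -or $_.Name -like 'Archive-Security-*' } |
        Sort-Object LastWriteTime

    foreach ($file in $files) {
        $filter = @{
            Path      = $file.FullName
            Id        = $EventId
            StartTime = $StartTime
            EndTime   = $EndTime
        }
        try {
            Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
                Select-Object TimeCreated, Id, MachineName,
                    @{ Name = 'SourceFile'; Expression = { $file.Name } }, Message
        }
        catch {
            # A file with no matching events is normal; anything else (access
            # denied, corrupt file) is reported instead of silently skipped.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "Could not read $($file.Name): $($_.Exception.Message)"
            }
        }
    }
}

# Usage: logs copied to D:\ServerLogs (constructed path), event ID as quoted in the question.
Get-SavedSecurityEvent -EventId 5663 -LogFolder 'D:\ServerLogs' |
    Sort-Object TimeCreated |
    Export-Csv -Path .\file-access-events.csv -NoTypeInformation
```

Reading the log folder directly on the server requires an elevated PowerShell session.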
