Can’t enable Event Log

audit windows-event-log windows-server-2012-r2

Hi, I have a Windows 2012 Server and would like to do some event logging.

But when I go to the event logger I am unable to Enable Logging for the desired events. (I'm logged in as the Administrator account)

Everything is greyed out, and the Log path is not available (which is the only thing I can change, but it doesn't save when I press "ok").

I tried right click on the Event Log and choose "Enable Log" but it doesn't work. I tried enabling Auditing in the GPO but that didn't work either.


I have been looking at the GPO and Registry but can't find anything related. How can I enable logging on the server?

Another odd thing is that there are a lot of other applications showing under "Applications and Services logs" which usually isn't the case. Normally there is only the "Microsoft" subfolder.


Best Answer

Sorry for not having a sure answer, but I could not reproduce this on 2008 and 2012r2 - all the logs under Microsoft have editable options. I also don't have such log folders on any of the PCs I checked. Makes one wonder what the heck created all of those. The lower-case 'microsoft' under the standard 'Microsoft' is a red flag for me.

For what it's worth, all the Microsoft events are under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels. There is an Enable option for each of them, so you could resort to modifying that directly to enable the log. The fact that your option is greyed out makes me think that it's either a registry permission issue, or a ChannelAccess permission issue (each log has a Windows permission string defined, which is news to me since the Event Log does not expose any permissions UI). I would also try running eventvwr.exe as SYSTEM using PsExec.

The log path for that particular log you screenshotted should be %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx. I would also check if the permissions - and the actual files - in that folder are intact. No idea what causes it to say "Not Available". This path is not stored in the registry, or at least, not in an obvious way, which makes it even more strange.
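
The checks suggested in the answer above, collected into one read-only PowerShell script. This is an added example, not part of the original answer; it assumes the standard value names under the channel key (Enabled, ChannelAccess, OwningPublisher) and an elevated prompt.

```powershell
# Added example: read-only diagnostics for one event log channel.
$channel  = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$channels = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'

# The channel name contains '/', which the PowerShell registry provider treats
# as a path separator, so open the key through the .NET registry API instead.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($channels)
$key  = $root.OpenSubKey($channel)
if ($null -eq $key) {
    Write-Warning "No registry key for channel '$channel'"
} else {
    [pscustomobject]@{
        Enabled         = $key.GetValue('Enabled')
        ChannelAccess   = $key.GetValue('ChannelAccess')   # SDDL permission string
        OwningPublisher = $key.GetValue('OwningPublisher')
    } | Format-List
    # ACL on the key itself: shows whether Administrators can change 'Enabled'
    $key.GetAccessControl().Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType |
        Format-Table -AutoSize
}

# What the Event Log service itself reports for the channel
Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue |
    Format-List LogName, IsEnabled, LogFilePath, SecurityDescriptor

# On disk, '/' in the channel name is stored as '%4'
$name = $channel -replace '/', '%4'
$file = Join-Path $env:SystemRoot "System32\Winevt\Logs\$name.evtx"
if (Test-Path -LiteralPath $file) {
    (Get-Acl -LiteralPath $file).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
} else {
    Write-Warning "Log file not found: $file"
}

# Channels registered without the exact-case 'Microsoft-' prefix, with the
# publisher GUID that owns each one (helps trace what created the extra folders)
$root.GetSubKeyNames() | Where-Object { $_ -cnotmatch '^Microsoft-' } | ForEach-Object {
    [pscustomobject]@{
        Channel         = $_
        OwningPublisher = $root.OpenSubKey($_).GetValue('OwningPublisher')
    }
} | Format-Table -AutoSize

# Once the cause is found, the channel can be enabled without editing the registry:
# wevtutil sl $channel /e:true
```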