Message

The event logging service encountered an error %1 while obtaining or processing configuration for channel %2.

Fields

Message

The event logging service encountered a configuration-related error (res=%1) for channel %2. The error was encountered while processing the %3 configuration property.

Fields

Message

The event logging service encountered an error while initializing publishing resources for channel %2. If channel type is Analytic or Debug, then this could mean there was an error initializing logging resources as well.

Fields

Message

The event logging service encountered an error (res=%1) while initializing logging resources for channel %2.

Fields

Message

The event logging service encountered a corrupt log file for channel %1. The log was renamed with a .corrupt extension.

Fields

Message

The event logging service encountered a log file for channel %1 which is an unsupported version. The log was renamed with a .UnsupportedVer extension.

Fields

Message

The event logging service encountered an error (res=%1) while opening log file for channel %2. Trying again using default log file path %3.

Fields

Message

The event logging service encountered an error (res=%1) while parsing filter for channel %2. Will continue without filter.

Fields

Message

The event logging service encountered a fatal error (res=%1) when applying settings to the %2 channel. The service is shutting down since this channel is vital to its operation.

Fields

Message

The event logging service encountered an error (%1) while enabling publisher %3 to channel %2. This does not affect channel operation, but does affect the ability of the publisher to raise events to the channel. One common reason for this error is that the Provider is using ETW Provider Security and has not granted enable permissions to the Event Log service identity.

Fields

Message

The event logging service encountered an error (res=%1) while opening configuration for primary channel %2. Trying again using default configuration. This problem usually occurs if registry has been corrupted or explicitly misconfigured.

Fields

Message

The event logging service encountered an error when attempting to apply one or more policy settings.

Fields

Message

The event logging service encountered an error while processing an incoming event published from %3.

Fields

Message

The event logging service encountered an error while processing an incoming event from publisher %3 and trying to process the metadata for it.

Fields

Message

Events have been dropped by the transport.  The session name is %2 and the reason code is %1.

Fields

Message

The %3 log file was cleared.

Fields

Example Event

system:
  provider: Microsoft-Windows-Eventlog
  guid: '{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'
  event_source_name: ''
  event_id: 104
  version: 1
  level: 4
  task: 104
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-10-25T22:53:10.300656+00:00'
  event_record_id: 1453
  correlation: {}
  execution:
    process_id: 1796
    thread_id: 2028
  channel: System
  computer: WinDevEval
  security:
    user_id: S-1-5-21-2533829718-189860685-2477588761-500
user_data:
  LogFileCleared:
    SubjectUserName: Administrator
    SubjectDomainName: WINDEVEVAL
    Channel: Application
    BackupPath: null
    ClientProcessId: 4544
    ClientProcessStartKey: 2533274790396090
message: ''

Community Notes

Sigma Rules

• Eventlog Cleared
  One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
• Important Windows Eventlog Cleared
  Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Event log automatic backup
	Log:	%1
	File:	%2

Fields

Example Event

system:
  provider: Microsoft-Windows-Eventlog
  guid: '{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'
  event_source_name: ''
  event_id: 105
  version: 0
  level: 4
  task: 105
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2012-03-26T05:50:08.470644Z'
  event_record_id: 13049
  correlation: {}
  execution:
    process_id: 772
    thread_id: 4256
  channel: System
  computer: WKS-WIN764BITB.shieldbase.local
  security:
    user_id: ''
user_data:
  AutoBackup:
    xmlns:auto-ns3: http://schemas.microsoft.com/win/2004/08/events
    Channel: Application
    BackupPath: C:\Windows\System32\Winevt\Logs\Archive-Application-2012-03-26-05-50-01-755.evtx

Message

Corruption was detected in the log for the %1 channel and some data was erased.

Fields

Message

The event logging service encountered an error %1 while going through publisher configuration. The publisher %2 is already installed with GUID %3.

Fields

Message

The previous system shutdown was unexpected.

Fields

Message

The event logging service encountered an error while processing an incoming event from publisher %3 and trying to process the metadata for it.

Fields

Message

Loading metadata for publisher %2 (%1) and trying to process the metadata for it.

Fields

Message

Finished loading metadata for publisher %2 (%1), with %3 event metadatas processed.

Fields

Message

Failed to load metadata for publisher %2 (%1). The reason code is %3.

Fields

Message

Channel %1 (%2) was enabled (%3) programmatically.

Fields

Message

A push subscription was created for %1.

Fields

Message

A pull subscription was created for %1.

Fields

Message

OpenEventLog legacy API was used to open %2.

Fields

Message

RegisterEventSource legacy API was used to register %2.

Fields

Message

ReportEvent legacy API was used to write an event to %2.

Fields

Message

The event logging service has shut down.

Fields

Example Event

system:
  provider: Microsoft-Windows-Eventlog
  guid: '{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'
  event_source_name: ''
  event_id: 1100
  version: 0
  level: 4
  task: 103
  opcode: 0
  keywords: 4620693217682128896
  time_created: '2023-11-05T22:31:36.994928+00:00'
  event_record_id: 3371
  correlation: {}
  execution:
    process_id: 1816
    thread_id: 1352
  channel: Security
  computer: WinDev2310Eval
  security:
    user_id: ''
user_data:
  ServiceShutdown: {}
message: ''

References

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100
• Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Audit events have been dropped by the transport.  %1

Fields

References

• Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1101

Message

The audit log was cleared.
Subject:
	Security ID:	%1
	Account Name:	%2
	Domain Name:	%3
	Logon ID:	%4

Fields

Example Event

system:
  provider: Microsoft-Windows-Eventlog
  guid: '{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'
  event_source_name: ''
  event_id: 1102
  version: 1
  level: 4
  task: 104
  opcode: 0
  keywords: 4620693217682128896
  time_created: '2023-10-25T22:53:10.300656+00:00'
  event_record_id: 2625
  correlation: {}
  execution:
    process_id: 1796
    thread_id: 2028
  channel: Security
  computer: WinDevEval
  security:
    user_id: ''
user_data:
  LogFileCleared:
    SubjectUserSid: S-1-5-21-2533829718-189860685-2477588761-500
    SubjectUserName: Administrator
    SubjectDomainName: WINDEVEVAL
    SubjectLogonId: '0x42eea'
    ClientProcessId: 4544
    ClientProcessStartKey: 2533274790396090
message: ''

References

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102
• Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The security log is now %1 percent full.

Fields

Message

The security log is now full.

References

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1104
• Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1104

Message

Event log automatic backup
	Log:	%1
	File:	%2

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1105
• Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1105

Message

Events have been dropped by the event logging service. The reason code is %1.

Fields

Message

The event logging service encountered an error while processing an incoming event from publisher %3 and trying to process the metadata for it.

Fields

Example Event

system:
  provider: Microsoft-Windows-Eventlog
  guid: '{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'
  event_source_name: ''
  event_id: 1107
  version: 0
  level: 2
  task: 101
  opcode: 0
  keywords: 4620693217682128896
  time_created: '2016-08-18T16:53:04.313375Z'
  event_record_id: 5538
  correlation: {}
  execution:
    process_id: 716
    thread_id: 1128
  channel: Security
  computer: IE10Win7
  security:
    user_id: ''
user_data:
  EventPublisherMetaDataFailure:
    '#attributes':
      xmlns:auto-ns3: http://schemas.microsoft.com/win/2004/08/events
      xmlns: http://manifests.microsoft.com/win/2004/08/windows/eventlog
    Error:
      '#attributes':
        Code: 15002
    EventID: 0
    PublisherName: null
    PublisherGuid: 54849625-5478-4994-A5BA-3E3B0328C30D
    ProcessID: 0

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The event logging service encountered an error while processing an incoming event published from %3.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1108
• Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1108

Message

The %1 log file is full.

Fields