How to Configure Event Viewer and Windows Event Logs on Windows Server 2025

Event logs are the operational heartbeat of a Windows Server 2025 system. Every logon, service failure, hardware error, application crash, security audit, and configuration change is written as a structured event (stored in binary .evtx channels and rendered as XML on demand) by the Windows Event Log service. Knowing how to navigate Event Viewer, query logs efficiently with PowerShell, forward events to a central collector, and enable the right audit policies is the difference between flying blind and having actionable visibility into a server's behavior. This tutorial covers the full stack of Windows event log management: from the GUI-based Event Viewer snap-in to the Get-WinEvent cmdlet with XPath and FilterHashtable queries, through to event subscriptions and audit policy configuration.

Prerequisites

  • Windows Server 2025 (any edition)
  • Administrator or Event Log Readers group membership
  • Windows PowerShell 5.1 (built in) or PowerShell 7.x (installed separately; both run on Windows Server 2025)
  • For event forwarding: WinRM enabled on source servers and a designated Windows Event Collector server
  • For audit policy: Group Policy management access if deploying domain-wide

Step 1: Navigate Event Viewer

Open Event Viewer by running eventvwr.msc from a Run dialog or PowerShell prompt. The left-hand tree is organized as follows:

  • Windows Logs — The classic logs: Application, Security, Setup, System, Forwarded Events
  • Applications and Services Logs — Per-component logs from Windows features and third-party software (e.g., Microsoft > Windows > DHCP-Server, DNS-Server, TaskScheduler)
  • Subscriptions — Configured event forwarding subscriptions

The key logs to know are:

  • System — OS and driver events: service starts/stops, kernel errors, driver failures, hardware issues
  • Security — Audit events: logon/logoff (4624/4625/4634), privilege use, account management, policy changes
  • Application — Application-layer events from any software writing to the Application log
  • Microsoft-Windows-Sysmon/Operational — If Sysmon is installed, this contains rich process/network telemetry

Step 2: Create Custom Views in Event Viewer

Custom Views allow you to save filtered queries and revisit them quickly. In the Event Viewer GUI, right-click Custom Views and select Create Custom View. Define:

  • Logged: Time range (last hour, last 24 hours, custom range)
  • Event level: Critical, Error, Warning, Information, Verbose
  • By log: Select specific logs
  • Includes/Excludes: Filter by Event ID or provider name

A useful pre-built custom view is Administrative Events under Custom Views — it aggregates Critical, Error, and Warning events from all logs.

Step 3: Query Events with wevtutil

The wevtutil command-line tool is available on both Desktop Experience and Server Core. It is useful in batch scripts and for channel administration that Get-WinEvent does not cover, such as exporting, clearing and reconfiguring logs (the # comments below are PowerShell syntax; drop them in a .cmd script):

# List all available event logs
wevtutil el

# Get the configuration of a specific log: max size, retention mode, enabled state, file path
# (file size, record count and oldest record number come from "wevtutil gli System")
wevtutil gl System

# Query the last 20 events from the System log, newest first
wevtutil qe System /c:20 /rd:true /f:text

# Export a log to an .evtx file for archival or analysis elsewhere
wevtutil epl Security C:\Logs\Security-Export.evtx

# Query an exported .evtx file directly (no import step; /lf:true tells wevtutil the path is a file, not a channel name)
wevtutil qe C:\Logs\Security-Export.evtx /lf:true /f:text

# Clear a log (requires admin; use with caution; add /bu:<file> to back it up first).
# Clearing the Security log itself writes event 1102 "The audit log was cleared", which a SIEM should alert on.
wevtutil cl Application

Step 4: Use Get-WinEvent (Modern PowerShell Approach)

The classic Get-EventLog cmdlet only reads the legacy Windows Logs (Application, System, Security and so on), is not available in PowerShell 7 (it ships only with Windows PowerShell 5.1), and should be avoided on new systems. Use Get-WinEvent, which is faster, passes filters to the Event Log service instead of filtering after retrieval, and works with every log type, including Applications and Services Logs as well as exported .evtx and .etl files.

# Get the last 50 events from the System log
Get-WinEvent -LogName System -MaxEvents 50

# List all available logs and their record count
Get-WinEvent -ListLog * | Where-Object {$_.RecordCount -gt 0} |
  Select-Object LogName, RecordCount, IsEnabled |
  Sort-Object RecordCount -Descending |
  Select-Object -First 20

# Get events from a specific provider
Get-WinEvent -ProviderName "Microsoft-Windows-Security-Auditing" -MaxEvents 100

Step 5: Filter Events with FilterHashtable

FilterHashtable is the most efficient way to query events: Get-WinEvent translates the hashtable into an XPath query that the Event Log service evaluates before any records are returned, rather than pulling every record and filtering it afterwards. Always prefer it over piping to Where-Object. The hashtable must name at least one of LogName, ProviderName or Path, and when nothing matches, Get-WinEvent raises a terminating error ("No events were found that match the specified selection criteria"), so scripts that expect an empty result should pass -ErrorAction SilentlyContinue:

# Find all failed logon attempts (Event ID 4625) in the last 24 hours
Get-WinEvent -FilterHashtable @{
  LogName   = 'Security'
  Id        = 4625
  StartTime = (Get-Date).AddHours(-24)
} | Select-Object TimeCreated, Message

# Find all service failures in the System log
Get-WinEvent -FilterHashtable @{
  LogName = 'System'
  Id      = 7034, 7031, 7023  # 7034/7031: service terminated unexpectedly (7031 with a recovery action scheduled); 7023: service terminated with an error
} | Format-Table TimeCreated, Id, Message -AutoSize

# Get all Critical events from the System and Application logs in the last 1 hour
# (a LogName, ProviderName or Path key is mandatory; LogName accepts a list of logs)
Get-WinEvent -FilterHashtable @{
  LogName   = 'System', 'Application'
  Level     = 1          # 1=Critical, 2=Error, 3=Warning, 4=Information, 5=Verbose
  StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue | Format-Table TimeCreated, LogName, Id, Message -AutoSize

Step 6: Query Events with XPath Filters

XPath queries provide the finest granularity and are what Event Viewer generates internally (Filter Current Log > XML tab shows the generated query). They are especially useful for filtering on EventData fields, which FilterHashtable cannot express. Get-WinEvent only supports the subset of XPath 1.0 that the Event Log service implements: path expressions, comparison and boolean operators, position() and the timediff() function (milliseconds relative to now, evaluated against @SystemTime); string functions such as contains() and starts-with() are not available. The 4688 query below returns nothing unless Process Creation auditing (Step 7) is enabled:

# XPath query: All successful logons (4624) for a specific user
$xpath = @"
*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='jsmith']]
"@

Get-WinEvent -LogName Security -FilterXPath $xpath | Select-Object TimeCreated, Message

# XPath: Process creation events (4688) in last 1 hour
$xpath2 = "*[System[(EventID=4688) and TimeCreated[timediff(@SystemTime) <= 3600000]]]"
Get-WinEvent -LogName Security -FilterXPath $xpath2 | Select-Object TimeCreated, Message
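The queries in Steps 5 and 6 return events, but the interesting fields of a Security event (user, source IP, logon type, status code) live in EventData, not in the top-level properties. The following added example, which is not part of the original page, flattens event XML into objects and then looks for failed-logon bursts: many distinct users from one IP (password spray) versus one user hammered from one IP (brute force). The 4625 records it runs on are constructed inline so the script works offline; the threshold, host name and IP addresses are illustrative assumptions.

```powershell
# Added example (not from the original page): parse Security event XML into flat objects
# and flag sources with many 4625 failures. The sample events below are constructed.

function ConvertFrom-SecurityEventXml {
    # Turns the XML of one event ((Get-WinEvent ...).ToXml()) into a flat object:
    # a few System fields plus every <Data Name="..."> value from EventData as a property.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline, Mandatory)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # classic events carry a Qualifiers attribute
        $props = [ordered]@{
            EventId     = [int]$id
            TimeCreated = [datetime]::Parse($x.Event.System.TimeCreated.SystemTime,
                              [cultureinfo]::InvariantCulture,
                              [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            Computer    = $x.Event.System.Computer
        }
        foreach ($d in @($x.Event.EventData.Data)) {
            # GetAttribute avoids the clash between the Name attribute and XmlNode.Name
            if ($d -is [System.Xml.XmlElement]) { $props[$d.GetAttribute('Name')] = $d.'#text' }
        }
        [pscustomobject]$props
    }
}

function Find-LogonFailureBursts {
    # Groups 4625 events by source IP and reports every source at or above the threshold.
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline, Mandatory)]$Event,
        [int]$Threshold = 5                    # assumed cut-off; tune to the environment
    )
    begin   { $failed = [System.Collections.Generic.List[object]]::new() }
    process { if ($Event.EventId -eq 4625) { $failed.Add($Event) } }
    end {
        $failed | Group-Object IpAddress | Where-Object Count -ge $Threshold | ForEach-Object {
            $users   = @($_.Group.TargetUserName | Sort-Object -Unique)
            $times   = @($_.Group.TimeCreated | Sort-Object)
            $pattern = if ($users.Count -ge $Threshold) { 'password spray' } else { 'brute force' }
            [pscustomobject]@{
                SourceIp      = $_.Name
                Failures      = $_.Count
                DistinctUsers = $users.Count
                Pattern       = $pattern
                FirstSeenUtc  = $times[0]
                LastSeenUtc   = $times[-1]
            }
        }
    }
}

function New-SampleFailedLogonXml {
    # Constructed 4625 event XML for offline testing; the field layout mirrors a real record.
    param([string]$User, [string]$Ip, [int]$Minute)
    $time = [datetime]::new(2025, 1, 15, 8, 0, 0, [System.DateTimeKind]::Utc).AddMinutes($Minute).ToString('o')
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="$time"/>
    <Channel>Security</Channel>
    <Computer>SRV01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: one source sprays six accounts, another fails twice against one user.
$sample = @(
    1..6 | ForEach-Object { New-SampleFailedLogonXml -User "user$_" -Ip '10.0.0.25' -Minute $_ }
    1..2 | ForEach-Object { New-SampleFailedLogonXml -User 'jsmith' -Ip '10.0.0.9'  -Minute $_ }
)
$sample | ConvertFrom-SecurityEventXml | Find-LogonFailureBursts -Threshold 5 | Format-Table -AutoSize

# Against the live log (needs Logon failure auditing; -ErrorAction suppresses the
# terminating "No events were found" error when the window is empty):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml | Find-LogonFailureBursts
```

On the constructed sample only 10.0.0.25 crosses the threshold and is reported as a password spray; 10.0.0.9 stays below it. Grouping by IpAddress is deliberate: 4625 carries Status/SubStatus (0xC000006A is a wrong password, 0xC0000064 an unknown user), so a further split on SubStatus separates guessing against real accounts from enumeration of non-existent ones.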

Step 7: Enable Audit Policies for the Security Log

The Security log is only as useful as the audit policies you have enabled. Windows Server 2025 uses Advanced Audit Policy Configuration with subcategory granularity. Configure locally with auditpol from an elevated prompt. Note that when advanced audit policy is also applied through Group Policy, the domain settings overwrite local auditpol changes for the same subcategories at the next policy refresh, so production changes belong in the GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration):

# View current audit policy settings
auditpol /get /category:*

# Enable auditing of logon events (success and failure)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Enable process creation auditing (critical for security monitoring; generates 4688).
# By default 4688 omits the command line: also enable "Include command line in process
# creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation).
auditpol /set /subcategory:"Process Creation" /success:enable

# Enable account management auditing (4720 user created, 4724 password reset, 4726 user deleted, 4740 lockout)
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Enable object access for file/folder auditing. This only switches the subcategory on;
# 4663 events are generated solely for objects that carry an audit entry (SACL), set on the
# folder's Security > Advanced > Auditing tab or with Set-Acl.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Export audit policy for documentation/backup (restore with auditpol /restore /file:<file>)
auditpol /backup /file:C:\AuditPolicy\policy-backup.csv
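Setting the policy once is not enough; audit settings drift when a GPO changes or a build script is re-run. The following added example, which is not from the original page, parses the CSV form of auditpol output (auditpol /get /category:* /r) against a required baseline and separately checks whether 4688 will include the command line. The baseline and the sample CSV (host name SRV01) are constructed for illustration; the CSV column layout and the registry value are the real ones.

```powershell
# Added example (not from the original page): compare the live auditpol output against a
# required baseline and check the command-line-in-4688 policy. The sample CSV is constructed.

# Assumed baseline: subcategories the Security log needs for basic investigations.
$AuditBaseline = @{
    'Security State Change'   = 'Success'
    'Logon'                   = 'Success and Failure'
    'Logoff'                  = 'Success'
    'Process Creation'        = 'Success'
    'Audit Policy Change'     = 'Success and Failure'
    'User Account Management' = 'Success and Failure'
}

function Test-AuditBaseline {
    # $CsvText is the output of `auditpol /get /category:* /r`, whose columns are
    # Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    # Returns one row per baseline entry with the required and actual setting.
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    $rows = $CsvText -split "`r?`n" | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $row      = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual   = if ($row) { $row.'Inclusion Setting' } else { 'Not present' }
        $required = $Baseline[$name]
        # 'Success and Failure' also satisfies a baseline that asks for only one of the two.
        $ok = ($actual -eq $required) -or
              ($actual -eq 'Success and Failure' -and $required -in 'Success', 'Failure')
        [pscustomobject]@{ Subcategory = $name; Required = $required; Actual = $actual; Compliant = $ok }
    }
}

function Test-CommandLineAuditing {
    # 4688 carries the process command line only when this policy value is 1
    # (GPO "Include command line in process creation events").
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                          -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    [bool]($p -and $p.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

# Constructed sample of `auditpol /get /category:* /r` output for a host that has not
# enabled Process Creation or Logoff auditing yet.
$sampleCsv = @"
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success,
SRV01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
SRV01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},No Auditing,
SRV01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
SRV01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,
SRV01,System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,
"@
Test-AuditBaseline -CsvText $sampleCsv -Baseline $AuditBaseline | Format-Table -AutoSize

# Live check from an elevated prompt:
# Test-AuditBaseline -CsvText (auditpol /get /category:* /r | Out-String) -Baseline $AuditBaseline |
#   Where-Object { -not $_.Compliant }
# Test-CommandLineAuditing
```

On the sample, Logoff, Process Creation and Audit Policy Change come back non-compliant. Subcategory names in auditpol output are localized, so on a non-English server match on the Subcategory GUID column instead of the name.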

Step 8: Configure Event Log Size and Retention

Default log sizes on Windows Server 2025 are often insufficient for compliance or investigation needs. Increase them:

# Set Security log to 512 MB, overwrite as needed
wevtutil sl Security /ms:536870912 /rt:false

# Set System log to 128 MB
wevtutil sl System /ms:134217728 /rt:false

# Via PowerShell: configure using the registry (for scripted deployment).
# wevtutil sl writes this same MaxSize value. A direct registry write may not be picked up
# until the Windows Event Log service restarts, and a size set by Group Policy
# (HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\<log>) takes precedence over it.
$logName = "Security"
$maxSizeBytes = 512MB    # must be a multiple of 64 KB; 512MB = 536870912
Set-ItemProperty `
  -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$logName" `
  -Name "MaxSize" `
  -Value $maxSizeBytes

# Confirm settings
wevtutil gl Security
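Instead of writing registry values, the same channel configuration that wevtutil sl edits is reachable from PowerShell through the EventLogConfiguration object that Get-WinEvent -ListLog returns, which lets a script declare the sizes it wants, report drift, and apply the change immediately. The following added example, not from the original page, does that; the size table is an assumed policy, and Set-LogSizePolicy needs an elevated prompt.

```powershell
# Added example (not from the original page): desired-state log sizing through the
# System.Diagnostics.Eventing.Reader.EventLogConfiguration API. Sizes are assumptions.

$LogSizePolicy = @{
    'Security'                                 = 1GB
    'System'                                   = 256MB
    'Application'                              = 256MB
    'Microsoft-Windows-PowerShell/Operational' = 256MB
}

function Get-LogSizeDrift {
    # One row per log: configured maximum vs. desired, plus retention mode and enabled state.
    param([Parameter(Mandatory)][hashtable]$Policy)
    foreach ($name in ($Policy.Keys | Sort-Object)) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) { Write-Warning "Log '$name' not found"; continue }
        [pscustomobject]@{
            LogName   = $name
            CurrentMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            DesiredMB = [math]::Round($Policy[$name] / 1MB)
            LogMode   = $cfg.LogMode        # Circular = overwrite as needed (wevtutil /rt:false)
            IsEnabled = $cfg.IsEnabled
            Compliant = ($cfg.MaximumSizeInBytes -ge $Policy[$name]) -and $cfg.IsEnabled
        }
    }
}

function Set-LogSizePolicy {
    # Raises MaximumSizeInBytes where it is below policy and forces circular retention.
    # Never shrinks a log. Requires an elevated prompt.
    param([Parameter(Mandatory)][hashtable]$Policy)
    foreach ($name in ($Policy.Keys | Sort-Object)) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) { continue }
        # Round up to the 64 KB multiple that Event Viewer enforces for log sizes.
        $want = [long]([math]::Ceiling($Policy[$name] / 64KB) * 64KB)
        if ($cfg.MaximumSizeInBytes -lt $want) {
            $old = $cfg.MaximumSizeInBytes
            $cfg.MaximumSizeInBytes = $want
            $cfg.LogMode = [System.Diagnostics.Eventing.Reader.EventLogMode]::Circular
            $cfg.SaveChanges()              # applied by the service immediately, no restart needed
            Write-Host ("{0}: {1} MB -> {2} MB" -f $name, [math]::Round($old / 1MB), [math]::Round($want / 1MB))
        }
    }
}

Get-LogSizeDrift -Policy $LogSizePolicy | Format-Table -AutoSize
# Set-LogSizePolicy -Policy $LogSizePolicy    # apply from an elevated prompt, then re-run the drift report
```

Run the drift report in a scheduled task or configuration pipeline and treat any non-compliant row as a finding: a log that has been shrunk or disabled is a classic sign of someone reducing the evidence trail. If the size is managed by Group Policy, fix it in the GPO rather than locally, or the next refresh reverts the change.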

Step 9: Set Up Event Forwarding and Subscriptions

Centralized event collection aggregates events from many servers into the ForwardedEvents log of a single Windows Event Collector (WEC) server. Subscriptions come in two flavours: collector-initiated (the collector connects to each listed source and reads its logs, so the collector's computer account needs read access on every source) and source-initiated (each source is pointed at the collector by Group Policy and pushes events itself, which is the usual choice at scale). On the collector server:

# Enable WinRM (listener plus firewall exception) and the Windows Event Collector service
# (wecutil qc enables the ForwardedEvents log and sets the service to start automatically)
winrm quickconfig -quiet
wecutil qc /q:true

# Create a subscription from an XML definition, then list subscriptions and check runtime status
# (the ID passed to gr is the SubscriptionId defined inside the XML; SecurityEvents is assumed here)
wecutil cs C:\EventSubscriptions\SecurityEvents.xml
wecutil es
wecutil gr SecurityEvents

For a collector-initiated subscription, each source server needs WinRM running and the collector's computer account in its local Event Log Readers group:

# Enable WinRM on source servers (via GPO or direct)
winrm quickconfig -quiet

# Add the WEC server's computer account to the Event Log Readers group
Add-LocalGroupMember -Group "Event Log Readers" -Member 'CONTOSO\WEC-SERVER$'

For a source-initiated subscription the forwarding on the source runs as NETWORK SERVICE, so that account (not the collector's computer account) needs Event Log Readers membership to read the Security log, and the sources are pointed at the collector through Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, with a value of the form Server=http://wec-server.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60.
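The subscription XML that wecutil cs consumes is not shown above. The following added example, which is not from the original page, builds a source-initiated subscription file from a short list of event IDs, registers it on the collector, and lists the matching source-side settings. The subscription name, host names, event ID list, batching values and output path are assumptions chosen for illustration; the XML element names and the AllowedSourceDomainComputers SDDL (which admits every member of Domain Computers) follow the standard subscription schema.

```powershell
# Added example (not from the original page): generate and register a source-initiated
# WEC subscription. Run on the collector from an elevated prompt. Names are assumptions.

$SubscriptionId = 'SecurityEvents'
$OutFile        = "C:\EventSubscriptions\$SubscriptionId.xml"

# Keep the selection narrow: forwarding every Security event from every server does not scale.
# 1102 log cleared, 4624/4625 logon success/failure, 4648 explicit credentials, 4672 special
# privileges, 4688 process creation, 4720 user created, 4728/4732/4756 group member added.
$EventIds = 1102, 4624, 4625, 4648, 4672, 4688, 4720, 4728, 4732, 4756

function New-WecSubscriptionXml {
    param([string]$Id, [int[]]$Ids, [string]$Description)
    $selectFilter = ($Ids | ForEach-Object { "EventID=$_" }) -join ' or '
    @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Id</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>$Description</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>100</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[($selectFilter)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
}

$xml = New-WecSubscriptionXml -Id $SubscriptionId -Ids $EventIds -Description 'Security events pushed by domain-joined servers'
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
Set-Content -Path $OutFile -Value $xml -Encoding UTF8

# Register, then verify: gs dumps the stored subscription, gr shows which sources have
# checked in and their last heartbeat. A source that never appears usually has a WinRM,
# Kerberos/SPN or Event Log Readers problem on its side.
wecutil cs $OutFile
wecutil gs $SubscriptionId
wecutil gr $SubscriptionId

# Source-side settings (deploy through GPO to every forwarder):
#   Computer Configuration > Administrative Templates > Windows Components > Event Forwarding >
#   Configure target Subscription Manager:
#     Server=http://wec-server.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
#   and, because the forwarder runs as NETWORK SERVICE, on each source:
#     Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
```

HTTP on port 5985 is not cleartext here: with domain (Kerberos) authentication WinRM encrypts the WS-Management payload at the message level, so HTTPS is only needed for non-domain sources or where policy demands TLS. ReadExistingEvents is left false so that a newly joined source does not flood the collector with its entire backlog.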

Step 10: Useful PowerShell One-Liners for Common Diagnostics

# Top 10 most frequent event IDs in System log (last 1000 events)
Get-WinEvent -LogName System -MaxEvents 1000 |
  Group-Object Id | Sort-Object Count -Descending |
  Select-Object -First 10 Name, Count

# Find all reboots in the last 30 days
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074,6005,6006,6008; StartTime=(Get-Date).AddDays(-30)} |
  Select-Object TimeCreated, Id, Message

# List accounts that have logged on interactively today
# (4624 alone includes network and service logons; keep LogonType 2 = console, 10 = RDP, 11 = cached credentials)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).Date} |
  ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    $xml.Event.EventData.Data | ForEach-Object { $data[$_.GetAttribute('Name')] = $_.'#text' }
    if ($data.LogonType -in '2', '10', '11') { $data.TargetUserName }
  } | Sort-Object -Unique

# Check for disk errors in the last week
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='disk'; StartTime=(Get-Date).AddDays(-7)} |
  Select-Object TimeCreated, Message

Conclusion

Event Viewer and Windows Event Logs on Windows Server 2025 form a comprehensive visibility layer that underpins both operational troubleshooting and security incident response. By moving from the legacy Get-EventLog to Get-WinEvent with FilterHashtable and XPath queries, configuring appropriate log sizes, enabling granular audit subcategories, and centralizing collection via event subscriptions, you create the foundation for a robust monitoring posture. Combine centralized event forwarding with a SIEM or log analysis tool such as Microsoft Sentinel to correlate events across your entire Windows estate and detect threats before they escalate.