2026-02-17 17:33:15

Sysadmins live in the logs. However, scrolling through thousands of generic “Information” events destroys the soul. Therefore, stop reading every single line. Instead, filter for the chaos. Here is the cheatsheet for the Event IDs that actually reveal the disaster.

The “Who Rebooted It?” Mystery

Servers rarely commit suicide. Usually, a human killed them. First, check Event ID 1074 in the System log. This specific ID names and shames the user who initiated the restart. Conversely, Event ID 6008 screams trouble. This code indicates the previous shutdown was unexpected, like a pulled power cord. Additionally, Event ID 41 confirms the system rebooted without a clean shutdown first.

MSIExec Nightmares

Software deployment never works the first time. Consequently, you must watch the MsiInstaller source in the Application log closely. Look for Event ID 11707 to confirm a successful installation. On the other hand, Event ID 11708 signals a failure. Furthermore, if you need to see the start of the transaction, filter for Event ID 1040. These logs cut through the vendor’s excuses.

Security Group Shenanigans

Auditors love these events. Furthermore, you should monitor them to prevent a resume-generating event. Event ID 4728 fires the instant a member is added to a global security group. Similarly, Event ID 4729 documents a removal. For local group changes, watch Event ID 4732 (add) and Event ID 4733 (remove). Suddenly, you know exactly who made the intern a Domain Admin.

The “I Didn’t Do It” Lockout

Users always lie about their passwords. But Event ID 4740 tells the cold, hard truth. This event logs every single account lockout on the Domain Controller. Moreover, it lists the “Caller Computer Name.” So, you can pinpoint the exact device hammering the server with bad credentials.

The Cover-Up

Smart attackers clear their tracks. However, Windows leaves a scar. Event ID 1102 in the Security log appears when someone wipes the audit logs. Unless you just ran a maintenance script, treat this as an active breach. Finally, nobody clears logs for fun.

Quick Reference Chart

Event ID     Log Source     Description
1074         System         Clean Restart (lists the user responsible)
6008         System         Unexpected Shutdown (power loss/crash)
41           System         Kernel Power (rebooted without clean shutdown)
11707        Application    Installation Successful
11708        Application    Installation Failed
4728/4729    Security       Member Added/Removed (Global Group)
4732/4733    Security       Member Added/Removed (Local Group)
4740         Security       Account Lockout (lists source machine)
1102         Security       Audit Log Cleared
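Putting the chart to work, here is an added PowerShell query (not from the original post) that pulls only these Event IDs from the three logs for the last few hours and lifts the "who" and "target" fields out of each event's XML. The $Hours window, the -ComputerName parameter and the field mapping are assumptions; the Security log requires an elevated shell, and remote queries need the Remote Event Log Management firewall rule open.

```powershell
# Added example: filter the three logs for the cheatsheet's Event IDs only.
# Assumptions: elevated PowerShell (Security log), optional remote host,
# and a constructed lookback window of $Hours.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# One filter hashtable per log so a failure in one log does not hide the others.
$filters = @(
    @{ LogName = 'System';      Id = 1074, 6008, 41 },
    @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1040, 11707, 11708 },
    @{ LogName = 'Security';    Id = 4728, 4729, 4732, 4733, 4740, 1102 }
)

$events = foreach ($f in $filters) {
    $f.StartTime = $since
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction Stop
    } catch {
        # Get-WinEvent throws "No events were found ..." when nothing matches; that is not an error here.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$($f.LogName): $($_.Exception.Message)"
        }
    }
}

$events | ForEach-Object {
    # EventData/Data elements carry the named fields (SubjectUserName, TargetUserName, ...).
    # Unnamed Data elements (e.g. 1074) come back as plain strings, so only parse XmlElements.
    $x = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) {
        if ($d -is [System.Xml.XmlElement] -and $d.GetAttribute('Name')) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Log     = $_.LogName
        Id      = $_.Id
        Who     = if ($data.SubjectUserName) { $data.SubjectUserName } else { $_.UserId }   # actor (falls back to the event SID, e.g. for 1074/1102)
        Target  = $data.TargetUserName        # group for 4728-4733, locked account for 4740
        Caller  = $data.TargetDomainName      # for 4740 this field is the "Caller Computer Name"
        Summary = ($_.Message -split "`n")[0]
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it as `.\Get-DisasterEvents.ps1 -Hours 72` (constructed file name) to widen the window; the Who/Target/Caller columns are blank for events that carry no such field.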