Windows event logging levels

Setting the Event Level for a Text Log

SetupAPI writes a log entry to a text log only if the event level set for a text log is greater than or equal to the event level for the log entry, and the event category for the log entry is enabled for the text log.

The following table lists the event levels that SetupAPI supports and the manifest constants that represent these event levels. TXTLOG_ERROR is the lowest event level, followed by the next highest event level TXTLOG_WARNING, and so on. TXTLOG_VERY_VERBOSE is the highest event level.

Event level | Event level manifest constant | Event level manifest value

Write errors only.

Write errors and warnings of potential problems.

Write errors, warnings, and system state changes.

Write errors, warnings, system state changes, and high-level operations that are associated with state changes.

Write errors, warnings, system state changes, high-level operations that are associated with state changes, and most operational details.

Write errors, warnings, system state changes, high-level operations that are associated with state changes, and all operational details.

Write all log entries, including those that might generate a large amount of information that is frequently superfluous.

To set the event level for the SetupAPI text logs, create (or modify) the following REG_DWORD registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\LogLevel

If the LogLevel registry value does not exist or has a value of zero, SetupAPI sets the event level for the application installation and device installation text logs to the default values described in the following table:

Text log | Default value (Windows 7 and later versions) | Default value (Windows Vista SP2) | Default value (Windows Vista SP1 and previous versions)

Application installation text log (SetupAPI.app.log)

Device installation text log (SetupAPI.dev.log)

For more information about these text log files, see SetupAPI Text Logs.

The LogLevel registry value is formatted as 0xUUUUGHVW, where:

The low-order eight bits, represented by the mask 0x000000VW, specify whether logging is turned on for the application installation log and specify the event level for the application log.

The next highest eight bits, represented by the mask 0x0000GH00, specify whether logging is turned on for the device installation text log and specify the event level for the device installation text log.

The highest-level bits, represented by the mask 0xUUUU0000, are not used.

The value of the 0xVW bits controls logging for the application installation log as shown in the following table.

0xVW value | Description

Logging is turned on and the event level is set to the default value as described previously.

0x01 through 0x0F

Turns logging off.

0x10 through 0x7F

Turns logging on and sets the event level to 0xV.

The value of the 0xGH bits controls logging for the device installation text log as shown in the following table.

0xGH value | Description

Logging is turned on and the event level is set to the default value as described previously.

0x01 through 0x0F

Turns logging off.

0x10 through 0x7F

Turns logging on and sets the event level to 0xG.

The following table provides examples of typical LogLevel values.

LogLevel value | Event levels set for the text logs

By default, turns logging on for the application installation log and the device installation log. Sets the logging level to the default values for both logs.

Turns logging off for both the application installation log and the device installation log.

Turns logging on for the application installation log and the device installation log. Sets the logging level to TXTLOG_ERROR for both logs.

Turns logging on for the application installation log and the device installation log. Sets the logging level to TXTLOG_WARNING for both logs.

Turns logging on for the application installation log and the device installation log. Sets the logging level to TXTLOG_DETAILS for both logs.

Turns logging on for the application installation log and the device installation log. Sets the logging level to TXTLOG_VERBOSE for both logs.

Turns logging on for the application installation log and the device installation log. Sets the logging level to TXTLOG_VERY_VERBOSE for both logs.
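
The following added example (not part of the original documentation) decodes a LogLevel DWORD according to the 0xUUUUGHVW layout and byte ranges described above, which is useful for checking that neither text log has been switched off. The function names and sample values are constructed for illustration; the constant names and their values 0x1 through 0x7 are taken from setupapi.h.

```powershell
# Added example: decode a SetupAPI LogLevel DWORD formatted as 0xUUUUGHVW.
# Constant names and values 0x1..0x7 are from setupapi.h.
$TxtLogLevels = @{
    1 = 'TXTLOG_ERROR';   2 = 'TXTLOG_WARNING'; 3 = 'TXTLOG_SYSTEM_STATE_CHANGE'
    4 = 'TXTLOG_SUMMARY'; 5 = 'TXTLOG_DETAILS'; 6 = 'TXTLOG_VERBOSE'
    7 = 'TXTLOG_VERY_VERBOSE'
}

# Interpret one byte (0xVW for the app log, 0xGH for the device log).
function ConvertFrom-SetupApiLogByte {
    param([int]$Byte)
    if ($Byte -eq 0)    { return 'on (default level)' }
    if ($Byte -le 0x0F) { return 'OFF' }
    # 0x10 through 0x7F: the high nibble is the event level.
    if ($Byte -le 0x7F) { return 'on ({0})' -f $TxtLogLevels[$Byte -shr 4] }
    return 'outside the ranges documented here'
}

function Get-SetupApiLogLevel {
    param([int64]$LogLevel)
    [pscustomobject]@{
        LogLevel = '0x{0:X8}' -f $LogLevel
        # Low-order eight bits: application installation log.
        AppLog   = ConvertFrom-SetupApiLogByte ([int]($LogLevel -band 0xFF))
        # Next eight bits: device installation log. Upper 16 bits are unused.
        DevLog   = ConvertFrom-SetupApiLogByte ([int](($LogLevel -shr 8) -band 0xFF))
    }
}

# Constructed sample values: defaults, both off, warning for both,
# and very verbose device log with the application log off.
$values = @(0x00000000, 0x00000101, 0x00002020, 0x00007001)

# Value configured on this machine; a missing value behaves like zero.
$key  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Setup'
$live = (Get-ItemProperty -Path $key -Name LogLevel -ErrorAction SilentlyContinue).LogLevel
if ($null -eq $live) { $live = 0 }

$values + $live | ForEach-Object { Get-SetupApiLogLevel $_ } | Format-Table -AutoSize
```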

Event Logging (Windows Installer)

Windows Events provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event-logging service stores events from various sources in a single collection called an event log. Prior to Windows Vista, you would use either Event Tracing for Windows (ETW) or Event Logging to log events. Windows Vista introduced a new eventing model that unifies both ETW and the Windows Event Log API.

The installer also writes entries into the event log. These entries record events such as the following:

  • Success or failure of the installation; removal or repair of a product.
  • Errors that occur during product configuration.
  • Detection of corrupted configuration data.

If a large amount of information is written, the Event Log file can become full and the installer displays the message, "The Application log file is full."

The installer may write the following entries in the event log. All event log messages have a unique event ID. All general errors authored in the Error table that are returned for an installation that fails are logged in the Application Event Log with a message ID equal to the Error + 10,000. For example, the error number in the Error table for an installation completed successfully is 1707. The successful installation is logged in the Application Event Log with a message ID of 11707 (1707 + 10,000).

For information about how to enable verbose logging on a user’s computer when troubleshooting deployment, see Windows Installer Best Practices.

Set-EventLogLevel

This cmdlet is available only in on-premises Exchange.

Use the Set-EventLogLevel cmdlet to set the event log level registry value for the specified category.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

Description

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they’re not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Examples

Example 1

This example sets the event log level to High for the MSExchangeTransport\SmtpReceive event logging category on the Exchange server Exchange01.

Note: Run the Get-EventLogLevel cmdlet to retrieve a list of the event categories on your server. For more information, see Get-EventLogLevel.

Parameters

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don’t have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you to acknowledge the command before proceeding.
Type: SwitchParameter
Aliases: cf
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

The Identity parameter specifies the name of the event logging category for which you want to set the event logging level.

Type: ECIdParameter
Position: 1
Default value: None
Accept pipeline input: True
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

The Level parameter specifies the log level for the specific event logging category. The valid values are:

  • Lowest
  • Low
  • Medium
  • High
  • Expert
Type: ECIdParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don’t need to specify a value with this switch.

Type: SwitchParameter
Aliases: wi
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

Inputs

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Outputs

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

How to configure Active Directory and LDS diagnostic event logging

This step-by-step article describes how to configure Active Directory diagnostic event logging in Microsoft Windows Server operating systems.

Original product version: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 7 Service Pack 1
Original KB number: 314980

Summary

Active Directory records events to the Directory Services or LDS Instance log in Event Viewer. You can use the information that is collected in the log to help you diagnose and resolve possible problems or monitor the activity of Active Directory-related events on your server.

By default, Active Directory records only critical events and error events in the Directory Service log. To configure Active Directory to record other events, you must increase the logging level by editing the registry.

Active Directory diagnostic event logging

The registry entries that manage diagnostic logging for Active Directory are stored in the following registry subkeys.

Domain controller: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
LDS: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ \Diagnostics

Each of the following REG_DWORD values under the Diagnostics subkey represents a type of event that can be written to the event log:

  1. Knowledge Consistency Checker (KCC)
  2. Security Events
  3. ExDS Interface Events
  4. MAPI Interface Events
  5. Replication Events
  6. Garbage Collection
  7. Internal Configuration
  8. Directory Access
  9. Internal Processing
  10. Performance Counters
  11. Initialization/Termination
  12. Service Control
  13. Name Resolution
  14. Backup
  15. Field Engineering
  16. LDAP Interface Events
  17. Setup
  18. Global Catalog
  19. Inter-site Messaging
  20. Group Caching
  21. Linked-Value Replication
  22. DS RPC Client
  23. DS RPC Server
  24. DS Schema
  25. Transformation Engine
  26. Claims-Based Access Control

Logging levels

Each entry can be assigned a value from 0 through 5, and this value determines the level of detail of the events that are logged. The logging levels are described as:

  • 0 (None): Only critical events and error events are logged at this level. This is the default setting for all entries, and it should be modified only if a problem occurs that you want to investigate.
  • 1 (Minimal): High-level events are recorded in the event log at this setting. Events may include one message for each major task that is performed by the service. Use this setting to start an investigation when you do not know the location of the problem.
  • 2 (Basic)
  • 3 (Extensive): This level records more detailed information than the lower levels, such as steps that are performed to complete a task. Use this setting when you have narrowed the problem to a service or a group of categories.
  • 4 (Verbose)
  • 5 (Internal): This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded. Use this setting when you have traced the problem to a particular category of a small set of categories.

How to configure Active Directory diagnostic event logging

To configure Active Directory diagnostic event logging, follow these steps.

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information, see How to back up and restore the registry in Windows.

  1. Select Start, and then select Run.

  2. In the Open box, type regedit, and then select OK.

  3. Locate and select the following registry keys.

     Domain controller: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
     LDS: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ \Diagnostics

     Each entry that’s displayed in the right pane of the Registry Editor window represents a type of event that Active Directory can log. All entries are set to the default value of 0 (None).

  4. Configure event logging for the appropriate component:

       a. In the right pane of Registry Editor, double-click the entry that represents the type of event for which you want to log. For example, Security Events.
       b. Type the logging level that you want (for example, 2) in the Value data box, and then select OK.

  5. Repeat step 4 for each component that you want to log.

  6. On the Registry menu, select Exit to quit Registry Editor.

  • Logging levels should be set to the default value of 0 (None) unless you are investigating an issue.
  • When you increase the logging level, the detail of each message and the number of messages that are written to the event log also increase. A diagnostic level of 3 or greater is not recommended, because logging at these levels requires more system resources and can degrade the performance of your server. Make sure that you reset the entries to 0 after you finish investigating the problem.
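
The following added example (not part of the original article) lists every diagnostic category that is set above the default of 0 and marks levels of 3 or greater, so that entries left raised after an investigation can be found and reset. The function names are hypothetical, and the sample hashtable is constructed; its value names assume the "number name" form used under the Diagnostics subkey.

```powershell
# Added example: report Active Directory diagnostic categories raised above 0.
$LevelNames = 'None', 'Minimal', 'Basic', 'Extensive', 'Verbose', 'Internal'

# Read every value under the Diagnostics subkey into a hashtable.
# Returns an empty hashtable when the key is absent (not a domain controller).
function Get-DiagnosticValues {
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics')
    $values = @{}
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

# Emit one object per category whose level is not the default 0 (None).
function Test-DiagnosticLevel {
    param([hashtable]$Values)
    foreach ($name in ($Values.Keys | Sort-Object)) {
        $level = [int]$Values[$name]
        if ($level -eq 0) { continue }   # default, nothing to report
        if ($level -ge 1 -and $level -le 5) { $label = $LevelNames[$level] }
        else                                { $label = 'out of range' }
        if ($level -ge 3) { $note = 'level 3 or greater is not recommended' }
        else              { $note = 'reset to 0 after the investigation' }
        [pscustomobject]@{ Category = $name; Level = $level; Name = $label; Note = $note }
    }
}

# Constructed sample: one category at the default, two left raised.
$sample = @{
    '2 Security Events'        = 0
    '15 Field Engineering'     = 5
    '16 LDAP Interface Events' = 2
}
Test-DiagnosticLevel $sample | Format-Table -AutoSize

# Same check against the local registry.
Test-DiagnosticLevel (Get-DiagnosticValues) | Format-Table -AutoSize
```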