Can we detect when the Windows Event Log service has been stopped?
I want to exclude system reboots.
When the Windows Event Log service has been stopped, I can't open the Windows Event Viewer (of course); after a start of the service I can see the events.
Does Windows still register events, even when the Event Log service has been stopped?
I did a test on Windows 7 with an admin account, but only in safe mode could I stop this service.
If Windows is in safe mode, the SIEM can't connect to it and thus, I can verify if the SIEM does get these events.