Technical Guidance for Windows Event Logging

Download ACSC Protect Technical Guidance for Windows Event Logging (810K PDF), July 2017
Published July 2017


A common theme identified by the Australian Cyber Security Centre (ACSC) while performing investigations on networks is that organisations have insufficient visibility of activity occurring on their workstations and servers. Good visibility of what is happening on an organisation's Microsoft Windows hosts is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to incidents.

This document has been developed by the Australian Signals Directorate (ASD) as a guide to the set-up and configuration of Windows event logging and forwarding. This advice has been developed to support both the detection and investigation of malicious activity – including targeted cyber intrusions – by providing an ideal balance between the collection of important events and managing data volumes. This advice is also designed to complement existing host-based intrusion detection and prevention systems.

This document is intended for information technology and information security professionals.

Document overview

This document details:

This document does not contain detailed information about analysing the collected event logs.

Table of contents


Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.