Technical Guidance for Windows Event Logging
Download ACSC Protect Technical Guidance for Windows Event Logging (810K PDF), July 2017
Published July 2017
A common theme identified by the Australian Cyber Security Centre (ACSC) while performing investigations on networks is that organisations have insufficient visibility of activity occurring on their workstations and servers. Good visibility of what is happening on an organisation's Microsoft Windows hosts is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to incidents.
This document has been developed by the Australian Signals Directorate (ASD) as a guide to the setup and configuration of Windows event logging and forwarding. This advice has been developed to support both the detection and investigation of malicious activity – including targeted cyber intrusions – by providing an ideal balance between the collection of important events and managing data volumes. This advice is also designed to complement existing host-based intrusion detection and prevention systems.
This document is intended for information technology and information security professionals.
This document details:
- guidance on increasing the retention of local event logs
- guidance on the types of events that can be generated, with an assessment of their relative value
- guidance on forwarding event logs to a central location to allow for analysis and correlation of activity, and for a longer enterprise-wide retention period, and
- the specific Group Policy settings required to apply the recommended guidance, with related implementation notes.
This document does not contain detailed information about analysing the collected event logs.
Table of contents
- Document overview
- Why use Windows event logging?
- Event log retention
- Event configuration
  - Account lockout
  - Account modifications
  - Event forwarding errors
  - Event log cleared
  - Account logon
  - Windows Error Reporting
  - Scheduled tasks
  - File shares
  - WMI auditing
  - Process tracking
  - Object access auditing
  - Windows PowerShell logging
- Event forwarding
  - Client configuration
  - Server configuration
  - Setting forwarded log size
  - Adding subscriptions
  - Verification and debugging
- Further information
Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.
Australian businesses and other private sector organisations seeking further information should contact CERT Australia.