Technical Guidance for Windows Event Logging
Download ACSC Protect: Technical Guidance for Windows Event Logging (PDF), July 2018
First published 2017; updated July 2018
A common theme identified by the Australian Cyber Security Centre (ACSC) while performing investigations is that organisations have insufficient visibility of activity occurring on their workstations and servers. Good visibility of what is happening in an organisation's environment is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to incidents.
This document is a guide to the set-up and configuration of Windows event logging and forwarding. The advice is intended to support both the detection and investigation of malicious activity by striking a balance between collecting important events and managing data volumes. It is also designed to complement existing host-based intrusion detection and prevention systems.
This document is intended for information technology and information security professionals. It covers:
- guidance on the types of events which can be generated and an assessment of their relative value
- guidance on centralised collection of event logs
- guidance on the retention of event logs
- recommended Group Policy settings along with implementation notes.
This document does not contain detailed information about analysing event logs.
Accompanying this document is the ACSC's Windows event logging repository. The repository contains configuration files and scripts to implement the recommendations in this document. All files and folders referred to in this document are available from this repository.
Table of contents
- Event log retention
- Event configuration
- Account lockout
- Account modifications
- Event collection
- Account logon
- Process tracking
- Enhanced Mitigation Experience Toolkit
- Windows Defender
- Windows Error Reporting
- Code integrity
- File shares
- Scheduled tasks
- Windows Management Instrumentation auditing
- NTLM authentication
- Object access auditing
- PowerShell logging
- Event forwarding
- Client configuration
- Server configuration
- Setting forwarded log size
- Adding subscriptions
- Verification and debugging
- Further information
- Contact details
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing email@example.com or calling 1300 CYBER1 (1300 292 371).