Technical Guidance for Windows Event Logging

Download ACSC Protect: Technical Guidance for Windows Event Logging (PDF), July 2018
First published 2017; updated July 2018

Introduction

A common theme identified by the Australian Cyber Security Centre (ACSC) while performing investigations is that organisations have insufficient visibility of activity occurring on their workstations and servers. Good visibility of what is happening in an organisation's environment is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to incidents.

This document has been developed as a guide to the set-up and configuration of Windows event logging and forwarding. It is intended to support both the detection and investigation of malicious activity by balancing the collection of important events against the management of data volumes. The advice is also designed to complement existing host-based intrusion detection and prevention systems.

This document is intended for information technology and information security professionals. It covers:

  • guidance on the types of events which can be generated and an assessment of their relative value
  • guidance on centralised collection of event logs
  • guidance on the retention of event logs
  • recommended Group Policy settings along with implementation notes.

This document does not contain detailed information about analysing event logs.

Accompanying this document is the ACSC's Windows event logging repository. The repository contains configuration files and scripts to implement the recommendations in this document. All files and folders referred to in this document are available from this repository.

Table of contents

  • Introduction
  • Considerations
  • Event log retention
  • Event configuration
    • Sysmon
    • Account lockout
    • Account modifications
    • Event collection
    • Account logon
    • Process tracking
    • AppLocker
    • Enhanced Mitigation Experience Toolkit
    • Services
    • Windows Defender
    • Windows Error Reporting
    • Code integrity
    • File shares
    • Scheduled tasks
    • Windows Management Instrumentation auditing
    • NTLM authentication
    • Object access auditing
    • PowerShell logging
  • Event forwarding
    • Scalability
    • Client configuration
    • Server configuration
      • Setting forwarded log size
      • Adding subscriptions
      • Verification and debugging
      • Archiving
  • Further information
  • Contact details

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

In August 2018 ACSC launched a new website, cyber.gov.au, to reflect its new organisation.

Cyber security programs and advice are being migrated to cyber.gov.au. Information and advice on this site remains current.
