Windows Event Log Configuration

Windows Event Log configuration determines which events get recorded and how much detail they contain. Proper configuration ensures security-relevant events are captured while avoiding excessive noise that hampers analysis. Advanced Audit Policy Configuration provides granular control over event generation.

Configure audit policies through Group Policy for domain-wide consistency; the auditpol commands below set the same subcategories on a single host, which is useful for testing or for machines outside the domain:

# Enable process creation auditing (Event ID 4688). The command line is only recorded in
# 4688 when the policy "Include command line in process creation events"
# (ProcessCreationIncludeCmdLine_Enabled) is also turned on.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# Configure advanced audit policies via PowerShell.
# Entry format is Category:Subcategory:Outcomes; auditpol is keyed by subcategory, the
# category is kept for readability. Subcategory names are locale-specific (English here).
# Subcategory settings only take effect when they override the legacy category policy
# (security option "Audit: Force audit policy subcategory settings ... to override audit
# policy category settings", registry value SCENoApplyLegacyAuditPolicy).
$AuditCategories = @(
    "Logon/Logoff:Logon:Success,Failure",
    "Logon/Logoff:Logoff:Success",
    "Logon/Logoff:Account Lockout:Failure",
    "Logon/Logoff:Special Logon:Success",
    # Object Access subcategories only emit events for objects that carry a SACL,
    # and Success auditing on them can be very high volume.
    "Object Access:File System:Success,Failure",
    "Object Access:Registry:Success,Failure",
    "Privilege Use:Sensitive Privilege Use:Success,Failure",
    "System:Security State Change:Success,Failure"
)

foreach ($category in $AuditCategories) {
    $parts = $category -split ':'
    $subcategory = $parts[1]
    # Turn "Success,Failure" into "/success:enable /failure:enable". auditpol does not
    # accept a comma-separated outcome list, so each outcome becomes its own switch.
    $flags = ($parts[2] -split ',') | ForEach-Object { "/$($_.Trim().ToLower()):enable" }
    & auditpol /set "/subcategory:$subcategory" $flags
}
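Audit policy is easy to set and easy to lose again to a conflicting GPO, so it is worth reading the effective state back. The PowerShell script below is an added example, not part of the original page: it parses the CSV that auditpol /get /category:* /r emits, compares each subcategory with a required table, and separately checks the registry value that controls whether 4688 events carry the command line. The $RequiredAudit table and the function names are this example's own.

```powershell
# Added example: compare the effective audit policy against a required baseline.
# $RequiredAudit mirrors the subcategories configured above; adjust it to your policy.
$RequiredAudit = @{
    "Process Creation"        = "Success and Failure"
    "Logon"                   = "Success and Failure"
    "Logoff"                  = "Success"
    "Account Lockout"         = "Failure"
    "Special Logon"           = "Success"
    "File System"             = "Success and Failure"
    "Registry"                = "Success and Failure"
    "Sensitive Privilege Use" = "Success and Failure"
    "Security State Change"   = "Success and Failure"
}

function Get-EffectiveAuditPolicy {
    # auditpol /r prints CSV with the columns "Machine Name","Policy Target","Subcategory",
    # "Subcategory GUID","Inclusion Setting","Exclusion Setting". The effective state is in
    # "Inclusion Setting": "No Auditing", "Success", "Failure" or "Success and Failure".
    auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

function Test-AuditPolicyCompliance {
    param([hashtable]$Required = $RequiredAudit)
    $effective = @{}
    foreach ($row in Get-EffectiveAuditPolicy) {
        $effective[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim()
    }
    foreach ($sub in $Required.Keys) {
        $actual = if ($effective.ContainsKey($sub)) { $effective[$sub] } else { "<subcategory not found>" }
        # "Success and Failure" is a superset of any single outcome, so it always satisfies the requirement.
        $ok = ($actual -eq $Required[$sub]) -or ($actual -eq "Success and Failure")
        [pscustomobject]@{
            Subcategory = $sub
            Required    = $Required[$sub]
            Actual      = $actual
            Compliant   = $ok
        }
    }
}

function Test-CommandLineAuditing {
    # 4688 events only contain the process command line when this policy value is 1.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $name  = 'ProcessCreationIncludeCmdLine_Enabled'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{ Setting = $name; Enabled = ($value -eq 1) }
}

# Report only the subcategories that drift from the baseline, then the command-line setting.
Test-AuditPolicyCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Test-CommandLineAuditing
```

Run it from an elevated PowerShell session, since auditpol /get needs administrative rights. The subcategory names are the English ones; on a non-English Windows the auditpol output is localized and the table has to be adjusted accordingly.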

Increase log file sizes to prevent event loss during high-activity periods:

# Run these from an elevated PowerShell prompt: in cmd.exe the trailing "# ..." comments
# would be passed to wevtutil as extra arguments.
# Increase Security log size
wevtutil set-log Security /maxsize:4294967296  # 4GB
wevtutil set-log System /maxsize:2147483648    # 2GB
wevtutil set-log Application /maxsize:1073741824  # 1GB

# Configure log retention: archive the full log instead of overwriting old events
# (autobackup requires retention to be enabled; archived .evtx files need disk space
# and a rotation process of their own)
wevtutil set-log Security /retention:true /autobackup:true

# Enable additional logging channels. The PowerShell Operational channel is enabled by
# default; script block logging (Event ID 4104) and module logging are switched on through
# separate policies ("Turn on PowerShell Script Block Logging" / "Turn on Module Logging"),
# not through wevtutil.
wevtutil set-log Microsoft-Windows-PowerShell/Operational /enabled:true /maxsize:1073741824
wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true
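Log sizing and retention are also worth verifying, because a channel that is disabled, capped too low or already near its cap silently drops the events the audit policy generates. The script below is an added example, not part of the original page: it reads each channel's configuration through Get-WinEvent -ListLog, compares it with a baseline that mirrors the wevtutil commands above, and checks whether PowerShell script block logging is enabled. The $ChannelBaseline table, the function names and the thresholds are this example's own.

```powershell
# Added example: verify channel size, retention mode and enabled state against a baseline.
# $ChannelBaseline mirrors the wevtutil commands above; MinBytes is the smallest acceptable cap.
$ChannelBaseline = @(
    @{ LogName = 'Security';                                    MinBytes = 4GB; Mode = 'AutoBackup' }
    @{ LogName = 'System';                                      MinBytes = 2GB; Mode = 'Circular' }
    @{ LogName = 'Application';                                 MinBytes = 1GB; Mode = 'Circular' }
    @{ LogName = 'Microsoft-Windows-PowerShell/Operational';    MinBytes = 1GB; Mode = 'Circular' }
    @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; MinBytes = 0;   Mode = 'Circular' }
)

function Test-EventLogChannel {
    param([string]$LogName, [long]$MinBytes, [string]$Mode)
    # EventLogConfiguration exposes MaximumSizeInBytes, LogMode (Circular/AutoBackup/Retain),
    # IsEnabled, FileSize and RecordCount for the channel.
    $cfg = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    if (-not $cfg) {
        return [pscustomobject]@{ LogName = $LogName; Status = 'channel not found' }
    }
    $issues = @()
    if (-not $cfg.IsEnabled)                  { $issues += 'disabled' }
    if ($cfg.MaximumSizeInBytes -lt $MinBytes) { $issues += "maxsize $($cfg.MaximumSizeInBytes) below $MinBytes" }
    if ("$($cfg.LogMode)" -ne $Mode)           { $issues += "logmode $($cfg.LogMode), expected $Mode" }
    # A channel close to its cap is about to overwrite (Circular) or roll over (AutoBackup).
    $fill = 0
    if ($cfg.MaximumSizeInBytes -and $cfg.FileSize) {
        $fill = [math]::Round(100 * $cfg.FileSize / $cfg.MaximumSizeInBytes)
    }
    [pscustomobject]@{
        LogName = $LogName
        Enabled = $cfg.IsEnabled
        MaxMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
        FillPct = $fill
        LogMode = "$($cfg.LogMode)"
        Records = $cfg.RecordCount
        Status  = if ($issues) { $issues -join '; ' } else { 'ok' }
    }
}

function Test-ScriptBlockLogging {
    # Script block logging (4104 in Microsoft-Windows-PowerShell/Operational) is a policy
    # setting, so enabling the channel alone does not produce those events.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $name  = 'EnableScriptBlockLogging'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{ Setting = $name; Enabled = ($value -eq 1) }
}

$ChannelBaseline | ForEach-Object { $p = $_; Test-EventLogChannel @p } | Format-Table -AutoSize
Test-ScriptBlockLogging
```

The Security channel needs an elevated session to read; the other channels can be inspected as a standard user. FillPct is the quickest indicator that a cap is too small for the host's event rate: a Security log that sits at 100% in Circular mode is overwriting events continuously.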

Sysmon extends Windows logging capabilities with detailed process creation, network connection, and file modification events:

<!-- Sysmon configuration for enhanced security logging -->
<Sysmon schemaversion="4.50">
    <EventFiltering>
        <!-- Event ID 1: log every process creation except svchost.exe -->
        <ProcessCreate onmatch="exclude">
            <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        </ProcessCreate>
        <!-- Event ID 3: one element per port. Sysmon compares the whole field value,
             so a comma-separated list inside a single element would never match. -->
        <NetworkConnect onmatch="include">
            <DestinationPort condition="is">22</DestinationPort>
            <DestinationPort condition="is">23</DestinationPort>
            <DestinationPort condition="is">3389</DestinationPort>
            <DestinationPort condition="is">445</DestinationPort>
            <DestinationPort condition="is">1433</DestinationPort>
            <DestinationPort condition="is">3306</DestinationPort>
        </NetworkConnect>
        <!-- Event ID 2: changes to the creation time of executables and libraries -->
        <FileCreateTime onmatch="include">
            <TargetFilename condition="end with">.exe</TargetFilename>
            <TargetFilename condition="end with">.dll</TargetFilename>
        </FileCreateTime>
    </EventFiltering>
</Sysmon>
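Sysmon writes its events to the Microsoft-Windows-Sysmon/Operational channel, with every field in a Data element of the EventData section; turning those into flat objects is the first step of any detection or triage work on them. The PowerShell below is an added example, not part of the original page or of Sysmon: it converts the XML form of a Sysmon event into a PowerShell object and then filters the network-connection events that the configuration above selects. The sample event is constructed for the example (host names, paths and addresses are made up), and the function name is this example's own.

```powershell
# Added example: flatten Sysmon event XML into objects and query the fields the
# configuration above records. The sample below is a constructed Event ID 3 record,
# not a real capture.
$SampleSysmonEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>3</EventID>
    <TimeCreated SystemTime="2024-01-01T00:00:00.000000000Z" />
    <Computer>WORKSTATION01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-01 00:00:00.000</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Users\user\AppData\Local\Temp\update.exe</Data>
    <Data Name="User">WORKSTATION01\user</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="SourceIp">10.0.0.25</Data>
    <Data Name="SourcePort">51234</Data>
    <Data Name="DestinationIp">10.0.0.9</Data>
    <Data Name="DestinationPort">3389</Data>
  </EventData>
</Event>
'@

function ConvertFrom-SysmonEventXml {
    # Accepts the XML text of one event (what EventLogRecord.ToXml() returns) and emits
    # one object whose properties are the System fields plus every EventData/Data name.
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $doc = [xml]$Xml
        # PowerShell's XML property navigation ignores the default namespace, so the
        # elements can be addressed directly.
        $obj = [ordered]@{
            TimeCreated = $doc.Event.System.TimeCreated.SystemTime
            Computer    = $doc.Event.System.Computer
            EventID     = [int]$doc.Event.System.EventID
        }
        # Each <Data Name="..."> becomes a property named after its Name attribute.
        foreach ($d in $doc.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
        [pscustomobject]$obj
    }
}

$events = $SampleSysmonEventXml | ConvertFrom-SysmonEventXml

# Outbound connections to the monitored ports from binaries running under user profiles,
# which is a common triage view for the NetworkConnect rule above.
$events |
    Where-Object { $_.EventID -eq 3 -and $_.Initiated -eq 'true' -and $_.Image -like 'C:\Users\*' } |
    Select-Object UtcTime, Computer, User, Image, DestinationIp, DestinationPort

# On a host with Sysmon installed, feed live events through the same function:
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1000 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-SysmonEventXml
```

Because all values come back as strings, numeric comparisons on fields such as DestinationPort need an explicit cast ([int]$_.DestinationPort). The same function serves Event ID 1 and 2 records; only the set of Data names differs.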