Configure Windows Event Logging
Event types to collect
Capture these types of events from Windows servers and workstations that are permanently connected to your organisation’s network:
- Application
- System
- Security
- Terminal Services (Remote Desktop Services)
Use additional utilities to capture these events:
- PowerShell
- Sysmon
See a full list of event categories you should collect, recommended by ACSC, and the utilities you can use to collect them.
Set up log channels
Decide which log channels you want to create and forward to the WEC server. Set up the same event channels on each machine.
The benefits of creating multiple channels are that you can:
- Customise the maximum size and rotation method per channel.
- Tag data for ingestion into SOC.
- Store each channel on a different disk or storage device to improve disk I/O.
In most scenarios, AARNet recommends that you create an event channel for each event type that you’re collecting.
Subscriptions
To collect an event category, you need to add and enable a subscription on the WEC. Create subscriptions for these logs:
- Application
- System
- Security
- PowerShell
- Microsoft Defender (if in use)
- Sysmon
- Terminal Services
The subscriptions contain query filters that forward events of potential interest.
Configure EDR
Refer to your EDR documentation to send event logs from mobile phones, tablets, and laptops that are not permanently connected to your organisation’s network.
Send PowerShell logs to event logs
Collect PowerShell logs from Windows servers and endpoints to improve your coverage.
- Open the Group Policy Editor on a Domain Controller.
- Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.
- Double-click Turn on Module Logging and set it to Enabled. Enter an asterisk (*) in the Module Names box.
- Double-click Turn on PowerShell Script Block Logging and set it to Enabled. Select Log script block invocation start / stop events.
- Double-click Turn on PowerShell Transcription and set it to Enabled. Tick Include invocation headers to record a timestamp for each command executed.
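One way to confirm on an endpoint that the three policies above have applied, as an added example that is not part of the original page or AARNet's tooling. It reads the registry values that the Windows PowerShell administrative template writes; the function name Test-PowerShellLoggingPolicy is hypothetical, and PowerShell 7 (which uses a separate policy path) is not covered.

```powershell
# Added example: audit the Windows PowerShell logging policies on the local machine.
# Assumes the GPO steps above were applied with the Windows PowerShell
# administrative template, which writes its values under HKLM:\SOFTWARE\Policies.
function Test-PowerShellLoggingPolicy {
    param(
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    )

    # Sub-key, value name and the data expected once the policy has applied.
    $expected = @(
        @{ Key = 'ModuleLogging';             Name = 'EnableModuleLogging';                Want = 1   }
        @{ Key = 'ModuleLogging\ModuleNames'; Name = '*';                                  Want = '*' }
        @{ Key = 'ScriptBlockLogging';        Name = 'EnableScriptBlockLogging';           Want = 1   }
        @{ Key = 'ScriptBlockLogging';        Name = 'EnableScriptBlockInvocationLogging'; Want = 1   }
        @{ Key = 'Transcription';             Name = 'EnableTranscripting';                Want = 1   }
        @{ Key = 'Transcription';             Name = 'EnableInvocationHeader';             Want = 1   }
    )

    foreach ($item in $expected) {
        $path   = Join-Path $PolicyRoot $item.Key
        $actual = $null
        if (Test-Path -LiteralPath $path) {
            # GetValue returns $null when the value does not exist under the key.
            $actual = (Get-Item -LiteralPath $path).GetValue($item.Name)
        }
        [pscustomobject]@{
            Setting   = "$($item.Key)\$($item.Name)"
            Expected  = $item.Want
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($item.Want)")
        }
    }
}

$results = Test-PowerShellLoggingPolicy
$results | Format-Table -AutoSize

# A missing key or value means the GPO has not reached this machine yet.
if ($results.Compliant -contains $false) {
    Write-Warning 'PowerShell logging policy is incomplete; run gpupdate /force and re-check.'
}
```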
Add Sysmon data to event logs
Sysmon (System Monitor) is a tool published by Microsoft that provides greater visibility of system activity than standard Windows logging. It adds information to event logs about process creation, network connections, and changes to file creation times.
Install and run Sysmon on every server or fixed endpoint in your environment from which you want to collect operational logs:
- Download Sysmon.
- AARNet will provide the configuration file and sample deployment script.
- Deploy Sysmon, with the configuration file, to all of your servers and fixed endpoints using a software deployment solution like GPO.
Configure event log retention
Increase the maximum log size for servers and fixed endpoints in Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.
ACSC recommends:
| Event log | Maximum log size (KB) |
| --- | --- |
| Application | 65536 |
| Security | 2097152 |
| System | 65536 |
Common event logging setups
A basic Windows event logging setup will look something like this:
Workstations, domain controllers, and servers send event logs to different WEC servers. Those WEC servers collect the log entries and pass them to SOC.
Configure firewall
Open TCP port 5985.