Microsoft has gradually increased the efficiency and effectiveness of its auditing facilities over the years. Modern Windows systems can log vast amounts of information with minimal system impact. With the corresponding decrease in the price of storage media, excuses to not enable and retain these critical pieces of evidence simply don’t stand up to scrutiny. Configuring adequate logging on Windows systems, and ideally aggregating those logs into a SIEM or other log aggregator, is a critical step toward ensuring that your environment is able to support an effective incident response.
This document provides an overview of some of the most important Windows logs and the events that are recorded there. As with all of our Analyst Reference documents, this PDF is intended to provide more detail than a cheat sheet while still being short enough to serve as a quick reference. The PDF also contains links to external resources for further reference.
Event Log Format
Modern Windows systems store logs in the %SystemRoot%\System32\winevt\Logs directory by default in the binary XML Windows Event Logging format, designated by the .evtx extension. Logs can also be stored remotely using log subscriptions. For remote logging, a system running the Windows Event Collector service maintains subscriptions that define which events other systems deliver to it. The events to be collected can be specified at a granular level (by log, source, Event ID or an XPath query), and transport occurs over WinRM, by default HTTP on TCP port 5985 with the payload encrypted by Kerberos, or HTTPS on TCP port 5986 where certificates have been deployed. GPOs can be used to point each computer at the collector and to configure the remote logging facilities on it.
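As an added illustration of the remote-logging setup just described, and not part of the original reference, the following PowerShell shows the collector-side steps for a source-initiated Windows Event Collector subscription, with the matching source-side policy noted in comments. The collector name collector.example.local, the subscription name Security-Logons and the choice of forwarding the whole Security log are assumptions made for the example.

```powershell
# Added example (not from the reference): collector-side setup of a
# source-initiated WEF subscription. Assumed names: collector.example.local,
# subscription "Security-Logons"; source computers are domain members.

# 1. On the collector: configure and start the Windows Event Collector
#    service, which also registers the WinRM listener (HTTP, TCP 5985).
wecutil qc /q

# 2. Subscription definition. SourceInitiated means the sources push events
#    to the collector. The SDDL in AllowedSourceDomainComputers admits
#    Domain Computers (DC) and Network Service (NS), the account the
#    forwarder on each source runs as.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward the Security log from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'Security-Logons.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

# 3. Create the subscription and confirm the collector accepted it.
wecutil cs $xmlPath
wecutil gs Security-Logons

# 4. On the sources (normally via GPO), two settings are required:
#    Computer Configuration > Policies > Administrative Templates >
#      Windows Components > Event Forwarding > Configure target Subscription Manager
#        Server=http://collector.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
#    and the WinRM service enabled (winrm quickconfig, or the equivalent policy).
#    To read the Security log, the forwarder's NETWORK SERVICE account must also
#    be a member of the local Event Log Readers group on each source, e.g.:
#        Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'

# 5. Back on the collector: list the sources that have checked in and their state.
wecutil gr Security-Logons
```

The query above forwards every Security event; in production the Select expression is normally narrowed with XPath to the Event IDs the SIEM actually consumes, and ContentFormat is often switched to Events (raw XML) to save collector bandwidth and let the aggregator render messages itself.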
Events can be logged in the Security, System and Application event logs or, on modern Windows systems, they may also appear in several other log files. The Setup event log records activities that occurred during installation of Windows. The Forwarded Events log is the default location to record events received from other systems. But there are also many additional logs, listed under Applications and Services Logs in Event Viewer, that record details related to specific types of activities. Since these log files are much more targeted than the Security log, they often retain information about events that occurred well before the current Security log has been overwritten. Always look for multiple sources of log information, and don't forget to look for older log files that may be captured by backup systems or volume shadow copies.
Events recorded in these logs share several fields:
- Log Name: The name of the Event Log where the event is stored. Useful when processing numerous logs pulled from the same system.
- Source: The service, Microsoft component or application that generated the event.
- Event ID: A code assigned to each type of audited activity.
- Level: The severity assigned to the event in question.
- User: The user account involved in triggering the activity or the user context that the source was running as when it logged the event. Note that this field often indicates "System" or a user that is not the cause of the event being recorded.
- OpCode: Assigned by the source generating the log. Its meaning is left to the source.
- Logged: The local system date and time when the event was logged.
- Task Category: Assigned by the source generating the log. Its meaning is left to the source.
- Keywords: Assigned by the source and used to group or sort events.
- Computer: The computer on which the event was logged. This is useful when examining logs collected from multiple systems, but should not be considered to be the device that caused an event (for example, when a remote logon is initiated, the Computer field will still show the name of the system logging the event, not the source of the connection).
- Description: A text block where additional information specific to the event being logged is recorded. This is often the most significant field for the analyst.
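The following PowerShell is an added example, not code from the original reference, that serves two passages above: it first surveys which logs on a system are enabled and how full they are, which is how an analyst finds the targeted Applications and Services logs that still cover a timeframe the Security log has already wrapped, and then maps the Event Viewer fields just listed onto the properties that Get-WinEvent exposes, for a live log and for a saved .evtx file alike. It also expands the structured EventData behind the Description field. The log name, the saved-file path and the event counts in the usage lines are assumptions made for the example.

```powershell
# Added example (not from the reference): survey the logs present on a host,
# then read events (live or from an .evtx file) and present the common Event
# Viewer fields by their Get-WinEvent property names.

# Which logs are enabled, their retention mode, size limit and fill level. The
# smaller Applications and Services logs frequently still hold events that the
# circular Security log has already overwritten.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LogName, LogMode, RecordCount, MaximumSizeInBytes, LastWriteTime

function ConvertTo-EventSummary {
    param(
        [Parameter(ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record
    )
    process {
        # The Description is rendered from the event's binary XML payload. Pull
        # the structured EventData (Data Name="..." children) into a hashtable so
        # individual fields can be filtered on instead of parsed out of the text.
        [xml] $xml = $Record.ToXml()
        $data = [ordered] @{}
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($null -ne $d -and $d.Name) { $data[$d.Name] = $d.'#text' }
        }
        # The User field is stored as a SID; translate it when the account resolves
        # (it will not for SIDs from another domain or a machine that no longer exists).
        $user = $null
        if ($Record.UserId) {
            try   { $user = $Record.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $Record.UserId.Value }
        }
        [pscustomobject] @{
            LogName      = $Record.LogName             # Log Name
            Source       = $Record.ProviderName        # Source
            EventID      = $Record.Id                  # Event ID
            Level        = $Record.LevelDisplayName    # Level
            User         = $user                       # User (often SYSTEM, per the caveat above)
            OpCode       = $Record.OpcodeDisplayName   # OpCode
            Logged       = $Record.TimeCreated         # Logged (local time of the logging system)
            TaskCategory = $Record.TaskDisplayName     # Task Category
            Keywords     = ($Record.KeywordsDisplayNames -join ', ')
            Computer     = $Record.MachineName         # Computer: the logging host, not the actor
            RecordId     = $Record.RecordId
            EventData    = $data                       # structured part of the Description
            Description  = $Record.Message
        }
    }
}

# Live log on the local system (reading the Security log requires elevation).
Get-WinEvent -LogName Security -MaxEvents 5 | ConvertTo-EventSummary |
    Format-List LogName, Source, EventID, Level, User, Logged, Computer, EventData

# The same against a saved .evtx file, e.g. one recovered from a backup or a
# volume shadow copy. The path is an assumption for the example.
$saved = 'C:\Cases\host01\Security.evtx'
if (Test-Path $saved) {
    Get-WinEvent -Path $saved -Oldest -MaxEvents 5 | ConvertTo-EventSummary |
        Select-Object Logged, EventID, Source, Computer
}
```

Because ConvertTo-EventSummary works on EventLogRecord objects, the same function applies to events pulled from a remote host with Get-WinEvent -ComputerName or to a ForwardedEvents log on a collector, and the EventData hashtable is what you would filter on (for example a source address inside the Description) rather than the Computer field, which, as noted above, only identifies the system that logged the event.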