
Windows Security Event Log Best Practices

If your company is like many others, it has probably invested heavily in the Microsoft ecosystem. Microsoft has been around since the 1980s, focusing primarily on business technologies. It has a reputation for compatibility, which gives you more purchasing options across devices and accessories. Unfortunately, this reach across corporate IT environments means that malicious actors target everything associated with Microsoft. For example, the November 2022 Patch Tuesday fixed six exploited zero-days and eleven “critical” vulnerabilities.

To protect yourself, you can collect and analyze Windows security event logs with these best practices.

What are Windows security event logs?

The Windows operating system stores detailed and in-depth records, called Windows event logs, about system, security, and application events. Windows security event logs, or security auditing logs, provide data about activities that can help you identify abnormal activity that could indicate a malicious actor gained unauthorized access to systems, networks, or devices.

To help detect security events, Microsoft built the Windows security auditing feature that you can use to:


Two types of Windows security event logs exist:

Microsoft offers two types of security audit policies:


What are the categories of security audit events?

Microsoft defines nine basic security audit events. When you turn on auditing for a category, your Windows OS generates data that gives you insight into activities.

Audit account logon

These security events tell you when domain controllers or local computers authenticate a user’s access. The default setting is “success.”


Audit account management

These audit logs tell you about account management activities for:


The default settings are:


Audit directory service access

This security audit log tells you whether a user accesses an Active Directory object with its own system access control list (SACL).

The default settings are:


Audit logon events

This security audit provides information about users logging on to or off from a device. Often, you will want to correlate these with account logon events.
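The correlation described above, as an added example that is not part of the original article: it flags logon events that have no account logon event for the same user shortly beforehand. The event records are constructed, the field names are assumptions about how a collector normalizes them, and the event IDs used are 4624 (logon), 4768 (Kerberos TGT request) and 4776 (NTLM credential validation).

```python
from datetime import datetime, timedelta

# Constructed sample events, already normalized by a collector (not real logs).
# 4624 = successful logon (Audit logon events).
# 4768 / 4776 = Kerberos TGT request / NTLM credential validation
# (Audit account logon).
EVENTS = [
    {"time": "2024-05-01T08:00:01", "host": "DC01", "event_id": 4768, "user": "alice"},
    {"time": "2024-05-01T08:00:03", "host": "WS-17", "event_id": 4624, "user": "alice"},
    {"time": "2024-05-01T09:15:40", "host": "WS-22", "event_id": 4624, "user": "svc_backup"},
    {"time": "2024-05-01T10:30:00", "host": "DC01", "event_id": 4776, "user": "bob"},
    {"time": "2024-05-01T10:42:00", "host": "WS-09", "event_id": 4624, "user": "bob"},
]

LOGON = {4624}
ACCOUNT_LOGON = {4768, 4776}


def unmatched_logons(events, window_seconds=120):
    """Return (time, host, user) for each logon that has no account logon
    event for the same user within the preceding window."""
    window = timedelta(seconds=window_seconds)
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["ts"],
    )
    last_auth = {}  # user -> timestamp of the latest account logon event
    findings = []
    for e in parsed:
        user = e["user"].lower()  # account names are case-insensitive
        if e["event_id"] in ACCOUNT_LOGON:
            last_auth[user] = e["ts"]
        elif e["event_id"] in LOGON:
            seen = last_auth.get(user)
            if seen is None or e["ts"] - seen > window:
                findings.append((e["time"], e["host"], e["user"]))
    return findings


if __name__ == "__main__":
    for time, host, user in unmatched_logons(EVENTS):
        print(f"{time} {host} {user}: logon without a recent account logon event")
```

An unmatched logon is a lead for review, not a verdict: local accounts, cached credentials and gaps in domain controller log collection produce it as well.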

Audit object access

This security event log tells you when a user accesses objects that have their own SACL specified, like:


The default setting is no auditing.


Audit policy change

This audit event tells you about changes to:


The default settings are:


Audit privilege use

This security audit tells you every time a user exercises a user right.

The default setting is “no auditing.”

Even if you turn on success audit or failure audit within this category, Microsoft makes you take additional steps to audit the following user rights because auditing them can slow down a computer:

Audit process tracking

These security audits tell you about detailed tracking information for events like:

The default setting is “no auditing.”


Audit system events

These security audits tell you when users restart or shut down their computers. They also provide information about events that affect the system security or security log.

The default settings are:


Windows Security Event Log Best Practices

Without planning, your Windows audit policies can generate high volumes of data that become overwhelming. To effectively use Windows security event logs for both security and compliance, you should follow some basic strategies.

Establish clear goals and objectives

At the highest level, you need to understand the logical grouping of resources and activities that require auditing.

Data and resources

Sensitive data is the foundation of your security auditing, so you may want to consider how features in Microsoft SQL Server and Microsoft Server can help you monitor this information.

Some examples of resource classes and where they are stored include:



Some users require more monitoring than others. You may want to set audit policies for users with access to sensitive data, those who have privileged access, or external users.

Some examples of users might be:



Depending on the device type, you may want to create unique audit policies to limit the amount of data generated. Your analysis and monitoring should consider:

Regulatory Requirements

If your company needs to comply with a regulation or industry framework, your security audit policies should align to these.


Map policy to groups of users, computers, and resources

Group Policies enable you to create defined user, computer, and resource groups to make applying security policies easier.

To get started using Group Policies you can:


Choose audit settings

Once you define your requirements and start mapping your policies, you can use different audit settings to help achieve your goals.
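One way to check that the settings in effect match the ones you chose, as an added example that is not part of the original article: it compares a report in the CSV layout printed by `auditpol /get /category:* /r` against a baseline. The sample report is constructed, and the baseline values are hypothetical placeholders for your own requirements.

```python
import csv
import io

# Constructed sample in the CSV layout of `auditpol /get /category:* /r`
# (GUID column replaced with a placeholder; not output from a real host).
SAMPLE = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS-17,System,Logon,{placeholder},Success,
WS-17,System,Credential Validation,{placeholder},No Auditing,
WS-17,System,Process Creation,{placeholder},No Auditing,
WS-17,System,Audit Policy Change,{placeholder},Success and Failure,
"""

# Hypothetical baseline: replace with the settings your own goals require.
BASELINE = {
    "Logon": {"Success", "Failure"},
    "Credential Validation": {"Success", "Failure"},
    "Process Creation": {"Success"},
    "Audit Policy Change": {"Success"},
}


def parse_setting(text):
    """Turn 'Success and Failure' or 'No Auditing' into a set of outcomes."""
    return {word for word in ("Success", "Failure") if word in text}


def audit_gaps(report_csv, baseline):
    """Return {subcategory: missing outcomes} for every subcategory whose
    effective setting audits less than the baseline requires."""
    effective = {
        row["Subcategory"].strip(): parse_setting(row["Inclusion Setting"])
        for row in csv.DictReader(io.StringIO(report_csv))
    }
    gaps = {}
    for subcategory, required in baseline.items():
        # A subcategory absent from the report counts as not audited.
        missing = required - effective.get(subcategory, set())
        if missing:
            gaps[subcategory] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for subcategory, missing in audit_gaps(SAMPLE, BASELINE).items():
        print(f"{subcategory}: not auditing {', '.join(missing)}")
```

Subcategory names in the report follow the operating system's display language, so a baseline written with English names only matches reports from English-language hosts.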


Data and resource activity

Once you know where your company stores sensitive data, you can set audit policies like:

User activity

In a world where zero trust architectures (ZTA) are increasingly important, monitoring user activity is critical.

Some security audit settings that you might want to use include:


Network activity

Network activity monitoring can detect issues not covered by data or user monitoring categories.


Some security audit settings that might help you are:


Monitor and manage security auditing

Even in a relatively small IT environment, networks generate high volumes of security event logs that you need to monitor and manage. To get the full value from your Windows security event logs, you must decide how you plan to collect, aggregate, store, correlate, and analyze the data. For example, you need to decide whether you plan to store everything on a local computer or in a central console.

When planning your storage, you need to determine how you plan to manage event log size, including whether to:


Additional security event log settings that you can find in the GPMC under Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security include:


Graylog Security: Centralized Log Management for Windows Event Security Logging


Graylog Security and our Windows Event Logs Content Pack normalize common event log fields across all Windows event log messages and enrich critical security event log IDs. Graylog ingests your Windows event logs with either NXLog Community Edition or Winlogbeat.

With Graylog, you can collect, aggregate, correlate, and analyze all your Windows security event logs in a single location to maximize your data’s value. With Graylog Extended Log Format (GELF), you can ingest log data from any source and normalize it for enhanced observability and visibility. By bringing together all your security and operations activities within Graylog, you make quantifiable gains in your operational and cybersecurity postures by making sense of your data.

To see how Graylog can help you, contact us today.

