Bindplane


Windows Event Log

Logs Collected

The Windows Event Log events collected are pulled from the channels requested when the source (log bundle) is configured. The image below shows some of the logs that could be pulled from one or more systems.

Windows Event Log Example

Log Collection Setup

Configure a Windows Event Log Source

  1. Install the BindPlane Log Agent on the host system.
  2. Log in to BindPlane and select the Logs tab.

Logs Tab

  3. Select the Sources tab.

Sources Tab

  4. In the top-right portion of the screen, click the Add Source Configuration button.

Add Source Configuration Button

  5. Choose Windows Event Logs.
  6. Fill out the Channels to pull events from. Each entry is the name of a Windows Event Log channel you want to monitor; the Application, System, and Security channels are all supported.

Example: Windows Logs

Windows Event Log Configuration Form

Note: Subscribing to nonexistent channels

When subscribing to a channel (log) in Windows that does not exist, the Application channel is subscribed to instead. The fallback is silent, so check each channel name against the host before saving the configuration (in Event Viewer, or with Get-WinEvent -ListLog).
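Because a misspelled channel name is quietly replaced by Application, it is worth validating the list on the target host before entering it in the form. The PowerShell below is an added example, not Bindplane's code: it compares a list of requested channel names against the channels registered on the machine and reports which ones would fall back. The sample list is constructed for illustration (the last entry is deliberately misspelled); replace it with the channels you intend to configure.

```powershell
# Added example (not Bindplane's code): verify that every channel name you plan
# to enter in the Bindplane source configuration exists on this host. A name
# that does not exist is silently replaced by the Application channel, so
# catching typos here avoids collecting the wrong log without noticing.

# Constructed sample list; replace with the channels you intend to configure.
# The last entry is deliberately misspelled to show the failure mode.
$RequestedChannels = @(
    'Application',
    'System',
    'Security',
    'Secuirty'
)

function Test-EventLogChannel {
    param(
        [Parameter(Mandatory)] [string[]] $Channel
    )

    # Get-WinEvent -ListLog enumerates every registered channel, including
    # those that are currently disabled. Channel names are case-insensitive.
    $known = @{}
    foreach ($log in (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue)) {
        $known[$log.LogName.ToLowerInvariant()] = $log
    }

    foreach ($name in $Channel) {
        $log = $known[$name.ToLowerInvariant()]
        [pscustomobject]@{
            Channel   = $name
            Exists    = [bool] $log
            Enabled   = if ($log) { $log.IsEnabled } else { $null }
            # What the agent would actually subscribe to, per the note above.
            Effective = if ($log) { $log.LogName } else { 'Application (fallback)' }
        }
    }
}

$results = Test-EventLogChannel -Channel $RequestedChannels
$results | Format-Table -AutoSize

# Warn loudly if anything would silently fall back to Application.
$bad = $results | Where-Object { -not $_.Exists }
if ($bad) {
    Write-Warning ("These channels do not exist and would be collected as Application: " +
                   ($bad.Channel -join ', '))
}
```

A channel that exists but shows Enabled = False will be subscribed to successfully yet produce nothing until it is enabled, which is a different problem from the fallback described above; the Enabled column makes that case visible too.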

Enabling Windows Remote Desktop Services Logs

By default, the audit subcategories that record Remote Desktop Services logons are not enabled, and they need to be enabled with Group Policy. Once set up, the events appear in the Security channel in Windows Event Viewer.

Windows Event Viewer: Security Channel

Follow these steps to enable RDS logs:

  1. Create a new group policy with any name. This example uses RDS Audit Policy.
  2. Edit the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ and define the following Audit Policy settings:
    2a. Account Logon: enable all subcategories with Success and Failure.
    2b. Logon/Logoff:
      Audit Account Lockout: Success and Failure
      Audit Logoff: Success and Failure
      Audit Logon: Success and Failure
      Audit Other Logon/Logoff Events: Success and Failure
      Audit Special Logon: Success and Failure
  3. Other audit categories can be enabled if desired.

Step 2a.

Step 2b.
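To test the policy on a single host before rolling the GPO out, the same subcategories can be set locally with auditpol.exe and the resulting Security events queried directly. The PowerShell below is an added example and not Bindplane's code; the subcategory names are the Advanced Audit Policy names from step 2, and the event IDs are the standard Security-log IDs those subcategories produce. Two caveats: on a domain-joined host the GPO setting overrides whatever auditpol sets locally, so treat this as verification rather than a substitute for the policy; and if a legacy (basic) audit policy is also applied, the advanced subcategories only take effect when the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.

```powershell
# Added example (not Bindplane's code): apply the Account Logon and
# Logon/Logoff subcategories from the GPO locally for testing, then query
# the Security log for the events an RDP session generates.
# Run from an elevated PowerShell prompt.

# Advanced Audit Policy subcategory names, as listed by
# `auditpol /list /subcategory:*`.
$Subcategories = @(
    # 2a: all Account Logon subcategories
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Other Account Logon Events',
    # 2b: Logon/Logoff subcategories named in the steps above
    'Account Lockout',
    'Logoff',
    'Logon',
    'Other Logon/Logoff Events',
    'Special Logon'
)

foreach ($sub in $Subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Print the effective settings so an overriding GPO is visible immediately.
foreach ($cat in 'Account Logon', 'Logon/Logoff') {
    auditpol.exe /get /category:"$cat"
}

# Security events produced by an RDP session:
#   4624 logon, 4625 failed logon, 4634/4647 logoff,
#   4672 special privileges assigned, 4740 account locked out.
# LogonType 10 (RemoteInteractive) distinguishes Remote Desktop logons
# from console (2) and network (3) logons.
$rdsEventIds = 4624, 4625, 4634, 4647, 4672, 4740

function Get-RdsLogonEvent {
    param([datetime] $Since = (Get-Date).AddHours(-24))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $rdsEventIds; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                LogonType = $data['LogonType']
                User      = if ($data['TargetDomainName']) { "$($data['TargetDomainName'])\$($data['TargetUserName'])" } else { $data['TargetUserName'] }
                SourceIp  = $data['IpAddress']
            }
        } |
        # Keep logon/failure events only when they are RemoteInteractive;
        # logoff, privilege and lockout events carry no logon type to filter on.
        Where-Object { $_.Id -notin 4624, 4625 -or $_.LogonType -eq '10' }
}

Get-RdsLogonEvent | Format-Table -AutoSize
```

If the query returns nothing after an RDP logon, compare the auditpol output against the GPO: a "No Auditing" line for Logon means the policy has not applied or has been overridden.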

Enabling Windows File Share Logs

By default, Windows file share audit logs are not enabled, and they need to be enabled with Group Policy. Once set up, the events appear in the Security channel in Windows Event Viewer.

Windows Event Viewer

Follow these steps to enable Windows File Sharing logs:

  1. Create a new group policy with any name. This example uses File Server Audit Policy.
  2. Edit the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ and define the following Audit Policy settings (all under Object Access):
    2a. Audit Detailed File Share: Success and Failure
    2b. Audit File Share: Success and Failure
    2c. Audit File System: Success and Failure
    2d. Audit Removable Storage: Success and Failure
  3. Other audit categories can be enabled if desired.
  4. Enable auditing on every file share that you want to log. Without this, the File System subcategory produces no events for the share, because file-level auditing only fires for objects that carry an audit entry (SACL).
    4a. Edit the shared folder's properties -> Security -> Advanced -> Auditing and add an audit entry for the principals and accesses you want recorded.

Step 4a.

  5. Check Event Viewer to make sure the Security log is displaying file share access (failed and successful events).
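The Auditing tab in step 4a edits the SACL of the folder behind the share, and step 5 is a query against the Security log. Both can be scripted, which is useful when there are many shares or when verifying a file server before the GPO reaches it. The PowerShell below is an added example and not Bindplane's code: it sets the four Object Access subcategories locally (the test-host equivalent of step 2), adds an audit rule to a share folder, and lists the resulting share-access events. The share path D:\Shares\Finance and the audited principal (Everyone) are assumptions; adjust them to your environment.

```powershell
# Added example (not Bindplane's code): local equivalents of steps 2 and 4a
# for testing on one file server, plus the verification query from step 5.
# Run from an elevated prompt; writing a SACL requires SeSecurityPrivilege.

# Step 2: the Object Access subcategories named above, applied locally.
foreach ($sub in 'Detailed File Share', 'File Share', 'File System', 'Removable Storage') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Step 4a: add an audit entry (SACL) to the folder behind the share.
# Audits the given identity for the listed accesses, Success and Failure,
# inherited by all subfolders and files.
function Enable-FolderAccessAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights] $Rights =
            'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights,
        'ContainerInherit, ObjectInherit', 'None',
        'Success, Failure')
    # -Audit makes Get-Acl return the SACL as well as the DACL.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Echo the audit rules now in place on the folder.
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

Enable-FolderAccessAudit -Path 'D:\Shares\Finance'   # assumed share folder

# Step 5: confirm the Security log shows share access.
#   5140 = a network share object was accessed      (File Share)
#   5145 = share access check at the file level      (Detailed File Share)
#   4663 = an attempt was made to access an object   (File System; needs the SACL above)
function Get-FileShareAccessEvent {
    param([datetime] $Since = (Get-Date).AddHours(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140, 5145, 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Outcome = $_.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Client  = $d['IpAddress']                     # present on 5140/5145
                Object  = if ($d['RelativeTargetName']) {
                              "$($d['ShareName'])\$($d['RelativeTargetName'])"   # 5145
                          } elseif ($d['ShareName']) {
                              $d['ShareName']                                     # 5140
                          } else {
                              $d['ObjectName']                                    # 4663
                          }
            }
        }
}

Get-FileShareAccessEvent | Format-Table -AutoSize
```

Expect 5140 and 5145 as soon as the subcategories are on, since they do not depend on the SACL; 4663 only appears for objects that carry an audit entry, so if 5140 is present and 4663 is absent, the problem is step 4a rather than step 2.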
