Windows Event Log

Logs Collected

The Windows Event Logs collected are events pulled from the channels that are requested when configuring the log bundle. The image below shows examples of the logs that may be pulled from one or more systems.

[Image: Windows Event Log Example]

Log Collection Setup

Configure a Windows Event Log Source

  1. Install the BindPlane Log Agent on the host system.
  2. Log in to BindPlane and select the Logs tab.
[Image: Logs Tab]

  3. Select the Sources tab.
[Image: Sources Tab]

  4. In the top-right portion of the screen, click the Add Source Configuration button.
[Image: Add Source Configuration Button]

  5. Choose Windows Event Logs.
  6. Fill out the Channels to pull events from. These correspond to the Windows Event Logs you want to monitor. The Application, System, and Security logs are all supported.
[Image: Example: Windows Logs]

[Image: Windows Event Log Configuration Form]

Subscribing to nonexistent channels

If you subscribe to a channel (log) that does not exist on the Windows host, the Application channel is subscribed to instead, so a misspelled channel name silently collects the wrong events.
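Because a nonexistent channel falls back to Application without any error, it is worth checking the channel names on the host before saving the source configuration. The following PowerShell snippet is an added example and is not part of the BindPlane documentation or product; the channel list is constructed (one entry is deliberately misspelled to show the failure mode) and should be replaced with the channels from your own configuration.

```powershell
# Added example (not BindPlane code): confirm that every channel you intend to
# configure exists on this host, and that it is enabled, before saving the source.
# A missing channel would otherwise be replaced by the Application channel.

# Constructed list of channel names; replace with the channels in your configuration.
$requestedChannels = @(
    'Application',
    'System',
    'Security',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Securty'    # deliberate typo: this is what the silent fallback would hide
)

# Every channel registered on the host. Some logs need elevation to enumerate;
# those errors are suppressed so the comparison still runs.
$existing = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LogName

foreach ($channel in $requestedChannels) {
    if ($existing -contains $channel) {
        $log   = Get-WinEvent -ListLog $channel
        $state = if ($log.IsEnabled) { 'enabled' } else { 'DISABLED (no events will be written)' }
        '{0,-70} OK: {1}, {2} records' -f $channel, $state, $log.RecordCount
    } else {
        '{0,-70} MISSING: would fall back to the Application channel' -f $channel
    }
}
```

Run it in an elevated PowerShell session on the host where the agent is installed, since the Security channel and some operational channels cannot be enumerated by a standard user. A channel reported as DISABLED exists but is turned off in Event Viewer, which produces the same practical result as a missing channel: nothing to collect.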

Enabling Windows Remote Desktop Services Logs

By default, Windows Remote Desktop Services logs are disabled and need to be enabled with group policy. Once set up, events appear in the Windows Event Viewer Security channel.

[Image: Windows Event Viewer: Security Channel]

Follow these steps to enable RDS logs:

  1. Create a new group policy with any name. This example uses RDS Audit Policy.
  2. Edit the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ and define the following Audit Policy settings:
    2a. Account Logon: enable all subcategories with Success and Failure.
    2b. Logon/Logoff: enable the following subcategories:
      Audit Account Lockout: Success and Failure
      Audit Logoff: Success and Failure
      Audit Logon: Success and Failure
      Audit Other Logon/Logoff Events: Success and Failure
      Audit Special Logon: Success and Failure
  3. Other audit categories can be enabled if desired.
[Image: Step 2a.]

[Image: Step 2b.]
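After the GPO is linked, the settings from step 2 can be verified on a target host rather than assumed. The PowerShell below is an added example, not part of the BindPlane documentation; it assumes an English-language system (auditpol output is parsed as text) and uses the standard Windows Security event IDs for logon activity.

```powershell
# Added example (not BindPlane code): verify that the Account Logon and
# Logon/Logoff audit settings from step 2 are in effect and that the Security
# channel is receiving logon events. Assumes English-language auditpol output.

# Refresh policy so the check reflects the GPO rather than a stale local setting.
gpupdate /target:computer /force | Out-Null

# Step 2a: every Account Logon subcategory should read "Success and Failure".
auditpol /get /category:"Account Logon"

# Step 2b: check each Logon/Logoff subcategory individually.
$expected      = 'Success and Failure'
$subcategories = 'Account Lockout', 'Logoff', 'Logon', 'Other Logon/Logoff Events', 'Special Logon'
foreach ($sub in $subcategories) {
    # auditpol prints a table; the subcategory row is indented and ends with the setting.
    $row = auditpol /get /subcategory:"$sub" |
        Where-Object { $_ -match "^\s+$([regex]::Escape($sub))\s" } |
        Select-Object -First 1
    $setting = ($row -replace '.*\s{2,}', '').Trim()
    if ($setting -eq $expected) {
        "OK       $sub : $setting"
    } else {
        "MISSING  $sub : '$setting' (expected '$expected'; check the GPO link and scope)"
    }
}

# Count the logon-related Security events written in the last hour.
# Standard Windows IDs: 4624 logon, 4625 failed logon, 4634 logoff,
# 4672 special logon (privileged), 4740 account lockout.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634, 4672, 4740
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$events | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

# Remote Desktop sessions are 4624 events with LogonType 10 (RemoteInteractive);
# list who connected and from which address.
$events | Where-Object Id -eq 4624 | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.LogonType -eq '10') {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Source = $data.IpAddress
        }
    }
} | Format-Table -AutoSize
```

If a subcategory reports No Auditing even after the refresh, the usual causes are a GPO linked to the wrong OU, a local policy that the advanced audit settings have not yet overridden, or a host that has not been rebooted since the policy was applied. An empty 4624/4625 table is normal on a host nobody has logged on to in the last hour; extend StartTime or perform a test RDP logon to confirm collection end to end.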

Enabling Windows File Share Logs

By default, Windows file share logs are disabled and need to be enabled with group policy. Once set up, events appear in the Windows Event Viewer Security channel.

[Image: Windows Event Viewer]

Follow these steps to enable Windows File Sharing logs:

  1. Create a new group policy with any name. This example uses File Server Audit Policy.
  2. Edit the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ and define the following Audit Policy settings:
    2a. Audit Detailed File Share: Success and Failure
    2b. Audit File Share: Success and Failure
    2c. Audit File System: Success and Failure
    2d. Audit Removable Storage: Success and Failure
  3. Other audit categories can be enabled if desired.
  4. Enable auditing on all file shares that you want to log.
    4a. Edit the share properties -> Security -> Advanced -> Auditing
[Image: Step 4a.]

  5. Check Event Viewer to make sure the Security log is displaying file share access (failed and successful events).
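Step 5 can be scripted so that both halves of the setup are confirmed: that auditing entries were actually attached to the share in step 4a, and that the four subcategories from step 2 are producing Security events. The PowerShell below is an added example, not part of the BindPlane documentation; the share name is constructed and must be replaced with one of your own, and the event IDs are the standard Windows Security IDs for the File Share, Detailed File Share and File System subcategories.

```powershell
# Added example (not BindPlane code): confirm that step 4a attached audit entries
# (a SACL) to the share's folder and that share-access events are reaching the
# Security channel. Run in an elevated session on the file server.

# Constructed share name; replace with the share you enabled auditing on.
$shareName = 'Finance'
$share = Get-SmbShare -Name $shareName -ErrorAction Stop

# Step 4a check: list the audit entries on the share's folder. With no entries,
# File System auditing has nothing to act on and no 4663 events will be written.
$acl = Get-Acl -Path $share.Path -Audit
if (-not $acl.Audit) {
    Write-Warning "No audit entries on $($share.Path): step 4a has not taken effect"
}
$acl.Audit | Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Step 5 check: events produced by the subcategories enabled in step 2.
#   5140 network share accessed            (Audit File Share)
#   5145 share access check with rights    (Audit Detailed File Share)
#   4656 handle to an object requested     (Audit File System)
#   4663 attempt to access an object       (Audit File System)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5140, 5145, 4656, 4663
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Flatten the EventData name/value pairs so fields can be read by name.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Client  = $data.IpAddress        # present on 5140/5145 (share events), empty on 4656/4663
        Object  = if ($data.ShareName) { "$($data.ShareName) $($data.RelativeTargetName)" } else { $data.ObjectName }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Seeing 5140 and 5145 but no 4663 means the share-level subcategories are working while the folder SACL from step 4a is missing or too narrow; seeing nothing at all usually means the GPO has not applied to the file server, which the Remote Desktop Services section's auditpol check diagnoses in the same way. Detailed File Share (5145) is written for every access check on every file in the share, so expect it to dominate the volume collected from busy servers.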