Windows Event Log
Logs Collected
The Windows Event Logs collected are the events pulled from the channels you request when configuring the log bundle. The image below depicts some of the logs that could be pulled from one or more systems.
Log Collection Setup
Configure a Windows Event Log Source
- Install the BindPlane Log Agent on the host system.
- Login to BindPlane and select the Logs tab.
- Select the Sources tab.
- In the top-right portion of the screen, click on the Add Source Configuration button
- Choose Windows Event Logs
- Fill out the Channels to pull events from. These correspond to the Windows Event Log channels you want to monitor, exactly as they are named in Event Viewer (for example Application, System, Security, or a provider channel such as Microsoft-Windows-TerminalServices-LocalSessionManager/Operational). Monitoring the Application, System, and Security logs is supported.
Subscribing to nonexistent channels
When you subscribe to a channel (log) that does not exist on the Windows host, the agent does not fail; it silently subscribes to the Application channel instead. A misspelled channel name therefore produces a configuration that appears to work while the intended events (for example Security) are never collected, so verify every channel name on the host before saving the source.
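The check below is an added example, not part of the BindPlane documentation or agent: it runs on the Windows host and confirms that each channel you intend to put in the source configuration exists (and is enabled) before the silent fallback to Application can bite. The channel list is constructed for illustration; the last entry is a deliberate typo to show what a missing channel looks like.

```powershell
# Added example (not BindPlane code): validate Windows Event Log channel names
# before putting them in a BindPlane source, because a nonexistent channel
# silently falls back to Application. Channel names below are assumed inputs.
$RequestedChannels = @(
    'Application',
    'System',
    'Security',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-Sysmon/Operational',   # only present when Sysmon is installed
    'Aplication'                              # deliberate typo: demonstrates the failure
)

function Test-EventLogChannel {
    param([Parameter(Mandatory)][string]$Name)
    # Get-WinEvent -ListLog errors on unknown channels; with -ErrorAction Stop
    # that becomes a catchable exception which we report as "missing".
    try {
        $log = Get-WinEvent -ListLog $Name -ErrorAction Stop
        [pscustomobject]@{
            Channel = $Name
            Exists  = $true
            Enabled = $log.IsEnabled
            Records = $log.RecordCount
            SizeMB  = [math]::Round($log.FileSize / 1MB, 1)
        }
    } catch {
        [pscustomobject]@{ Channel = $Name; Exists = $false; Enabled = $false; Records = 0; SizeMB = 0 }
    }
}

$results = $RequestedChannels | ForEach-Object { Test-EventLogChannel -Name $_ }
$results | Format-Table -AutoSize

# Fail loudly so a misspelled channel never reaches the agent configuration.
$missing = $results | Where-Object { -not $_.Exists }
if ($missing) {
    Write-Warning ("Channels not found on {0}: {1}" -f $env:COMPUTERNAME, ($missing.Channel -join ', '))
}

# A channel that exists but is disabled (common for Operational/Analytic logs)
# produces no events until enabled, e.g.:  wevtutil sl <channel> /e:true
$disabled = $results | Where-Object { $_.Exists -and -not $_.Enabled }
if ($disabled) {
    Write-Warning ("Channels present but disabled: {0}" -f ($disabled.Channel -join ', '))
}
```

Run it in an elevated PowerShell session so the Security channel metadata is readable; a channel flagged as missing should be corrected in the BindPlane source configuration, and one flagged as disabled needs to be enabled on the host before any events will flow.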
Enabling Windows Remote Desktop Services Logs
By default, the audit subcategories that record Remote Desktop Services logons are not enabled and need to be turned on with Group Policy. Once the policy is applied, the logon and logoff events appear in the Security channel in Windows Event Viewer (successful interactive RDP logons are recorded as Event ID 4624 with Logon Type 10, RemoteInteractive; failed attempts as Event ID 4625).
Follow these steps to enable RDS logs:
1. Create a new Group Policy Object with any name. This example uses RDS Audit Policy.
2. Edit the GPO, browse to
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\
and define the following Audit Policy settings:
2a. Account Logon: enable all subcategories with Success and Failure
2b. Logon/Logoff:
Audit Account Lockout: Success and Failure
Audit Logoff: Success and Failure
Audit Logon: Success and Failure
Audit Other Logon/Logoff Events: Success and Failure
Audit Special Logon: Success and Failure
3. Other audit categories can be enabled if desired.
4. Link the GPO to the OU containing the RDS hosts and refresh policy (gpupdate /force). If basic (legacy) audit policy settings are also configured anywhere in scope, enable Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings so the advanced subcategories take precedence.
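The following is an added example, not part of the BindPlane documentation: it runs on an RDS host after the GPO above has been linked, confirms that the Logon/Logoff subcategories actually took effect as the local security subsystem sees them, and then pulls the RDP logon events the Security channel now produces so you can confirm the agent has something to collect. The 24-hour window is an assumed choice.

```powershell
# Added example (not BindPlane code): verify the RDS audit GPO applied and
# query the resulting RDP logon events. Run in an elevated session.

# 1. Effective advanced audit policy. auditpol /r emits CSV whose
#    "Inclusion Setting" column should read "Success and Failure".
$Subcategories = 'Logon', 'Logoff', 'Account Lockout', 'Special Logon', 'Other Logon/Logoff Events'
$policy = foreach ($sub in $Subcategories) {
    auditpol /get /subcategory:"$sub" /r |
        Where-Object { $_ -match '\S' } |        # drop any blank lines
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
$policy | Format-Table -AutoSize
$notAudited = $policy | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
if ($notAudited) {
    Write-Warning ("Not fully audited: {0}. Check the GPO link/scope and run gpupdate /force." -f ($notAudited.Subcategory -join ', '))
}

# 2. RDP logons in the Security channel. Interactive RDP sessions log 4624
#    with LogonType 10 (RemoteInteractive); failures log 4625. The XPath
#    filters on the structured EventData so no message-text parsing is needed.
#    timediff() is in milliseconds: 86400000 = last 24 hours (assumed window).
$xpath = @"
*[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]
  and EventData[Data[@Name='LogonType']='10']]
"@
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Result   = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
            User     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceIP = $d.IpAddress
        }
    } | Format-Table -AutoSize
```

If step 1 reports the subcategories as audited but step 2 returns nothing, generate a test logon over RDP and re-run; if step 1 reports No Auditing, the policy has not reached the host yet and collecting the Security channel will show no RDP activity regardless of the agent configuration.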
Enabling Windows File Share Logs
By default, Windows file share auditing is disabled and needs to be enabled with Group Policy. Once the policy is applied, the events appear in the Security channel in Windows Event Viewer (Event ID 5140 when a share is accessed, 5145 for each access check against a share, and 4663 for access to files or folders that carry an auditing entry).
Follow these steps to enable Windows File Sharing logs:
1. Create a new Group Policy Object with any name. This example uses File Server Audit Policy.
2. Edit the GPO, browse to
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
and define the following Audit Policy settings:
2a. Audit Detailed File Share: Success and Failure
2b. Audit File Share: Success and Failure
2c. Audit File System: Success and Failure
2d. Audit Removable Storage: Success and Failure
3. Other audit categories can be enabled if desired. Note that Audit Detailed File Share writes a 5145 event for every access check against a share, so on a busy file server Success auditing in that subcategory produces a very high event volume; consider Failure only if volume is a concern.
4. Enable auditing on the folders behind each file share you want to log. Audit File System alone generates no 4663 events; the folder must also carry an auditing entry (SACL).
4a. Edit the shared folder's properties -> Security -> Advanced -> Auditing, and add entries for the principals and access types you want recorded.
5. Check Event Viewer to make sure the Security log is displaying file share access (both failed and successful events).
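The following is an added example, not part of the BindPlane documentation: it performs step 4 with a SACL applied from PowerShell rather than the Properties dialog, checks that the Object Access subcategories from step 2 are in effect, and then runs the verification in step 5 by querying the Security channel for the share-access event IDs. The share path, the audited principal and access mask, and the one-hour window are assumptions for illustration.

```powershell
# Added example (not BindPlane code): audit a shared folder via its SACL,
# verify the Object Access policy, and list the resulting Security events.
# Run in an elevated session (writing a SACL requires SeSecurityPrivilege).
$SharePath = 'D:\Shares\Finance'   # assumed local path behind a file share

# 1. Add an auditing entry: who, which accesses, inherited by children,
#    logged on both success and failure. Equivalent to
#    Properties -> Security -> Advanced -> Auditing -> Add.
$acl  = Get-Acl -Path $SharePath -Audit          # -Audit is needed to read/write the SACL
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl
(Get-Acl -Path $SharePath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 2. The SACL only yields 4663 events when the Object Access subcategories
#    are enabled; confirm what the host actually has in effect.
$Subcategories = 'File Share', 'Detailed File Share', 'File System', 'Removable Storage'
$policy = foreach ($sub in $Subcategories) {
    auditpol /get /subcategory:"$sub" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
$policy | Format-Table -AutoSize

# 3. Events generated: 5140 share accessed (File Share), 5145 per access
#    check against a share (Detailed File Share, high volume), 4663 access
#    to an object carrying a SACL (File System). Last hour is an assumed window.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5140, 5145, 4663
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            # 4663 names the local object; 5140/5145 name the share (and, for 5145, the relative target)
            Object  = if ($_.Id -eq 4663) { $d.ObjectName } else { "$($d.ShareName) $($d.RelativeTargetName)".Trim() }
            Source  = $d.IpAddress     # empty for 4663, which has no network fields
        }
    } | Format-Table -AutoSize
```

Open a file on the share from another machine after running this and the 5140/5145 events should appear within seconds; 4663 appears only for folders or files under a SACL, which is why step 4 is required in addition to the GPO.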
Updated over 4 years ago