Back to Home

Windows Security Event Logging Guide

A comprehensive guide to configuring, monitoring, and analyzing Windows Security event logs for enterprise threat detection, incident response, and compliance requirements.

What Is Windows Security Event Logging

Windows Security event logging is the native auditing capability built into Windows operating systems that records security-relevant activities in the Windows Security event log. This subsystem captures authentication attempts, privilege usage, object access, policy modifications, and system-level security events, creating a comprehensive audit trail that forms the foundation of enterprise security monitoring.

The Security event log differs from other Windows event logs (Application, System, Setup) in that it exclusively records security-related events and requires specific audit policies to be enabled. By default, Windows systems log minimal security events. Organizations must configure audit policies to capture the events necessary for threat detection, compliance requirements, and forensic investigations.

Security events are identified by unique Event IDs, each representing a specific type of activity. For example, Event ID 4624 indicates a successful logon, while Event ID 4625 indicates a failed logon attempt. Understanding these Event IDs and their significance is essential for security analysts conducting threat hunting, incident response, or compliance auditing.

Why Event Logging Matters for Security

Security event logs serve as the primary data source for detecting malicious activity on Windows systems. When attackers compromise a network, they inevitably generate events: authentication attempts, process executions, privilege escalations, and network connections. Without proper logging, these activities go undetected, giving attackers unlimited time to achieve their objectives.

Threat Detection

Security events enable detection of brute force attacks, credential theft, lateral movement, privilege escalation, malware execution, and data exfiltration. SIEM platforms and detection rules rely on these events to identify attacks in progress.

Incident Response

When a security incident occurs, event logs provide the forensic evidence needed to understand what happened, when it occurred, which accounts were involved, and what systems were affected. Without logs, investigations cannot establish timelines or scope.

Compliance Requirements

Regulatory frameworks including PCI DSS, HIPAA, SOX, and GDPR require organizations to maintain audit logs of system access and security events. Proper event logging is mandatory for compliance and audit readiness.

Insider Threat Detection

Event logs reveal unauthorized access attempts, privilege abuse, and policy violations by internal users. Monitoring privileged account activity and sensitive data access helps identify insider threats before damage occurs.

Important: The average time to detect a breach is 197 days according to industry reports. Proper event logging and monitoring significantly reduces detection time, limiting the damage attackers can cause.

Windows Event Log Architecture

Understanding the Windows event logging architecture helps administrators configure logging effectively and troubleshoot collection issues. The Windows Event Log service (eventlog) manages event collection, storage, and retrieval across all log channels.

Core Event Log Channels

Windows organizes events into distinct log channels, each serving a specific purpose:

Security Log

Location: %SystemRoot%\System32\winevt\Logs\Security.evtx

Contains all security audit events including logons, privilege use, object access, and policy changes. Requires audit policy configuration to populate. Only SYSTEM and Administrators can read this log by default.

System Log

Location: %SystemRoot%\System32\winevt\Logs\System.evtx

Records events from Windows system components, drivers, and services. Contains service start/stop events, driver failures, and system errors relevant to security investigations.

Application Log

Location: %SystemRoot%\System32\winevt\Logs\Application.evtx

Contains events from applications and programs. Security-relevant events include antivirus detections, application crashes from exploitation attempts, and authentication events from applications.

PowerShell Operational Log

Location: Microsoft-Windows-PowerShell/Operational

Records PowerShell script execution, module loading, and command history when Script Block Logging is enabled. Critical for detecting fileless malware and living-off-the-land attacks.

Event Structure

Each Windows Security event contains structured data that provides context about the recorded activity:

  • Event ID: Unique numeric identifier for the event type (e.g., 4624 for successful logon)
  • Source: The provider that generated the event (e.g., Microsoft-Windows-Security-Auditing)
  • Level: Event severity (Information, Warning, Error, Critical)
  • Task Category: Subcategory within the audit policy (e.g., Logon, Logoff, Account Management)
  • Keywords: Classification flags (Audit Success, Audit Failure)
  • TimeCreated: UTC timestamp when the event was generated
  • Computer: Hostname of the system that generated the event
  • EventData: XML payload containing event-specific details (usernames, IP addresses, process information)

Audit Policy Categories

Windows Advanced Audit Policy Configuration provides granular control over which security events are recorded. Understanding these categories is essential for configuring comprehensive security monitoring without generating excessive noise.

Account Logon

Audits credential validation events. On domain controllers, this captures Kerberos authentication (4768, 4769, 4771) and NTLM authentication events. On member servers and workstations, this captures local account credential validation.

Key Events: 4768 (Kerberos TGT Request), 4769 (Kerberos Service Ticket), 4776 (NTLM Credential Validation)

Account Management

Tracks creation, modification, and deletion of user accounts, computer accounts, and security groups. Essential for detecting unauthorized account creation, privilege escalation through group membership changes, and backdoor account creation.

Key Events: 4720 (User Created), 4722 (User Enabled), 4732 (Member Added to Group), 4728 (Member Added to Global Group)

Detailed Tracking

Monitors process creation, termination, handle manipulation, and DPAPI activity. Process creation auditing (4688) is critical for tracking malware execution and command-line activity. Enable command-line logging for maximum visibility.

Key Events: 4688 (Process Creation), 4689 (Process Termination), 4697 (Service Installed)

Logon/Logoff

Records interactive, network, batch, service, and remote interactive logon sessions. This category captures the authentication events most commonly used for detecting brute force attacks, pass-the-hash, and lateral movement.

Key Events: 4624 (Successful Logon), 4625 (Failed Logon), 4634 (Logoff), 4647 (User-Initiated Logoff), 4648 (Explicit Credential Logon)

Object Access

Audits access to securable objects including files, folders, registry keys, and kernel objects. Requires System Access Control Lists (SACLs) on individual objects. High volume but essential for monitoring sensitive data access.

Key Events: 4663 (Object Access Attempt), 4656 (Handle Requested), 4660 (Object Deleted), 4670 (Permissions Changed)

Policy Change

Monitors modifications to security policies, audit policies, and authentication policies. Attackers often modify policies to disable logging or weaken security controls. Any policy change should trigger immediate investigation.

Key Events: 4719 (Audit Policy Changed), 4739 (Domain Policy Changed), 4713 (Kerberos Policy Changed)

Privilege Use

Records usage of sensitive privileges such as SeDebugPrivilege, SeTakeOwnershipPrivilege, and SeBackupPrivilege. These privileges are commonly abused by attackers for credential dumping, privilege escalation, and defense evasion.

Key Events: 4672 (Special Privileges Assigned), 4673 (Privileged Service Called), 4674 (Operation Attempted on Privileged Object)

System

Audits system-level events including security subsystem startup, shutdown, and security log operations. Essential for detecting log tampering, security service manipulation, and system integrity issues.

Key Events: 1102 (Audit Log Cleared), 4608 (Windows Starting), 4616 (System Time Changed)

Configuring Audit Policies

Windows provides multiple methods for configuring audit policies. For enterprise environments, Group Policy provides centralized management. For standalone systems or testing, Local Security Policy or auditpol.exe offer direct configuration options.

Method 1: Group Policy Configuration (Recommended)

Group Policy provides centralized audit policy management for domain-joined systems. Use this method for enterprise deployments where consistent policy enforcement across multiple systems is required.

  1. Open Group Policy Management Console (GPMC) by running gpmc.msc
  2. Create or edit a Group Policy Object (GPO) linked to the appropriate Organizational Unit (OU)
  3. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies
  4. Configure each audit subcategory based on your monitoring requirements:

    Recommended Minimum Configuration:

    • Logon/Logoff → Logon: Success and Failure
    • Logon/Logoff → Logoff: Success
    • Logon/Logoff → Special Logon: Success
    • Account Logon → Credential Validation: Success and Failure
    • Account Management → User Account Management: Success and Failure
    • Account Management → Security Group Management: Success
    • Detailed Tracking → Process Creation: Success
    • Policy Change → Audit Policy Change: Success and Failure
    • Privilege Use → Sensitive Privilege Use: Success and Failure
    • System → Security State Change: Success
    • System → Security System Extension: Success
  5. Enable command-line process auditing for full visibility:

    Computer Configuration → Administrative Templates → System → Audit Process Creation → Include command line in process creation events: Enabled

  6. Force policy update on target systems: gpupdate /force
  7. Verify policy application: auditpol /get /category:*

Method 2: Local Security Policy

For standalone systems, workgroup environments, or testing purposes, configure audit policies directly using Local Security Policy or the auditpol.exe command-line tool.

Using Local Security Policy GUI:

  1. Run secpol.msc as Administrator
  2. Navigate to Security Settings → Local Policies → Audit Policy (basic) or Advanced Audit Policy Configuration (recommended)
  3. Configure individual audit categories
  4. Close the console to apply changes

Using auditpol.exe (Command Line):

# View current audit policy

auditpol /get /category:*

# Enable logon auditing (success and failure)

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Enable process creation auditing

auditpol /set /subcategory:"Process Creation" /success:enable

# Backup current audit policy

auditpol /backup /file:C:\AuditPolicy_Backup.csv

# Restore audit policy from backup

auditpol /restore /file:C:\AuditPolicy_Backup.csv

Critical Events to Monitor

While hundreds of Security events exist, certain events provide the highest value for threat detection. Prioritize monitoring these events in your SIEM platform and detection rules.

Authentication Events

  • 4624: Successful logon - Track logon types, source IPs, and account names
  • 4625: Failed logon - Detect brute force, password spraying, credential stuffing
  • 4648: Explicit credential logon - Detect credential use for lateral movement
  • 4672: Special privileges assigned - Track administrative logons

Process & Execution

  • 4688: Process creation - Core event for malware and LOLBin detection
  • 4698: Scheduled task created - Persistence mechanism detection
  • 4697: Service installed - Track malicious service installation
  • 4657: Registry value modified - Persistence and configuration changes

Account Management

  • 4720: User account created - Backdoor account detection
  • 4732: Member added to local group - Privilege escalation
  • 4728: Member added to global group - Domain privilege changes
  • 4740: Account lockout - Brute force indicator

System & Defense Evasion

  • 1102: Security log cleared - Anti-forensics indicator
  • 4719: Audit policy changed - Logging manipulation
  • 4670: Permissions changed - File/object permission tampering
  • 4616: System time changed - Timestamp manipulation

Tip: For comprehensive threat detection, complement Windows Security events with Sysmon events. Sysmon provides additional visibility into network connections (Event 3), DNS queries (Event 22), process access (Event 10), and file creation (Event 11) that Windows Security logs do not capture. See our Sysmon Configuration Guide.

Advanced Audit Configuration

Beyond basic audit policy configuration, several advanced settings enhance security event logging capabilities.

PowerShell Script Block Logging

Script Block Logging records the content of PowerShell scripts as they execute, providing visibility into fileless malware and obfuscated attacks. This is essential for detecting modern attack techniques.

Group Policy Path:

Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → Turn on PowerShell Script Block Logging: Enabled

Additional Option:

Log script block invocation start/stop events: Enabled

PowerShell Module Logging

Module Logging records pipeline execution details and parameter values for specified modules. Enable for sensitive modules used in attacks.

Group Policy Path:

Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → Turn on Module Logging: Enabled

Module Names to Log:

Microsoft.PowerShell.*, Microsoft.WSMan.*, ActiveDirectory

Object Access Auditing with SACLs

Object Access auditing requires configuring System Access Control Lists (SACLs) on specific objects in addition to enabling the audit policy. This allows targeted monitoring of sensitive files, folders, and registry keys.

  1. Enable Object Access auditing in Group Policy (File System, Registry, etc.)
  2. Navigate to the target file, folder, or registry key
  3. Open Properties → Security → Advanced → Auditing tab
  4. Add auditing entries for specific principals (e.g., Everyone) and access types (Read, Write, Delete)
  5. Events will now be generated when the specified access occurs

Event Log Management

Proper event log management ensures logs are retained long enough for investigations and do not fill disk space unexpectedly. Default Windows log settings are insufficient for security monitoring.

Log Size Configuration

The default Security log size of 20 MB fills rapidly on busy systems, especially with comprehensive auditing enabled. Increase log sizes based on system criticality:

System TypeRecommended SizeRetention Policy
Domain Controllers4 GBArchive log when full, do not overwrite
Critical Servers1-2 GBArchive log when full
Member Servers512 MB - 1 GBOverwrite as needed
Workstations256-512 MBOverwrite as needed

Configuring Log Size via Group Policy

Group Policy Path:

Computer Configuration → Administrative Templates → Windows Components → Event Log Service → Security → Specify the maximum log file size (KB)

Example (1 GB):

Maximum Log Size: 1048576 KB

Centralized Log Collection

Local event logs are vulnerable to tampering by attackers who gain system access. Centralized log collection ensures events are preserved even if the source system is compromised. Multiple collection methods are available depending on your environment.

Windows Event Forwarding (WEF)

Native Windows capability that forwards events from source computers to a collector server using WinRM. No agent installation required. Ideal for Windows-only environments.

Components: Source computers (clients), Collector server (subscription host), WinRM service

SIEM Agent Collection

Deploy vendor-specific agents (Splunk Universal Forwarder, Microsoft Sentinel Agent, Elastic Agent) that collect and forward events to your SIEM platform. Provides the most reliable collection with buffering capabilities.

Advantages: Buffering during network outages, parsing at collection, filtering capabilities

Syslog Forwarding

Use third-party tools (NXLog, Snare) to convert Windows events to syslog format for collection by syslog-based SIEM platforms. Common in mixed Windows/Linux environments.

Note: Ensure UTC timestamps and proper field mapping during conversion

Security Consideration: Centralized log collection should be configured to forward events in near real-time. Batch forwarding creates gaps that attackers can exploit to clear local logs before events are collected.

Best Practices for Security Event Logging

1. Enable Command-Line Auditing

Process creation events (4688) without command-line content have limited security value. Always enable command-line auditing to capture the arguments passed to processes. This transforms Event 4688 from basic telemetry into a powerful detection data source.

2. Establish Baselines Before Alerting

Before deploying detection rules, document normal event patterns in your environment. Understand typical authentication patterns, service account behavior, administrative activity schedules, and process execution norms. This reduces false positives and improves alert quality.

3. Monitor High-Value Targets with Extra Scrutiny

Domain controllers, certificate authorities, privileged access workstations, and systems containing sensitive data warrant enhanced monitoring. Consider additional audit categories and lower alerting thresholds for these systems.

4. Alert on Log Clearing and Audit Policy Changes

Events 1102 (Security log cleared) and 4719 (Audit policy changed) indicate potential attacker activity or misconfiguration. Generate immediate alerts for these events and investigate promptly.

5. Correlate Events Across Multiple Systems

Individual events rarely tell the complete story. Correlate logon events with process execution, network connections, and file access across multiple systems to understand attack chains and detect lateral movement.

6. Retain Logs for Adequate Duration

Many regulations require 1-year log retention. Advanced persistent threats often operate undetected for months. Ensure your log retention policy supports both compliance requirements and incident investigation needs.

7. Implement Sysmon for Enhanced Visibility

Windows Security logs have gaps that Sysmon fills. Deploy Sysmon alongside Windows Security auditing to capture network connections, DNS queries, process access, and file creation events not available in native logging.

Troubleshooting Common Issues

Events Not Being Generated

  • Verify audit policy is applied: auditpol /get /category:*
  • Check for conflicting Group Policies: gpresult /h report.html
  • Ensure Advanced Audit Policy is not being overridden by basic Audit Policy
  • Verify the Windows Event Log service is running
  • For Object Access events, confirm SACLs are configured on target objects

Log Filling Too Quickly

  • Review audit policy for overly verbose settings (Object Access is commonly over-enabled)
  • Identify noisy events and assess necessity using: wevtutil qe Security /c:100 /f:text
  • Consider filtering events at collection if SIEM supports it
  • Increase log size or configure archival before increasing retention

Events Missing After System Restart

  • Verify log retention policy is not set to "Do not overwrite events" without sufficient size
  • Check Event Log service recovery options
  • Ensure centralized collection is forwarding events promptly
  • Investigate Event 1104 (Log full) occurrences

Official Resources

Microsoft provides comprehensive documentation for Windows Security event logging. Reference these resources for detailed Event ID descriptions, audit policy guidance, and implementation best practices.

Related Guides

Explore the Event Database

Now that you understand Windows Security event logging, explore our comprehensive database of 470+ events with MITRE ATT&CK mappings, detection strategies, and analyst guidance.