July 15, 2021 | Tags: windows, security

Top 5 Windows Security logs everyone should collect

By Tamás Burtics


It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component.

Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer. Each log entry is associated with a number called the Event ID. These logs carry a wide variety of information, ranging from authentication events to policy changes. NXLog provides the im_msvistalog module to collect logs from Windows Event Log, which can be easily configured to collect logs based on their Event ID.

Which security logs should you really be collecting?


With thousands of events, it is essential to carefully consider and select the right ones for your security needs. To increase the signal-to-noise ratio of the Windows logs to be used for security monitoring, you need two things:

  • Knowledge of which information within the logs identifies events that are useful for intrusion detection, or events commonly associated with other types of malicious activity.

  • A comprehensive logging solution that can not only filter specific events based on this critical set of information, but can also forward them, securely, to a remote SIEM or Analytics platform for further analysis and action.

A short article cannot cover every important security log or anticipate every business need, but at NXLog our experience has shown that the following logs provide a good starting point for collecting a meaningful set of events worthy of analysis.

Authentication events

Authentication events need to be monitored, regardless of success or failure. In the case of a successful logon, a non-administrative account may unexpectedly have been assigned special privileges. Normally, this should raise a red flag that something is amiss. When all logon events in an organization are forwarded in real time to a centralized log collection host, brute force attacks, or even pass-the-hash attacks, that might otherwise go unnoticed can be detected quickly.

Event IDs to look out for: 4624, 4625, 4648, and 4672.

File access and object modification

These logs show attempts to access resources on a system. Whenever a user tries to access a file, an event is logged. Any suspicious modification of tasks or files might indicate that malware has infected the system. If so, the consequences can be severe. Intruders could hold valuable, sensitive data for ransom, or they could use privilege escalation to gain administrator privileges and thus take control of the entire network.

Event IDs to look out for: 4660, 4663, 4670, and 5136.

Clearing the audit log

Since there is rarely ever a need to manually clear the Windows Security audit log, this can be a valuable indicator of suspicious activity. Hackers are keen on covering their tracks, so whenever a "The audit log was cleared" event cannot be accounted for, your security analysts should immediately investigate who or what triggered it.

Event ID to look out for: 1102.

Changes to firewall settings

All changes to firewall policies are logged. Hackers attempt to change firewall rules to permit unwanted connections to unauthorized sites, or to stage a man-in-the-middle attack, a kind of network "wiretapping" technique that intercepts confidential data sent between two endpoints. When successfully implemented, neither party will have any indication that their transmissions are being recorded.

Event IDs to look out for: 4946, 4947, 4948, 4950, and 5025.

System restart

This log provides information regarding when the system was shut down or restarted. If a system restarts unexpectedly, an event will be logged. This type of event should always be followed up by a security investigation since hackers may have initiated a restart in order to install and initiate malware, undetected, while the system was still restarting.

Event IDs to look out for: 4608 and 4616.
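The im_msvistalog collection mentioned at the top of this post, applied to all five categories above, as an added example that is not part of the original article or NXLog's own documentation: it pulls only the listed event IDs from the Security channel, drops one class of noise, and forwards the rest as JSON over TLS. The SIEM hostname, port, certificate path, block names and the computer-account noise filter are assumptions.

```nxlog
# Added example: collect only the event IDs from this post and ship them to a SIEM.
# siem.example.com, port 6514 and CERTDIR are placeholders (assumptions).
define CERTDIR C:\Program Files\nxlog\cert

<Extension _json>
    Module  xm_json
</Extension>

<Input security_events>
    Module  im_msvistalog
    # One <Select> per category of the post; all of them live in the Security channel:
    # authentication, file/object access, audit log cleared, firewall changes, restart.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672)]]</Select>
                <Select Path="Security">*[System[(EventID=4660 or EventID=4663 or EventID=4670 or EventID=5136)]]</Select>
                <Select Path="Security">*[System[EventID=1102]]</Select>
                <Select Path="Security">*[System[(EventID=4946 or EventID=4947 or EventID=4948 or EventID=4950 or EventID=5025)]]</Select>
                <Select Path="Security">*[System[(EventID=4608 or EventID=4616)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Assumed noise filter: successful logons (4624) by computer accounts, whose
    # names end in "$", dominate volume in a domain and rarely help an analyst.
    <Exec>
        if $EventID == 4624 and defined($TargetUserName) and $TargetUserName =~ /\$$/
            drop();
    </Exec>
</Input>

<Output siem>
    Module  om_ssl
    Host    siem.example.com
    Port    6514
    CAFile  %CERTDIR%\ca.pem
    Exec    to_json();
</Output>

<Route security_to_siem>
    Path    security_events => siem
</Route>
```

Failed logons (4625) are deliberately not filtered, since a burst of them from one source is the brute force signal the authentication section describes.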

The value of security logs

Businesses should include log collection in their security audit policy to proactively ensure that security remains a core focus of their operations. With the ever-increasing number of cyberattacks, the Windows Security audit log continues to monitor what really needs protecting while providing security analysts with valuable information for tracking suspicious, as well as malicious activity.

Note
We could only share a small number of event IDs out of the many available; to find out more about other event IDs and the logs they generate, see the Ultimate Windows Security logs encyclopedia.