Top 5 Windows Security logs everyone should collect

It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component.

Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer. Each log entry is associated with a number called the Event ID. These logs carry a wide variety of information, ranging from authentication events to policy changes. NXLog provides the im_msvistalog module to collect logs from Windows Event Log, which can be easily configured to collect logs based on their Event ID.

Which security logs should you really be collecting?

which eventid

With thousands of events, it is essential to carefully consider and select the right ones for your security needs. To increase the signal-to-noise ratio of the Windows logs to be used for security monitoring, you need two things:

  • The critical information within the logs that can be used to identify events that are useful in intrusion detection or that can identify events commonly associated with other types of malicious activity.

  • A comprehensive logging solution that can not only filter specific events based on this critical set of information, but can also forward them, securely, to a remote SIEM or Analytics platform for further analysis and action.

It is impossible to collect all of the important security logs and guess your business needs in a short article, but at NXLog, our experience has shown that the following logs provide a good starting point for collecting a meaningful set of events worthy of analysis.

Authentication events

Authentication events need to be monitored, regardless of success or failure. In the case of a successful logon, a non-administrative account may unexpectedly have been assigned special privileges. Normally, this should raise a red flag that something is amiss. When all logon events in an organization are forwarded in real time to a centralized log collection host, brute force attacks, or even pass the hash attacks, can be quickly detected that might otherwise go unnoticed.

Event IDs to look out for: 4624, 4625, 4648, and 4672.

File access and object modification

These logs show attempts to access resources over a system. Whenever a user tries to access a file, an event is logged. Any suspicious modification of tasks or files might indicate that a malware has infected the system. If so, the consequences can be severe. Intruders could hold valuable, sensitive data ransom or they could use privilege escalation to gain administrator privileges and thus take control of the entire network.

Event IDs to look out for: 4660, 4663, 4670, and 5136.

Clearing the audit log

Since there is rarely ever a need to manually clear the Windows Security audit log, this can be a valuable indicator of suspicious activity. Hackers are keen on covering their tracks, so whenever the The audit log was cleared event cannot be accounted for, your security analysts should immediately investigate who or what triggered this event.

Event ID to look out for: 1102.

Changes to firewall settings

All changes to firewall policies are logged. Hackers attempt to change firewall rules to permit unwanted connections to unauthorized sites or use a special kind of cyberattack known as a man-in-the-middle attack which is a kind of network "wiretapping" technique to intercept confidential data sent between two endpoints. When successfully implemented, neither party will have any indication that their transmissions are being recorded.

Event IDs to look out for: 4946, 4947, 4948, 4950, and 5025.

System restart

This log provides information regarding when the system was shut down or restarted. If a system restarts unexpectedly, an event will be logged. This type of event should always be followed up by a security investigation since hackers may have initiated a restart in order to install and initiate malware, undetected, while the system was still restarting.

Event IDs to look out for: 4608 and 4616.

The value of security logs

Businesses should include log collection in their security audit policy to proactively ensure that security remains a core focus of their operations. With the ever-increasing number of cyberattacks, the Windows Security audit log continues to monitor what really needs protecting while providing security analysts with valuable information for tracking suspicious, as well as malicious activity.

Note
We could only share a small number of event IDs out of the many available so to find out more about other event IDs and the logs they generate see the ultimate windows security logs encyclopedia.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.

Download a fully functional trial of the Enterprise Edition for free