Minimum Windows Event to Query for Review

  • Question

  • Background:

    I have a small number of systems (Windows Server 2003 & 2008 and Windows 7) that I will be managing.  Part of my duties is to review the logs on all the systems on a weekly basis.

    Auditing has already been configured and is at least as thorough as anything I have looked up.  I have some basic scripts to query the Windows Event Logs and would like to modify them for this task.  I will likely write them to a CSV file for sorting/filtering in Excel.

    The logs are already backed up, so if something unusual or suspicious shows up, I can always go to the full logs for more details.

    Question:

    Which specific events, as a minimum, should I query for to conduct a review?


    WKCook

    Thursday, September 3, 2015 6:14 PM

Answers

  • Yeah.. I'm not sure you'll get that narrowed list right here.. but perhaps someone could share more links to other good resources or even 3rd-party tools that can help.  Basically, though, it all depends on your own situation and the applications or tasks that you want to drill down on; so it's going to be different for everybody.

    Sorry I can't personally give you more specific guidance than that. 

    Good luck!


    Kevin Remde US DX - IT Pro Evangelism - Microsoft Corporation http://aka.ms/FullofIT http://twitter.com/kevinremde


    • Edited by Kevin Remde Monday, September 14, 2015 10:57 AM
    • Proposed as answer by Kevin Remde Monday, September 14, 2015 10:57 AM
    • Marked as answer by Kevin Remde Monday, April 4, 2016 4:27 PM
    Monday, September 14, 2015 10:57 AM

All replies

  • This is one of those questions that can only be answered with the words, "It depends."  :) 

    It depends upon what events are the most useful or interesting or impactful to you.  Certainly watching for warnings or errors is important, but anything having to do with denied access based on security / failed authentication would also be useful to filter for.

    This search on Bing turned up some good articles on what to watch for in the security logs:

    https://www.bing.com/search?q=audit+for+security+review+windows+event+logs&FORM=EDGENN

    Hope you find this useful,


    Kevin Remde US DX - IT Pro Evangelism - Microsoft Corporation http://aka.ms/FullofIT http://twitter.com/kevinremde


    • Edited by Kevin Remde Tuesday, September 8, 2015 2:06 PM
    • Proposed as answer by Kevin Remde Tuesday, September 8, 2015 2:17 PM
    Tuesday, September 8, 2015 2:06 PM
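    The "failed authentication / denied access" filter suggested above, carried through as a script. This is an added example by the editor, not code from the original thread or from either poster: the event IDs are a starting set chosen here for a weekly review (failed logons, lockouts, account and group changes, privileged logons, audit-log clearing), the hostnames and output path are constructed placeholders, and it assumes PowerShell 3.0 or later with remote Event Log access and an elevated session.

```powershell
# Added example: weekly pull of a minimal Security-log event set into a CSV for review.
# The IDs below are the editor's starting set of well-known Vista/2008+ Security events,
# not a list taken from the original thread; trim or extend them for your environment.
# Assumes: PowerShell 3.0+, elevated session, remote Event Log access, C:\Reviews exists.

$Computers = @('SRV2008-01', 'WIN7-01')      # constructed hostnames; replace with your own
$Since     = (Get-Date).AddDays(-7)           # weekly review window
$OutFile   = "C:\Reviews\SecurityReview_$(Get-Date -Format yyyyMMdd).csv"

# Minimal set of Security-log events worth a first look each week.
$WatchIds = @(
    4625,               # An account failed to log on
    4740,               # A user account was locked out
    4720,               # A user account was created
    4726,               # A user account was deleted
    4724,               # An attempt was made to reset an account's password
    4728, 4732, 4756,   # Member added to a security-enabled global/local/universal group
    4672,               # Special privileges assigned to new logon (admin-equivalent logon)
    1102                # The audit log was cleared
)

$Results = foreach ($Computer in $Computers) {
    try {
        Get-WinEvent -ComputerName $Computer -FilterHashtable @{
            LogName   = 'Security'
            Id        = $WatchIds
            StartTime = $Since
        } -ErrorAction Stop |
        ForEach-Object {
            # Flatten each event into a CSV-friendly row. Only the first message line is
            # kept; the full text stays in the backed-up logs for follow-up.
            [PSCustomObject]@{
                Computer    = $Computer
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Level       = $_.LevelDisplayName
                Keywords    = ($_.KeywordsDisplayNames -join ';')   # e.g. "Audit Failure"
                Message     = ($_.Message -split "`r?`n")[0]
            }
        }
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; with -ErrorAction Stop that
        # lands here. Treat "no events" as an empty result, report anything else.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$Computer : $($_.Exception.Message)"
        }
    }
}

$Results | Sort-Object Computer, TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation

# Triage summary: count of each watched ID per host, so the CSV can be read in priority order.
$Results | Group-Object Computer, Id | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

    Two caveats for the mix of systems in the question. Get-WinEvent can only query hosts running Vista/Server 2008 or later; for Windows Server 2003 use Get-EventLog -LogName Security -InstanceId with the legacy IDs, which for most of these events are the 2008 ID minus 4096 (529 failed logon, 644 lockout, 624 account created, 576 special privileges), the exception being the audit-log-cleared event, which is 517 rather than 1102 - 4096. Second, 4625 and 4740 are only worth filtering on because audit policy is already enabled for logon events on these systems, as the question states; on a host where that policy is off the query simply returns nothing and the silence is not evidence of a clean week.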
  • Kevin,

    I guess, with all the admins that I suspect post here, I am hoping for more details.

    I have done a LOT of searching with Bing.  There is a lot of good information.  What I usually find are articles telling me how to save the log files, defining ALL the "important" events, etc.

    I am looking to narrow that down to the minimum event IDs from each log that would be indicators that further investigation is warranted.

    Thanks . . . WKCook


    WKCook

    Tuesday, September 8, 2015 2:28 PM