Technical Guidance for Windows Event Logging

Download ASD Protect: Technical Guidance for Windows Event Logging (PDF), July 2017
First published July 2017

Introduction

A common theme identified by the Australian Cyber Security Centre (ACSC) while performing investigations on networks is that organisations have insufficient visibility of activity occurring on their workstations and servers. Good visibility of what is happening on an organisation's Microsoft Windows hosts is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to incidents.

This document has been developed by the Australian Signals Directorate (ASD) as a guide to the set-up and configuration of Windows event logging and forwarding. This advice has been developed to support both the detection and investigation of malicious activity – including targeted cyber intrusions – by providing an ideal balance between the collection of important events and managing data volumes. This advice is also designed to complement existing host-based intrusion detection and prevention systems.

This document is intended for information technology and information security professionals.

Table of contents

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).