
Windows Server Event Viewer Logging GPO

What is Event Viewer?

Event Viewer is a utility program in Microsoft Windows that allows users to view detailed logs about various system and application events that occur on their computer. These events could include software installation or removal, system errors, warnings, and more.

Event Viewer is divided into three main sections: Windows Logs, Applications and Services Logs, and Subscriptions. Windows Logs hold the core logs of the operating system: Application, Security, Setup, System and Forwarded Events. Applications and Services Logs hold logs generated by specific applications and Windows components installed on the system. Subscriptions collect events forwarded from remote computers (Windows Event Forwarding) into the Forwarded Events log, so they can be reviewed in one place.

Event Viewer allows users to filter and search logs based on various criteria, such as the time of the event, the severity of the event, the source of the event, and more. This makes it easy to identify and troubleshoot issues with the system or applications.

Overall, Event Viewer is a powerful tool that can help users diagnose and resolve issues with their computer system.

On Windows Server, the Event Viewer tree consists of (5) sections.

SECTIONS:

1. Server Roles: A summary of the information, warning and error events of the roles installed on the server is shown in this section.

2. Windows Logs: This is the section where the operating system's own event logs are kept. It consists of 5 parts.

a: Application: The event log of the applications and programs installed and running on our server is kept here. For example, applications such as SQL Server or Excel write here.

b: Security: Event logs of users' logon/logoff activity, access to audited resources and changes to auditing settings are kept here. This is the log that the audit policies discussed below write to.

c: Setup: Events related to Windows setup and servicing are kept here: installation of roles and features, updates and upgrades on our server.

d: System: Information about system events on the server (services, drivers, shutdown and startup) is kept here.

e: Forwarded Events: Events collected from remote computers through subscriptions are kept here.

3. Applications and Services Logs: This is the section where events for individual applications and services running on the operating system are kept.

4. Microsoft: Found under Applications and Services Logs, this is where the operational, admin and analytic logs of Windows components are kept, for example Microsoft-Windows-TaskScheduler/Operational or Microsoft-Windows-PowerShell/Operational.

5. Subscriptions: It allows us to collect the event logs of one or more remote computers on our own server; the collected events appear under Forwarded Events.

After talking about Windows Event Log, if an audit policy is activated through GPO, the Security log is populated by policies such as Audit account logon events, Audit account management and Audit logon events. You can either create a new GPO or activate the settings by editing the default policy. First of all, we come to the "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy" screen through Group Policy Management.

One caveat before editing: newer versions of Windows also have "Advanced Audit Policy Configuration" under Security Settings, which breaks the nine policies below into subcategories (for example Logon, Logoff and Account Lockout instead of a single Audit logon events). As soon as any advanced setting is defined, Windows ignores the legacy Audit Policy settings, so check which of the two is in use in your environment before changing either.

There are (9) policies under Audit Policy;

Audit account logon events;

Audits credential validation (Kerberos and NTLM). Events are written on the computer that validated the credentials, which for domain accounts is the domain controller, not the machine the user signed in to.

Audit account management;

Audits administrative operations performed on user, group and computer accounts: creation, deletion, enabling and disabling, password resets and group membership changes.

Audit directory service access;

Audits access to Active Directory objects that have an auditing entry (SACL) defined. Only meaningful on domain controllers.

Audit logon events;

Audits logon and logoff sessions on the machine where the session is created, including failed logons.

Audit object access;

Audits users' access to files, folders, registry keys and other objects. Nothing is logged unless the object itself also has an auditing entry (SACL) configured.

Audit policy change;

Audits changes made to the audit policy itself, to user rights assignments and to trust relationships.

Audit privilege use;

Audits the use of sensitive user rights, for example acting as part of the operating system or taking ownership of objects.

Audit process tracking;

Audits process creation and termination on the server. Together with command line auditing this is one of the most useful settings for investigations.

Audit system events;

Audits system-level events such as startup and shutdown, changes to the system clock and changes to the security subsystem.

As an example, auditing of users' successful and unsuccessful logons will be enabled below.

Right click on Audit logon events under Audit Policy and click Properties. Tick "Define these policy settings", then select both Success and Failure.

After completing the GPO operations and waiting for the policy to apply (or running gpupdate /force on the server), we open the Event Viewer screen and go to Windows Logs > Security. Now we can see the logon and logoff events there as they occur.
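The same check from the command line, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the server the GPO targets; it refreshes policy, shows the effective setting for the Logon/Logoff category, warns if Advanced Audit Policy Configuration is overriding the legacy settings, and then lists the most recent 4624 and 4625 events with the fields a responder usually needs.

```powershell
# Added example (not from the original post): verify that the "Audit logon events"
# GPO setting is in effect on this server, then read the resulting logon events.
# Assumption: run in an elevated PowerShell session on the server the GPO targets.

# 1. Force a policy refresh so the GPO edit applies now rather than at the next interval.
gpupdate /target:computer /force | Out-Null

# 2. The legacy "Audit logon events" policy maps to the Logon/Logoff category.
#    auditpol reports the effective setting, whichever GPO or local policy set it.
auditpol /get /category:"Logon/Logoff"

# Caveat: when any Advanced Audit Policy Configuration setting is defined, Windows
# ignores the nine legacy Audit Policy settings. This LSA value is 1 in that case.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Warning 'Advanced Audit Policy is in force; the legacy Audit Policy settings are ignored.'
}

# 3. Read the last 50 successful (4624) and failed (4625) logons. The event XML carries
#    the interesting values as named EventData items, so parse them into a hashtable.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 50 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Result    = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType   # 2 interactive, 3 network, 10 RDP
            Source    = $data.IpAddress   # '-' or '::1' for local logons
            Process   = $data.ProcessName
        }
    } | Format-Table -AutoSize
```

If auditpol shows "No Auditing" for Logon/Logoff after the refresh, the GPO is either not linked to an OU containing this server or is being overridden by an advanced audit setting; gpresult /r /scope:computer shows which GPOs actually applied.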

Here are some Event IDs that might be important to us. Logon events (46xx in the 4624 to 4648 range) are written on the host where the logon happened; account management and lockout events for domain accounts are written on the domain controller.

  • 4624: An account was successfully logged on
  • 4625: An account failed to log on
  • 4634: An account was logged off
  • 4648: A logon was attempted using explicit credentials (for example runas or a mapped drive with a different user)
  • 4719: System audit policy was changed
  • 4720: A user account was created
  • 4722: A user account was enabled
  • 4723: An attempt was made to change an account's password (a reset by an administrator is 4724)
  • 4740: A user account was locked out
  • 4767: A user account was unlocked
  • 4964: Special groups have been assigned to a new logon (only when special group auditing is configured)
  • 1102: The audit log was cleared
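A short triage pass over the Security log using the IDs above, added here as an example and not part of the original post. It assumes an elevated session on the server (or domain controller, for the 4740 lockouts), and the 24-hour window and failure threshold are illustrative values to adjust for your environment. It reports audit tampering (1102, 4719) first, because every other finding depends on the log being intact, then groups failed logons by source address and lists recent lockouts with the computer they originated from.

```powershell
# Added example (not from the original post): triage the Security log using the
# event IDs listed above. Assumptions: elevated session, Security log readable,
# $Since inside the log's retention; the threshold is an illustrative value.
$Since = (Get-Date).AddHours(-24)
$FailureThreshold = 10

function Get-EventField {
    # Return the named EventData values of one event record as a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    return $data
}

# 1. Audit tampering: a cleared log (1102) or a changed audit policy (4719).
$tamper = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 4719; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $tamper) {
    $f = Get-EventField $e
    Write-Warning ("{0} event {1} by {2}\{3}" -f $e.TimeCreated, $e.Id, $f.SubjectDomainName, $f.SubjectUserName)
}

# 2. Failed logons (4625) grouped by source address. Many failures from one address
#    against many accounts looks like password spraying; many against one account
#    looks like brute force. Status/SubStatus tell bad password (0xC000006A) from
#    unknown user (0xC0000064) or locked account (0xC0000234).
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventField $_
        [pscustomobject]@{ Source = $f.IpAddress; User = $f.TargetUserName; Status = $f.Status; SubStatus = $f.SubStatus }
    }

$failed | Group-Object Source |
    Where-Object { $_.Count -ge $FailureThreshold } |
    ForEach-Object {
        $accounts = @($_.Group | Select-Object -ExpandProperty User -Unique)
        "{0} failed logons from {1} against {2} account(s): {3}" -f $_.Count, $_.Name, $accounts.Count, ($accounts -join ', ')
    }

# 3. Lockouts (4740). For domain accounts these are logged on the DC; in this event the
#    TargetDomainName field holds the caller computer name, i.e. where the bad attempts came from.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventField $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $f.TargetUserName; LockedFrom = $f.TargetDomainName }
    } | Format-Table -AutoSize
```

Run it on the domain controller to see domain-wide lockouts and on member servers to see the 4625 noise against each host; forwarding the Security logs through a subscription into one collector lets the same script cover all of them at once.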

Best Regards

This post is licensed under CC BY 4.0 by the author.