Windows Event Log Collection
Logpoint collects event logs from Windows sources through event channels. Some of these channels require you to install, configure or enable Windows-side settings before their logs can be collected. To plan and set up Windows event log collection effectively, you need to understand which event channels Logpoint uses, what each one contains and what you must do to enable it.
To take full advantage of Logpoint's analytics, use all of the event channels. Depending on the channel, you may first need to enable or configure it. For each channel, this page describes what you need to do and lists, by event ID, the events whose logs Logpoint monitors.
Event Channel Configuration
Event channel settings are configured through Windows Audit Policies, which give you granular control over which event logs Logpoint collects. Windows Audit Policies are implemented through the Advanced Audit Policy settings, not the Basic (legacy) Audit Policy settings. Plan and define your Audit Policies before you start using Logpoint Converged SIEM for Windows logs.
The settings described here are general guidelines for collecting Windows logs with Logpoint Converged SIEM. Your organization may have specific requirements not covered here, and these settings are not intended as guidelines for other purposes or platforms.
Windows Audit Policy – Additional Resources
Windows Log Collection Setup
In addition to Event Channel management, you also need:
Install the Logpoint Windows application
The Logpoint Windows application must be installed before Windows logs can be collected.
See: https://docs.logpoint.com/docs/windows/en/latest/Installation.html
Configure Sysmon
Sysmon must be installed and configured; Logpoint's alerts for Windows rely on Sysmon events to work correctly.
For more information, see Sysmon documentation: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Configure NxLog
NxLog should be configured to generate logs in JSON format, because Logpoint only supports JSON-formatted logs for Windows.
For more information, see NxLog documentation: https://docs.nxlog.co/userguide/integrate/logpoint.html
See Logpoint NxLog configuration: https://docs.logpoint.com/docs/windows/en/latest/Configurationofsources.html#nxlog-sample-configuration
Event Channels Overview
Category | Channel(s) | Events collected | What you need to do
Main Windows Admin | Application | All related to system applications management |
Main Windows Admin | System | Critical software and hardware events |
Main Windows Admin | Security | Successful login, failed login, changes to system files | Configure Audit Policies; enable process creation with command line auditing
Sysmon | Sysmon/Operational | Process creations, network connections, changes to file creation time | Install and configure
Scheduled task | Security | | Enable and configure Audit Policy
PowerShell | Windows PowerShell; Microsoft-Windows-PowerShell/Operational | | Enable
Microsoft Defender | Microsoft-Windows-Windows Defender/Operational | | Enabled by default
AppLocker | Microsoft-Windows-AppLocker/MSI and Script; Microsoft-Windows-AppLocker/EXE and DLL; Microsoft-Windows-AppLocker/Packaged app-Deployment; Microsoft-Windows-AppLocker/Packaged app-Execution | | Enable
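As an added example (not code from the Logpoint documentation), the following PowerShell reports whether each channel in the table above exists, is enabled and has records, so you can see what still needs to be installed or enabled before onboarding a host. It assumes an elevated session on the Windows host being onboarded and uses the full channel name Microsoft-Windows-Sysmon/Operational for the Sysmon row.

```powershell
# Added example, not part of the Logpoint documentation.
# Lists the state of every channel in the overview table on the local host.
# Assumes an elevated PowerShell session (reading the Security log needs it).

$channels = @(
    'Application',
    'System',
    'Security',
    'Microsoft-Windows-Sysmon/Operational',          # page lists this as "Sysmon/Operational"
    'Windows PowerShell',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Windows Defender/Operational',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)

function Get-ChannelState {
    param([string[]]$LogNames)
    foreach ($name in $LogNames) {
        # Get-WinEvent -ListLog returns nothing for a channel whose provider is not
        # installed (for example Sysmon before it has been deployed), so treat that
        # as "install the provider" rather than "enable the channel".
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            [pscustomobject]@{ Channel = $name; Present = $false; Enabled = $false
                               Records = 0; LastWrite = $null; Action = 'Install provider' }
            continue
        }
        $action = if (-not $log.IsEnabled) { 'Enable channel: wevtutil sl "<channel>" /e:true' }
                  elseif ($log.RecordCount -eq 0) { 'Enabled but empty: check audit policy or product config' }
                  else { 'OK' }
        [pscustomobject]@{
            Channel   = $name
            Present   = $true
            Enabled   = $log.IsEnabled
            Records   = $log.RecordCount
            LastWrite = $log.LastWriteTime
            Action    = $action
        }
    }
}

Get-ChannelState -LogNames $channels | Format-Table -AutoSize
```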
Application Channel
The logs from Application Channel events depend on which specific applications are installed in your environment.
Before you get started, an administrator needs to enable SQL Server auditing if you want to collect the SQL Server audit events listed below.
For Windows Installer Event Logging: https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
For Windows Installer best practices and verbose logging: https://learn.microsoft.com/en-us/windows/win32/msi/windows-installer-best-practices
Event ID | Source | Description
1022 | MsiInstaller | Product update installed successfully.
1033 | MsiInstaller | Windows Installer installed the product.
1034 | MsiInstaller | Windows Installer removed the product.
1040 | MsiInstaller | Beginning a Windows Installer transaction.
1042 | MsiInstaller | Ending a Windows Installer transaction.
11724 | MsiInstaller | An application has been successfully uninstalled.
216 | ESENT | A database location change was detected.
325 | ESENT | The database engine created a new database.
326 | ESENT | The database engine attached a database.
327 | ESENT | The database engine detached a database.
524 | Microsoft-Windows-Backup | The System Catalog has been deleted.
1 | Microsoft-Windows-Audit-CVE | An attempt to exploit a known vulnerability is detected.
15457, 33205 | MSSQLSERVER | Microsoft SQL Server audit event.
1000 | Application Error | An application has crashed.
1001 | Windows Error Reporting | An application has crashed.
1002 | Application Hang | An application is not responding.
System Channel
Collects system events, including system startup, shutdown and security events, to help you troubleshoot and monitor Windows. Logs can be viewed using the Windows Event Viewer.
Some of these event types require close monitoring.
Event ID | Source | Description
104 | Microsoft-Windows-Eventlog | The System log file was cleared.
7000 | Service Control Manager | The service failed to start due to the following error.
7025 | Service Control Manager | At least one service or driver failed during system startup.
7040 | Service Control Manager | The start type of a service was changed.
7036 | Service Control Manager | The service entered the running/stopped state.
7045 | Service Control Manager | A service was installed in the system.
16 | Microsoft-Windows-WindowsUpdateClient | Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule.
20 | Microsoft-Windows-WindowsUpdateClient | Windows failed to install the update with error.
24 | Microsoft-Windows-WindowsUpdateClient | Windows failed to uninstall the update with error.
1000, 1001 | Microsoft-Windows-WER-SystemErrorReporting | Blue Screen of Death (BSOD).
Security Channel
Collects security events including successful or failed user logons, changes to system files, privilege use and system access attempts. Logs can be viewed using the Windows Event Viewer. The log entries are organized by event type and include detailed information about the event, such as the time it occurred, the user account associated with the event, and whether the event was successful or failed.
The Security Channel is enabled by default. Security Channel logs require Audit Policy setting configuration. Logpoint recommendations are detailed in the tables and sections below.
Event ID | Description
1102 | The audit log was cleared.
4624 | An account was successfully logged on.
4625 | An account failed to log on.
4634 | An account was logged off.
4647 | User initiated logoff.
4648 | A logon was attempted using explicit credentials.
4663 | An attempt was made to access an object.
4672 | Special privileges assigned to new logon.
4688 | A new process has been created.
4719 | System audit policy was changed.
4720 | A user account was created.
4722 | A user account was enabled.
4723 | An attempt was made to change an account's password.
4724 | An attempt was made to reset an account's password.
4725 | A user account was disabled.
4726 | A user account was deleted.
4728 | A member was added to a security-enabled global group.
4729 | A member was removed from a security-enabled global group.
4732 | A member was added to a security-enabled local group.
4733 | A member was removed from a security-enabled local group.
4735 | A security-enabled local group was changed.
4737 | A security-enabled global group was changed.
4755 | A security-enabled universal group was changed.
4756 | A user was added to a privileged universal group.
4738 | A user account was changed.
4740 | A user account was locked out.
4741 | A computer account was created.
4742 | A computer account was changed.
4743 | A computer account was deleted.
4767 | A user account was unlocked.
4771 | Kerberos pre-authentication failed.
4768 | A Kerberos authentication ticket (TGT) was requested.
4769 | A Kerberos service ticket was requested.
4772 | A Kerberos authentication ticket request failed.
4777 | The domain controller failed to validate the credentials of an account.
4616 | The system time was changed.
4657 | A registry value was modified.
4697 | A service was installed in the system.
4946 | A rule has been added to the Windows Firewall exception list.
4947 | A rule has been changed in the Windows Firewall exception list.
4950 | A Windows Firewall setting has changed.
4954 | Windows Firewall Group Policy settings have changed.
4964 | Special groups have been assigned to a new logon.
5025 | The Windows Firewall service has been stopped.
5140 | A network share object was accessed.
5145 | A network share object was checked to see whether the client can be granted the desired access.
Audit Policy Configuration (overview)
Plan which logs you want to monitor before configuring Audit Policies for the Security Channel.
For Windows 7 and later you can use Group Policy for Advanced Audit Policies. For more information: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies
Categories are divided into subcategories. You don’t need to monitor all of a category’s subcategories. Select only those subcategories relevant to your security goals.
Category | Subcategory | Applies to | Audit | Event IDs
Account Logon | Credential Validation | Domain Controller, Member Server, Workstation | Success, Failure | 4774, 4775, 4776, 4777
Account Logon | Kerberos Authentication Service | Domain Controller | Success, Failure | 4768, 4771, 4772
Account Logon | Kerberos Service Ticket Operations | Domain Controller | Success, Failure | 4769, 4770, 4773
Account Management | Computer Account Management | Domain Controller | Success, Failure | 4741, 4742, 4743
Account Management | Distribution Group Management | Domain Controller | Success, Failure | 4749, 4750, 4751, 4752, 4753
Account Management | Other Account Management Events | Domain Controller | Success, Failure | 4782, 4793
Account Management | Security Group Management | Domain Controller, Member Server, Workstation | Success, Failure | 4731, 4732, 4733, 4734, 4735, 4764, 4799
Account Management | User Account Management | Domain Controller, Member Server, Workstation | Success, Failure | 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 4798, 5376, 5377
Detailed Tracking | DPAPI Activity | Domain Controller, Member Server, Workstation | Success, Failure | 4692, 4693, 4694, 4695
Detailed Tracking | PNP Activity | Domain Controller, Member Server, Workstation | Success, Failure | 6416, 6419, 6420, 6421, 6422, 6423, 6424
Detailed Tracking | Process Creation | Domain Controller, Member Server, Workstation | Success, Failure | 4688, 4696
Detailed Tracking | Process Termination | Domain Controller, Member Server, Workstation | Success, Failure | 4689
DS Access | Detailed Directory Service Replication | Domain Controller | Success, Failure | 4928, 4929, 4930, 4931, 4934, 4935, 4936, 4937
DS Access | Directory Service Access | Domain Controller | Success, Failure | 4661, 4662
DS Access | Directory Service Changes | Domain Controller | Success, Failure | 5136, 5137, 5138, 5139, 5141
DS Access | Directory Service Replication | Domain Controller | Success, Failure | 4932, 4933
Logon/Logoff | Account Lockout | Domain Controller, Member Server, Workstation | Failure | 4625
Logon/Logoff | User/Device Claims | Domain Controller, Member Server, Workstation | Success, Failure | 4626
Logon/Logoff | Group Membership | Domain Controller, Member Server, Workstation | Success, Failure | 4627
Logon/Logoff | Logoff | Domain Controller, Member Server, Workstation | Success, Failure | 4634, 4647
Logon/Logoff | Logon | Domain Controller, Member Server, Workstation | Success, Failure | 4624, 4625, 4648, 4675
Logon/Logoff | Other Logon/Logoff Events | Domain Controller, Member Server, Workstation | Success, Failure | 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633
Logon/Logoff | Special Logon | Domain Controller, Member Server, Workstation | Success, Failure | 4964, 4672
Object Access | Detailed File Share | Domain Controller, Member Server, Workstation | Success, Failure (for DC only) | 5145
Object Access | File Share | Domain Controller, Member Server, Workstation | Success, Failure | 5140, 5142, 5143, 5144, 5168
Object Access | File System | Domain Controller, Member Server, Workstation | Success, Failure | 4656, 4658, 4660, 4663, 4664, 4985, 5051, 4670
Object Access | Other Object Access Events | Domain Controller, Member Server, Workstation | Success, Failure | 4671, 4691, 5148, 5149, 4698, 4699, 4700, 4701, 4702, 5888, 5889, 5890
Object Access | Registry | Domain Controller, Member Server, Workstation | Success, Failure | 4663, 4656, 4658, 4660, 4657, 5039, 4670
Object Access | Removable Storage | Domain Controller, Member Server, Workstation | Success, Failure | 4656, 4658, 4663
Policy Change | Audit Policy Change | Domain Controller, Member Server, Workstation | Success, Failure | 4715, 4719, 4817, 4902, 4906, 4907, 4908, 4912, 4904, 4905
Policy Change | Authentication Policy Change | Domain Controller, Member Server, Workstation | Success, Failure | 4670, 4706, 4707, 4716, 4713, 4717, 4718, 4739, 4864, 4865, 4866, 4867
Policy Change | MPSSVC Rule-Level Policy Change | Domain Controller, Member Server, Workstation | Success, Failure | 4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958
Policy Change | Other Policy Change Events | Domain Controller, Member Server, Workstation | Success, Failure | 4714, 4819, 4826, 4909, 4910, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144, 6145
Privilege Use | Non-Sensitive Privilege Use | Domain Controller, Member Server | Failure | 4673, 4674, 4985
Privilege Use | Sensitive Privilege Use | Domain Controller, Member Server, Workstation | Success, Failure | 4673, 4674, 4985
System | Other System Events | Domain Controller, Member Server, Workstation | Success, Failure | 5024, 5025, 5027, 5028, 5029, 5030, 5032, 5033, 5034, 5035, 5037, 5058, 5059, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408, 6409
System | Security State Change | Domain Controller, Member Server, Workstation | Success, Failure | 4608, 4616, 4621
System | Security System Extension | Domain Controller, Member Server, Workstation | Success, Failure | 4610, 4611, 4614, 4622, 4697
System | System Integrity | Domain Controller, Member Server, Workstation | Success, Failure | 4612, 4615, 4618, 4816, 5038, 5056, 5062, 5057, 5060, 5061, 6281, 6410
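As an added example (not Logpoint's own configuration), this PowerShell applies the Success/Failure settings from the table above with auditpol for the rows that apply to member servers and workstations, enables command-line capture for event 4688 as the overview table requires, and makes the advanced policy take precedence over the basic one. It assumes an elevated session on a test host and the English auditpol subcategory names ("Plug and Play Events" is auditpol's name for the table's "PNP Activity" row); in production, deploy the same settings through Group Policy, which overrides local auditpol changes.

```powershell
# Added example, not Logpoint's own code. Run elevated on a test host.
# Each value is (success, failure) as passed to auditpol /set.

$policy = [ordered]@{
    # Account Logon
    'Credential Validation'            = 'enable', 'enable'
    # Account Management
    'Security Group Management'        = 'enable', 'enable'
    'User Account Management'          = 'enable', 'enable'
    # Detailed Tracking
    'Process Creation'                 = 'enable', 'enable'
    'Process Termination'              = 'enable', 'enable'
    'DPAPI Activity'                   = 'enable', 'enable'
    'Plug and Play Events'             = 'enable', 'enable'   # "PNP Activity" in the table
    # Logon/Logoff
    'Logon'                            = 'enable', 'enable'
    'Logoff'                           = 'enable', 'enable'
    'Account Lockout'                  = 'disable', 'enable'  # Failure only, as in the table
    'Special Logon'                    = 'enable', 'enable'
    'Other Logon/Logoff Events'        = 'enable', 'enable'
    # Object Access
    'File Share'                       = 'enable', 'enable'
    'Detailed File Share'              = 'enable', 'enable'
    'Other Object Access Events'       = 'enable', 'enable'   # carries 4698-4702 (scheduled tasks)
    'Registry'                         = 'enable', 'enable'
    'Removable Storage'                = 'enable', 'enable'
    # Policy Change
    'Audit Policy Change'              = 'enable', 'enable'
    'Authentication Policy Change'     = 'enable', 'enable'
    'MPSSVC Rule-Level Policy Change'  = 'enable', 'enable'
    # Privilege Use
    'Sensitive Privilege Use'          = 'enable', 'enable'
    # System
    'Security State Change'            = 'enable', 'enable'
    'Security System Extension'        = 'enable', 'enable'
    'System Integrity'                 = 'enable', 'enable'
    'Other System Events'              = 'enable', 'enable'
}

foreach ($sub in $policy.Keys) {
    $success, $failure = $policy[$sub]
    auditpol.exe /set /subcategory:"$sub" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$sub' (name mismatch, or not elevated)" }
}

# Event 4688 only includes the process command line when this value is 1.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Make the advanced subcategory settings override the basic (legacy) audit categories.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Verify the result; this is the same check to run on a host that is not sending 4688 events.
auditpol.exe /get /subcategory:"Process Creation"
```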
Sysmon Channel
Collects process creation, network connection and file creation time change events. Its coverage depends on correct installation and configuration.
Sysmon events are stored in:
On Windows Vista and higher: Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
On older versions: the System event log
Sysmon is a third-party app: it does not analyse the events it generates, nor does it attempt to protect or hide itself from attackers.
To configure Sysmon in Logpoint, see Sysmon and Alerts.
Overview article: https://www.logpoint.com/en/blog/augment-your-windows-and-edr-telemetry-with-sysmon/
Sysmon Events
Event ID | Event
1 | Process Create
2 | File creation time
3 | Network connection detected
4 | Sysmon service state change
5 | Process terminated
6 | Driver loaded
7 | Image loaded
8 | CreateRemoteThread detected
9 | RawAccessRead detected
10 | Process accessed
11 | File created
12 | Registry object added or deleted
13 | Registry value set
14 | Registry object renamed
15 | File stream created
16 | Sysmon configuration change (cannot be filtered)
17 | Named pipe created
18 | Named pipe connected
19 | WMI filter
20 | WMI consumer
21 | WMI consumer filter
22 | DNS query
Scheduled Task
Scheduled tasks are covered separately even though their events are part of the Security Channel.
The Scheduled Task log records data about scheduled tasks in local files, event logs or remote servers. It collects:
the time the event was generated
a unique identifier for the event
the event severity (error, warning or informational)
the event message
the name of the computer where the event occurred
the name of the file involved
the name of the executed task
information about the process that executed the task
the task start time
the task stop time
the task status (successful or failed)
the user who triggered the task
Additionally, the log may include information about the triggers that caused the task to start (a specific date/time or a specific event).
We recommend monitoring all scheduled task creation events, especially on critical systems. Malware often uses scheduled tasks to maintain persistence.
If the Task Content XML of a new task contains the Password value, an alert is triggered, because the password of the account used to run the scheduled task is then saved in Credential Manager in cleartext and can be extracted by an administrator.
Event ID | Channel | Description
4698 | Security | A scheduled task was created.
4699 | Security | A scheduled task was deleted.
4700 | Security | A scheduled task was enabled.
4701 | Security | A scheduled task was disabled.
4702 | Security | A scheduled task was updated.
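As an added example (not part of the Logpoint page), the PowerShell below parses the Task Content XML carried by event 4698 and flags tasks whose principal has LogonType Password, which is the stored-password condition the alert above describes. The sample event is constructed, not a real capture, so the parser runs offline; Get-TaskPasswordEvents runs the same check against the live Security log.

```powershell
# Added example, not Logpoint's own code. Parses 4698 Task Content and reports
# tasks that run with a stored password (LogonType = Password).

function Test-TaskStoresPassword {
    param([xml]$TaskContent)
    # Task Scheduler XML: <Task><Principals><Principal><LogonType>Password</LogonType>
    $ns = New-Object System.Xml.XmlNamespaceManager($TaskContent.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    $logonTypes = $TaskContent.SelectNodes('//t:Principals/t:Principal/t:LogonType', $ns) |
        ForEach-Object { $_.InnerText }
    return ($logonTypes -contains 'Password')
}

function ConvertFrom-Event4698 {
    param([xml]$EventXml)
    # Pull the EventData fields into a hashtable keyed by their Name attribute.
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText   # InnerText unescapes the embedded XML
    }
    [pscustomobject]@{
        TaskName       = $data['TaskName']
        CreatedBy      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        StoresPassword = Test-TaskStoresPassword -TaskContent ([xml]$data['TaskContent'])
    }
}

function Get-TaskPasswordEvents {
    # Live query: every 4698 on this host whose task principal uses LogonType Password.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event4698 -EventXml ([xml]$_.ToXml()) } |
        Where-Object { $_.StoresPassword }
}

# Constructed sample 4698 (not a real capture), trimmed to the fields the parser uses.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TaskName">\Maintenance\Backup</Data>
    <Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Principals&gt;&lt;Principal id="Author"&gt;&lt;UserId&gt;CORP\svc_backup&lt;/UserId&gt;&lt;LogonType&gt;Password&lt;/LogonType&gt;&lt;/Principal&gt;&lt;/Principals&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>
'@

ConvertFrom-Event4698 -EventXml ([xml]$sample)
```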
Audit Policy Configuration (Scheduled Tasks)
Applies to: Domain Controller, Member Server, Workstation
Audit: Success
This subcategory allows you to monitor operations on scheduled tasks, COM+ objects and indirect object access requests. Success auditing is recommended for scheduled task events.
PowerShell
Collects detailed operation events, including starting and stopping the PowerShell engine and providers, and script block execution.
When Script Block Logging and Module Logging are enabled, PowerShell logs events to the PowerShellCore/Operational log.
PowerShell generates a high volume of events. When Script Block Logging is enabled, the entire command entered is included in the log.
PowerShell Core for Windows (version 6+) requires registering the event provider before events can be written to the event log.
Channels:
Microsoft-Windows-PowerShell/Operational
Windows PowerShell
PowerShellCore/Operational (PowerShell Core version 6+)
Event ID | Channel / logging type | Description
400 | Windows PowerShell | PowerShell command is executed (default logging).
500 | Windows PowerShell | PowerShell is initialized (default logging).
501 | Windows PowerShell | PowerShell command has finished executing (default logging).
800 | Windows PowerShell | Pipeline execution details.
4103 | Module Logging | Needs to be enabled.
4104 | Script Block Logging | Needs to be enabled.
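As an added example (not Logpoint's own code), this PowerShell enables the two sources the table marks as needing to be enabled (4104 Script Block Logging and 4103 Module Logging) and registers the PowerShell 7 event provider mentioned above. It assumes an elevated session; the Group Policy settings under Administrative Templates > Windows Components > Windows PowerShell write the same registry values and are the preferred way to deploy them fleet-wide.

```powershell
# Added example, not Logpoint's own code. Run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 4104: log the full text of every script block as it is compiled (high volume, see above).
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 4103: pipeline execution details. The ModuleNames subkey lists which modules to log;
# a value named '*' with data '*' means all of them.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# PowerShell 7 (Core) only writes to PowerShellCore/Operational once its provider manifest
# is registered. RegisterManifest.ps1 ships in $PSHOME of PowerShell 7, so run this part
# from an elevated pwsh 7 session rather than from Windows PowerShell 5.1.
if ($PSVersionTable.PSVersion.Major -ge 6) {
    & "$PSHOME\RegisterManifest.ps1"
} else {
    Write-Warning 'Run this script from pwsh 7 to register the PowerShellCore/Operational provider.'
}

function Test-PowerShellLogging {
    # Returns the effective state so the change can be verified on each host.
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty "$base\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        CoreChannel        = [bool](Get-WinEvent -ListLog 'PowerShellCore/Operational' -ErrorAction SilentlyContinue)
    }
}

Test-PowerShellLogging
```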
AppLocker
AppLocker logs contain information about applications affected by AppLocker rules.
Each event records:
Which file is affected and its path
Which packaged app is affected and the package identifier
Whether the file or app is allowed or blocked
The rule type (path, file hash, or publisher)
The rule name
The security identifier (SID) for the user or group in the rule
Useful resource: https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-application-control
Channels:
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-AppLocker/Packaged app-Deployment
Microsoft-Windows-AppLocker/Packaged app-Execution
Event ID | Level | Message
8001 | Information | The AppLocker policy was applied successfully to this computer.
8003 | Warning | <File name> was allowed to run but would have been prevented if the AppLocker policy were enforced.
8004 | Error | <File name> was not allowed to run.
8006 | Warning | <File name> was allowed to run but would have been prevented if the AppLocker policy were enforced.
8007 | Error | <File name> was not allowed to run.
8008 | Error | AppLocker is disabled on this SKU.
8022 | Information | Packaged app disabled.
8025 | Warning | Packaged app installation disabled.
8028 | Warning | The application was allowed to run but would have been prevented if the Config CI policy were enforced.
8029 | Error | The application was prevented from running due to the Config CI policy.
More: https://learn.microsoft.com/
Microsoft Defender
Microsoft Defender Antivirus records event IDs in the Windows event log. (Do not confuse it with Microsoft Defender for Endpoint; the two differ in the amount of data collected.)
This category forwards configuration changes, update issues, Attack Surface Reduction (ASR) signals and malware detections. The Defender event channel is enabled by default.
Channel: Microsoft-Windows-Windows Defender/Operational
Event ID | Description
1005 | An antimalware scan failed.
1009 | The antimalware platform restored an item from quarantine.
1015 | The antimalware platform detected suspicious behavior.
1116 | The antimalware platform detected malware or other potentially unwanted software.
1117 | The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
1118 | The antimalware platform attempted an action to protect your system from malware or other potentially unwanted software, but the action failed.
1119 | The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. See the event message for details.
1121 | An ASR rule fired in block mode.
1122 | An ASR rule fired in audit mode.
5007 | The antimalware platform settings were changed.
5000 | Real-time protection is enabled.
5001 | Real-time protection is disabled.
5010 | Scanning for malware and other potentially unwanted software is disabled.
5012 | Scanning for viruses is disabled.
Complete list: https://learn.microsoft.com/
Recommended Windows Audit Policy
Logpoint Alerts Mapping
This is a shortlist of the Logpoint Windows alerts that use the Windows event channels, with their mapping to MITRE ATT&CK, the event channels they use and the event IDs that trigger them. Use it to verify your configuration.
We do our best to ensure that the content we provide is complete, accurate and up to date. Logpoint makes no representations or warranties of any kind, express or implied about the documentation. We update it on a best-effort basis.