Setting up Windows Event Log Reports

What is in this guide
Introduction
- Overview
- Release Notes
Setup the Product
- What's in this section
- System Requirements
- Prerequisites
- Install and Uninstall
- Start and Shutdown
- Connect to Server
- Backing up database
- Increasing Product Memory
- License Details
- Get Started
- Service Account Permission
Add Log Sources
- What's in this section
- Adding Windows Devices
- Adding Syslog Devices
- Adding CEF devices
- Adding Other Devices
- Adding IBM iseries(AS400) devices
- Adding VMware(Exsi) devices
- Adding vCenter
- Adding Application Sources
- Adding AWS EC2 Windows instance
- Configuring Syslog Service
User Interface
- Tabs
- Dashboard Views
- Customize Dashboard Views
- Log Receiver
- Global Search
EventLog Analyzer Reports
- Reports - Overview
- Configuring out-of-the-box reports
- Managing Predefined Reports
- Managing Report Views
- Create Custom Reports
- Schedule Reports
- Mark report as favourite
- Available Reports
Threat Intelligence Data Analytics
- Overview
- FireEye Threat Solutions
- Symantec Endpoint Solutions
- Symantec DLP Applications
- Malwarebytes Solutions
- CEF format
- Configuring McAfee solutions for analysis
Vulnerability Data Analytics
- Overview
- Vulnerability reports
Real-time Event Correlation
- Understanding Correlation
- Correlation Reports
- Last Ten Incidents Overview
- Activity Reports
- Creating Custom Correlation Rules
- Managing Correlation Rules
Compliance
- Compliance Reports
- Risk Posture
  - Overview
  - SQL Server
Search Logs
- Overview
- How to Search Logs
- How to Extract New Fields
- How to Tag Fields
Threat investigation
- Incident workbench
- Device Summary
Alerts
- Overview
- Create Alert Profile
- View Log Alerts
- Alert Notification & Remediation
- Ticketing Tools Integration
- Manage alert Profiles
- Bulk Deleting/Updating Alerts
Incident Management
- Create and assign workflow profiles
- Incident Workflow Management
Framework Integration
- MITRE ATT&CK TTP(S) Framework Integration
Configurations
- What's in this section
- Device Management
- Applications
- Database Audit
- File Integrity Monitoring
- Manage security applications
- Adding custom threat sources
- Advanced Threat Analytics
- Threat Whitelisting
- Threat Import
- Switching threat stores
- Manage Vulnerability Data
- Device Group Management
- VM Management
- Log Forwarder
- Manage Cloud Sources
Admin Settings
- Admin Settings
- Privacy Settings
- Agent Administration
  - Agent Administration
  - Agent Settings
- Archive
- Technicians and Roles
- Logon Settings
- Security hardening
- Reset Account Settings
- Domains and Workgroups
- Working Hour Settings
- Product Settings
- API Settings
  - API Settings
  - Get log sources
  - Get log fields
  - Get log types
  - Synchronous search
  - Asynchronous search
  - Jobs endpoint
  - Jobs Result endpoint
  - Get alert profiles
  - Synchronous alerts
  - Asynchronous alerts
- Retention Settings
- Log Collection Filter
- Log Collection Alerts
- Report Profiles
- Custom Log Parser
- Tags
- Profiles
- Database settings
  - Database auto backup
  - Database migration
System Settings
- System Settings
- Notification Settings
- Manage Account TFA
- Install EventLog Analyzer as a service
- Connection Settings
- Re-branding
- System Diagnostics
- Port Management
Help, Questions, and Tips
- Troubleshooting Tips
- Frequently Asked Questions
- EventLog Analyzer Help
Additional Utilities
- Additional Utilities
- Data Migration
- Working with HTTPS
- Configure MS SQL Database
- Migrate data from PostgreSQL to MS SQL database
- Migrate data from MySQL to MS SQL database
- Move Database to Different Directory in the Same Server
- Move Installation to Another Machine
- Configurations after changing the EventLog Analyzer server Hostname/IP address
- Move Installation to Different Directory in the Same Server
- Configuring NAT Settings
- Disk monitoring for search nodes
- SSL/TLS Settings for Elasticsearch
- Configuring DNS servers
Distributed Edition
- Introduction to Distributed Edition
- Prerequisites for converting EventLog Analyzer standalone to distributed edition
- Converting standalone installation to Admin Server
- Converting standalone installation to Managed Server
- Manage Server Settings
- Setting up auto upgrade
- Auto-upgrade guidelines
- Frequently Asked Questions
- Centralized log archival
Search Engine - Elasticsearch
- Data Upgrade
Technical Support
- Technical Support
- Create SIF offline
- Contact Support

Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

EventLog Analyzer comes packaged with over 1,000 predefined reports that help organizations view consolidated security events, conduct security audits, and meet various compliance requirements. These reports help organizations visualize security events in their network and meet various security and compliance requirements.

In this help document, you will learn to set up Windows report generation.

Setting up Windows report generation

In EventLog Analyzer, most Windows reports get generated automatically when the device is added for monitoring and the event source is configured. To learn how to add a device, check out this page. To learn how to configure an event source, check out the How to configure event source files in a device? section in this page.

There are certain reports, mentioned in the table below, that will require manual creation of keys in your Windows Registry. To set up the generation of these reports, follow the steps given below.

Please make sure event logging has been enabled by right clicking on the event source > Properties > checking the Enable logging box, in Event Viewer.

Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Service > EventLog. Here, create the keys given in the New keys column of table below.

Next, open Local Group Policy Editor and navigate to Computer Configuration > Windows Setting > Security Setting. Further paths and steps to enable the generation of reports are given in the Audit policies column.

Reports	New keys	Audit policies	Other prerequisites
Application Whitelisting Reports	Microsoft-Windows-AppLocker/EXEandDLL Microsoft-Windows-AppLocker/MSI and Script	Enable AppLocker under Application Control Policies	Start the service Application Identity. On creation of the two new keys, a event source Microsoft-Windows-AppLocker/EXEandDLL will be created on the left panel of Event Viewer. Right click on the event source, click Properties, and copy the Log path. Then navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/EXE and DLL, and create an expandable string value with name File. Use the copied log path from the previous step as Value data. Configure the Executable rules, Windows Installer rules, and Script rules under the mentioned audit policies. Restart the machine.
Windows Firewall Auditing Reports	Microsoft-Windows-Windows Firewall With Advanced Security/Firewall	Enable Audit MPSSVC Rule - Level Policy change, under Advanced Audit Policy Configuration > Policy Change.	To Enable Windows Firewall logs, execute the below commands in the target device from where the logs are to be collected. Copy to Clipboard auditpol.exe /set /subcategory:"MPSSVC rule-level policy change,Filtering Platform policy change" /success:enable /failure:enable Copy to Clipboard auditpol.exe /set /subcategory:"IPsec Main Mode,IPsec Quick Mode,IPsec Extended Mode" /success:enable /failure:enable Copy to Clipboard auditpol.exe /set /subcategory:"IPsec Driver,Other system events" /success:enable /failure:enable Copy to Clipboard auditpol.exe /set /subcategory:"Filtering Platform packet drop,Filtering Platform packet drop" /success:enable /failure:enable
Removable Disk Auditing	Microsoft-Windows-DriverFrameworks-UserMode/Operational	Enable Audit Handle Manipulation, Audit Removable Storage and Audit File System (required for auditing delete operation in NT Version 6.2), under Advanced Audit Policy Configuration > Object Access.	To start logging removable storage events, navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage and add new DWORD registry key named as HotPlugSecureOpen and set value as 1.
Registry changes		Enable Audit Registry, under Advanced Audit Policy Configuration > Object Access.	Set SACL for the registry key by right-clicking on the required registry and navigating to Permission > Advance > Auditing in Registry Editor.
Windows Backup & Restore Reports	Microsoft-Windows-Backup	No modification required.
Windows System Events	Microsoft-Windows-GroupPolicy/Operational Microsoft-Windows-NetworkProfile/Operational Microsoft-Windows-WindowsUpdateClient/Operational Microsoft-Windows-Winlogon/Operational Microsoft-Windows-WLAN-AutoConfig/Operational Microsoft-Windows-TerminalServices-Gateway/Operational Microsoft-Windows-TerminalServices-RDPClient/Operational Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational Microsoft-Windows-Wired-AutoConfig/Operational	No modification required.
Hyper-V Server Events Hyper-V VM Management Reports	Microsoft-Windows-Hyper-V-Worker-Admin Microsoft-Windows-Hyper-V-VMMS-Storage Microsoft-Windows-Hyper-V-VMMS-Networking Microsoft-Windows-Hyper-V-VMMS-Admin Microsoft-Windows-Hyper-V-Hypervisor-Operational Microsoft-Windows- Hyper-V-Config Microsoft-Windows-Hyper-V-High-Availability Microsoft-Windows-Hyper-V-Hypervisor Microsoft-Windows-Hyper-V-Integration Microsoft-Windows- Hyper-V-SynthFC Microsoft-Windows-Hyper-V-SynthNic Microsoft-Windows- Hyper-V-SynthStor Microsoft-Windows- Hyper-V-VID Microsoft-Windows- Hyper-V-VMMS	No modification required.
Program Inventory Reports	Microsoft-Windows-Application-Experience/Program-Inventory	No modification required.
IIS	Microsoft-IIS-Configuration/Operational	No modification required.	To access IIS reports, open EventLog Analyzer and navigate to Reports > IIS W3C web server > IIS Admin Configuration Reports.
Print service	Microsoft-Windows-PrintService/Operational Microsoft-Windows-PrintService/Admin	No modification required.
Terminal	Microsoft-Windows-TerminalServices-Gateway/Operational	No modification required.

EventLog Analyzer will now start generating the reports mentioned in the table.

Setting up Windows Event Log Reports

Setting up Windows report generation

Don't see what you're looking for?

Visit our community

Request additional resources

Need implementation assistance?