The essentials of Windows event log monitoring

Security audit events

Track successful and failed login events to get insights into potential security breaches or unauthorized access attempts. They are crucial for identifying both legitimate user activities and potential security threats.

• 4624: Successful account logon event. This can indicate when a user or system account logs on to the system.
• 4625: Failed account logon event. Monitoring this can help identify unauthorized access attempts.
• 4648: A logon was attempted using explicit credentials. Indicates when a user attempts to log on with another user's credentials.

With EventLog Analyzer's powerful search console you can monitor these event IDs instantly with a simple query.

Account management events

Track the creation, modification, or deletion of user accounts and group memberships. Monitoring these events helps ensure that only authorized users have access to sensitive information and systems.

• 4720: A user account was created. This can signal the addition of new users to the system.
• 4728: A member was added to a security-enabled global group. Useful for tracking changes in group memberships that could affect security.
• 4740: A user account was locked out. Monitoring this helps in identifying potential brute-force attack attempts.

You can create custom alerts for specific Event IDs in EventLog Analyzer, and you'll be notified instantly via Email or SMS.

System events

Track unexpected system shutdowns and restarts for diagnosing system failures. Monitoring these event IDs ensures that the system operates as expected.

• 6008: Unexpected shutdown. This can indicate that the system was not shutdown properly, possibly due to a power failure or system crash.
• 1074: System shutdown or restart. This event provides details about who initiated a shutdown or restart and why, which is crucial for auditing system changes.

Apart from the 750+ pre-defined reports, EventLog Analyzer also allows you to create a custom report for monitoring specific Event IDs.

Policy change events

Track domain policy and system audit policy changes. Monitoring these event IDs are vital to maintain the security posture of the system and ensuring that policy changes do not introduce vulnerabilities.

• 4739: Domain policy was changed. Monitoring this event ID is vital in an Active Directory environment to track changes to security policies.
• 4719: System audit policy was changed. Indicates changes to audit policies, which could affect how events are logged.

EventLog Analyzer has out-of-the-box correlations reports to notify you about important events in your network. The correlation rule below will notify you about multiple changes in system audit policies.

For more details on what event IDs to monitor, check out Microsoft's appendix on Events to monitor.

Auto-discovery

1

 

Auto discover log sources

Identify all Windows log sources in your domain and start collecting Windows event logs easily with EventLog Analyzer's auto discover option. The feature detects Windows workstations, firewalls, IIS servers, and SQL servers automatically. Simply select the critical sources and automate log file management to fortify your network.

In-depth log analysis

1

 

40+ predefined correlation reports

2

 

Create custom correlation rule

Utilize EventLog Analyzer's powerful correlation engine to gain comprehensive insights by making sense of log data from all the log sources present in the network. The Windows log monitoring tool contains over 40 pre-built correlation rules to detect the most common cyberattacks like SQL injection, DoS, and brute-force. You also have the option to build custom rules to detect more complex patterns.

Threat hunting

1

 

Perform in-depth analysis

2

 

Visualize critical data

3

 

Drill down to get key insights

Conduct root cause analysis for any security event in your network in minutes. EventLog Analyzer monitors Windows activity in real-time, allowing you to search through raw event logs and pinpoint the exact log entry that caused a security incident. The solution makes it easy for you to find mission-critical information about the detected incident, including the severity level, time, location, and the user who initiated the event. This helps you take the required countermeasures within a short timeframe to speed up incident resolution.

Detailed reports

1

 

Compliance reporting made easy

2

 

750+ out-of-the-box reports

3

 

Export reports

4

 

Add to incident with a single click

Generate detailed reports based on event logs from Windows servers and workstations. EventLog Analyzer contains numerous Windows-specific report templates for security events like failed logons, account lockouts, and security log tampering. The solution also contains compliance-ready report templates for regulatory mandates like PCI DSS, SOX, HIPAA, the GDPR, and FISMA. You can also build custom reports to meet internal audit policies.

Instant alerts

1

 

Create your own alert profile

2

 

Get notified instantly

3

 

Focus on the details

4

 

Stop threats in their tracks Run pre-defined workflows to stop an on-going threat

Detect security events happening in your network instantly and expedite the troubleshooting process. You can configure EventLog Analyzer to send real-time alerts to manage incidents based on logs generated with a specific log type, event ID, log message, or severity. It also supports integration with help desk software, so tickets can be raised automatically in your help desk software.