91 changes: 91 additions & 0 deletions README.md
Expand Up @@ -18,3 +18,94 @@ This substantially modifies the client to a service that looks for successful in
Events are ingested into Seq with useful properties that allow for easy searching.

```
[AppName] New login detected on {MachineName} - {TargetDomainName}\{TargetUserName} at {EventTime}
```

Properties included with each event:

| Property | Description |
|---|---|
| EventId | Windows Security Event ID (e.g. 4624) |
| EventTime | Timestamp of the event |
| Source | Event provider name |
| EventLogName | Name of the event log (Security) |
| EventRecordID | Unique record ID in the event log |
| SubjectUserName | Account that initiated the logon session |
| SubjectDomainName | Domain of the account that initiated the session |
| TargetUserName | Account that was logged on |
| TargetDomainName | Domain of the account that was logged on |
| LogonType | Type of logon (2 = Interactive, 10 = RemoteInteractive) |
| LogonProcessName | The process that performed the logon |
| AuthenticationPackageName | Authentication package used |
| WorkstationName | Machine the logon was requested from |
| IpAddress | IP address of the client machine |
| IpPort | Port used by the client machine |

## Enabling Windows Security Audit Events

Windows does not enable all the relevant security audit events by default. The following audit policies must be enabled so that the Windows Security event log generates the events that this service monitors.

### Events Monitored

| Event ID | Description |
|---|---|
| 4624 | An account was successfully logged on |
| 4625 | An account failed to log on |
| 4634 | An account was logged off |
| 4647 | User initiated logoff |

These events are generated by the **Logon/Logoff** audit policy category.

### Standalone Servers

On a standalone server (not domain-joined), use Local Security Policy or `auditpol.exe` to configure audit policy.

#### Using Local Security Policy (GUI)

1. Open **Local Security Policy** (`secpol.msc`).
2. Navigate to **Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff**.
3. Double-click **Audit Logon** and enable **Success** and **Failure**.
4. Double-click **Audit Logoff** and enable **Success**.
5. Close Local Security Policy. Changes take effect immediately.

#### Using auditpol.exe (Command Line)

Run the following commands in an elevated command prompt:

```cmd
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
```

To verify the settings:

```cmd
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Logoff"
```

### Domain Servers

On domain-joined servers, use Group Policy to configure audit policy centrally across all servers.

#### Using Group Policy Management Console (GPMC)

1. Open **Group Policy Management** (`gpmc.msc`) on a domain controller or a machine with RSAT installed.
2. Create a new GPO or edit an existing GPO linked to the Organizational Unit (OU) containing your servers.
3. Navigate to **Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff**.
4. Double-click **Audit Logon**, check **Configure the following audit events**, and enable **Success** and **Failure**.
5. Double-click **Audit Logoff**, check **Configure the following audit events**, and enable **Success**.
6. Close the Group Policy editor and run `gpupdate /force` on each server, or wait for Group Policy to refresh automatically (typically within 90 minutes).

#### Verifying Policy on Domain Servers

After Group Policy has been applied, verify the effective audit policy on a server using an elevated command prompt:

```cmd
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Logoff"
```

Both subcategories should show the expected **Success** and/or **Failure** settings.

> **Note:** If you are using the legacy basic audit policy (Security Settings > Local Policies > Audit Policy) instead of the advanced audit policy, enable **Audit logon events** for **Success** and **Failure**. However, Microsoft recommends using the Advanced Audit Policy Configuration for more granular control.
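Review bot: the LogonType row in the properties table lists only 2 (Interactive) and 10 (RemoteInteractive), but the hunk never states whether the service forwards every 4624 or only those two types. Once Audit Logon success is enabled as instructed under "Using auditpol.exe" and the GPMC steps, the Security log also records a 4624 for network (type 3), batch and service logons, so on a domain server the Seq feed would carry a "New login detected" event for each inbound file-share or RPC connection unless the service filters. A sentence under "Properties included with each event" saying which LogonType values produce a Seq event, and that other types are ignored (or configurable), would let operators judge the volume before enabling the policy. Separately, the closing note on legacy basic audit policy would be more useful if it also said not to configure both models on the same machine and pointed at the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option, since that is what decides which of the two takes effect when both are set.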