CHAPTER 8
Event Log Analysis
Microsoft Windows provides detailed auditing capabilities that have improved with each new operating system version. The event logging service can generate a vast amount of information about account logons, file and system access, changes to system configurations, process tracking, and much more. These logs can be stored locally, or Windows Event Forwarding (WEF) can be used to store event logs on a remote Windows system. Microsoft provides access to event log data through the built‐in Event Viewer application and through PowerShell cmdlets that allow for queries leveraging PowerShell Remoting across the network. Event logs can also be centralized to a third‐party security information and event management (SIEM) solution for aggregation and analysis. With proper tuning and log retention, event logs can be an extremely powerful tool for incident responders.
Understanding Event Logs
An event is an observable activity that occurs on the system. The Windows event logging service can record five different types of event record: Error, Warning, Information, Success Audit, and Failure Audit. All of these have a defined set of data that is recorded for each event, as well as additional, event‐specific details that may be recorded depending on the type of event. Each event can be recorded in an event log record. Event log records are written to event log files by event log sources (programs capable of writing to the event logs). Modern Windows systems ...
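As an added illustration of the PowerShell Remoting approach mentioned above (example code written for this edition of the text, not from the book), the following function pulls successful and failed account logon records from the Security log of several hosts and returns them as structured objects for triage. It assumes WinRM is enabled on the targets, that the caller is permitted to read the Security log, and that the host names WS01 and DC01 are placeholders for real systems.

```powershell
# Added example, not from the book: summarise successful (4624) and failed (4625)
# logons from the Security log of remote hosts using PowerShell Remoting.
# Assumes WinRM is enabled and the caller can read the Security log on each host.
function Get-LogonSummary {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,   # placeholder host names
        [int] $Hours = 24
    )

    $since = (Get-Date).AddHours(-$Hours)

    # This script block runs on each remote host, so only the filtered and
    # parsed records travel back over the network, not the entire log.
    $remote = {
        param($since)
        $filter = @{
            LogName   = 'Security'
            Id        = 4624, 4625        # 4624 = logon succeeded, 4625 = logon failed
            StartTime = $since
        }
        foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
            # The event-specific details live in the EventData section of the record XML.
            $xml  = [xml]$evt.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $outcome = if ($evt.Id -eq 4624) { 'Success' } else { 'Failure' }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Time      = $evt.TimeCreated
                EventId   = $evt.Id
                Outcome   = $outcome
                User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $data['LogonType']    # e.g. 3 = network, 10 = RemoteInteractive
                SourceIp  = $data['IpAddress']
            }
        }
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote -ArgumentList $since
}

# Usage: rank failed logons by account and source address across two hosts (placeholders).
Get-LogonSummary -ComputerName 'WS01', 'DC01' -Hours 24 |
    Where-Object Outcome -eq 'Failure' |
    Group-Object User, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

The returned objects can be piped to Export-Csv or forwarded to a SIEM for correlation with other sources.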