Windows keeps a system log, a record of events that take place on the computer. Examples of such events include:
Device driver problems
Logins and logouts
Service startups and shutdowns
Creation of, and changes to, user accounts
These events and more are kept in the event log and are viewable with the Event Viewer. But before I talk about that, let's go into more detail on auditing, which also results in event log entries.
Auditing gives you the ability to watch certain types of events even more closely.
Microsoft uses the terms "events" and "audit" in the same context. Audit log entries and event log entries are the same thing.
Follow these steps to turn on auditing:
Go to Control Panel → System and Maintenance → Administrative Tools.
Double-click 'Local Security Policy.' The 'Local Security Policy' window appears, as in Figure 15.
Figure 15. The 'Local Security Policy' window is the path to many security policy functions including auditing
Open Local Policies → Audit Policies. Click 'Audit Policies.' The window should now appear like Figure 16.
Figure 16. Viewing and setting Audit Policies
Double-click the Audit Policy you wish to change. For instance, you may wish to turn on auditing for privilege use. ...
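The same privilege-use setting can be checked, enabled and read back from an elevated PowerShell prompt. This is an added example, not part of the original walkthrough. It assumes an English-language system (category names are localized) and uses the built-in auditpol tool, which applies the setting to every subcategory under "Privilege Use"; event IDs 4672, 4673 and 4674 are the privilege-use entries written to the Security log.

```powershell
# Added example (not from the original page). Run from an elevated prompt:
# both auditpol and the Security log require administrator rights.

# Show the current setting for each Privilege Use subcategory.
auditpol /get /category:"Privilege Use"

# Turn on auditing of both successful and failed privilege use.
auditpol /set /category:"Privilege Use" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed with exit code $LASTEXITCODE (is the prompt elevated?)"
}

# Confirm that the change took effect.
auditpol /get /category:"Privilege Use"

# Read back the entries the policy produces in the Security log.
#   4672 = special privileges assigned to new logon
#   4673 = a privileged service was called
#   4674 = an operation was attempted on a privileged object
$filter = @{
    LogName   = 'Security'
    Id        = 4672, 4673, 4674
    StartTime = (Get-Date).AddHours(-1)   # constructed window: the last hour
}

try {
    Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction Stop |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
catch {
    # Get-WinEvent raises an error when nothing matches the filter.
    Write-Host "No privilege-use events in the last hour: $($_.Exception.Message)"
}
```

Failure auditing of privilege use can generate a large number of entries, so check the Security log size and retention settings after enabling it.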