# Windows Logging Recommendations

## Windows Event Log Recommendations By Log Source
| # | Category | Name | ID | Level | Event Log | Event Source |
|---|----------|------|----|-------|-----------|--------------|
| 1 | Boot Events | Shutdown Initiate Failed | 1074 | Warning | User32 | User32 |
| 2 | Application Crashes | BSOD | 1001 | Error | System | Microsoft-Windows-WER-SystemErrorReporting |
| 3 | Boot Events | Windows Shutdown | 13 | Information | System | Microsoft-Windows-Kernel-General |
| 4 | Boot Events | Windows Startup | 12 | Information | System | Microsoft-Windows-Kernel-General |
| 5 | Clearing Event Logs | Event Log was Cleared | 104 | Information | System | Microsoft-Windows-Eventlog |
| 6 | Group Policy Errors | Generic Internal Error | 1126 | Error | System | Microsoft-Windows-GroupPolicy |
| 7 | Group Policy Errors | Group Policy Application Failed due to Connectivity | 1129 | Error | System | Microsoft-Windows-GroupPolicy |
| 8 | Group Policy Errors | Internal Error | 1125 | Error | System | Microsoft-Windows-GroupPolicy |
| 9 | Kernel Driver Signing | Failed Kernel Driver Loading | 219 | Warning | System | Microsoft-Windows-Kernel-PnP |
| 10 | Software and Service Installation | New Kernel Filter Driver | 6 | Information | System | Microsoft-Windows-FilterManager |
| 11 | Software and Service Installation | New Windows Service | 7045 | Information | System | Microsoft-Windows-FilterManager |
| 12 | Software and Service Installation | Service Start Failure | 7000 | Error | System | Service Control Manager |
| 13 | Software and Service Installation | Windows Update Installed | 19 | Information | System | Microsoft-Windows-WindowsUpdateClient |
| 14 | System Integrity | System Time Changed | 1 | Information | System | Microsoft-Windows-Kernel-General |
| 15 | System or Service Failures | Windows Service Fails or Crashes | 7022, 7023, 7024, 7026, 7031, 7032, 7034 | Error | System | Service Control Manager |
| 16 | Software and Service Installation | Update Packages Installed | 2 | Information | Setup | Microsoft-Windows-Servicing |
| 17 | Windows Update Errors | Hotpatching Failed | 1009 | Information | Setup | Microsoft-Windows-Servicing |
| 18 | Account Usage | Account Lockouts | 4740 | Information | Security | Microsoft-Windows-Security-Auditing |
| 19 | Account Usage | Account Login with Explicit Credentials | 4648 | Information | Security | Microsoft-Windows-Security-Auditing |
| 20 | Account Usage | Account Name Changed | 4781 | Information | Security | Microsoft-Windows-Security-Auditing |
| 21 | Account Usage | Account Removed from Local Security Group | 4733 | Information | Security | Microsoft-Windows-Security-Auditing |
| 22 | Account Usage | Credential Authentication | 4776 | Information | Security | Microsoft-Windows-Security-Auditing |
| 23 | Account Usage | Credentials Backed Up | 5376 | Information | Security | Microsoft-Windows-Security-Auditing |
| 24 | Account Usage | Credentials Restored | 5377 | Information | Security | Microsoft-Windows-Security-Auditing |
| 25 | Account Usage | Failed User Account Login | 4625 | Information | Security | Microsoft-Windows-Security-Auditing |
| 26 | Account Usage | Logoff Event | 4634 | Information | Security | Microsoft-Windows-Security-Auditing |
| 27 | Account Usage | Logon with Special Privileges | 4672 | Information | Security | Microsoft-Windows-Security-Auditing |
| 28 | Account Usage | New User Account Created | 4720 | Information | Security | Microsoft-Windows-Security-Auditing |
| 29 | Account Usage | New User Account Enabled | 4722 | Information | Security | Microsoft-Windows-Security-Auditing |
| 30 | Account Usage | Password Hash Accessed | 4782 | Information | Security | Microsoft-Windows-Security-Auditing |
| 31 | Account Usage | Password Policy Checking API Called | 4793 | Information | Security | Microsoft-Windows-Security-Auditing |
| 32 | Account Usage | Security-Enabled Group Created | 4731 | Information | Security | Microsoft-Windows-Security-Auditing |
| 33 | Account Usage | Security-Enabled Group Modification | 4735 | Information | Security | Microsoft-Windows-Security-Auditing |
| 34 | Account Usage | SID History Add Attempted on Account | 4766 | Information | Security | Microsoft-Windows-Security-Auditing |
| 35 | Account Usage | SID History Added to Account | 4765 | Information | Security | Microsoft-Windows-Security-Auditing |
| 36 | Account Usage | Successful User Account Login | 4624 | Information | Security | Microsoft-Windows-Security-Auditing |
| 37 | Account Usage | User Account Deleted | 4726 | Information | Security | Microsoft-Windows-Security-Auditing |
| 38 | Account Usage | User Account Disabled | 4725 | Information | Security | Microsoft-Windows-Security-Auditing |
| 39 | Account Usage | User Account Unlocked | 4767 | Information | Security | Microsoft-Windows-Security-Auditing |
| 40 | Account Usage | User Added to Privileged Group | 4728, 4732, 4756 | Information | Security | Microsoft-Windows-Security-Auditing |
| 41 | Account Usage | User Right Assigned | 4704 | Information | Security | Microsoft-Windows-Security-Auditing |
| 42 | Application Whitelisting | Process Created | 4688 | Information | Security | Microsoft-Windows-Security-Auditing |
| 43 | Application Whitelisting | Process Terminated | 4689 | Information | Security | Microsoft-Windows-Security-Auditing |
| 44 | Certificate Services | CA Services Request | 4886 | Information | Security | Microsoft-Windows-Security-Auditing |
| 45 | Certificate Services | Certificate Manager Settings Changed | 4890 | Information | Security | Microsoft-Windows-Security-Auditing |
| 46 | Certificate Services | Certificate Request Attributes Changed | 4874 | Information | Security | Microsoft-Windows-Security-Auditing |
| 47 | Certificate Services | Certificate Request Extension Changed | 4873 | Information | Security | Microsoft-Windows-Security-Auditing |
| 48 | Certificate Services | Certificate Revoked | 4870 | Information | Security | Microsoft-Windows-Security-Auditing |
| 49 | Certificate Services | Certificate Services Approved Request | 4887 | Information | Security | Microsoft-Windows-Security-Auditing |
| 50 | Certificate Services | Certificate Services Audit Filter Changed | 4885 | Information | Security | Microsoft-Windows-Security-Auditing |
| 51 | Certificate Services | Certificate Services Configuration Changed | 4891 | Information | Security | Microsoft-Windows-Security-Auditing |
| 52 | Certificate Services | Certificate Services Denied Request | 4888 | Information | Security | Microsoft-Windows-Security-Auditing |
| 53 | Certificate Services | Certificate Services Loaded Template | 4898 | Information | Security | Microsoft-Windows-Security-Auditing |
| 54 | Certificate Services | Certificate Services Permissions Changed | 4882 | Information | Security | Microsoft-Windows-Security-Auditing |
| 55 | Certificate Services | Certificate Services Property Changed | 4892 | Information | Security | Microsoft-Windows-Security-Auditing |
| 56 | Certificate Services | Certificate Services Started | 4880 | Information | Security | Microsoft-Windows-Security-Auditing |
| 57 | Certificate Services | Certificate Services Stopped | 4881 | Information | Security | Microsoft-Windows-Security-Auditing |
| 58 | Certificate Services | Certificate Services Template Security Updated | 4900 | Information | Security | Microsoft-Windows-Security-Auditing |
| 59 | Certificate Services | Certificate Services Template Updated | 4899 | Information | Security | Microsoft-Windows-Security-Auditing |
| 60 | Certificate Services | Entries Removed from Certificate Database | 4896 | Information | Security | Microsoft-Windows-Security-Auditing |
| 61 | Clearing Event Logs | Event Log Service Shutdown | 1100 | Information | Security | Microsoft-Windows-Eventlog |
| 62 | Clearing Event Logs | Event Log was Cleared | 1102 | Information | Security | Microsoft-Windows-Eventlog |
| 63 | DNS/Directory Services | Directory Service Object Created | 5137 | Information | Security | Microsoft-Windows-Security-Auditing |
| 64 | DNS/Directory Services | Directory Service Object Deleted | 5141 | Information | Security | Microsoft-Windows-Security-Auditing |
| 65 | DNS/Directory Services | Directory Service Object Modified | 5136 | Information | Security | Microsoft-Windows-Security-Auditing |
| 66 | DNS/Directory Services | Directory Service Object Moved | 5139 | Information | Security | Microsoft-Windows-Security-Auditing |
| 67 | DNS/Directory Services | Directory Service Object Recovered | 5138 | Information | Security | Microsoft-Windows-Security-Auditing |
| 68 | Kernel Driver Signing | Detected an Invalid Image Hash of a File | 5038 | Information | Security | Microsoft-Windows-Security-Auditing |
| 69 | Kernel Driver Signing | Detected an Invalid Page Hash of an Image File | 6281 | Information | Security | Microsoft-Windows-Security-Auditing |
| 70 | Network Policy | Encrypted Data Recovery Policy Changed | 4714 | Information | Security | Microsoft-Windows-Security-Auditing |
| 71 | Network Policy | Kerberos Policy Changed | 4713 | Information | Security | Microsoft-Windows-Security-Auditing |
| 72 | Network Policy | Kerberos Service Ticket Request Failed | 4769 | Information | Security | Microsoft-Windows-Security-Auditing |
| 73 | Network Policy | Network Policy Server Denied Access | 6273 | Information | Security | Microsoft-Windows-Security-Auditing |
| 74 | Network Policy | Network Policy Server Discarded Accounting Request | 6275 | Information | Security | Microsoft-Windows-Security-Auditing |
| 75 | Network Policy | Network Policy Server Discarded Request | 6274 | Information | Security | Microsoft-Windows-Security-Auditing |
| 76 | Network Policy | Network Policy Server Granted Access | 6272 | Information | Security | Microsoft-Windows-Security-Auditing |
| 77 | Network Policy | Network Policy Server Granted Full Access | 6278 | Information | Security | Microsoft-Windows-Security-Auditing |
| 78 | Network Policy | Network Policy Server Granted Probationary Access | 6277 | Information | Security | Microsoft-Windows-Security-Auditing |
| 79 | Network Policy | Network Policy Server Locked Account | 6279 | Information | Security | Microsoft-Windows-Security-Auditing |
| 80 | Network Policy | Network Policy Server Quarantined User | 6276 | Information | Security | Microsoft-Windows-Security-Auditing |
| 81 | Network Policy | Network Policy Server Unlocked Account | 6280 | Information | Security | Microsoft-Windows-Security-Auditing |
| 82 | Network Policy | Network Share Accessed | 5140 | Information | Security | Microsoft-Windows-Security-Auditing |
| 83 | Network Policy | Network Share Checked | 5145 | Information | Security | Microsoft-Windows-Security-Auditing |
| 84 | Network Policy | Network Share Created | 5142 | Information | Security | Microsoft-Windows-Security-Auditing |
| 85 | Network Policy | Network Share Deleted | 5144 | Information | Security | Microsoft-Windows-Security-Auditing |
| 86 | Network Policy | New Trust for Domain | 4706 | Information | Security | Microsoft-Windows-Security-Auditing |
| 87 | Network Policy | Role Separation Enabled | 4897 | Information | Security | Microsoft-Windows-Security-Auditing |
| 88 | Network Policy | System Audit Policy Changed | 4719 | Information | Security | Microsoft-Windows-Security-Auditing |
| 89 | Network Policy | Trusted Domain Information Modified | 4716 | Information | Security | Microsoft-Windows-Security-Auditing |
| 90 | Network Policy | TS Session Disconnect | 4779 | Information | Security | Microsoft-Windows-Security-Auditing |
| 91 | Network Policy | TS Session Reconnect | 4778 | Information | Security | Microsoft-Windows-Security-Auditing |
| 92 | Network Policy | Wireless 802.1X Authentication | 5632 | Information | Security | Microsoft-Windows-Security-Auditing |
| 93 | System Integrity | Registry Modification | 4657 | Information | Security | Microsoft-Windows-Security-Auditing |
| 94 | Network Policy | RADIUS User Assigned IP | 20250 | Success | RemoteAccess | Microsoft-Windows-MPRMSG |
| 95 | Network Policy | RADIUS User Authenticated | 20274 | Success | RemoteAccess | Microsoft-Windows-MPRMSG |
| 96 | Network Policy | RADIUS User Disconnected | 20275 | Success | RemoteAccess | Microsoft-Windows-MPRMSG |
| 97 | PowerShell Activities | Get-MessageTrackingLog cmdlet | 800 | Information | PowerShell | Microsoft-Windows-PowerShell |
| 98 | PowerShell Activities | Remote Connection | 169 | Information | PowerShell | Microsoft-Windows-PowerShell |
| 99 | Mobile Device Activities | Disconnect from Wireless Connection | 8003 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| 100 | Mobile Device Activities | Starting a Wireless Connection | 8000, 8011 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| 101 | Mobile Device Activities | Successfully Connected to a Wireless Connection | 8001 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| 102 | Mobile Device Activities | Wireless Association Status | 11000, 11001 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| 103 | Mobile Device Activities | Wireless Association Status | 11002 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| 104 | Mobile Device Activities | Wireless Authentication Started and Failed | 12011, 12012 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| 105 | Mobile Device Activities | Wireless Authentication Started and Failed | 12013 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| 106 | Mobile Device Activities | Wireless Connection Failed | 8002 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| 107 | Mobile Device Activities | | | | | |