Sorry, you need to enable JavaScript to visit this website.
Skip to main content

Windows Event Logging and Forwarding

First published 2017; Latest version April 2019


A common theme identified by the Australian Cyber Security Centre (ACSC) while performing investigations is that organisations have insufficient visibility of activity occurring on their workstations and servers. Good visibility of what is happening in an organisation’s environment is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to them.

This document has been developed as a guide to the setup and configuration of Windows event logging and forwarding. This advice has been developed to support both the detection and investigation of malicious activity by providing an ideal balance between the collection of important events and management of data volumes. This advice is also designed to complement existing host-based intrusion detection and prevention systems.

This document is intended for information technology and information security professionals. It covers the types of events which can be generated and an assessment of their relative value, centralised collection of event logs, the retention of event logs, and recommended Group Policy settings along with implementation notes.

This document does not contain detailed information about analysing event logs.

Accompanying this document is the ACSC's Windows event logging repository. The repository contains configuration files and scripts to implement the recommendations in this document. All files and folders referred to in this document are available from this repository.

Table of contents

  • Introduction
  • Considerations
  • Event log retention
  • Event categories
  • Event category configuration
    • Sysmon
    • Account lockout
    • Account modifications
    • Event collection
    • Account logon
    • Process tracking
    • AppLocker
    • Enhanced Mitigation Experience Toolkit
    • Services
    • Windows Defender
    • Windows Error Reporting
    • Code integrity
    • File shares
    • Scheduled tasks
    • Windows Management Instrumentation auditing
    • NTLM authentication
    • Object access auditing
    • PowerShell logging
  • Event forwarding
    • Scalability
    • Client configuration
    • Server configuration
      • Setting forwarded log size
      • Adding subscriptions
      • Verification and debugging
      • Archiving
  • Further information
  • Contact details

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing or calling 1300 CYBER1 (1300 292 371).

April 30th, 2019