
    Setting up Windows Event Log Reports

    EventLog Analyzer comes packaged with over 1,000 predefined reports that help organizations view consolidated security events from their network, conduct security audits, and meet various compliance requirements.

    In this help document, you will learn to set up Windows report generation.

    Setting up Windows report generation

    In EventLog Analyzer, most Windows reports get generated automatically when the device is added for monitoring and the event source is configured. To learn how to add a device, check out this page. To learn how to configure an event source, check out the How to configure event source files in a device? section in this page.

    Certain reports, listed in the table below, require keys to be created manually in the Windows Registry, and some additionally require audit policies or SACLs to be configured. To set up the generation of these reports, follow the steps given below.

    • In Event Viewer, make sure logging is enabled for the event source: right-click the event source > Properties > check the Enable logging box.
    • Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. Here, create the keys given in the New keys column of the table below.
    • Next, open the Local Group Policy Editor and navigate to Computer Configuration > Windows Settings > Security Settings. The further paths and steps needed to enable the generation of each report are given in the Audit policies column.
    For each report, the table lists the new keys to create under Services\EventLog, the audit policies to enable, and any other prerequisites.

    Application Whitelisting Reports
    • New keys: Microsoft-Windows-AppLocker/EXEandDLL; Microsoft-Windows-AppLocker/MSI and Script
    • Audit policies: Enable AppLocker under Application Control Policies.
    • Other prerequisites:
        • Start the Application Identity service.
        • Once the two new keys are created, an event source named Microsoft-Windows-AppLocker/EXEandDLL appears in the left panel of Event Viewer. Right-click the event source, click Properties, and copy the Log path.
        • Then navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/EXE and DLL and create an expandable string value (REG_EXPAND_SZ) named File. Use the log path copied in the previous step as the Value data.
        • Configure the Executable rules, Windows Installer rules, and Script rules under the audit policy mentioned above.
        • Restart the machine.

    Windows Firewall Auditing Reports
    • New key: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    • Audit policies: Enable Audit MPSSVC Rule-Level Policy Change under Advanced Audit Policy Configuration > Policy Change.

    Removable Disk Auditing
    • New key: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    • Audit policies: Enable Audit Handle Manipulation and Audit Removable Storage under Advanced Audit Policy Configuration > Object Access.
    • Other prerequisites: Set a SACL on the removable disk by right-clicking the required folder and navigating to Properties > Security tab > Advanced > Auditing. Without a SACL, enabling the audit subcategory alone produces no events.

    Registry changes
    • New keys: None required.
    • Audit policies: Enable Audit Registry under Advanced Audit Policy Configuration > Object Access.
    • Other prerequisites: Set a SACL on the registry key by right-clicking the required key in Registry Editor and navigating to Permissions > Advanced > Auditing. As with removable disks, the Registry audit subcategory only generates events for keys that carry a SACL.

    Windows Backup & Restore Reports
    • New key: Microsoft-Windows-Backup
    • Audit policies: No modification required.

    Windows System Events
    • New keys: Microsoft-Windows-GroupPolicy/Operational; Microsoft-Windows-NetworkProfile/Operational; Microsoft-Windows-WindowsUpdateClient/Operational; Microsoft-Windows-Winlogon/Operational; Microsoft-Windows-WLAN-AutoConfig/Operational; Microsoft-Windows-TerminalServices-Gateway/Operational; Microsoft-Windows-TerminalServices-RDPClient/Operational; Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational; Microsoft-Windows-Wired-AutoConfig/Operational
    • Audit policies: No modification required.

    Hyper-V Server Events, Hyper-V VM Management Reports
    • New keys: Microsoft-Windows-Hyper-V-Worker-Admin; Microsoft-Windows-Hyper-V-VMMS-Storage; Microsoft-Windows-Hyper-V-VMMS-Networking; Microsoft-Windows-Hyper-V-VMMS-Admin; Microsoft-Windows-Hyper-V-Hypervisor-Operational
    • Audit policies: No modification required.

    Program Inventory Reports
    • New key: Microsoft-Windows-Application-Experience/Program-Inventory
    • Audit policies: No modification required.

    IIS
    • New key: Microsoft-IIS-Configuration/Operational
    • Audit policies: No modification required.
    • Other prerequisites: To access IIS reports, open EventLog Analyzer and navigate to Reports > IIS W3C web server > IIS Admin Configuration Reports.

    Print service
    • New keys: Microsoft-Windows-PrintService/Operational; Microsoft-Windows-PrintService/Admin
    • Audit policies: No modification required.

    Terminal
    • New key: Microsoft-Windows-TerminalServices-Gateway/Operational
    • Audit policies: No modification required.

    EventLog Analyzer will now start generating the reports mentioned in the table.
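    The following PowerShell script is an added example that scripts the manual steps above on a single Windows host; it is not part of the EventLog Analyzer documentation or product. The channel and key names are the ones the table lists. The registry key chosen for the SACL ($AuditedKey, the HKLM Run key) is an assumed example target; pick the key your report should cover. Run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the EventLog Analyzer documentation. It automates the
# steps in the table above. $AuditedKey is an assumed example target.

$hklm = [Microsoft.Win32.Registry]::LocalMachine

# Step 1: enable logging on the channels (same as "Enable logging" in Event Viewer).
# wevtutil takes the channel name as Windows spells it, spaces included.
$Channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall',
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
)
foreach ($c in $Channels) { wevtutil sl "$c" /e:true }

# Step 2: create the "New keys" under Services\EventLog. The names contain '/',
# which the PowerShell registry provider (HKLM:\...) interprets as a path
# separator, so the .NET RegistryKey API is used; Win32 only splits on '\'.
$NewKeys = @(
    'Microsoft-Windows-AppLocker/EXEandDLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall',
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational',
    'Microsoft-Windows-PrintService/Operational',
    'Microsoft-Windows-PrintService/Admin'
)
$eventLog = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\EventLog', $true)
foreach ($k in $NewKeys) { $eventLog.CreateSubKey($k).Close() }
$eventLog.Close()

# Step 3 (Application Whitelisting rows): start Application Identity and point
# the EXE and DLL channel's File value at its own log path. LogFilePath is the
# same string Event Viewer shows as "Log path" in the channel's Properties.
Start-Service -Name AppIDSvc
$logPath = (Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/EXE and DLL').LogFilePath
$chan = $hklm.OpenSubKey(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/EXE and DLL', $true)
$chan.SetValue('File', $logPath, [Microsoft.Win32.RegistryValueKind]::ExpandString)
$chan.Close()

# Step 4: the "Audit policies" column, applied locally with auditpol. If a GPO
# defines Advanced Audit Policy, these local settings are overwritten at the next
# policy refresh; in that case set them in the GPO as the text above describes.
$Subcategories = @(
    'MPSSVC Rule-Level Policy Change',   # Windows Firewall Auditing Reports
    'Handle Manipulation',               # Removable Disk Auditing
    'Removable Storage',                 # Removable Disk Auditing
    'Registry'                           # Registry changes
)
foreach ($s in $Subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# Step 5 (Registry changes row): put a SACL on the key to watch. The Registry
# subcategory emits nothing for keys without one. Assumed target: the HKLM Run
# key, a common persistence location; change $AuditedKey to suit your report.
$AuditedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    $flags)
$acl = Get-Acl -Path $AuditedKey -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditedKey -AclObject $acl

# Step 6: verify before rebooting (the reboot is the table's last AppLocker step).
Get-WinEvent -ListLog $Channels | Format-Table LogName, IsEnabled, RecordCount -AutoSize
foreach ($s in $Subcategories) { auditpol /get /subcategory:"$s" }
# Restart-Computer   # needed for the AppLocker channel to pick up the File value
```

    The script deliberately avoids the HKLM:\ provider for any key whose name contains a forward slash; New-Item or Get-Item against such a path silently targets the wrong key. The SACL rule audits SetValue, CreateSubKey and Delete rather than FullControl so that routine reads do not flood the Security log with 4663 events; widen the rights only if the report you want needs read auditing.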
