Setting up Windows Event Log Reports

What is in this guide
Introduction
- Overview
- Release Notes
Setup the Product
- What’s in this section
- System Requirements
- Prerequisites
- Install and Uninstall
- Start and Shutdown
- Connect to Server
- Backing up database
- License Details
- Get Started
Add Log Sources
- What’s in this section
- Adding Windows Devices
- Adding Syslog Devices
- Adding CEF devices
- Adding Other Devices
- Adding IBM iseries(AS400) devices
- Adding VMware(Exsi) devices
- Adding vCenter
- Adding Application Sources
- Adding AWS EC2 Windows instance
Configuring, and enabling logging/auditing in sources
- Enabling Microsoft Windows Firewall logging
- Enabling Hyper V logging
- Enabling IBM iSeries audit logs
- Enabling Stackato Logging
- Configuring McAfee solutions for analysis
- Configuring External Applications
- Configuring Scaler NSS
Configuring Syslog Service
- On a UNIX device
- On a Mac OS device
- On a HP-UX/Solaris/AIX device
- On a VMware
- On Arista Switches
- On Cisco Switches
- On HP Switches
- On Cisco devices
- On Cisco Firepower devices
- On Sonicwall devices
- On Juniper devices
- On PaloAlto devices
- On Fortinet devices
- On CheckPoint devices
- On NetScreen devices
- On Watchguard devices
- On Sophos devices
- On Cyberoam devices
- On Barracuda devices
- On Barracuda Web Application Firewall
- On Barracuda Email Security Gateway
- On Huawei Firewall devices
- On Malwarebytes devices
- On Meraki devices
- On FireEye devices
- On pfSense devices
- On Symantec DLP devices
- On Symantec Endpoint Protection devices
- On H3C devices
- On StormShield devices
- On F5 devices
- On Trend Micro - Deep Security
- On Forcepoint devices
- On Dell devices
User Interface
- Tabs
- Dashboard Views
- Customize Dashboard Views
EventLog Analyzer Reports
- Reports - Overview
- Configuring out-of-the-box reports
- Managing Predefined Reports
- Managing Report Views
- Create Custom Reports
- Schedule Reports
- Mark report as favourite
- Available Reports
Threat Intelligence Data Analytics
- Overview
- FireEye Threat Solutions
- Symantec Endpoint Solutions
- Symantec DLP Applications
- Malwarebytes Solutions
- CEF format
Vulnerability Data Analytics
- Overview
- Vulnerability reports
Real-time Event Correlation
- Understanding Correlation
- Correlation Reports
- Last Ten Incidents Overview
- Activity Reports
- Creating Custom Correlation Rules
- Managing Correlation Rules
Compliance Reports
- Configuring, editing, and scheduling compliance reports
Search Logs
- Overview
- How to Search Logs
- How to Extract New Fields
- How to Tag Fields
Alerts
- Overview
- Create Alert Profile
- View Log Alerts
- Alert Notification & Remediation
- Ticketing Tools Integration
- Manage alert Profiles
Incident Management
- Create and assign workflow profiles
- Incident Workflow Management
Framework Integration
- MITRE ATT&CK TTP(S) Framework Integration
Configurations
- What’s in this section
- Device Management
- Manage Applications
- File Integrity Monitoring
- Manage Threat Source
- Adding custom threat sources
- Advanced Threat Analytics
- Threat Whitelisting
- Manage Vulnerability Data
- Device Group Management
- Manage vCenter
- Log Forwarder
Admin Settings
- Admin Settings
- Privacy Settings
- Agent Administration
- Archive
- Technicians and Roles
- Logon Settings
- Domains and Workgroups
- Working Hour Settings
- Product Settings
- DB Retention Settings
- Log Collection Filter
- Log Collection Alerts
- Report Profiles
- Resource Grouping
- Custom Log Parser
- Tags
- Dashboard Profiles
System Settings
- System Settings
- Notification Settings
- Manage Account TFA
- NT Service
- Connection Settings
- Re-branding
- Server Diagnostics
- Database Access
- Reset Log Collector
- Log Level Settings
- Port Management
Help, Questions, and Tips
- Troubleshooting Tips
- Frequently Asked Questions
- EventLog Analyzer Help
Additional Utilities
- Additional Utilities
- Working with HTTPS
- Configure MS SQL Database
- Migrate data from PostgreSQL to MS SQL database
- Migrate data from MySQL to MS SQL database
- Move Database to Different Directory in the Same Server
- Move Installation to Another Machine
- Log360 Cloud Configurations
Distributed Edition
- Introduction to Distributed Edition
- Converting standalone installation to Admin Server
- Converting standalone installation to Managed Server
- Frequently Asked Questions
Technical Support
- Technical Support
- Create SIF offline
- Contact Support

Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Reports	New keys	Audit policies	Other prerequisites
Application Whitelisting Reports	Microsoft-Windows-AppLocker/EXEandDLL Microsoft-Windows-AppLocker/MSI and Script	Enable AppLocker under Application Control Policies	Start the service Application Identity. On creation of the two new keys, a event source Microsoft-Windows-AppLocker/EXEandDLL will be created on the left panel. Right click on the event source, click Properties, and copy the Log path. Then navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/EXE and DLL, and create an expandable string value with name File. Use the copied log path from the previous step as Value data. Configure the Executable rules, Windows Installer rules, and Script rules under the mentioned audit policies. Restart the machine.
Windows Firewall Auditing Reports	Microsoft-Windows-Windows Firewall With Advanced Security/Firewall	Enable Audit MPSSVC Rule - Level Policy change, under Advanced Audit Policy Configuration > Policy Change.
Removable Disk Auditing	Microsoft-Windows-DriverFrameworks-UserMode/Operational	Enable Audit Handle Manipulation and Audit Removable Storage, under Advanced Audit Policy Configuration > Object Access.	Set SACL for the removable disk by right-clicking on the required folder and navigating to Property > Security tab > Advanced > Auditing.
Registry changes		Enable Audit Registry, under Advanced Audit Policy Configuration > Object Access.	Set SACL for the registry key by right-clicking on the required registry and navigating to Permission > Advance > Auditing in Registry Editor.
Windows Backup & Restore Reports	Microsoft-Windows-Backup	No modification required.
Windows System Events	Microsoft-Windows-GroupPolicy/Operational Microsoft-Windows-NetworkProfile/Operational Microsoft-Windows-WindowsUpdateClient/Operational Microsoft-Windows-Winlogon/Operational Microsoft-Windows-WLAN-AutoConfig/Operational Microsoft-Windows-TerminalServices-Gateway/Operational Microsoft-Windows-TerminalServices-RDPClient/Operational Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational Microsoft-Windows-Wired-AutoConfig/Operational	No modification required.
Hyper-V Server Events Hyper-V VM Management Reports	Microsoft-Windows-Hyper-V-Worker-Admin Microsoft-Windows-Hyper-V-VMMS-Storage Microsoft-Windows-Hyper-V-VMMS-Networking Microsoft-Windows-Hyper-V-VMMS-Admin Microsoft-Windows-Hyper-V-Hypervisor-Operational	No modification required.
Program Inventory Reports	Microsoft-Windows-Application-Experience/Program-Inventory	No modification required.
IIS	Microsoft-IIS-Configuration/Operational	No modification required.	To access IIS reports, open EventLog Analyzer and navigate to Reports > IIS W3C web server > IIS Admin Configuration Reports.
Print service	Microsoft-Windows-PrintService/Operational, Microsoft-Windows-PrintService/Admin	No modification required.
Terminal	Microsoft-Windows-TerminalServices-Gateway/Operational	No modification required.

Help Document

Setting up Windows Event Log Reports

Setting up Windows report generation