Event Viewer

------

Event Viewer

https://www.youtube.com/playlist?list=PLS9E34605Q8IoYghU-dHVedr1sG_pG40G

RUN- gpedit.msc - Computer Configuration - Windows Settings - Security Settings - Local Policies

- Audit Policy - Select all ( Success and Failure ) + Start - cmd - gpupdate /force --- Restart

+ Start - Event Viewer - Windows Logs - Security - Filter Current Log... - Check all Event level - All Event IDs : 4624 - OK

Windows  An attempt was made to reset an account's password

 Event ID 4724  &  4723 and 627

Event ID 4624 - Logged Into My Computer- 

Event ID 6008 - shutdown unexpected

Event ID 1074 - Operating system shutdown ( or Restart )

Event ID 5145 - Audit File Server running Windows Server ( Workgroup )

In the Filter Current Log dialog box, create a filter to only find password change events using the following criteria and click on OK.

• • Event IDs: 4723,4724,4740,4767

  • Task Category: User Account Management.

Find Audit Events with PowerShell

Get-WinEvent -ComputereName <YOUR DC> -LogName 'Security' -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13824 and (EventID=4723 or EventID=4724 or EventID=4740 or EventID=4767)]]"

Run->PowerShell

Get-WinEvent  -LogName 'Security' -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13824 and (EventID=4723 or EventID=4724 or EventID=4740 or EventID=4767)]]"

There are two main Event IDs in which to check, 680 and 627.  First, check the Event Viewer Security Log Event ID 680.  You will see associated with this Event ID the following "Logon attempt by:  "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0".

Run GPMC.msc (url2open.com/gpmc) → open "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:

Audit account management → Define → Success and Failure.

Run GPMC.msc → open "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → Define:

Maximum security log size to 1GB

Retention method for security log to Overwrite events as needed

Modify maximum Log size using Group Policy in Windows Server 2016

• Maximum log size (KB): value between 1024 (1 MB) and 4194240 (4Gb). It also must be a multiple of 64KB

1. Prepare

- DC21 : Domain Controller ( worldcm.net )

2. Step by step

- DC21 : Increase maximum Log size upto 102400 KB (default is 1024 KB) for servers belong "File Server" OU

  + Server Manager - Tools - Group Policy Management - worldcm.net - Right-click "File Server" OU

    - Create a GPO in this domain, and Link it here... - Name : Increase maximum Log size - OK

    - Right-click "Increase maximum Log size" - Edit... - Computer Configuration - Policies

    - Administrative Templates - Windows Components - Event Log Service :

       + Application - Specify the maximum log file size (KB) : Enable, Maximum Log Size (KB) : 102400 KB - OK

       + Security    - Specify the maximum log file size (KB) : Enable, Maximum Log Size (KB) : 102400 KB - OK

       + Setup       - Specify the maximum log file size (KB) : Enable, Maximum Log Size (KB) : 102400 KB - OK

       + System      - Specify the maximum log file size (KB) : Enable, Maximum Log Size (KB) : 102400 KB - OK

  + Start - cmd - gpupdate /force

  + Check Log Size :

    + Click File Explorer - This PC - C: drive - Windows - System32 - winevt - Logs

                                 --------------------X--------------

Configure the event log size and retention method

• 1. On a target server, navigate to Start → Windows Administrative Tools (Windows Server 2016 and higher) or Administrative Tools (Windows 2012) → Event Viewer.

  2. Navigate to Event Viewer tree → Windows Logs, right-click Security and select Properties.

  3. Make sure Enable logging is selected.

  4. In the Maximum log size field, specify the size you need.

  5. Make sure Do not overwrite events (Clear logs manually) is cleared. If selected, change the retention method to Overwrite events as needed (oldest events first).

  6. NOTE: Make sure the Maximum security log size group policy does not overwrite your log settings. To check this, start the Group Policy Management console, proceed to the GPO that affects your server, and navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Event Log.

     1. Repeat these steps for the following event logs:

        1. • Windows Logs → Application

           • Windows Logs → System

                                             -----------------X----------------

1. Log in to the computer using a user account with domain administrator privileges.

2. Open a command prompt, type gpmc.msc and press Enter to start the Group Policy Management Console.

3. Expand Forest > Domains > domainName > Domain Controllers.

4. Right-click Default Domain Controllers Policy, and then click Edit.

5. Expand Computer configuration > Policies > Windows Settings > Security Settings.

6. Select Event Log and configure Maximum security log size to a size of no less than 196608 KB.

7. Configure Retention method for security log to Overwrite events as needed.

8. Return to the command prompt, type gpUpdate, and then press Enter.

To verify this configuration and ensure Active Directory events are not discarded before processing:

1. Open a command prompt as an administrator.

2. At the command line, type eventvwr to start the Event Viewer.

3. In Windows logs, right-click Security, and select Properties.

4. Verify the settings reflect a maximum log size of no less than 196608 KB, and the selection to Overwrite events as needed.

Configure Windows logs with GPO

The GPO provides a way to manage settings in Computer Configuration ->Administrative Templates ->Windows Components ->Event log Service  [Application-security-Setup-System]  -  -> specify the maximum log size

----