How to audit windows 10 application logs
The Audit feature in Windows 10 is a useful carryover from prior Windows versions. It allows Windows 10 users and administrators to view security events in an audit log for the purpose of tracking, system and security events.
This primer article will detail what the Windows application log is and where it is viewed. In addition, we will explore the importance of logging and auditing, how to enable auditing on your Windows 10 system, and how to view the security event log.
What is the Windows application log?
Windows has given users and administrators ongoing access to logs to better understand system and security events. The application log is used to record events written by applications and services. These applications may be proprietary/commercial applications (including SQL Server) and applications developed by your organization.
Events that can be logged include a whole host of application events, from application startup events to run-time error events. Support specialists may request access to your application log to help them assess an application issue.
Where can you find the application log?
Microsoft has carried over Event Viewer to Windows 10. To easily access Event Viewer, type “Event” into the Windows 10 Cortana search bar, then click on “Event Viewer” when it appears in your search results. After Event Viewer opens, select “Windows Logs” from the console tree on the left-hand side, then double-click on “Application” in the console tree. Your Windows 10 application log will appear.
The application log will record certain information about application events. This information includes:
- Log name
- Source
- Event ID
- Level
- User
- The time that the event was logged
What events does it typically record? Here is a list of typically recorded events:
- Applications starting
- Application exceptions
- SQL logs
- Major application events including restarts, stopping and other security events
- Select debugging information
This information can then be used by auditors, information security professionals and support specialists to further investigate application events on your Windows 10 system.
The importance of logging and auditing
Logging and auditing work symbiotically as access control, ensuring only authorized activities occur. They play a pivotal role in identifying, preventing and stopping unwanted activities and provide an audit trail that can be used in investigations.
Logging is perishable (logs can be deleted, modified and so on), but auditing is considered a more permanent method of recording and storing events.
How to audit Windows 10 application logs
These are the steps to audit your application log on a Windows 10 system.
Enable auditing
The first step to auditing is to enable the auditing feature in Windows 10. To enable this, enter “CMD” in the Cortana search bar. Right-click on the Command Prompt option when it pops up and select Run as Administrator (which will require administrator credentials). Once the CMD prompt pops up, run the following command: Auditpol /set /Category:System /failure:enable. Then restart your system so this change will take effect.
Set audit policy
The next step is to set the audit policy to frame for what your auditing will capture. Pull up the Local Group Policy Editor and fire up your CMD prompt again. Once it is up, type gpedit.msc and click on OK.
Navigate to Audit Policy, which can be found at Computer Configuration ➝ Windows Settings ➝ Security Settings ➝ Local Policies ➝ Audit Policy. At this point you will be presented with the audit configurations which you use to set audit parameters. Double-click on them on the right side of the Local Group Policy Editor. You can set these items to be audited upon success or failure.
How to view the security event log
With the Windows 10 auditing feature enabled and your audit policy set, you can start looking at recorded events. To find the security event log, open Event Viewer. With Event Viewer open, expand the console tree and click “Security.”
Please note: Without your Auditing feature properly enabled and audit policy set, this log will be blank.
Conclusion
Application log audits are a valuable source of information for events concerning various Windows 10 applications, including the all-powerful SQL Server. While Windows 10 has a useful Audit feature, it needs to be properly enabled with the appropriate audit policy set before you can use this feature in audits, investigations and the like.
If concerning application events are occurring or if you suspect they may be, auditing Windows 10 application logs should help diagnose the issue.
Sources
- View the security event log, Microsoft
- How to check if someone logged into your Windows 10 PC, Windows Central
- Logging and Monitoring Best Practices, Solarwinds MSP
- What is the Purpose of the Application Event Log?, Tips.Net
In this Series
- How to audit windows 10 application logs
- Comparing Linux+ and RHCSA/RHCE operating system security certifications
- Android security: Everything you need to know [Updated 2021]
- Application sideloading in Windows 10
- Web Browser Security in Windows 10
- How to use Local Group Policy to secure Windows 10
- How to use Microsoft DirectAccess
- How to protect a Windows 10 host against malware
- CA Installation and Use in Windows 10
- Certificates overview and use in Windows 10
- How to Use Windows 10 Action Center and Security & Maintenance App for Hardening
- Data Security in Windows 10: NTFS Permissions (Standard)
- 6 windows event log IDs to monitor now
- How to audit Windows 10 security logs
- How to audit Windows 10 system logs
- App isolation in Windows 10
- Windows Supported wireless encryption types
- How to use Assigned Access in Windows 10
- How to configure password policies in Windows 10
- Data execution prevention (DEP) in Windows 10
- How to use Windows 10 quick recovery options
- How to use Disk Quotas in Windows 10
- Data Security in Windows 10
- How to use AppLocker in Windows 10
- How to configure internet options for local group policy
- How to configure Windows 10 firewall
- Windows 10 security features
- How To Use Microsoft Edge Security Features
- How to use BitLocker in Windows 10 (with or without TPM)
- Encrypted file system (EFS) in windows 10
- Share permissions in Windows 10
- Understanding Windows Services
- Windows 10 Auditing Features
- How to use Protected Folders in Windows 10
- How to configure VPN in Windows 10
- How to configure UAC in Windows 10
- Domain vs workgroup accounts in Windows 10
- Bluetooth security in Windows 10
- Single Sign-On in Windows 10
- Connecting to secure wireless networks in Windows 10
- MAC filtering in Windows 10
- Admin vs non-admin accounts in Windows 10
- Types of user accounts in Windows 10 (local, domain, Microsoft)
- How to use Windows Recovery Environment
- How to use Windows Backup and Restore Utility
- How to use Microsoft passport in Windows 10
- Driver Security in Windows 10
- How to use Credential Manager in Windows 10
- How to configure Picture Passwords and PINs in Windows 10
- How to use credential guard in Windows 10
- Application Management in Windows 10
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Operating system security
Comparing Linux+ and RHCSA/RHCE operating system security certifications
Operating system security
Android security: Everything you need to know [Updated 2021]
Operating system security
Operating system security