Why do I need to configure the Windows event log audit policy and how do I make sure that I capture the correct events?
*The Splunk Product Best Practices team provided this response. Read more about [How
The Windows default event log configuration may not generate log data for the events you need. Therefore, it's a best practice to review the Recommended Audit Policies by Operating System on the Microsoft website and make the required changes for your deployment.
If you're new to collecting Windows endpoint event log data with the Splunk platform, then review Monitor Windows event log data in the Getting Data In manual and What are the best practices for installing Splunk on Windows endpoints?
Changing your Windows event log audit policy impacts the event log traffic. If you need to change the audit policy, use the Group Policy feature or the configuration management tools of your choice. To see an example of using the group policy objects (GPO), see the Step-By-Step: Enabling Advanced Security Audit Policy via DS Access blog post on the Microsoft | TelNet website.
See How do I collect basic Windows OS Event Log data from my Windows systems? for best practices for collecting Windows end point log data with the Splunk platform.
Change the default settings to the baseline or stronger audit policy settings to meet the needs of your deployment. Configure non-standard logging to meet your security use case requirements. For example, if
your corporate policy prohibits using a USB or external devices, then enable the Audit Removable Storage. For example, see Monitor the use of removable storage devices on the Microsoft website.
Consider testing the changes before adding them to your production environment. To test the changes, view the event logs to ensure the required messages display or review the related Microsoft documentation to find a procedure to verify your changes.
*The Splunk Product Best Practices team provided this response. Read more about [How
The Windows default event log configuration may not generate log data for the events you need. Therefore, it's a best practice to review the Recommended Audit Policies by Operating System on the Microsoft website and make the required changes for your deployment.
If you're new to collecting Windows endpoint event log data with the Splunk platform, then review Monitor Windows event log data in the Getting Data In manual and What are the best practices for installing Splunk on Windows endpoints?
Changing your Windows event log audit policy impacts the event log traffic. If you need to change the audit policy, use the Group Policy feature or the configuration management tools of your choice. To see an example of using the group policy objects (GPO), see the Step-By-Step: Enabling Advanced Security Audit Policy via DS Access blog post on the Microsoft | TelNet website.
See How do I collect basic Windows OS Event Log data from my Windows systems? for best practices for collecting Windows end point log data with the Splunk platform.
Change the default settings to the baseline or stronger audit policy settings to meet the needs of your deployment. Configure non-standard logging to meet your security use case requirements. For example, if
your corporate policy prohibits using a USB or external devices, then enable the Audit Removable Storage. For example, see Monitor the use of removable storage devices on the Microsoft website.
Consider testing the changes before adding them to your production environment. To test the changes, view the event logs to ensure the required messages display or review the related Microsoft documentation to find a procedure to verify your changes.