Event Log

Category:

  • Application Logs: Events related to the installed applications are stored here.

  • Security Logs: Events related to session logon/logoff, successful/failed RDP connections, services installed, tasks created, etc. are stored here.

  • System Logs: Events related to hardware states, drivers, etc. are stored here.

  • Setup: The setup log contains events that occur during the installation of the Windows operating system. On domain controllers, this log will also record events related to Active Directory.

  • Forwarded Events: Contains event logs forwarded from other computers in the same network.

🔐 Location: %SystemRoot%\System32\winevt\

Level:

  • Information: This event type means that an operation was successfully completed and a general description of it is recorded.

  • Warning: This event type means that there is some kind of minor problem that may lead to bigger issues later.

  • Error: This type of event means that a problem occurred causing a loss of functionality.

  • Critical: Indicates a significant issue in an application or a system needing urgent attention.

  • Verbose: Indicates progress or success messages for a particular event.

Keyword:

  • Audit Success: This event type means that an audited security access attempt succeeded.

  • Audit Failure: This event type means that an audited security access attempt failed.

Tool:

  • Event Viewer

  • wevtutil

  • Get-WinEvent

  • EvtxECmd
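A worked query tying the levels, keywords and tools above together. This is an added example, not part of these notes; it assumes a 24-hour window and uses a placeholder path for an offline .evtx copy.

```powershell
# Added example (not from the original notes): query events by the Level and
# Keyword values described above with Get-WinEvent and wevtutil.
# Level numbers and audit keyword bitmasks are the standard Windows values.
$since = (Get-Date).AddHours(-24)   # assumed time window

# Keyword bitmasks used by the Security log
$AuditSuccess = 0x20000000000000    # 9007199254740992
$AuditFailure = 0x10000000000000    # 4503599627370496

# 1. Audit Failure events in the Security log for the last 24 hours,
#    summarised by Event ID (Get-WinEvent errors if nothing matches, so
#    the error is suppressed and an empty result is acceptable)
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = $AuditFailure
    StartTime = $since
} -ErrorAction SilentlyContinue

$failures |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Critical (1) and Error (2) events from the System log (hardware/driver
#    problems), newest 20 only
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2
    StartTime = $since
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message

# 3. The same keyword filter against an offline .evtx file, e.g. a copy taken
#    from another host's winevt\Logs directory (placeholder path)
$evtx = 'C:\cases\HOSTNAME\Security.evtx'
if (Test-Path $evtx) {
    Get-WinEvent -FilterHashtable @{ Path = $evtx; Keywords = $AuditFailure } |
        Select-Object TimeCreated, Id, Message -First 10
}

# 4. Equivalent quick look with wevtutil: five most recent Security events,
#    newest first, rendered as text
wevtutil qe Security /c:5 /rd:true /f:text
```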

Other logs:

  • %SystemRoot%\System32\Dns\Dns.log

  • %SystemRoot%\System32\dhcp\DhcpSrv.log
