Windows Event Log

General Information

Term	Definition
Event	Any action/occurrence that can be identified by the system
Event Logging	Centralized logging for the OS and applications
Windows Event Log	The service that does the above for Windows

The main event log categories are:

• System

• Security

• Application

• Setup (AD events are logged here on DCs)

• Forwarded (from other LAN hosts).

The main event log types are: Error -> Warning -> Information -> Success Audit (e.g. successful login) -> Failure Audit (e.g. failed login attempt). There are also 5 severity levels: Critical (1) -> Error (2) -> Warning (3) -> Information (4) -> Verbose (5).

AD Event List, Windows Security Log Events

The Windows Event log is handled by the EventLog services, which has the Windows Event Log display name and runs under svchost.exe. It starts automatically at system boot and has multiple dependencies. The logs are stored in c:\windows\system32\winevt\logs with the evtx extension.

Interaction

wevtutil

# Enumerating log sources (el -> enum logs)
wevtutil el
# Log-specific configuration information (gl -> get-log)
wevtutil gl <log-name>
# Log status information (gli -> get log info)
wevtutil gli <log-name>
# Querying the 5 most recent events (qe -> query-events)
wevtutil qe Security /c:5 /rd:true /f:text
# Exporting the log file (epl -> export-log)
wevtutil epl System c:\system_export.evtx

Get-WinEvent

# Listing all logs
Get-WinEvent -ListLog *
# Log-specific information
Get-WinEvent -ListLog <log-name>
# Querying the 5 most recent events
Get-WinEvent -LogName '<log-name>' -MaxEvents 5 | Select-Object -ExpandProperty Message
# Querying the 5 oldest events
Get-WinEvent -LogName '<log-name>' -MaxEvents 5 -Oldest | Select-Object -ExpandProperty Message
# Filtering events IDs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4625'}
# Filtering based on severity
Get-WinEvent -FilterHashTable @{LogName='System';Level='1'} | Select-Object -ExpandProperty Message