Nowadays any administrator or systems auditor wants to get all of the information about the events that may happen with X system. By default, none of this is configured on any windows distribution, however, the steps are simple.
This article it is based on Windows Server 2012 R2 operating system, (however the event viewer works on any Windows distribution, 7 /8 /8.1/10 etc.), referring to events, there are different types of events that generate different logs files that are sent to the event viewer for analysis with the following structure:
5. Forwarded events.
The previous screenshot shows an example of the event viewer, the tool that was implemented by Microsoft on it’s operating systems to monitor the entire system, each event, whether it is “Successful” or “Failed“, logon, log off, applications started, application failures, etc., it allows to obtain information more in-depth of the event in order to interpret the failure, as well as perform some troubleshooting tests based on the results.
How to enable the different types of events, based on two specifically “successful” event or “failure” ?
For this it is necessary to carry out the following steps:
> Type/Open “Local Security Policies”.
> Expand “Local Policies”.
> Select “Audit Policies”.
> Select in the window on the right the event that you wish to monitor with a double click and select its status, either: Successful or Failed.
> Click OK.
Once you have configured the events you want to monitor within the event viewer (see screenshot # 1 – Event Viewer) and after some minutes you can see more information of each event that you have just activated (successful / failed), also you can have some other applications or software configured to get that information for analysis, for example, ArcSight, Splunk, QRadar, etc.