Operating system security

How to audit windows 10 application logs

Greg Belding
April 28, 2020 by
Greg Belding

The Audit feature in Windows 10 is a useful carryover from prior Windows versions. It allows Windows 10 users and administrators to view security events in an audit log for the purpose of tracking, system and security events. 

This primer article will detail what the Windows application log is and where it is viewed. In addition, we will explore the importance of logging and auditing, how to enable auditing on your Windows 10 system, and how to view the security event log. 

Learn Windows 10 Host Security

Learn Windows 10 Host Security

Build your Windows skills with 13 courses covering Windows registry, services, processes, toolset and more.

What is the Windows application log?

Windows has given users and administrators ongoing access to logs to better understand system and security events. The application log is used to record events written by applications and services. These applications may be proprietary/commercial applications (including SQL Server) and applications developed by your organization. 

Events that can be logged include a whole host of application events, from application startup events to run-time error events. Support specialists may request access to your application log to help them assess an application issue.

Where can you find the application log?

Microsoft has carried over Event Viewer to Windows 10. To easily access Event Viewer, type “Event” into the Windows 10 Cortana search bar, then click on “Event Viewer” when it appears in your search results. After Event Viewer opens, select “Windows Logs” from the console tree on the left-hand side, then double-click on “Application” in the console tree. Your Windows 10 application log will appear.

The application log will record certain information about application events. This information includes:

  • Log name
  • Source
  • Event ID
  • Level
  • User
  • The time that the event was logged

What events does it typically record? Here is a list of typically recorded events:

  • Applications starting
  • Application exceptions
  • SQL logs
  • Major application events including restarts, stopping and other security events
  • Select debugging information

This information can then be used by auditors, information security professionals and support specialists to further investigate application events on your Windows 10 system.

The importance of logging and auditing

Logging and auditing work symbiotically as access control, ensuring only authorized activities occur. They play a pivotal role in identifying, preventing and stopping unwanted activities and provide an audit trail that can be used in investigations. 

Logging is perishable (logs can be deleted, modified and so on), but auditing is considered a more permanent method of recording and storing events.

How to audit Windows 10 application logs

These are the steps to audit your application log on a Windows 10 system.

Enable auditing

The first step to auditing is to enable the auditing feature in Windows 10. To enable this, enter “CMD” in the Cortana search bar. Right-click on the Command Prompt option when it pops up and select Run as Administrator (which will require administrator credentials). Once the CMD prompt pops up, run the following command: Auditpol /set /Category:System /failure:enable. Then restart your system so this change will take effect. 

Set audit policy

The next step is to set the audit policy to frame for what your auditing will capture. Pull up the Local Group Policy Editor and fire up your CMD prompt again. Once it is up, type gpedit.msc and click on OK. 

Navigate to Audit Policy, which can be found at Computer Configuration ➝ Windows Settings ➝ Security Settings ➝ Local Policies ➝ Audit Policy. At this point you will be presented with the audit configurations which you use to set audit parameters. Double-click on them on the right side of the Local Group Policy Editor. You can set these items to be audited upon success or failure.

How to view the security event log

With the Windows 10 auditing feature enabled and your audit policy set, you can start looking at recorded events. To find the security event log, open Event Viewer. With Event Viewer open, expand the console tree and click “Security.” 

Please note: Without your Auditing feature properly enabled and audit policy set, this log will be blank. 

Learn Windows 10 Host Security

Learn Windows 10 Host Security

Build your Windows skills with 13 courses covering Windows registry, services, processes, toolset and more.

Conclusion

Application log audits are a valuable source of information for events concerning various Windows 10 applications, including the all-powerful SQL Server. While Windows 10 has a useful Audit feature, it needs to be properly enabled with the appropriate audit policy set before you can use this feature in audits, investigations and the like. 

If concerning application events are occurring or if you suspect they may be, auditing Windows 10 application logs should help diagnose the issue.

Sources 

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.