Big thanks go out to the folks at SANS Institute for their write-up on Detecting Security Incidents Using Windows Workstation Event Logs, which provided the guidance for this article on Windows Event Logs Intrusion Detection. These are the basics of creating Custom Views in Event Viewer on Microsoft Windows 2012; the actual monitoring for these events should be done by more capable log parsing software, which is beyond the scope of this article. Here are the basic steps towards finding these events:
Create Windows Event Logs Intrusion Detection Custom View
- Open Event Viewer
- Right click on Custom Views then choose “Create Custom View…”
- Make sure to select all event levels and all Windows Logs
- Add the following event id numbers into the space provided:
1001,4624,4625,4657,4688,4697,4698,7034,7035,7036,7040,64004
- Click OK. Give the Custom View a name then Click OK again.
- Right click on the newly created Custom View and select “Attach Task To This Custom View…”
- Work through the wizard-based interface and select the desired task. Email is a nice one but is deprecated and will require the setup of an SMTP relay unless there is an onsite Exchange server or a dedicated email setup for this purpose with your email provider.
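The same filter the Custom View dialog builds, expressed as an Event Log XML query and run from PowerShell, as an added example that is not part of the original article or the SANS paper. It assumes the three standard logs (Application, Security, System) and an elevated prompt, since the Security log needs administrator rights to read; the generated QueryList can also be pasted straight into the XML tab of the "Create Custom View..." dialog.

```powershell
# Added example: reproduce the Custom View above as an XML query, run it, and
# count hits per event ID so a spike (e.g. many 4625 failed logons) stands out.
# Assumption: the three logs below; add 'Setup' or 'ForwardedEvents' if wanted.
$EventIds = 1001,4624,4625,4657,4688,4697,4698,7034,7035,7036,7040,64004
$Logs     = 'Application','Security','System'
$HoursBack = 24   # same as "Logged: Last 24 hours" in the dialog

# XPath predicate: "(EventID=1001 or EventID=4624 or ...)", limited by time.
# timediff() is in milliseconds, which is how Event Viewer writes it.
$idTest   = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$timeTest = "TimeCreated[timediff(@SystemTime) <= $($HoursBack * 3600 * 1000)]"
$selects  = $Logs | ForEach-Object {
    "    <Select Path=`"$_`">*[System[($idTest) and $timeTest]]</Select>"
}

# One <Select> per log inside a single <Query>, as Event Viewer exports it.
$Query = @"
<QueryList>
  <Query Id="0" Path="$($Logs[0])">
$($selects -join "`n")
  </Query>
</QueryList>
"@

# Save the query so it can be imported into Event Viewer or reused by a job.
$Query | Set-Content -Path "$env:USERPROFILE\IntrusionDetectionView.xml" -Encoding UTF8

# Run it; SilentlyContinue avoids an error when a log simply has no matches.
$events = Get-WinEvent -FilterXml $Query -ErrorAction SilentlyContinue

# Summarise: which IDs fired, how often, and in which log.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventID'; e={$_.Name}},
                  Count,
                  @{n='Log'; e={($_.Group | Select-Object -First 1).LogName}} |
    Format-Table -AutoSize
```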
These are just the basics; the article from SANS goes into greater depth on how to configure event log monitoring software to parse these for you. Better yet, contact us to set up remote monitoring and maintenance to do the heavy lifting for you.
Hello, I have a problem with all events 4624, 4634, 4648, 4672 … all events that are related to connections and disconnections are not registered at all in my event manager, and have not been for about 1 year; before that everything went well! Does somebody have an idea?