This guide explains how to check the “Security Event Log” on Windows 10 by covering the following:
- What is the Windows Security Event Log?
- Elements of the Windows Security Event Log.
- Checking the Security Event Log in Windows 10.
What is the Windows “Security Event Log”?
Windows records activity from the operating system, installed applications and hardware in a set of event logs. The standard “Windows Logs” are Application, Security, Setup, System and Forwarded Events, and server roles add their own logs (for example the DNS Server log). The Security log is the one that matters for auditing: it records logon attempts, privilege use and access to audited objects such as files and shares, which is why it is the first place to look when investigating suspicious activity.
A security log includes the following information:
- Device Audit Policy
- Login Attempts
- Resource Access
The “Device Audit Policy” is the set of rules that determines which activities are tracked and written to a device’s security log; nothing is recorded for a category unless the audit policy enables it, so an empty log can mean “no auditing” rather than “no activity”. “Login Attempts” cover logon and logoff activity, while “Resource Access” covers attempts to read or modify audited system resources such as files, registry keys and network shares. By checking the security log for these events, you can detect suspicious activity that may pose a security risk and take the necessary steps to stop it.
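Because the audit policy decides what reaches the Security log at all, the first check a practitioner makes is whether the subcategories they care about are enabled. The PowerShell below is an added example, not code from the original article: it parses the CSV output of `auditpol /get /category:* /r` and reports which of a hypothetical required baseline (the `$Required` list is an assumption; adjust it to your own standard) are not auditing both success and failure. Subcategory names are the English ones; run it from an elevated prompt.

```powershell
# Added example (not from the original article): find audit-policy gaps that would
# leave the Security log silent. If "Logon" is "No Auditing", no 4624/4625 events
# are written no matter how carefully you read Event Viewer. Requires elevation.

function Get-AuditGaps {
    param(
        # Assumption: a minimal workstation baseline. Replace with your own list.
        [string[]]$Required = @(
            'Logon', 'Logoff', 'Credential Validation', 'Audit Policy Change',
            'File Share', 'Sensitive Privilege Use'
        )
    )
    # /r emits CSV with the header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # Blank lines are dropped so ConvertFrom-Csv sees the header first.
    $policy = auditpol /get /category:* /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv

    foreach ($name in $Required) {
        $row = $policy | Where-Object Subcategory -eq $name
        $setting = if ($row) { $row.'Inclusion Setting' } else { '(not found)' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            # Anything short of "Success and Failure" is reported as a gap:
            # a "Success"-only Logon policy never writes 4625 failed-logon events.
            Gap         = ($setting -ne 'Success and Failure')
        }
    }
}

Get-AuditGaps | Format-Table -AutoSize

# To close a gap, enable both outcomes for the subcategory, e.g. for Logon:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```

Run the report before trusting any absence of events in the Security log; a subcategory that shows `Gap = True` here explains why the corresponding event IDs never appear.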
Elements of Windows Security Event Log
The “Security Event Log” holds security-related records, including activity that could indicate the system is under attack. For example, repeated failed logon attempts for one account can indicate password guessing, and unauthorized access to sensitive files can suggest a data breach in progress. Reviewing the “Security Event Log” for such events is recommended; every entry carries the following elements, which are what you filter and interpret when doing so:
- Date/Time of the event.
- An Event ID that identifies the type of event (for example 4625 for a failed logon).
- The source that generated the event (for Security events, Microsoft-Windows-Security-Auditing).
- The event’s task category (for example Logon or File Share).
- The user account related to the event.
- The name of the computer on which the event was logged.
- A detailed description, with the event’s data fields (account, logon type, source address and so on).
How to Check “Security Event Log” on Windows 10?
To check the “Security Event Log” on Windows 10, follow these steps:
Step 1: Open “Event Viewer”
First, press the “Windows + X” shortcut keys and click “Event Viewer” in the menu.
Step 2: Select “Windows Logs”
In the “Event Viewer” window, expand “Windows Logs” and select “Security” to list the log’s events.
Step 3: View Security Event Log
Double-click an event (or right-click it and choose “Properties”) to open its details. The “General” tab shows the Log Name, Source, Event ID, Level, User, Computer and Keywords together with the full description; the “Details” tab shows the same data as XML, which is the form used when filtering programmatically. Right-clicking the “Security” log itself and choosing “Properties” shows the log’s own attributes instead: its file path, current and maximum size, and creation, modification and access times.
Below is an example in which the event is a read operation performed on stored credentials (Event ID 5379). More information about any event can be viewed by clicking the “Event Log Online Help” link.
The “Audit Success” value in the “Keywords” field of event “5379” indicates that the read succeeded; a refused attempt would be recorded with “Audit Failure” instead.
The security log events most worth watching include:
- Event ID 4624 – An account was successfully logged on.
- Event ID 4625 – An account failed to log on.
- Event ID 4634 – An account was logged off.
- Event ID 4673 – A privileged service was called.
- Event ID 4768 – A Kerberos authentication ticket (TGT) was requested.
- Event ID 4771 – Kerberos pre-authentication failed (typically a wrong password for a domain account).
- Event ID 4776 – The computer attempted to validate the credentials for an account (NTLM); it is logged for both successful and failed validations, with a non-zero Error Code on failure.
- Event ID 4797 – An attempt was made to query the existence of a blank password for an account.
- Event ID 5140 – A network share object was accessed.
- Event ID 5143 – A network share object was modified.
- Event ID 5156 – The Windows Filtering Platform has permitted a connection.
- Event ID 5447 – A Windows Filtering Platform filter has been changed.
- Event ID 5379 – Credential Manager credentials were read by the user.
Filtering on these IDs turns the log into a security review: for example, listing the 4625 failed logon attempts shows which accounts are being targeted and from where, which helps protect the system against unauthorized access.
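Clicking through Event Viewer works for a single event, but reviewing the IDs listed above is easier from PowerShell. The script below is an added example, not code from the original article; it performs the same “Windows Logs => Security” lookup as the steps above with `Get-WinEvent`, labels the events with the list above, and then summarises failed logons (4625) by target account and source address. The `$WatchedIds` hashtable, the 24-hour window and the `$threshold` of 5 failures are assumptions to tune for your environment. Reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the original article): pull the watched event IDs from
# the Security log and summarise failed logons. Run from an elevated PowerShell.

# Assumption: the IDs from the list above that this report labels.
$WatchedIds = @{
    4624 = 'Successful logon'
    4625 = 'Failed logon'
    4634 = 'Logoff'
    4673 = 'Privileged service called'
    4768 = 'Kerberos TGT requested'
    4771 = 'Kerberos pre-authentication failed'
    4776 = 'NTLM credential validation'
    5140 = 'Network share accessed'
    5379 = 'Credential Manager credentials read'
}

# FilterHashtable is evaluated by the Event Log service, so this is far cheaper
# than Get-WinEvent | Where-Object. "No events found" is reported as an error by
# Get-WinEvent, which for a report is not worth stopping on.
$since  = (Get-Date).AddHours(-24)          # assumption: last 24 hours
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($WatchedIds.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

# Flatten one event into an object using the named EventData fields from its XML
# (the same data the "Details" tab shows). Names are stable across Windows
# versions; positional Properties[] indices are not.
function Convert-SecurityEvent {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        Meaning   = $WatchedIds[$Event.Id]
        # Keywords carry the Audit Success / Audit Failure outcome seen in Event Viewer.
        Outcome   = if ($Event.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']       # 2 interactive, 3 network, 10 RDP
        SourceIp  = $data['IpAddress']
        Status    = $data['Status']          # e.g. 0xC000006D = bad user name or password
    }
}

$parsed = $events | ForEach-Object { Convert-SecurityEvent -Event $_ }

# Overview: how many of each watched event in the window.
$parsed | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='Id'; e={ $_.Name }}, Count, @{n='Meaning'; e={ $WatchedIds[[int]$_.Name] }} |
    Format-Table -AutoSize

# Failed logons by account and source. One address failing against many accounts
# (spraying) or one account failing many times (guessing) is the pattern to chase.
$threshold = 5                              # assumption: tune for your environment
$parsed | Where-Object Id -eq 4625 |
    Group-Object Account, SourceIp |
    Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='Account / SourceIp'; e={ $_.Name }} |
    Format-Table -AutoSize
```

A `SourceIp` of `-` or `127.0.0.1` on a 4625 means the attempt was local or came through a path that does not populate the field (some service logons), so do not read an empty address as “no remote attacker”; check `LogonType` as well.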
Conclusion
To check the “Security Event Log” on Windows 10, press the “Windows + X” keys and navigate to “Event Viewer => Windows Logs => Security”. Each event’s ID, Keywords (Audit Success or Audit Failure), account and source details are what you use to spot possible breaches and other threats, provided the audit policy has the relevant subcategories enabled. This article discussed how to check the “Security Event Log” in Windows 10.