Information Assurance Directorate

It is increasingly difficult to detect malicious activity, which makes it extremely important to monitor and collect log data from as many useful sources as possible. This paper provides an introduction to collecting important Windows workstation event logs and storing them in a central location for easier searching and monitoring of network health. The focus of this guidance document is to assist United States Government and Department of Defense administrators in configuring central event log collection and recommend a basic set of events to collect on an enterprise network using Group Policy.