How to enable auditing in Windows

There are several different ways to enable auditing in Windows. Before you read on, make sure you understand the difference between legacy and advanced ("audit policy subcategory settings") auditing, the latter of which was introduced with Windows Vista. It is recommended to configure all systems to use the newer subcategory-based auditing.


Legacy vs Advanced

In Windows Vista, Microsoft introduced new event IDs (along with an overhaul of the underlying event logging architecture) as well as more granular audit settings. This gives users significantly more control over what is being audited, which can greatly reduce the noise in the security event log.

For example, instead of just having an "Object Access" category which covers just about any type of object auditing (file, registry, ...), there are now more than 10 different subcategories available. With advanced auditing it is possible to audit only File System access while suppressing the Windows Firewall audit events that can quickly fill up the security event log.


Enabling Auditing

1. AUDITPOL.EXE

auditpol.exe is a command-line utility included with Windows that lets you view as well as change the current audit settings. It's the best troubleshooting tool to determine which audit settings are currently active. Changing the audit policy with auditpol is only recommended for stand-alone hosts; group policy is the best way to manage auditing in a domain.

To view all current audit settings on a system run:
   C:\> auditpol.exe /get /category:*

To set audit settings on a system run:
   C:\> auditpol /set /subcategory:"[Name Of Subcategory]" /success:enable /failure:enable

2. Local Security Policy

The "secpol.msc" MMC Snap-In (aka "Security Settings") allows you to view and configure the local audit settings using MMC. To launch the utility, press Windows Key + R and type "secpol.msc". There, first navigate to Local Policies -> Security Options and make sure that "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled.

Then, navigate to Advanced Audit Policy Configuration -> System Audit Policies to customize the actual audit settings. Please note that audit settings shown in this MMC snap-in may not actually be effective if the local audit settings are being overwritten by domain-wide group policy settings (see (3) below). Auditpol.exe is the most accurate way to view the currently active audit settings on a system.
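
The following PowerShell sketch is an added example, not part of the original page: it checks whether the "Force audit policy subcategory settings" option is enabled and compares the effective policy reported by auditpol.exe against a desired baseline. The baseline values are constructed for illustration, and the subcategory names assume an English-language system (the "Subcategory GUID" column in the CSV output is language independent).

```powershell
# Added example: compare the effective audit policy with a desired baseline.
# Run from an elevated PowerShell prompt (auditpol needs administrative rights).

# Constructed baseline (assumption): adjust to your own requirements.
$baseline = @{
    'File System'                   = 'Success and Failure'
    'Filtering Platform Connection' = 'No Auditing'
    'Logon'                         = 'Success and Failure'
}

# 1. Is "Audit: Force audit policy subcategory settings ..." enabled?
#    The security option is stored as SCENoApplyLegacyAuditPolicy (1 = enabled).
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
            -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -ne 1) {
    Write-Warning 'Subcategory override is not explicitly enabled; legacy category settings may apply.'
}

# 2. Read the effective policy. The /r switch makes auditpol print CSV.
$raw = auditpol.exe /get /category:* /r
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
$effective = $raw | Where-Object { $_.Trim() } | ConvertFrom-Csv

# 3. Report every baseline entry with its effective setting.
$report = foreach ($name in $baseline.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { '<not found>' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $baseline[$name]
        Actual      = $actual
        Compliant   = ($actual -eq $baseline[$name])
    }
}
$report | Sort-Object Subcategory | Format-Table -AutoSize
```

Because the script reads what auditpol.exe reports, it shows the settings that are actually in effect, including any that a domain GPO has overwritten.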


3. Group Policy

The best way to configure audit policy settings in a domain is to create a new group policy object with the appropriate audit settings and apply it either globally or to selected OUs. To create a new audit policy GPO, follow these steps:

  • A) Open the "Group Policy Management Editor"
  • B) Right-click the domain and select "Create a GPO in this domain, and Link it here..."
  • C) Give the new GPO a descriptive name, e.g. "Audit Policy" or "Auditing Domain Controllers"
  • D) Right-click the newly created GPO and select "Edit"


Advanced auditing is enabled under:
   Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies ->
     Security Options ->
        Audit: Force audit policy subcategory settings to override audit policy category settings


The actual audit settings are configured under:
   Computer Configuration -> Policies -> Windows Settings -> Security Settings ->
    Advanced Audit Policy Configuration -> Audit Policies
