Security Hardening: Check Required Event Logs are Enabled

6fe1d89b-8e3e-49c2-9cc8-76cd1beb63ef

This script verifies that key Windows operational event logs are enabled on the local system. These logs provide visibility into core system activities such as PowerShell execution, DNS resolution, Group Policy changes, and remote desktop sessions. Ensuring these logs are enabled is essential for incident detection, threat hunting, and meeting compliance requirements such as STIG, NIST 800-53, PCI DSS, and CMMC.

The script checks the status of the following event logs:
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Bits-Client/Operational
Microsoft-Windows-GroupPolicy/Operational
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

If any of these logs are not enabled or cannot be found, the script will report a failure and exit with error code 1.
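One way to implement the check described above, written here as an added example rather than the catalog's own script. It uses the standard Get-WinEvent -ListLog cmdlet to read each log's configuration, treats a missing log the same as a disabled one, and exits 1 on any failure:

```powershell
# Added example (not the catalog's own script): verify that the required
# operational logs exist and are enabled; exit 1 if any is disabled or missing.
$requiredLogs = @(
    "Microsoft-Windows-PowerShell/Operational",
    "Microsoft-Windows-DNS-Client/Operational",
    "Microsoft-Windows-Windows Defender/Operational",
    "Microsoft-Windows-Bits-Client/Operational",
    "Microsoft-Windows-GroupPolicy/Operational",
    "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
)

$failures = @()
foreach ($name in $requiredLogs) {
    try {
        # -ListLog returns the log's configuration object. -ErrorAction Stop
        # turns "there is no such log" into a catchable exception instead of
        # a non-terminating error, so a missing log is reported as a failure.
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
        if (-not $log.IsEnabled) {
            $failures += "DISABLED:  $name"
        }
        else {
            Write-Output ("OK:        {0} (MaxSize={1} bytes, Records={2})" -f `
                $name, $log.MaximumSizeInBytes, $log.RecordCount)
        }
    }
    catch {
        $failures += "NOT FOUND: $name"
    }
}

if ($failures.Count -gt 0) {
    Write-Output "FAIL: $($failures.Count) required event log(s) are not enabled:"
    $failures | ForEach-Object { Write-Output "  $_" }
    exit 1
}

Write-Output "PASS: all required event logs are enabled."
exit 0
```

Run it from an elevated prompt so that the configuration of every log can be read; the exit code (0 or 1) is what a compliance scanner or scheduled task should key on, not the printed lines.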

Remediation

To enable missing logs:
Open an elevated PowerShell window.

Run the following command for each missing log:

wevtutil sl "<LogName>" /e:true

Example: wevtutil sl "Microsoft-Windows-PowerShell/Operational" /e:true

You can automate the remediation with PowerShell:

# Enable each required operational log; run from an elevated PowerShell window.
$logs = @(
    "Microsoft-Windows-PowerShell/Operational",
    "Microsoft-Windows-DNS-Client/Operational",
    "Microsoft-Windows-Windows Defender/Operational",
    "Microsoft-Windows-Bits-Client/Operational",
    "Microsoft-Windows-GroupPolicy/Operational",
    "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
)
# wevtutil sl <log> /e:true sets the log's "enabled" flag without changing its size or retention.
foreach ($log in $logs) { wevtutil sl $log /e:true }

Links:
PowerShell: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.5
DNS: https://blog.cleanbrowsing.org/dns-logging-for-security-and-performance-setup-analysis-and-compliance/
Windows Defender: https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Bits: https://attack.mitre.org/techniques/T1197/
Group Policy: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/security-auditing-overview
Terminal Services: https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/log-files-to-troubleshoot-rds-issues

MITRE ATT&CK: T1197