This repository contains Windows Event Forwarding subscriptions, configuration files and scripts that are referenced by ACSC's protect publication, Technical Guidance for Windows Event Logging.
The repository is structured by having a matching folder per event category from the publication. This contains the subscriptions and as required other configuration files or scripts.
Subscriptions are added to the log collection server and determine which events are forwarded. They are named with a consistent suffix, _sub.xml, to make it easier to programmatically add subscriptions.
Subscriptions in this repository are created with the following configuration:
There are two small PowerShell scripts that simplify the process of adding subscriptions:
Sysmon provides greater visibility of system activity than standard Windows logging. The configuration file, subscriptions and an example MSI are included in events/sysmon.
The Sysmon configuration, events/sysmon/sysmon_config.xml should suit many different environments but may need to be tweaked in some cases. The file contains comments and links that may help in doing this.
There are instructions contained within events/sysmon/msi/README.txt on how to build a Sysmon MSI, which may simplify the deployment of Sysmon. The resulting MSI should be tested before a domain-wide rollout.
Windows Management Instrumentation (WMI) requires additional configuration, which is enabled by running the PowerShell script events/wmi_auditing/wmi_auditing.ps1. This script sets auditing records (SACLs) on sensitive WMI nodes, and when these nodes are accessed and the Audit Other Object Access option is enabled, WMI auditing logs are produced.
© Commonwealth of Australia 2017