Windows Audit Logging: Alternatives to auditd

TL;DR

auditd is a powerful Linux auditing tool. Windows doesn’t have an exact equivalent, but several options provide similar functionality for tracking security events and system changes. This guide covers Event Tracing for Windows (ETW), Sysmon, and Windows Defender Audit Logging.

1. Understanding the Options

Before diving in, let’s quickly compare these tools:

  • Event Tracing for Windows (ETW): A low-level tracing system built into Windows. Very flexible but requires configuration and parsing.
  • Sysmon: Developed by Microsoft, Sysmon focuses on process creation, network connections, file modifications, and registry changes. Easier to set up than ETW.
  • Windows Defender Audit Logging: Part of the standard Windows security features; provides basic auditing information.

2. Using Event Tracing for Windows (ETW)

ETW is powerful but complex. You’ll need to define providers and sessions to capture specific events.

  1. Identify Providers: ETW uses ‘providers’, which are sources of event data (for example the kernel process, file and network providers). List the registered providers from an elevated prompt with wevtutil ep (enum-publishers); logman query providers prints the same list with each provider’s GUID.
    wevtutil ep
  2. Create a Session: Create a session to collect events from specific providers. You can use the xperf tool (part of the Windows Performance Toolkit) or PowerShell cmdlets. With xperf, the NT Kernel Logger session is enabled with kernel flags rather than provider names; this example records process, image-load and file I/O events and captures call stacks on file creates:
    xperf -on PROC_THREAD+LOADER+FILE_IO+FILE_IO_INIT -stackwalk FileCreate
  3. Stop the Session: Stop the session when you’ve collected enough data. xperf -d stops the kernel logger and merges the buffered trace into the named file.
    xperf -d MyTrace.etl
  4. Analyze the Trace: Use tools like Windows Performance Analyzer (WPA) to open and analyze the .etl file. WPA allows filtering, searching, and graphing of event data.

ETW requires significant expertise in Windows internals.
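The session lifecycle above, as an added example that is not part of the original post: it uses the built-in logman tool instead of xperf (logman needs no separate toolkit), enables a single real provider, and reads the resulting .etl back in PowerShell. The session name, file path and the commands run during the trace are constructed for the demonstration; run it from an elevated prompt.

```powershell
# Added example (not from the original post): capture process-start events with a
# short-lived ETW session via logman, then decode the .etl file in PowerShell.
# Assumptions: elevated PowerShell prompt; session name and output path are arbitrary.
$session = 'AuditDemo-Proc'                      # constructed session name
$etl     = Join-Path $env:TEMP 'proc-trace.etl'  # constructed output path

# Microsoft-Windows-Kernel-Process is a provider registered on every supported Windows build.
# Keyword 0x10 (WINEVENT_KEYWORD_PROCESS) limits it to process start/stop; level 0x4 = Informational.
# -ets starts the session immediately instead of defining a data collector set.
logman start $session -p 'Microsoft-Windows-Kernel-Process' 0x10 0x4 -o $etl -ets | Out-Null

try {
    # Generate some activity so the trace is not empty: two child processes.
    & cmd.exe /c ver | Out-Null
    & whoami.exe | Out-Null
    Start-Sleep -Seconds 1
}
finally {
    # Always tear the session down, otherwise it keeps running after the script exits.
    logman stop $session -ets | Out-Null
}

# Get-WinEvent reads .etl files directly; -Oldest is mandatory for trace files.
# Event ID 1 in this provider is ProcessStart.
$starts = Get-WinEvent -Path $etl -Oldest | Where-Object Id -eq 1

# Flatten the EventData <Data Name="..."> elements into name/value pairs so the
# fields can be addressed by name rather than by positional index.
$rows = foreach ($e in $starts) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Pid       = $data['ProcessID']
        ParentPid = $data['ParentProcessID']
        Image     = $data['ImageName']   # NT device path, e.g. \Device\HarddiskVolumeN\...\cmd.exe
    }
}

$rows | Format-Table -AutoSize
```

The same session can be left running as a circular buffer for continuous collection, but for ad-hoc investigation the start/stop pattern keeps the trace small and the provider keyword mask keeps out thread and image-load noise you did not ask for.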

3. Setting up Sysmon

Sysmon is generally easier to use than ETW.

  1. Download and Install: Download the latest version of Sysmon from Microsoft’s website (https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) and install it.
  2. Configure Sysmon: The core of Sysmon is its configuration file (SysmonConfig.xml). This file defines which events to log, what to exclude, and where to store the logs.

    Example Configuration Snippet (logs outbound network connections to any destination other than the loopback address; element names and the “is not” condition keyword follow the Sysmon schema):

    <Sysmon schemaversion="4.82">
      <EventFiltering>
        <RuleGroup name="Network connection success events" groupRelation="or">
          <NetworkConnect onmatch="include">
            <DestinationIp condition="is not">127.0.0.1</DestinationIp>
          </NetworkConnect>
        </RuleGroup>
      </EventFiltering>
    </Sysmon>
  3. Start Sysmon: Install and start the Sysmon service with your configuration file (use -c instead of -i to reload a changed configuration on an existing install).
    Sysmon.exe -accepteula -i SysmonConfig.xml
  4. Analyze Logs: Sysmon logs are typically written to the Windows Event Log (Application and Security). Use Event Viewer or a SIEM solution to analyze these logs.

Sysmon provides detailed event information without requiring deep system knowledge.
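Steps 2 to 4 above, as an added example that is not part of the original post or of Sysmon itself: the script checks that a configuration file is well-formed before applying it, installs or updates Sysmon, then summarises the network-connection events (Sysmon Event ID 3) the configuration snippet above would produce. It assumes Sysmon.exe and SysmonConfig.xml sit in the current directory and that it runs elevated.

```powershell
# Added example (not from the original post): validate and apply a Sysmon config,
# then triage Event ID 3 (NetworkConnect) from the Sysmon operational channel.
# Assumptions: elevated prompt; Sysmon.exe and the config file are in the current directory.
param(
    [string]$ConfigPath = '.\SysmonConfig.xml',
    [int]$Hours = 1
)

# 1. Refuse to apply a config that is not well-formed XML or has no <EventFiltering>.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw     # throws on malformed XML
if (-not $cfg.Sysmon.EventFiltering) { throw "No <EventFiltering> element in $ConfigPath" }
Write-Host "Config schema version: $($cfg.Sysmon.schemaversion)"

# 2. First run installs the service (-i); later runs only update the configuration (-c).
if (Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue) {
    & .\Sysmon.exe -c $ConfigPath
} else {
    & .\Sysmon.exe -accepteula -i $ConfigPath
}

# 3. Sysmon writes to its own channel, Microsoft-Windows-Sysmon/Operational.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3                                   # NetworkConnect
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 4. Flatten EventData into name/value pairs (Image, User, DestinationIp, ... are Sysmon field names).
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Image     = $data['Image']
        User      = $data['User']
        DestIp    = $data['DestinationIp']
        DestPort  = $data['DestinationPort']
        Initiated = $data['Initiated']             # 'true' = outbound from this host
    }
}

# 5. Triage view: which images reach the most distinct destinations?
$rows | Where-Object Initiated -eq 'true' |
    Group-Object Image |
    Select-Object Name, Count,
        @{ n = 'DistinctDest'; e = { ($_.Group.DestIp | Sort-Object -Unique).Count } } |
    Sort-Object DistinctDest -Descending |
    Format-Table -AutoSize
```

Validating the XML before calling Sysmon.exe matters because a broken configuration is rejected at load time, leaving the previous rules in force without any obvious error in the event log; the schema check is the cheapest way to catch that in a deployment script.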

4. Enabling Windows Defender Audit Logging

Windows Defender includes basic audit logging capabilities.

  1. Group Policy: Use Group Policy to configure the types of events to log (e.g., file access, registry changes). Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
  2. Event Viewer: Review audit logs in Event Viewer under Windows Logs > Security. Filter for events related to Windows Defender.

Windows Defender Audit Logging provides a basic level of auditing and is suitable for simple monitoring requirements.
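Steps 1 and 2 above, as an added example that is not part of the original post: it turns on the File System audit subcategory with the built-in auditpol tool (the command-line equivalent of the Group Policy path above), adds a SACL to a folder, and then reads the resulting Security-log events. The SACL step is the caveat practitioners most often miss: enabling the audit policy alone produces no object-access events until the object itself carries an audit entry. The folder path is constructed; run elevated.

```powershell
# Added example (not from the original post): enable file-system auditing, put a SACL on a
# folder, and review the resulting Security-log events (ID 4663, object access).
# Assumptions: elevated prompt; $Folder is a constructed path created for the demo.
$Folder = 'C:\AuditDemo'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1. Enable Object Access > File System (success and failure) and show the effective setting.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"

# 2. Add a SACL: audit write/delete attempts by anyone, inherited by files and subfolders.
#    Get-Acl -Audit and Set-Acl with audit rules both need SeSecurityPrivilege (elevation).
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Generate one audited access so there is something to find.
Set-Content -Path (Join-Path $Folder 'note.txt') -Value 'constructed sample'

# 4. Read 4663 ("An attempt was made to access an object") from the last hour.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten EventData into name/value pairs and keep only events under the audited folder.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ObjectName'] -like "$Folder*") {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object  = $data['ObjectName']
            Access  = $data['AccessMask']      # hex mask, e.g. 0x2 = WriteData/AddFile
            Process = $data['ProcessName']
        }
    }
}
$rows | Format-Table -AutoSize
```

Because every audited handle operation produces an event, scope SACLs to the directories that matter (configuration, credentials, web roots) rather than whole volumes, or the Security log will roll over before anyone reads it.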

5. Choosing the Right Tool

  • For detailed, custom tracing: ETW (requires expertise).
  • For comprehensive process/file/network monitoring with reasonable setup: Sysmon.
  • For basic security event logging: Windows Defender Audit Logging.