Windows Security Event Log
Authentication, authorization, and security audit events including logons, privilege use, and policy changes
Quick Facts
Default Path (Linux): N/A
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings
Log Example
Default format: Windows Event Log Format
Example Log Entry
Event ID: 4624
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/20/2025 2:32:18 PM
Task Category: Logon
Level: Information
User: DOMAIN\admin
Computer: WORKSTATION01
Description: An account was successfully logged on.
Structure: XML-based binary format with structured fields
Paths by Platform
Available Formats
Windows Event Log Format (Default)
Example:
Event ID: 4624
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/20/2025 2:32:18 PM
Task Category: Logon
Level: Information
User: DOMAIN\admin
Computer: WORKSTATION01
Description: An account was successfully logged on.
Structure: XML-based binary format with structured fields
JSON (via log forwarder)
Example:
{"event_id":4624,"log_name":"Security","source":"Microsoft-Windows-Security-Auditing","timestamp":"2025-12-20T14:32:18.000Z","user":"DOMAIN\\admin","computer":"WORKSTATION01","logon_type":10}
Structure: Structured JSON from Winlogbeat, NXLog, or similar
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| EventID | integer | Unique identifier for the event type | 4624 |
| TimeCreated | datetime | When the event was generated | 2025-12-20T14:32:18.123Z |
| Computer | string | Computer name where the event occurred | WORKSTATION01 |
| SubjectUserName | string | Account name that performed the action | admin |
| SubjectDomainName | string | Domain of the subject account | DOMAIN |
| TargetUserName | string | Account name that is the target of the action | user1 |
| LogonType | integer | Type of logon (2=Interactive, 3=Network, 10=RemoteInteractive) | 10 |
| IpAddress | ip | Source IP address for network logons | 192.168.1.100 |
| IpPort | integer | Source port for network logons | 54321 |
| WorkstationName | string | Source workstation name | CLIENT01 |
| ProcessName | string | Process that initiated the event | C:\Windows\System32\lsass.exe |
Parsing Patterns
Collector Configurations
winlogbeat (yaml)
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4648, 4672, 4720, 4732
    processors:
      - drop_event.when.not.or:
          - equals.winlog.event_id: 4624
          - equals.winlog.event_id: 4625
          - equals.winlog.event_id: 4648
Configuration
Enable Logging
Enable via Group Policy or Local Security Policy
# Enable via auditpol
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Special Logon" /success:enable
Use Cases
User login tracking: monitor successful and failed logons.
Key fields: EventID, TargetUserName, IpAddress
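As an added example (not part of this page or of any collector's own code), a small Python detector that reads forwarder-style JSON events like the one shown above and implements the login-tracking use case: it groups 4625 failures by source IP and target user, flags bursts inside a time window, and reports any 4624 success from the same pair after the burst. The event lines are constructed, and the keys ip_address and target_user are assumed names for the IpAddress and TargetUserName fields.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: JSON lines as a forwarder (Winlogbeat/NXLog style) might emit them.
# Keys follow the JSON example on this page; "ip_address" and "target_user" are assumed names.
SAMPLE_EVENTS = r"""
{"event_id":4625,"timestamp":"2025-12-20T14:30:01.000Z","target_user":"user1","computer":"WORKSTATION01","logon_type":3,"ip_address":"192.168.1.100"}
{"event_id":4625,"timestamp":"2025-12-20T14:30:09.000Z","target_user":"user1","computer":"WORKSTATION01","logon_type":3,"ip_address":"192.168.1.100"}
{"event_id":4625,"timestamp":"2025-12-20T14:30:20.000Z","target_user":"user1","computer":"WORKSTATION01","logon_type":3,"ip_address":"192.168.1.100"}
{"event_id":4625,"timestamp":"2025-12-20T14:31:02.000Z","target_user":"user2","computer":"WORKSTATION01","logon_type":3,"ip_address":"192.168.1.101"}
{"event_id":4624,"timestamp":"2025-12-20T14:32:18.000Z","target_user":"user1","computer":"WORKSTATION01","logon_type":10,"ip_address":"192.168.1.100"}
{"event_id":4624,"timestamp":"2025-12-20T14:33:00.000Z","target_user":"svc_backup","computer":"WORKSTATION01","logon_type":3,"ip_address":"192.168.1.50"}
"""

def parse_events(text):
    """Parse JSON lines into dicts, adding a timezone-aware datetime under "ts", sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map (ip, user) -> time the threshold-th 4625 failure landed inside one window."""
    times = defaultdict(list)
    for ev in events:  # events are already time-ordered from parse_events
        if ev["event_id"] == 4625:
            times[(ev["ip_address"], ev["target_user"])].append(ev["ts"])
    bursts = {}
    for key, ts in times.items():
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                bursts[key] = ts[i + threshold - 1]
                break
    return bursts

def success_after_burst(events, bursts):
    """4624 events from an (ip, user) pair that had a failure burst earlier: the ones to triage first."""
    return [ev for ev in events
            if ev["event_id"] == 4624
            and (ev["ip_address"], ev["target_user"]) in bursts
            and ev["ts"] >= bursts[(ev["ip_address"], ev["target_user"])]]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    bursts = failed_logon_bursts(evs)
    for ev in success_after_burst(evs, bursts):
        print(f"{ev['ts']} {ev['target_user']} from {ev['ip_address']} "
              f"logon_type={ev['logon_type']} succeeded after a failure burst")
```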
Troubleshooting
Tested On
Windows Server 2022 on Windows Server 2022 (windows_expert, 2025-12-15)
Windows 11 23H2 on Windows 11 (admin, 2025-12-10)
Last updated: 2025-12-15 by windows_expert