System Auditing - Beginner


Author(s): LOWERCASEinuppercase

Last Updated: 06-10-2025

Recommended Prerequisites
  • None

What Is Auditing?

System auditing is the process of tracking and logging certain events on a system. This can include things like logon and logoff, attempts to access a certain file or folder, or changes to system settings. These logs can help system administrators identify suspicious activity or system issues. In Windows, system auditing is configured through the Audit Policy settings, which log the selected events to the Event Log.

When deciding on audit policies, it's important to consider what might be beneficial to record, and adjust the settings accordingly. For example, one use-case for auditing would be monitoring to see if anyone is attempting to access a user's account or brute-force their password. In that case, it may be useful to audit something like logon failures. In general, it is considered best practice to audit as much as possible, though it's important to note that some policies will generate a lot of unnecessary diagnostic events that will quickly clog up the event log.
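Once logon failures are being audited, the records end up in the Security log, and the brute-force use-case above comes down to counting those records per account. The following PowerShell script is an added example, not code from the original page: it reads failed-logon events (Windows event ID 4625, "An account failed to log on") from the last day and lists any account with more failures than a chosen threshold. The look-back window and the threshold are assumed values to adjust for your environment; reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the original page): summarise failed logons per
# account from the Security log. Run from an elevated PowerShell prompt.

$Hours     = 24     # look-back window in hours (assumed value)
$Threshold = 10     # failures per account that deserve a closer look (assumed value)

# 4625 is the Security log's "An account failed to log on" event; it is only
# written when failure auditing for the Logon subcategory is enabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue    # Get-WinEvent throws when nothing matches

# Pull the named EventData fields out of each event's XML.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
        Status  = ($data | Where-Object Name -eq 'Status').'#text'   # NTSTATUS code, e.g. bad password vs. unknown user
    }
}

# Group by target account and keep only the noisy ones.
$rows | Group-Object Account |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Name
            Failures  = $_.Count
            Sources   = ($_.Group.Source | Sort-Object -Unique) -join ', '
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

If the script returns nothing on a machine where you know logons have failed, check the audit policy first: with failure auditing for the Logon subcategory disabled there is simply no 4625 to count, which is the point the section above makes about choosing what to record.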

Configuring Audit Policy

Audit policy on a system is typically configured through either basic audit policy or advanced audit policy. Both of these can be configured through the Local Security Policy, also known as secpol.msc. To open Local Security Policy, go to the Windows search bar and type in either "local security policy" or "secpol.msc" and press enter. Let's take a look at how to configure audit policy in both ways.

Basic Audit Policy

Basic audit policy can be configured by navigating to Local Policies > Audit Policy. Listed here are 9 broad categories of events that the system can audit. By double-clicking any one of them, you can configure whether the system will audit success and/or failure events in each category.

Advanced Audit Policy

Advanced audit policy can be configured by navigating to the subcategories under Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object. These subcategories are similar to the ones available with a basic audit policy, but they allow for more granularity with the available settings.

For example, under the Logon/Logoff category, there are multiple specific settings which can be individually configured. Setting Audit account logon events to a given option in the basic audit policy would be equivalent to applying that option to every subcategory under the Logon/Logoff category in the advanced audit policy. Using an advanced audit policy gives you the choice to have different settings between those subcategories.

Command Prompt

The audit policy can also be configured through the command prompt using the auditpol.exe command line utility (also just referred to as auditpol). First, open the command prompt by typing "cmd" into the Windows search bar. Now, in order to get all of the current system audit policies, enter auditpol /get /category:* at the prompt. This should display a list of auditing categories and subcategories (which should mirror those in the advanced audit policy) and their current settings. To enable auditing for one of these subcategories, you can run auditpol /set /subcategory:"Subcategory Name Here" /success:enable /failure:enable. To disable auditing for a subcategory, you can run the same command but replace enable with disable for the /success and /failure options.
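The get/set/get sequence above, written out as a script so the change can be checked and undone, is shown below. This is an added example and not code from the original page; it assumes the Logon subcategory under Logon/Logoff as the setting being changed and a backup file path under the user's temp directory. auditpol /set needs an elevated (Run as administrator) prompt, and the /backup and /restore switches used here are auditpol's own way of saving and reloading the whole policy. The /r switch makes auditpol print CSV, which is easier to parse than the default column layout.

```powershell
# Added example (not from the original page): back up the audit policy,
# enable success and failure auditing for one subcategory, and verify the
# result by reading the policy back. Run from an elevated PowerShell prompt.

$Subcategory = 'Logon'                                      # subcategory under Logon/Logoff (assumed)
$Backup      = Join-Path $env:TEMP 'auditpol-before.csv'    # assumed backup path

# 1. Save the complete current policy so the change can be reverted.
auditpol /backup /file:$Backup | Out-Null

# Helper: read one subcategory's current setting. /r returns CSV with an
# "Inclusion Setting" column; blank lines are dropped before parsing.
function Get-AuditSetting([string]$Name) {
    $csv = auditpol /get /subcategory:$Name /r | Where-Object { $_.Trim() }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

# 2. Record what is configured before touching anything.
$before = Get-AuditSetting $Subcategory
"Before: $Subcategory = $before"

# 3. Equivalent to ticking both Success and Failure in secpol.msc.
auditpol /set /subcategory:$Subcategory /success:enable /failure:enable | Out-Null

# 4. Verify by reading the policy back rather than trusting the exit code.
$after = Get-AuditSetting $Subcategory
"After:  $Subcategory = $after"
if ($after -ne 'Success and Failure') {
    throw "Expected 'Success and Failure' for $Subcategory but found '$after'"
}

# To revert the whole policy to the saved state:
#   auditpol /restore /file:$Backup
```

One caveat worth knowing when mixing the two methods described above: once any subcategory is set through advanced audit policy (whether in secpol.msc or with auditpol /set), Windows by default applies the subcategory settings in preference to the basic category settings, so the basic Audit Policy page may no longer reflect what is actually being logged. auditpol /get /category:* shows the effective per-subcategory configuration and is the reliable place to check.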


References & Further Reading