I spent a good part of a day a few weeks ago searching for a simple spreadsheet or table that lists the Advanced Audit Policy GPO settings and the Event IDs each one corresponds to. I couldn’t find one. I went through four pages of Google results and multiple TechNet articles and could not find anything that simply stated “these Event IDs are covered by this GPO setting”. The closest I could find was this link – Event IDs for Windows Server 2008 and Vista Revealed! – but it didn’t list them in the way I wanted, nor did it include everything I could see listed in my GPOs.
This is important information to me – I’m currently trying to tweak our security settings so that what we’re logging is *actually* useful rather than thousands upon thousands of lines of logons and logoffs. A list like this lets me filter our event logs down to what matters and then see which GPO subcategories I can turn on or off to get that filtered result – and stop my event logs filling up with noise.
So, because I couldn’t find it, I decided to make it myself…and because I figured I wouldn’t be the only one looking for it, I thought I’d share it with the world!
Group Policy Group | Group Policy Option | Event IDs
---|---|---
Account Logon | Audit Credential Validation | 4774, 4775, 4776, 4777
Account Logon | Audit Kerberos Authentication Service | 4768, 4771, 4772
Account Logon | Audit Kerberos Service Ticket Operations | 4769, 4770
Account Logon | Audit Other Account Logon Events | 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633
Account Management | Audit Application Group Management | 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790
Account Management | Audit Computer Account Management | 4741, 4742, 4743
Account Management | Audit Distribution Group Management | 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762
Account Management | Audit Other Account Management Events | 4782, 4793
Account Management | Audit Security Group Management | 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764
Account Management | Audit User Account Management | 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377
Detailed Tracking | Audit DPAPI Activity | 4692, 4693, 4694, 4695
Detailed Tracking | Audit Process Creation | 4688, 4696
Detailed Tracking | Audit Process Termination | 4689
Detailed Tracking | Audit RPC Events | 5712
DS Access | Audit Detailed Directory Service Replication | 4928, 4929, 4930, 4931, 4934, 4935, 4936, 4937
DS Access | Audit Directory Service Access | 4662
DS Access | Audit Directory Service Changes | 5136, 5137, 5138, 5139, 5141
DS Access | Audit Directory Service Replication | 4932, 4933
Logon/Logoff | Audit Account Lockout | 4625
Logon/Logoff | Audit IPsec Extended Mode | 4978, 4979, 4980, 4981, 4982, 4983, 4984
Logon/Logoff | Audit IPsec Main Mode | 4646, 4650, 4651, 4652, 4653, 4655, 4976, 5049, 5453
Logon/Logoff | Audit IPsec Quick Mode | 4977, 5451, 5452
Logon/Logoff | Audit Logoff | 4634, 4647
Logon/Logoff | Audit Logon | 4624, 4625, 4648, 4675
Logon/Logoff | Audit Network Policy Server | 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280
Logon/Logoff | Audit Other Logon/Logoff Events | 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633
Logon/Logoff | Audit Special Logon | 4672, 4964
Object Access | Audit Application Generated | 4665, 4666, 4667, 4668
Object Access | Audit Certification Services | 4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, 4879, 4880, 4881, 4882, 4883, 4884, 4885, 4886, 4887, 4888, 4889, 4890, 4891, 4892, 4893, 4894, 4895, 4896, 4897, 4898
Object Access | Audit Detailed File Share | 5145
Object Access | Audit File Share | 5140, 5142, 5143, 5144, 5168
Object Access | Audit File System | 4663, 4664, 4985, 5051
Object Access | Audit Filtering Platform Connection | 5031, 5140, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159
Object Access | Audit Filtering Platform Packet Drop | 5152, 5153
Object Access | Audit Handle Manipulation | 4656, 4658, 4690
Object Access | Audit Kernel Object | 4659, 4660, 4661, 4663
Object Access | Audit Other Object Access Events | 4671, 4691, 4698, 4699, 4700, 4701, 4702, 5148, 5149, 5888, 5889, 5890
Object Access | Audit Registry | 4657, 5039
Object Access | Audit SAM | 4659, 4660, 4661, 4663
Policy Change | Audit Audit Policy Change | 4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912
Policy Change | Audit Authentication Policy Change | 4713, 4716, 4717, 4718, 4739, 4864, 4865, 4866, 4867
Policy Change | Audit Authorization Policy Change | 4704, 4705, 4706, 4707, 4714
Policy Change | Audit Filtering Platform Policy Change | 4709, 4710, 4711, 4712, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048, 5440, 5441, 5442, 5443, 5444, 5446, 5448, 5449, 5450, 5456, 5457, 5458, 5459, 5460, 5461, 5462, 5463, 5464, 5465, 5466, 5467, 5468, 5471, 5472, 5473, 5474, 5477
Policy Change | Audit MPSSVC Rule-Level Policy Change | 4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958
Policy Change | Audit Other Policy Change Events | 4670, 4909, 4910, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144, 6145
Privilege Use | Audit Non-Sensitive Privilege Use | 4673, 4674
Privilege Use | Audit Sensitive Privilege Use | 4673, 4674
Privilege Use | Audit Other Privilege Use Events | N/A
System | Audit IPsec Driver | 4960, 4961, 4962, 4963, 4965, 5478, 5479, 5480, 5483, 5484, 5485
System | Audit Other System Events | 5024, 5025, 5027, 5028, 5029, 5030, 5032, 5033, 5034, 5035, 5037, 5058, 5059, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408
System | Audit Security State Change | 4608, 4609, 4616, 4621
System | Audit Security System Extension | 4610, 4611, 4614, 4622, 4697
System | Audit System Integrity | 4612, 4615, 4618, 4816, 5038, 5056, 5057, 5060, 5061, 5062, 6281
Global Object Access Auditing | Registry (GOAA) | N/A
Global Object Access Auditing | File System (GOAA) | N/A
I figure if only one person finds it useful, then the 2 or so hours I spent doing this and double-checking it against the GPO’s are well worth it!
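The following PowerShell is an added example, not code from the original post. It turns the table above into a reverse lookup: for each Event ID you actually want to keep, it reports which Advanced Audit Policy subcategory generates it, writes the `auditpol` commands that enable only those subcategories (optionally turning every other subcategory off), and then counts what the local Security log really recorded so you can verify the policy is producing the events rather than trusting RSOP. It assumes the mapping in the table (with the same version caveats; 4663 is included under Audit File System, the omission a comment below flags, and 4672 sits under Audit Special Logon, where Microsoft's current documentation places it), that `auditpol` subcategory names are the GPO names minus the leading "Audit ", and that it runs in an elevated session on the machine whose log you are inspecting. The function names and the `$keep` list are illustrative choices.

```powershell
# Added example, not code from the original post: reverse lookup over the table above.
# Assumes the table's mapping (same version caveats), that auditpol subcategory names are the
# GPO names minus the "Audit " prefix, and an elevated session on the machine being inspected.
# Rows are Group|Subcategory|Event IDs ("a-b" is an inclusive range, "-" means no events).
$AuditTable = @'
Account Logon|Audit Credential Validation|4774-4777
Account Logon|Audit Kerberos Authentication Service|4768,4771,4772
Account Logon|Audit Kerberos Service Ticket Operations|4769,4770
Account Logon|Audit Other Account Logon Events|4649,4778,4779,4800-4803,5378,5632,5633
Account Management|Audit Application Group Management|4783-4790
Account Management|Audit Computer Account Management|4741-4743
Account Management|Audit Distribution Group Management|4744-4753,4759-4762
Account Management|Audit Other Account Management Events|4782,4793
Account Management|Audit Security Group Management|4727-4735,4737,4754-4758,4764
Account Management|Audit User Account Management|4720,4722-4726,4738,4740,4765-4767,4780,4781,4794,5376,5377
Detailed Tracking|Audit DPAPI Activity|4692-4695
Detailed Tracking|Audit Process Creation|4688,4696
Detailed Tracking|Audit Process Termination|4689
Detailed Tracking|Audit RPC Events|5712
DS Access|Audit Detailed Directory Service Replication|4928-4931,4934-4937
DS Access|Audit Directory Service Access|4662
DS Access|Audit Directory Service Changes|5136-5139,5141
DS Access|Audit Directory Service Replication|4932,4933
Logon/Logoff|Audit Account Lockout|4625
Logon/Logoff|Audit IPsec Extended Mode|4978-4984
Logon/Logoff|Audit IPsec Main Mode|4646,4650-4653,4655,4976,5049,5453
Logon/Logoff|Audit IPsec Quick Mode|4977,5451,5452
Logon/Logoff|Audit Logoff|4634,4647
Logon/Logoff|Audit Logon|4624,4625,4648,4675
Logon/Logoff|Audit Network Policy Server|6272-6280
Logon/Logoff|Audit Other Logon/Logoff Events|4649,4778,4779,4800-4803,5378,5632,5633
Logon/Logoff|Audit Special Logon|4672,4964
Object Access|Audit Application Generated|4665-4668
Object Access|Audit Certification Services|4868-4898
Object Access|Audit Detailed File Share|5145
Object Access|Audit File Share|5140,5142-5144,5168
Object Access|Audit File System|4663,4664,4985,5051
Object Access|Audit Filtering Platform Connection|5031,5140,5150,5151,5154-5159
Object Access|Audit Filtering Platform Packet Drop|5152,5153
Object Access|Audit Handle Manipulation|4656,4658,4690
Object Access|Audit Kernel Object|4659-4661,4663
Object Access|Audit Other Object Access Events|4671,4691,4698-4702,5148,5149,5888-5890
Object Access|Audit Registry|4657,5039
Object Access|Audit SAM|4659-4661,4663
Policy Change|Audit Audit Policy Change|4715,4719,4817,4902,4904-4908,4912
Policy Change|Audit Authentication Policy Change|4713,4716-4718,4739,4864-4867
Policy Change|Audit Authorization Policy Change|4704-4707,4714
Policy Change|Audit Filtering Platform Policy Change|4709-4712,5040-5048,5440-5444,5446,5448-5450,5456-5468,5471-5474,5477
Policy Change|Audit MPSSVC Rule-Level Policy Change|4944-4954,4956-4958
Policy Change|Audit Other Policy Change Events|4670,4909,4910,5063-5070,5447,6144,6145
Privilege Use|Audit Non-Sensitive Privilege Use|4673,4674
Privilege Use|Audit Sensitive Privilege Use|4673,4674
Privilege Use|Audit Other Privilege Use Events|-
System|Audit IPsec Driver|4960-4963,4965,5478-5480,5483-5485
System|Audit Other System Events|5024,5025,5027-5030,5032-5035,5037,5058,5059,6400-6408
System|Audit Security State Change|4608,4609,4616,4621
System|Audit Security System Extension|4610,4611,4614,4622,4697
System|Audit System Integrity|4612,4615,4618,4816,5038,5056,5057,5060-5062,6281
'@

function Expand-IdList([string]$Spec) {
  # "4800-4803,5378" -> 4800,4801,4802,4803,5378 ; "-" -> nothing
  foreach ($tok in ($Spec -split ',' | Where-Object { $_ -match '\d' })) {
    if ($tok -match '^(\d+)-(\d+)$') { $lo = [int]$Matches[1]; $hi = [int]$Matches[2]; $lo..$hi } else { [int]$tok }
  }
}
$AuditMap = foreach ($line in ($AuditTable -split "`r?`n" | Where-Object { $_.Trim() })) {
  $g, $s, $ids = $line.Trim() -split '\|'; [pscustomobject]@{ Group = $g; Subcategory = $s; EventIds = @(Expand-IdList $ids) }
}

function Get-AuditSubcategory([int[]]$EventId) {
  # Which subcategory (possibly more than one) produces each Event ID? Non-audit IDs get a clear marker.
  foreach ($id in $EventId) {
    $hits = @($AuditMap | Where-Object { $_.EventIds -contains $id })
    [pscustomobject]@{ EventId = $id; Subcategory = $(if ($hits) { $hits.Subcategory -join '; ' } else { '(not controlled by audit policy)' }) }
  }
}

function New-AuditPolCommand([int[]]$WantedEventId, [switch]$DisableOthers) {
  # auditpol lines that enable only subcategories covering $WantedEventId; -DisableOthers explicitly turns the rest off.
  foreach ($row in $AuditMap) {
    $name = $row.Subcategory -replace '^Audit ', ''   # "Audit Audit Policy Change" -> "Audit Policy Change"
    if (@($row.EventIds | Where-Object { $WantedEventId -contains $_ }).Count) { "auditpol /set /subcategory:`"$name`" /success:enable /failure:enable" }
    elseif ($DisableOthers) { "auditpol /set /subcategory:`"$name`" /success:disable /failure:disable" }
  }
}

function Measure-SecurityEvent([int[]]$EventId, [int]$Hours = 24) {
  # Count what the Security log actually recorded for these IDs in the last $Hours, tagged with the subcategory.
  Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } }, Count, @{ n = 'Subcategory'; e = { (Get-AuditSubcategory ([int]$_.Name)).Subcategory } }
}

# Usage (illustrative): keep process creation, failed logons/lockouts and special logons; turn everything else off.
$keep = 4688, 4625, 4740, 4672
Get-AuditSubcategory $keep | Format-Table -AutoSize
New-AuditPolCommand $keep -DisableOthers
Measure-SecurityEvent $keep | Format-Table -AutoSize
```

Two things the lookup makes visible that the table alone does not. First, overlaps: 4625 is listed under both Audit Logon and Audit Account Lockout, so asking for it enables both subcategories, and the same IDs appear under both Audit Other Account Logon Events and Audit Other Logon/Logoff Events. Second, IDs that are not audit-policy events at all (the Service Control Manager's 7036 and 7045 asked about in the comments live in the System log and are unaffected by any of these subcategories) come back marked as such rather than silently mapping to nothing. The `-DisableOthers` switch is there because advanced audit policy settings persist on the machine once applied: unlinking the GPO does not put the subcategories back to "not configured", so the reset has to be explicit (`auditpol /clear` wipes them all).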
Well worth it! Thank you for the contribution!
Just out of curiosity what GPO settings did you finally settle on to log only what you were interested in? I know it will vary by organization and policy but I like to see what others are doing to compare.
Nice list by the way!
Thanks for this.
You should mention the Windows versions this applies to, because I know Event IDs have changed over time, and probably will again.
And ditto Andy.
This is beautiful! Thank you!!!
You’re welcome – glad it’s useful to someone!
Jess – this was extremely helpful for us. thank you very much for documenting all this.
Thanks, the list was really helpful.
Thanks for taking the time to document this list, it’s extremely useful!
You’re the BEST!
This was so helpful, thanks for sharing!
So Epic! This has saved me so much time getting rid of all these damned “Audit Success” Entries…. (Which I’ve had to disable manually via CMD one at a time, and to get rid of “File System”, I actually had to kill “SAM”, and “Kernel Object”)
I’m not sure why exactly, but after temporarily enabling Security Auditing on an AD GPO – My Domain Controllers will not stop logging everything under the sun. (Even after preventing the Policy from impacting the Domain Controllers OU; running a gpupdate; restarting the Servers, etc…..) Even RSOP says that Audit Policy logging is Not Defined for my DCs….. This must be an issue where once you turn it on, it stays on regardless of the policy state change? Microsoft….. WTF????
Awesome, thank you!
Awesome, this is a massive time saver!
Great work, exactly what I was looking for. I’ve added this to my internal KB.
Thank you!
Nice work! Thanks!
Looks like you were looking for the following documents in your research?
https://www.microsoft.com/en-us/download/details.aspx?id=52630
https://www.microsoft.com/en-us/download/details.aspx?id=50034
and maybe:
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events
https://github.com/palantir/windows-event-forwarding/
Thanks for sharing!
While it’s lovely of you to have left a comment – you’ll notice the date tags on all of those articles are *AFTER* I wrote this one. I wrote this back in 2014. The Microsoft ones were written two years later, in 2016. One of the github ones was written in DECEMBER 2017, and the other in April this year…4 years after I wrote this.
While they are definitely helpful pages, they would’ve been more helpful if they’d been written a few years earlier…
Ooh, so sorry! I did not spot that as this was pointed out to me on Twitter in a way that I thought this is a new post.
So this is still being shared and I thought I’d add what I found for the next person who shows up here. Feel free to remove my comment and just add the URLs to your post. Microsoft makes this stuff way too hard to find.
Great work – exactly what I was looking for!
Did you miss 4663 on the Audit File System?
I had! I feel that something must’ve changed since I first published this list, as there are a ton of other event ID’s from “Audit File System” that I also don’t have included. I’ll have to look at doing an updated post!
Hi. Thank you very much for posting this. Very helpful and your two hours made mine 5 min. So thank you again.
7045, 7036 – Please let me know for the two event IDs as well, please.
Definitely a great post. We set our audit file based on STIG. What I am looking for is ways to generate various event IDs, because even though I have my audit settings set, how can I verify I am getting the various event IDs?
It’s the end of 2020, and this is still the most useful version of this information that I’ve found.
2021 and still finding this useful =] Thank you kindly!!
Excellent info.
I have used this page probably at least once a month for a year or so now.
Thank you!!
Thank you! You just saved me a bunch of time. Bookmarking for future reference.
Still useful 9 years later thank you!