Advanced Audit Policy – which GPO corresponds with which Event ID

I spent a good part of a day a few weeks ago searching around looking for a simple spreadsheet or table that lists the Advanced Audit GPOs and what Event IDs they correspond to. I couldn’t find one. Went through 4 pages of Google results, went through multiple TechNet articles. Could not find something that simply stated “These event IDs are covered by this GPO”. The closest I could find was this link – Event IDs for Windows Server 2008 and Vista Revealed! – but it didn’t list them in the way I wanted, nor did it include everything that I could see listed in my GPOs.

This is important information to me – I’m currently trying to tweak our security settings so that what we’re logging is *actually* useful rather than thousands upon thousands of lines with logons and logoffs. A list like this would allow me to filter our event logs, to then be able to see which GPOs I could easily turn on or off in order to get the filtered results I’m looking for – and prevent my event logs from filling up with useless crap!

So, because I couldn’t find it, I decided to make it myself…and because I figured I wouldn’t be the only one looking for it, I thought I might share it with the world!

| Group Policy Group | Group Policy Option | Event IDs |
|---|---|---|
| Account Logon | Audit Credential Validation | 4774, 4775, 4776, 4777 |
| | Audit Kerberos Authentication Service | 4768, 4771, 4772 |
| | Audit Kerberos Service Ticket Operations | 4769, 4770 |
| | Audit Other Account Logon Events | 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633 |
| Account Management | Audit Application Group Management | 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790 |
| | Audit Computer Account Management | 4741, 4742, 4743 |
| | Audit Distribution Group Management | 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762 |
| | Audit Other Account Management Events | 4782, 4793 |
| | Audit Security Group Management | 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764 |
| | Audit User Account Management | 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377 |
| Detailed Tracking | Audit DPAPI Activity | 4692, 4693, 4694, 4695 |
| | Audit Process Creation | 4688, 4696 |
| | Audit Process Termination | 4689 |
| | Audit RPC Events | 5712 |
| DS Access | Audit Detailed Directory Service Replication | 4928, 4929, 4930, 4931, 4934, 4935, 4936, 4937 |
| | Audit Directory Service Access | 4662 |
| | Audit Directory Service Changes | 5136, 5137, 5138, 5139, 5141 |
| | Audit Directory Service Replication | 4932, 4933 |
| Logon/Logoff | Audit Account Lockout | 4625 |
| | Audit IPsec Extended Mode | 4978, 4979, 4980, 4981, 4982, 4983, 4984 |
| | Audit IPsec Main Mode | 4646, 4650, 4651, 4652, 4653, 4655, 4976, 5049, 5453 |
| | Audit IPsec Quick Mode | 4977, 5451, 5452 |
| | Audit Logoff | 4634, 4647 |
| | Audit Logon | 4624, 4625, 4648, 4675 |
| | Audit Network Policy Server | 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280 |
| | Audit Other Logon/Logoff Events | 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633 |
| | Audit Special Logon | 4964 |
| Object Access | Audit Application Generated | 4665, 4666, 4667, 4668 |
| | Audit Certification Services | 4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, 4879, 4880, 4881, 4882, 4883, 4884, 4885, 4886, 4887, 4888, 4889, 4890, 4891, 4892, 4893, 4894, 4895, 4896, 4897, 4898 |
| | Audit Detailed File Share | 5145 |
| | Audit File Share | 5140, 5142, 5143, 5144, 5168 |
| | Audit File System | 4664, 4985, 5051 |
| | Audit Filtering Platform Connection | 5031, 5140, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159 |
| | Audit Filtering Platform Packet Drop | 5152, 5153 |
| | Audit Handle Manipulation | 4656, 4658, 4690 |
| | Audit Kernel Object | 4659, 4660, 4661, 4663 |
| | Audit Other Object Access Events | 4671, 4691, 4698, 4699, 4700, 4701, 4702, 5148, 5149, 5888, 5889, 5890 |
| | Audit Registry | 4657, 5039 |
| | Audit SAM | 4659, 4660, 4661, 4663 |
| Policy Change | Audit Audit Policy Change | 4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912 |
| | Audit Authentication Policy Change | 4713, 4716, 4717, 4718, 4739, 4864, 4865, 4866, 4867 |
| | Audit Authorization Policy Change | 4704, 4705, 4706, 4707, 4714 |
| | Audit Filtering Platform Policy Change | 4709, 4710, 4711, 4712, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048, 5440, 5441, 5442, 5443, 5444, 5446, 5448, 5449, 5450, 5456, 5457, 5458, 5459, 5460, 5461, 5462, 5463, 5464, 5465, 5466, 5467, 5468, 5471, 5472, 5473, 5474, 5477 |
| | Audit MPSSVC Rule-Level Policy Change | 4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958 |
| | Audit Other Policy Change Events | 4670, 4909, 4910, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144, 6145 |
| Privilege Use | Audit Non-Sensitive Privilege Use | 4672, 4673, 4674 |
| | Audit Sensitive Privilege Use | 4672, 4673, 4674 |
| | Audit Other Privilege Use Events | N/A |
| System | Audit IPsec Driver | 4960, 4961, 4962, 4963, 4965, 5478, 5479, 5480, 5483, 5484, 5485 |
| | Audit Other System Events | 5024, 5025, 5027, 5028, 5029, 5030, 5032, 5033, 5034, 5035, 5037, 5058, 5059, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408 |
| | Audit Security State Change | 4608, 4609, 4616, 4621 |
| | Audit Security System Extension | 4610, 4611, 4614, 4622, 4697 |
| | Audit System Integrity | 4612, 4615, 4618, 4816, 5038, 5056, 5057, 5060, 5061, 5062, 6281 |
| Global Object Access Auditing | Registry (GOAA) | N/A |
| | File System (GOAA) | N/A |

I figure if only one person finds it useful, then the 2 or so hours I spent doing this and double-checking it against the GPOs are well worth it!
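The reverse lookup this table is meant for (event ID back to audit setting), as an added example that is not part of the original post. It uses an excerpt of the table; the function names and the sample event IDs are constructed for illustration. Several IDs are listed under more than one setting, so the lookup returns every match and flags those rows.

```python
from collections import Counter, defaultdict

# Excerpt of the table above: (group, option) -> event IDs, copied as listed.
AUDIT_MAP = {
    ("Logon/Logoff", "Audit Account Lockout"): [4625],
    ("Logon/Logoff", "Audit Logoff"): [4634, 4647],
    ("Logon/Logoff", "Audit Logon"): [4624, 4625, 4648, 4675],
    ("Detailed Tracking", "Audit Process Creation"): [4688, 4696],
    ("Object Access", "Audit File System"): [4664, 4985, 5051],
    ("Object Access", "Audit Kernel Object"): [4659, 4660, 4661, 4663],
    ("Object Access", "Audit SAM"): [4659, 4660, 4661, 4663],
    ("Privilege Use", "Audit Non-Sensitive Privilege Use"): [4672, 4673, 4674],
    ("Privilege Use", "Audit Sensitive Privilege Use"): [4672, 4673, 4674],
}

def build_reverse_index(audit_map):
    """Event ID -> sorted list of every setting the table lists it under."""
    index = defaultdict(list)
    for (group, option), ids in audit_map.items():
        for event_id in ids:
            index[event_id].append(f"{group} / {option}")
    return {eid: sorted(names) for eid, names in index.items()}

def noise_report(event_ids, audit_map=AUDIT_MAP):
    """Rank observed event IDs by volume and attach candidate settings.

    Returns rows of (event_id, count, settings, ambiguous). A row is flagged
    ambiguous when the table lists the ID under more than one setting, so
    each of them needs checking. IDs missing from the table get an empty list.
    """
    index = build_reverse_index(audit_map)
    rows = []
    for event_id, count in Counter(event_ids).most_common():
        settings = index.get(event_id, [])
        rows.append((event_id, count, settings, len(settings) > 1))
    return rows

# Constructed sample: event IDs as they might appear in a Security log export.
# 1102 stands in for an ID that the table excerpt does not list.
SAMPLE_IDS = [4624] * 500 + [4634] * 480 + [4663] * 120 + [4625] * 30 + [4672] * 25 + [1102]

if __name__ == "__main__":
    for event_id, count, settings, ambiguous in noise_report(SAMPLE_IDS):
        flag = " (listed under several settings)" if ambiguous else ""
        print(f"{event_id:>5} x{count:<4} {', '.join(settings) or 'not in table'}{flag}")
```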

31 thoughts on “Advanced Audit Policy – which GPO corresponds with which Event ID”

  1. Andy

    Just out of curiosity what GPO settings did you finally settle on to log only what you were interested in? I know it will vary by organization and policy but I like to see what others are doing to compare.

    Nice list by the way!

  2. Dan

    Thanks for this.

    You should mention the Windows versions this applies to, because I know Event IDs have changed over time, and probably will again.

    And ditto Andy.

  3. Matt M.

    Jess – this was extremely helpful for us. Thank you very much for documenting all this.

  4. Dennis

    So Epic! This has saved me so much time getting rid of all these damned “Audit Success” Entries…. (Which I’ve had to disable manually via CMD one at a time, and to get rid of “File System”, I actually had to kill “SAM”, and “Kernel Object”)

    I’m not sure why exactly, but after temporarily enabling Security Auditing on an AD GPO – My Domain Controllers will not stop logging everything under the sun. (Even after preventing the Policy from impacting the Domain Controllers OU; running a gpupdate; restarting the Servers, etc…..) Even RSOP says that Audit Policy logging is Not Defined for my DCs….. This must be an issue where once you turn it on, it stays on regardless of the policy state change? Microsoft….. WTF????

    1. girlgerms Post author

      While it’s lovely of you to have left a comment – you’ll notice the date tags on all of those articles are *AFTER* I wrote this one. I wrote this back in 2014. The Microsoft ones were written two years later, in 2016. One of the GitHub ones was written in DECEMBER 2017, and the other in April this year…4 years after I wrote this.

      While they are definitely helpful pages, they would’ve been more helpful if they’d been written a few years earlier…

      1. Hendrik

        Ooh, so sorry! I did not spot that as this was pointed out to me on Twitter in a way that I thought this is a new post.
        So this is still being shared and I thought I’d add what I found for the next person who shows up here. Feel free to remove my comment and just add the URLs to your post. Microsoft makes this stuff way too hard to find.

    1. girlgerms Post author

      I had! I feel that something must’ve changed since I first published this list, as there are a ton of other event IDs from “Audit File System” that I also don’t have included. I’ll have to look at doing an updated post!

  5. Schontelle

    Hi. Thank you very much for posting this. Very helpful and your two hours made mine 5 min. So thank you again.

  6. Susan

    Definitely a great post. We set our audit file based on STIG. What I am looking for is ways to generate various event IDs, because even though I have my audit setting set, how can I verify I am getting the various event IDs?

  7. Jerod

    It’s the end of 2020, and this is still the most useful version of this information that I’ve found.

  8. Pingback: Resolved: What is the most efficient way to take a list of Windows Event IDs and determine which audit policy enables logging of the event? - Resolved Problem

  9. JTech

    Excellent info.
    I have used this page probably at least once a month for a year or so now.
    Thank you!!

