
Analyzing Windows Event Logs

Hands-On Lab


Bob Salmans

Training Architect

Length

00:30:00

Difficulty

Beginner

In this lab, we'll use filters to review Windows events and export events to text files for later analysis. NOTE: Once the lab is ready, please wait 2 additional minutes before attempting to connect to the Windows machine over Remote Desktop. Prior to that, the provided credentials will not work, because the Windows machine runs several preparation scripts once it starts.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Analyzing Windows Event Logs

Introduction

In this lab, we'll use filters to review Windows events and export events to text files for later analysis.

Setting Up the Environment

  1. Use RDP (Remote Desktop) to connect to the public IP address of the instance on port 3389.
  2. Log in with the username and password provided on the lab instructions page.

Export All Logon Events to a Text File

  1. From the Start menu, open Event Viewer.
  2. In the left sidebar, click the arrow to the left of Windows Logs to expand it.
  3. Click Security, and wait a few moments for the security events to populate.
  4. Locate an event that has the Logon label under Task Category, and click the event to open it.
  5. In the Event Properties pane, locate the Event ID and copy it to your clipboard. The ID we want is 4624, "An account was successfully logged on." Note that the Logon task category also covers other IDs, such as 4625 (failed logon) and 4648 (logon with explicit credentials), so check the ID before copying it.
  6. Under the Actions header in the right sidebar, click Filter Current Log.
  7. In the <All Event IDs> field, type or paste the event ID (4624), then click OK. The view now shows only successful logons. These include network, service, and batch logons as well as interactive and RDP sessions; the Logon Type field in each event's description tells them apart.
  8. Under the Actions header in the right sidebar, click Save Filtered Log File As.
  9. In the Save As dialog, configure the following settings:
     • Save location: Desktop
     • File name: logons.txt
     • Save as type: Text (Tab delimited)(*.txt)
  10. Click the Save button. A tab-delimited text export is convenient for a text editor or spreadsheet, but it cannot be reopened in Event Viewer; if you may need to re-examine the events there later, also save a copy as Event Files (*.evtx).

Export All Events from the Security Log to a Text File

  1. Under the Actions header in the right sidebar, click Clear Filter to remove the filter we added before.
  2. Under Windows Logs in the left sidebar, right-click Security and select Save All Events As.
  3. In the Save As dialog, configure the following settings:
     • Save location: Desktop
     • File name: security.txt
     • Save as type: Text (Tab delimited)(*.txt)
  4. Click the Save button.
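The same two exports can be scripted, which matters once you are collecting logs from more than one host or on a schedule. The following is an added example and is not part of the lab; it assumes an elevated PowerShell prompt on the lab machine (reading the Security log needs administrator rights or membership in Event Log Readers) and writes to the current user's Desktop. Export-Csv produces a tab-delimited file with a header row, so the output is equivalent to, but not byte-identical with, Event Viewer's "Text (Tab delimited)" export. The last block goes a step beyond the lab and summarises the 4624 events by Logon Type, which is the first question an analyst asks of a pile of successful logons.

```powershell
# Added example, not part of the original lab. Run from an elevated PowerShell prompt.
$outDir = Join-Path $env:USERPROFILE 'Desktop'

# 1. Successful logons only (Event ID 4624), the scripted form of "Filter Current Log"
#    followed by "Save Filtered Log File As". -FilterHashtable is evaluated by the
#    Event Log service itself, so it is much faster than piping every event through
#    Where-Object on a large Security log.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
$logons |
    Select-Object TimeCreated, Id, LevelDisplayName, TaskDisplayName, Message |
    Export-Csv -Path (Join-Path $outDir 'logons.txt') -Delimiter "`t" -NoTypeInformation -Encoding UTF8

# 2. Every event in the Security log, the scripted form of "Save All Events As".
Get-WinEvent -LogName 'Security' |
    Select-Object TimeCreated, Id, LevelDisplayName, TaskDisplayName, Message |
    Export-Csv -Path (Join-Path $outDir 'security.txt') -Delimiter "`t" -NoTypeInformation -Encoding UTF8

# 3. Break the successful logons down by Logon Type. The fields are read from each
#    event's XML (EventData/Data elements) rather than by regex over the free-text
#    Message, so the parsing does not depend on the display language or on the
#    whitespace in the description. Types to know: 2 = Interactive (console),
#    3 = Network (SMB, WinRM, etc.), 4 = Batch, 5 = Service, 10 = RemoteInteractive (RDP).
$summary = $logons |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            SourceIp  = $data['IpAddress']
        }
    }

# Count per logon type, most common first. A burst of type 3 or type 10 logons from
# an unexpected source address is the kind of thing the raw text export hides.
$summary | Group-Object LogonType | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# RDP sessions in detail, since that is how the lab itself is being accessed.
$summary | Where-Object LogonType -eq '10' | Format-Table Time, User, SourceIp -AutoSize
```

If the log is large, add StartTime/EndTime keys to the filter hashtable (for example `StartTime = (Get-Date).AddDays(-1)`) so the service, not PowerShell, does the time windowing as well.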

Conclusion

Congratulations, you've successfully completed this hands-on lab!