Event logs are detailed records of what occurred on a device. A log entry is created for every event and application notification on a device within the network, and entries are often categorised with a severity level ranging from informational through to critical. Windows event logs can be used by network administrators to diagnose system problems and to determine whether any malicious activity has been conducted on the network.
It is strongly advised to ensure that only a select number of authorised personnel are able to access these logs. Additionally, the employees with access to these logs should be unable to tamper with or delete them. If a malicious actor compromises the account responsible for setting up and reviewing the logs, numerous malicious activities could be conducted within the network and the logs then removed or tampered with. This would remove all traces of what has occurred, making it very hard to determine the damage that has been caused.
Reviewing event logs on a regular basis is important for spotting abnormalities across different systems and helps with identifying security incidents and threats. The review could be carried out by an individual on a monthly basis, or software could be used to conduct an automated review.
An additional requirement that is often overlooked is to ensure that the relevant personnel within your organisation are alerted to specific activities within the network, allowing appropriate action to be taken quickly. Examples of events that should trigger alerts are VPN access, numerous incorrect password entries and USB devices being plugged into machines on the network.
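One way to automate the alerting described above, as an added example that is not from the original page: a Python check that runs over constructed records shaped like Windows Security log entries, flags accounts with many failed logons (Event ID 4625) inside a short window, and flags any clearing of the audit log (Event ID 1102), which covers the tampering concern raised earlier. The record field names, thresholds, accounts and sample values are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log entries
# (Event ID 4625 = failed logon, 4624 = successful logon, 1102 = audit log
# cleared). Accounts, addresses and times are made up for this example.
SAMPLE_EVENTS = (
    # jsmith: six failures in under three minutes (should alert)
    [{"time": f"2024-03-01T09:0{i // 2}:{'30' if i % 2 else '00'}", "id": 4625,
      "account": "jsmith", "source_ip": "10.0.0.12"} for i in range(6)]
    # bmiller: two failures (typo-level noise, should not alert)
    + [{"time": f"2024-03-01T09:0{5 + i}:00", "id": 4625,
        "account": "bmiller", "source_ip": "10.0.0.30"} for i in range(2)]
    # alice: five failures spread half an hour apart (outside any short window)
    + [{"time": f"2024-03-01T{8 + i // 2:02d}:{'30' if i % 2 else '00'}:00", "id": 4625,
        "account": "alice", "source_ip": "10.0.0.44"} for i in range(5)]
    + [{"time": "2024-03-01T09:10:00", "id": 4624, "account": "jsmith", "source_ip": "10.0.0.12"},
       {"time": "2024-03-01T10:15:00", "id": 1102, "account": "svc_backup", "source_ip": "-"}]
)

def detect_failed_logon_bursts(events, threshold=5, window_minutes=10):
    """Return {account: peak_count} for accounts whose failed logons (4625)
    reach `threshold` within any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort by time
        if ev["id"] != 4625:
            continue
        now = datetime.fromisoformat(ev["time"])
        q = recent[ev["account"]]
        q.append(now)
        while now - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["account"]] = max(alerts.get(ev["account"], 0), len(q))
    return alerts

def detect_log_clearing(events):
    """Return every 'audit log cleared' (1102) event; any such event is worth
    an alert, because clearing the log is how traces of activity get removed."""
    return [ev for ev in events if ev["id"] == 1102]

if __name__ == "__main__":
    for account, count in detect_failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {count} failed logons for {account} within 10 minutes")
    for ev in detect_log_clearing(SAMPLE_EVENTS):
        print(f"ALERT: audit log cleared by {ev['account']} at {ev['time']}")
```

Against real systems the same two functions would be fed the output of a log export rather than the constructed list, and the threshold and window tuned to the environment's normal failure rate.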