# Windows Event Logs

In this guide, you will send Windows Event logs to Radiant Security with the use of an intermediary agent for additional security.

{% hint style="info" %}
**Note:** If you’d like to send Radiant a data feed that isn’t listed below, please contact your Customer Success Manager at <support@radiantsecurity.ai>
{% endhint %}

### Prerequisites

* [ ] Radiant Agent already set up in the same network zone as the servers. If you don't have the agent installed, please refer to the [Install the Radiant Security Agent](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/install-the-radiant-security-agent) guide.

### Supported data feeds

The following types of data feeds are supported for event collection:

* DHCP Events
* DNS Events
* Windows Application Events
* Windows Forwarded Events
* Windows Security Events
* Windows Setup Events
* Windows System Events

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Windows Agent** option and then click **Data Feeds**.
4. Select the **Data Feeds** you have, then click **Credentials**.
5. Under **Credential** **Name**, give the credential an identifiable name (e.g. `Windows Agent Credentials`).
6. In the **Connector** **tag** field, optionally enter any value.
7. Click **Add** **Connector**.

{% hint style="warning" %}
**Important note**: Windows servers provide application, security, system, and setup events, but they *do not* generate alerts. If you haven’t connected an alert source yet, it’s critical to onboard one. This allows Radiant to ingest and triage alerts in context with the event logs collected from your Windows servers.
{% endhint %}

### Configure Windows Events forwarding

We will provide you with an installation package to deploy on all Windows servers you want to monitor.

For monitoring to work, each server must be configured to **generate the necessary security logs**. Follow the steps below to adjust the **Local Security Policy** and make sure all required events are being recorded.

{% hint style="info" %}
**Note:** If your organization manages security settings through **Group Policy Objects (GPO)**, apply these same changes within the GPO instead. This ensures consistency across all systems and prevents domain policies from overwriting local settings.
{% endhint %}

**Steps (to be done on each Windows server or workstation):**

1. Open the **Local Security Policy** editor: press `Win + R`, type **secpol.msc**, and press Enter.
2. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Audit Policy** and set the following:
   * On `Audit account logon events` enable `Success` and `Failure`
   * On `Audit account management` enable `Success` and `Failure`
   * On `Audit logon events` enable `Success` and `Failure`
   * On `Audit privilege use` enable `Success` and `Failure`
   * On `Audit process tracking` enable `Success` and `Failure`
   * On `Audit policy change` enable `Success` and `Failure`
3. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** and set the following:
   * Under `Detailed Tracking`, set `Audit Process Creation` to both `Success` and `Failure`
   * Under `Object Access`, set the following:
     * Set `Audit File System` to `Success` and `Failure`
     * Set `Audit Registry` to `Success` and `Failure`
4. Now, to enable Windows PowerShell logging, navigate to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Windows PowerShell`
   * Under `Module Logging`:
     * Set to `Enabled`
     * In `Module Names` enter `*` as the value to audit all modules
   * Set `PowerShell Script Block Logging` to `Enabled`
5. Navigate to `Computer Configuration` > `Preferences` > `Windows Settings` > `Registry`

{% hint style="info" %}
**Note:** This setting will limit the size of the PowerShell script log capture to a maximum of 150 MB.
{% endhint %}

6. Add new registry key (`New` > `Registry Item`).
7. Enter the following details:
   * `Hive` == `HKEY_LOCAL_MACHINE`
   * `Key Path` == `SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell\Operational`
   * `Value Name` == `MaxSize`
   * `Value Type` == `REG_DWORD`
   * `Value Data` == `153616384`
   * Set as `Decimal`
8. Click `Apply`.
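The following PowerShell script is an added verification check, not part of the Radiant documentation or installation package: run it in an elevated shell on a configured server and it reports PASS or FAIL for the advanced audit subcategories from step 3, the PowerShell logging policies from step 4, and the channel size cap from steps 5-8. It assumes an English Windows locale, because `auditpol` subcategory names are localized.

```powershell
# Added verification script (not Radiant's code). Run as Administrator after
# completing steps 1-8. Assumes an English locale for auditpol subcategory names.
$results = @()

# Step 3: advanced audit subcategories. "auditpol /r" emits CSV whose
# "Inclusion Setting" column reads e.g. "Success and Failure".
foreach ($sub in 'Process Creation', 'File System', 'Registry') {
    $row = auditpol /get /subcategory:"$sub" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    $results += [pscustomobject]@{
        Check  = "Audit $sub"
        Actual = $row.'Inclusion Setting'
        Pass   = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }
}

# Step 4: the registry backing store of the PowerShell logging policies.
# ModuleNames is a key whose value names are the module patterns ("*" = all).
$psPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$policy = @(
    @{ Check = 'Module logging enabled';  Path = "$psPol\ModuleLogging";             Name = 'EnableModuleLogging';      Expect = 1   },
    @{ Check = 'All modules logged (*)';  Path = "$psPol\ModuleLogging\ModuleNames"; Name = '*';                        Expect = '*' },
    @{ Check = 'Script block logging on'; Path = "$psPol\ScriptBlockLogging";        Name = 'EnableScriptBlockLogging'; Expect = 1   }
)
foreach ($p in $policy) {
    $actual = (Get-ItemProperty -Path $p.Path -ErrorAction SilentlyContinue).($p.Name)
    $results += [pscustomobject]@{ Check = $p.Check; Actual = $actual; Pass = ($actual -eq $p.Expect) }
}

# Steps 5-8: effective maximum size of the PowerShell Operational channel.
# The channel name itself contains a forward slash; Get-WinEvent reports the
# MaxSize that is in force regardless of how the registry item was created.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational'
$results += [pscustomobject]@{
    Check  = 'PowerShell Operational MaxSize >= 153616384'
    Actual = $log.MaximumSizeInBytes
    Pass   = ($log.MaximumSizeInBytes -ge 153616384)
}

$results | Format-Table -AutoSize
# Non-zero exit lets a deployment tool flag servers that still need attention.
if ($results.Pass -contains $false) { exit 1 }
```

A FAIL on a domain-joined server usually means a GPO is overriding the local setting, which is the case the note above the steps describes.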
