# Windows Event Logs

Windows Event Logs are the structured records generated by Windows servers and workstations covering authentication, process activity, system changes, and audit policy events. Connecting Windows Event Logs forwards these events to Radiant Security through a Radiant Agent.

{% hint style="info" %}
To send Radiant a Windows data feed not listed in this article, contact your Customer Success Manager at <support@radiantsecurity.ai>.
{% endhint %}

{% hint style="warning" %}
Windows servers generate events but not alerts. If you have not connected an alert source yet, onboard one so Radiant can triage alerts in context with the event logs collected from your Windows servers.
{% endhint %}

### Prerequisites

* [ ] Local Administrator access on each Windows server or workstation, or equivalent Group Policy edit rights
* [ ] A deployed [Radiant Agent](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/install-the-radiant-security-agent) in the same network zone as the Windows servers

### Add the data connector in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **Radiant Agent**, then click **Data Feeds**.
4. Under **Select your data feeds**, select the Windows event data feeds to forward to Radiant, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for the Radiant Agent integration (e.g., `Radiant Agent Integration`). To reuse an existing Radiant Agent credential, select it from the drop-down menu.
6. In the **Connector tag** field, optionally enter any value.
7. Click **Add Connector**.

### Configure Windows event forwarding

Each Windows server or workstation must be configured to generate the necessary audit events before the Radiant Agent can forward them. Apply the policy changes below on each system. If your organization manages security settings through Group Policy Objects (GPO), apply the same changes within the GPO to keep settings consistent across all systems and prevent domain policies from overwriting local settings.

1. Open the Local Security Policy: press `Win + R`, then enter `secpol.msc`.
2. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Audit Policy**, then enable both **Success** and **Failure** for the following policies:
   * **Audit account logon events**
   * **Audit account management**
   * **Audit logon events**
   * **Audit privilege use**
   * **Audit process tracking**
   * **Audit policy change**
3. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies**, then configure the following:
   * Under **Detailed Tracking**, set **Audit Process Creation** to **Success** and **Failure**.
   * Under **Object Access**, set **Audit File System** to **Success** and **Failure**.
   * Under **Object Access**, set **Audit Registry** to **Success** and **Failure**.
4. Enable Windows PowerShell logging. Navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows PowerShell**, then configure the following:
   * Under **Module Logging**, set to **Enabled** and enter `*` in the **Module Names** field to audit all modules.
   * Set **PowerShell Script Block Logging** to **Enabled**.
5. Cap the PowerShell script log size at 150 MB. Navigate to **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry**, then add a new registry item (**New** > **Registry Item**) with the following values:
   * **Hive**: `HKEY_LOCAL_MACHINE`
   * **Key Path**: `SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell\Operational`
   * **Value Name**: `MaxSize`
   * **Value Type**: `REG_DWORD`
   * **Value Data**: `153616384`
   * **Base**: `Decimal`
6. Click **Apply**.
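The script below is an added example, not part of the Radiant documentation, that applies the same settings as steps 2 through 5 from an elevated PowerShell session using `auditpol.exe`, the registry, and `wevtutil.exe` instead of the Local Security Policy console. It assumes the host is not GPO-managed (on a GPO-managed host, make the same changes in the GPO instead, because a local change is overwritten at the next policy refresh) and that the Group Policy setting "Audit: Force audit policy subcategory settings to override audit policy category settings" is at its default of enabled, so the subcategory settings in step 3 take precedence over the legacy categories in step 2.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Radiant documentation). Applies the audit and
# PowerShell logging settings from the article on the local machine.
$ErrorActionPreference = 'Stop'

# Step 2: legacy audit policy categories, Success and Failure
$categories = @(
    'Account Logon',      # Audit account logon events
    'Account Management', # Audit account management
    'Logon/Logoff',       # Audit logon events
    'Privilege Use',      # Audit privilege use
    'Detailed Tracking',  # Audit process tracking
    'Policy Change'       # Audit policy change
)
foreach ($category in $categories) {
    auditpol.exe /set /category:"$category" /success:enable /failure:enable | Out-Null
}

# Step 3: advanced audit policy subcategories, Success and Failure
$subcategories = @('Process Creation', 'File System', 'Registry')
foreach ($subcategory in $subcategories) {
    auditpol.exe /set /subcategory:"$subcategory" /success:enable /failure:enable | Out-Null
}

# Step 4: the registry values written by the "Turn on Module Logging" and
# "Turn on PowerShell Script Block Logging" Administrative Template settings.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' `
    -Value 1 -PropertyType DWord -Force | Out-Null
# A value named "*" with data "*" is how the template records "audit all modules".
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' `
    -Value '*' -PropertyType String -Force | Out-Null
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' `
    -Value 1 -PropertyType DWord -Force | Out-Null

# Step 5: cap the PowerShell Operational channel. wevtutil writes the same MaxSize
# value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
# Microsoft-Windows-PowerShell\Operational that the registry item in the article
# sets, and the Event Log service applies it immediately.
$maxSizeBytes = 153616384
wevtutil.exe sl 'Microsoft-Windows-PowerShell/Operational' /ms:$maxSizeBytes

# Verify the effective state rather than trusting the writes succeeded.
foreach ($subcategory in $subcategories) {
    auditpol.exe /get /subcategory:"$subcategory"
}
Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational' |
    Select-Object LogName, IsEnabled, MaximumSizeInBytes
Get-ItemProperty -Path "$psPolicy\ModuleLogging", "$psPolicy\ScriptBlockLogging" |
    Select-Object PSChildName, EnableModuleLogging, EnableScriptBlockLogging
```

`auditpol /get` reports the policy Windows is actually enforcing, which is the value to check when a domain GPO and a local setting disagree. The `MaximumSizeInBytes` reported by `Get-WinEvent -ListLog` should match the article's value once the channel has been updated.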

### Verify ingestion

After the Radiant Agent begins forwarding, confirm events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by the `rs_connectorType` for each data feed you enabled:

<table><thead><tr><th width="265.82421875">Data feed</th><th>Filter</th></tr></thead><tbody><tr><td>Microsoft Windows Application Events</td><td><code>rs_connectorType:"microsoft_windows_application"</code></td></tr><tr><td>Microsoft DHCP Events</td><td><code>rs_connectorType:"microsoft_dhcp"</code></td></tr><tr><td>Microsoft DNS Events</td><td><code>rs_connectorType:"microsoft_dns"</code></td></tr><tr><td>Microsoft Windows Forwarded Events</td><td><code>rs_connectorType:"microsoft_windows_forwarded_events"</code></td></tr><tr><td>Microsoft Windows IIS Events</td><td><code>rs_connectorType:"microsoft_windows_iis"</code></td></tr><tr><td>Microsoft Windows Security Events</td><td><code>rs_connectorType:"microsoft_windows_security"</code></td></tr><tr><td>Microsoft Windows Setup Events</td><td><code>rs_connectorType:"microsoft_windows_setup"</code></td></tr><tr><td>Microsoft Windows System Events</td><td><code>rs_connectorType:"microsoft_windows_system"</code></td></tr></tbody></table>

3. Confirm recent events appear for each enabled feed.

{% hint style="info" %}
Allow several minutes for events to be parsed, indexed, and available for search.
{% endhint %}
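If a feed shows no events in Log Management, the first question is whether the host is writing those events at all or whether the problem is between the agent and Radiant. The script below is an added example, not part of the Radiant documentation, that checks the local event logs for the event types the audit settings above are meant to produce. The event IDs are the standard Windows ones (4688 process creation, 4663 file system access, 4657 registry value change, 4719 audit policy change, 4103 PowerShell module logging, 4104 script block logging); the 15-minute look-back window and the function name `Test-LocalAuditEvents` are this example's own choices.

```powershell
# Added example (not from the Radiant documentation). Reports, per expected event
# type, whether the local host has written at least one such event recently.
function Test-LocalAuditEvents {
    param(
        # Assumption: 15 minutes is long enough for normal activity to appear.
        [int]$LookBackMinutes = 15
    )
    $since = (Get-Date).AddMinutes(-$LookBackMinutes)
    $psLog = 'Microsoft-Windows-PowerShell/Operational'
    $checks = @(
        @{ Name = 'Process creation';          LogName = 'Security'; Id = 4688 },
        @{ Name = 'File system access';        LogName = 'Security'; Id = 4663 },
        @{ Name = 'Registry value change';     LogName = 'Security'; Id = 4657 },
        @{ Name = 'Audit policy change';       LogName = 'Security'; Id = 4719 },
        @{ Name = 'PowerShell module logging'; LogName = $psLog;     Id = 4103 },
        @{ Name = 'PowerShell script block';   LogName = $psLog;     Id = 4104 }
    )
    foreach ($check in $checks) {
        # Get-WinEvent raises a non-terminating error when nothing matches;
        # SilentlyContinue turns that into $null, which we report as "not found".
        $newest = Get-WinEvent -FilterHashtable @{
            LogName   = $check.LogName
            Id        = $check.Id
            StartTime = $since
        } -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check   = $check.Name
            EventId = $check.Id
            Log     = $check.LogName
            Found   = [bool]$newest
            Newest  = if ($newest) { $newest.TimeCreated } else { $null }
        }
    }
}

# Run from an elevated session: the Security log is not readable otherwise.
Test-LocalAuditEvents | Format-Table -AutoSize
```

Two results need interpretation. A missing 4663 or 4657 is expected when no file or registry key carries a system access control list (SACL): "Audit File System" and "Audit Registry" only produce events for objects that have one. A missing 4104 while this script ran means script block logging is not in effect, since running the script itself should generate one. If the Security-log checks pass locally but the `microsoft_windows_security` filter in Log Management stays empty, the gap is in agent forwarding rather than in audit policy.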
