Windows Event Logs

Configure Windows on-premises servers to forward security events to Radiant.

In this guide, you will send Windows Event logs to Radiant Security through an intermediary agent, which adds a layer of security between your servers and Radiant.

Note: If you’d like to send Radiant a data feed that isn’t listed below, please contact your Customer Success Manager at [email protected]

Prerequisites

Supported data feeds

The following types of data feeds are supported for event collection:

  • DHCP Events

  • DNS Events

  • Windows Application Events

  • Windows Forwarded Events

  • Windows Security Events

  • Windows Setup Events

  • Windows System Events

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  3. Search for and select the Windows Agent option and then click Data Feeds.

  4. Select the Data Feeds you have, then click Credentials.

  5. Under Credential Name, give the credential an identifiable name (e.g. Windows Agent Credentials).

  6. In the Connector tag field, optionally enter any value.

  7. Click Add Connector.

Configure Windows Events forwarding

We will provide you with an installation package to deploy on all Windows servers you want to monitor.

For monitoring to work, each server must be configured to generate the necessary security logs. Follow the steps below to adjust the Local Security Policy and make sure all required events are being recorded.

Note: If your organization manages security settings through Group Policy Objects (GPO), apply these same changes within the GPO instead. This ensures consistency across all systems and prevents domain policies from overwriting local settings.

Steps (to be done on each Windows server or workstation):

  1. Open the Local Security Policy with Win + R and type secpol.msc

  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy and set the following:

    • On Audit account logon events enable Success and Failure

    • On Audit account management enable Success and Failure

    • On Audit logon events enable Success and Failure

    • On Audit privilege use enable Success and Failure

    • On Audit process tracking enable Success and Failure

    • On Audit policy change enable Success and Failure

  3. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies and set the following:

    • Under Detailed Tracking, set Audit Process Creation to both Success and Failure

    • Under Object Access, set the following:

      • Set Audit File System to Success and Failure

      • Set Audit Registry to Success and Failure

  4. Now, to enable the Windows PowerShell logging, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

    • Under Module Logging:

      • Set to Enabled

      • In Module Names enter * as the value to audit all modules

    • Set PowerShell Script Block Logging to Enabled

  5. Navigate to Computer Configuration > Preferences > Windows Settings > Registry

Note: This setting limits the size of the PowerShell script log capture to a maximum of about 150 MB.

  1. Add new registry key (New > Registry Item).

  2. Enter the following details:

    • Hive == HKEY_LOCAL_MACHINE

    • Key Path == SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell\Operational

    • Value Name == MaxSize

    • Value Type == REG_DWORD

    • Value Data == 153616384

    • Set as Decimal

  3. Click Apply.
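Once steps 2 to 5 have been applied (locally or through a GPO), it is worth confirming on each server that the effective settings match what the guide requires, since a domain policy can silently override a local change. The script below is an added example and is not part of the Radiant Security guide or its installation package. It reads the effective audit policy with auditpol, checks the PowerShell logging policy registry keys, and compares the Operational channel's MaxSize with the value given above. It assumes the English category and subcategory names that auditpol prints, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example, not Radiant Security's own code: verify the logging settings
# described in the guide are in effect on this machine. Run elevated.
# Assumption: English auditpol category/subcategory names; the expected
# channel size (153616384 bytes) is the value the guide specifies.

$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[string]

# --- Steps 2 and 3: effective audit policy (local policy merged with GPO) ---
# The legacy "Audit ... events" settings cover whole categories, so every
# subcategory in these categories should report "Success and Failure".
$categories = 'Account Logon', 'Account Management', 'Logon/Logoff',
              'Privilege Use', 'Detailed Tracking', 'Policy Change'
foreach ($cat in $categories) {
    # /r prints CSV: Machine Name, Policy Target, Subcategory, GUID, Inclusion Setting, ...
    $rows = auditpol /get /category:"$cat" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ($row.'Inclusion Setting' -ne 'Success and Failure') {
            $findings.Add("Audit: $cat / $($row.Subcategory) is '$($row.'Inclusion Setting')'")
        }
    }
}
# Object Access: the guide only requires File System and Registry.
foreach ($sub in 'File System', 'Registry') {
    $rows = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ($row.'Inclusion Setting' -ne 'Success and Failure') {
            $findings.Add("Audit: Object Access / $sub is '$($row.'Inclusion Setting')'")
        }
    }
}

# --- Step 4: PowerShell module and script block logging (policy registry keys) ---
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$moduleLogging = Get-ItemProperty -Path "$psPolicy\ModuleLogging" -ErrorAction SilentlyContinue
if ($moduleLogging.EnableModuleLogging -ne 1) {
    $findings.Add('PowerShell: Module Logging is not enabled')
}
# "Module Names" is stored as a value named "*" with data "*" when all modules are audited.
$moduleNames = Get-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
if ($moduleNames.'*' -ne '*') {
    $findings.Add('PowerShell: Module Names does not contain "*" (all modules)')
}
$sbl = Get-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue
if ($sbl.EnableScriptBlockLogging -ne 1) {
    $findings.Add('PowerShell: Script Block Logging is not enabled')
}

# --- Step 5: size cap on the PowerShell Operational channel ---
$channelKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell\Operational'
$expectedMaxSize = 153616384   # value from the guide (a multiple of 64 KiB)
$channel = Get-ItemProperty -Path $channelKey -ErrorAction SilentlyContinue
if ($channel.MaxSize -ne $expectedMaxSize) {
    $findings.Add("Channel: registry MaxSize is '$($channel.MaxSize)', expected $expectedMaxSize")
}
# Cross-check what the event log service has actually applied.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational'
if (-not $log.IsEnabled) {
    $findings.Add('Channel: Microsoft-Windows-PowerShell/Operational log is disabled')
}
if ($log.MaximumSizeInBytes -ne $expectedMaxSize) {
    $findings.Add("Channel: effective maximum size is $($log.MaximumSizeInBytes) bytes (policy may not have refreshed yet)")
}

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Output 'All logging settings from the guide are in effect.'
} else {
    $findings | ForEach-Object { Write-Output "MISSING: $_" }
}
```

Run it after a `gpupdate /force` on GPO-managed hosts; a non-empty list of MISSING lines points at the exact category, policy key or channel that still needs attention before the agent is deployed.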
