Documentation forSecurity Event Manager

Configure the Windows audit policy for use with SEM

The Windows audit policy determines the verbosity (or the amount of data) that Windows Security logs on domain controllers and other computers in the domain.

See the Microsoft Technical Documentation website for details about Windows Audit Policy Definitions. These definitions are effective from both a best-practice and compliance standpoint, and are based on customer experience and recommendations from Microsoft.

See Audit Policies and Best Practices for SEM in the SolarWinds Success Center for more information.


Using the Windows Audit Policy with SEM requires:

  • Windows Server 2008 SR or higher
  • Permissions to change the Windows Audit Policy at the domain controller and domain level
  • SolarWinds SEM installation

Windows Audit Policy

The following events and descriptions are adapted from information available on the Microsoft Learn website. You can query relevant articles on Microsoft Learn by searching for audit policy best practice.

Event Description
Audit account logon events Represents user log on or log off instances on a computer logging those events. These events are specifically related to domain logon events and logged in the security log for the related domain controller.
Audit account management The change management events on a computer. These events include all changes made to users, groups and machines.
Audit logon events Represents user log on or log off instances from a computer logging those events. These events are logged in the security log of the local computer onto which the user is logging, even when the user is logging onto the domain using their local computer.
Audit object access Track users accessing objects with their own system access control lists. These objects include files, folders and printers.
Audit policy change Represents instances where local or group policy changed. These changes include user rights assignments, audit policies and trust policies.
Audit privilege use Track users accessing objects based on their privilege level. These objects include files, folders and printers, or any object with its own system access control list defined.
Audit process tracking Logs all instances of process, service, and program starts and stops. This can be useful to track both wanted and unwanted processes, such as AV services and malicious programs.
Audit system events Includes start up and shut down events on the computer logging them, along with events that affect the system’s security. These are operating system events and are only logged locally.

Best practice

The Windows audit policy is defined locally for each computer. SolarWinds recommends using group policy to manage the audit policy at both the domain controller and domain levels.

Set the Windows audit policy

Use the Group Policy Object Editor to set your Windows audit policy settings on desktop systems running at least Windows 8 and servers running at least Windows Server 2008 R2.

See the SEM System Requirements for a list of all supported Windows and Windows Server operating systems.

The following procedure applies to setting up sub-category-level auditing.

  1. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Audit > Force Audit Policy Subcategory Settings, and then select enabled.
  2. Change or set the policies in Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    When enabling the Force Audit Policy Subcategory option, set the subcategory auditing to enabled and the category-level auditing will be disabled.

Default Domain Controllers Policy

Select Success and Failure for all policies except:

  • Audit object access
  • Audit privilege use

Default Domain Policy

The Default Domain Policy applies to all computers on your domain except your domain controllers. For this policy, select Success and Failure for:

  • Audit account logon events
  • Audit account management
  • Audit logon events
  • Audit policy change
  • Audit system events

You can also select Success and Failure for audit process tracking critical processes (such as the AV service) or unauthorized programs (such as games or malicious executable files).

Enabling auditing at the audit level increases the number of events in the system logs. As a result, your SEM database will quickly expand as it collects these logs.

Similarly, there could be bandwidth implications as well. This is dependent upon your network traffic volume and bandwidth capacity. Since Agent traffic is transmitted to the Manager as a real-time trickle of data, bandwidth impact is minimal.

SolarWinds recommends meeting PCI Auditing. However, this may be applicable to other auditing as well.

Category or Subcategory Setting
Security System Extension No Auditing
System Integrity Success and Failure
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change Success and Failure
Logon Success and Failure
Logoff Success and Failure
Account Lockout Success and Failure
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success and Failure
Other Logon/Logoff Events Success and Failure
Network Policy Server No Auditing
Object access
File System Success and Failure
Registry Success and Failure
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share Success and Failure
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use Failure
Non-Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change Success and Failure
Authentication Policy Change Success and Failure
Authorization Policy Change Success and Failure
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events Success and Failure
Account Management
User Account Management Success and Failure
Computer Account Management Success and Failure
Security Group Management Success and Failure
Distribution Group Management Success and Failure
Application Group Management Success and Failure
Other Account Management Events Success and Failure
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access Failure
Account Logon
Kerberos Service Ticket Operations Success and Failure
Other Account Logon Events Success and Failure
Kerberos Authentication Service Success and Failure
Credential Validation Success and Failure