How to enable windows security event logs in json format using Auditpol

  audit, security, windows

We are looking to enable security event logging for our Windows based servers using the Auditpol tool. If possible, we would like them to be logged in JSON format. We tried enabling the logs using the commands below, but the output is not formatted in JSON or any other structured format:

auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:disable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:disable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:disable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

Is there a way to set the formatting of the logs using Auditpol.exe?

Source: Windows Questions
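Auditpol configures which subcategories the Security log records; it has no say in how the records are stored, which is always EVTX. The usual way to get the JSON the question asks for is to export the records afterwards, as in this added PowerShell example (not code from the post or from Microsoft); the output path and the chosen event IDs are assumptions you can change.

```powershell
# Added example, not part of the original question. auditpol only sets the
# audit policy; the events it produces land in the Security log as EVTX.
# This script reads those records with Get-WinEvent and writes each one as a
# JSON line (NDJSON), the shape most log shippers and SIEMs ingest directly.
# Assumptions: run elevated (reading the Security log needs administrator
# rights); the output path and the event IDs below are placeholders.

function Convert-SecurityEventToJsonLine {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)

    # EventData fields (SubjectUserName, NewProcessName, ...) are only
    # exposed through the XML rendering, so parse it and flatten the
    # <Data Name="..."> elements into one object.
    [xml]$xml = $Event.ToXml()
    $data = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }

    $record = [ordered]@{
        TimeCreated = $Event.TimeCreated.ToUniversalTime().ToString('o')
        EventID     = $Event.Id
        Computer    = $Event.MachineName
        Channel     = $Event.LogName
        Task        = $Event.TaskDisplayName              # e.g. "Process Creation"
        Keywords    = ($Event.KeywordsDisplayNames -join ',')  # Audit Success / Audit Failure
        EventData   = $data
    }
    return ($record | ConvertTo-Json -Compress -Depth 4)
}

# Export the latest 100 logon (4624/4625) and process-creation (4688) events.
# These IDs come from the "Logon" and "Process Creation" subcategories the
# question enables; confirm the policy is active first with:
#   auditpol /get /subcategory:"Process Creation"
$filter  = @{ LogName = 'Security'; Id = 4624, 4625, 4688 }
$outFile = 'C:\Logs\security-events.ndjson'   # placeholder path

Get-WinEvent -FilterHashtable $filter -MaxEvents 100 -ErrorAction Stop |
    ForEach-Object { Convert-SecurityEventToJsonLine -Event $_ } |
    Set-Content -Path $outFile -Encoding UTF8
```

Each output line is one self-contained JSON object, so a shipper can forward the file as-is and a SIEM can index the EventData keys without further parsing.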
