Audit Policy Settings
Audit Policy Settings overview
System event logs are important part of RdpGuard detection engines, it is strongly recommended to
enable audit for successful and failed logon events.
The following engines depend on audit of failed logon events:
The following features depend on audit of successful logon events:
Please check out instructions below to learn more on adjusting audit settings
Configure Audit Policy Settings via Local Security Policy
1. Open the Local Security Policy editor by typing secpol.msc in the Run dialog box
(press the Windows key + R to open the Run dialog box).
You can open the Local Security Policy editor by entering "secpol.msc" into the Run dialog box.
The Local Security Policy snap-in will open:
Local Security Policy snap-in
2. In the left pane of the Local Security Policy editor, navigate to
Security Settings, Advanced Audit Policy Configuration, Audit Policies, Logon/Logoff.
3. In the right pane of the Local Security Policy editor, double-click Audit Logon
The Audit logon Properties dialog will open:
The Audit logon Properties dialog.
4. Check the Success and Failure boxes
under Audit these attempts
5. Click OK to save the changes.
The Audit Policy should look like below:
Configured Audit Policy
Configure Audit Policy Settings via CLI using AuditPol
1. Start Command Prompt (cmd.exe) as Administrator
2. Type the following command and press Enter
auditpol /set /subcategory:Logon /success:enable /failure:enable
3. You should see the following message:
The command was successfully executed.
How to Enable Audit for Failed and Successful Logon events