
Practical Lab – Audit Configuration & Log Review

Objectives 

  • Review and configure local auditing policies 
  • Enable or confirm logging mechanisms 
  • Analyze security-relevant logs 
  • Compare auditing mechanisms across Windows, Linux, and macOS 

Section 1: Windows – Local Audit Policies & Logs

Tools:

  • PowerShell 
  • Event Viewer 
  • Local Security Policy 

Step-by-Step

  1. View Local Audit Policy Settings
     PowerShell:
       AuditPol /get /category:*
  2. Enable Basic Audit Policies (if not already enabled)
     PowerShell (run from an elevated prompt; auditpol /set needs administrator rights):
       AuditPol /set /subcategory:"Logon" /success:enable /failure:enable
       AuditPol /set /category:"Object Access" /success:enable /failure:enable
     Note: "Logon" is a subcategory (under Logon/Logoff), but "Object Access" is a category, so auditpol rejects it after /subcategory; setting it with /category turns on all of its subcategories, File System included.
  3. Review Security Logs
     • Open Event Viewer → Windows Logs → Security
     • Look for event ID 4624 (Logon Success) or 4625 (Logon Failure)
  4. Alternative using PowerShell
     PowerShell (reading the Security log also needs an elevated prompt):
       Get-EventLog -LogName Security -Newest 20
     If this fails (Get-EventLog exists only in Windows PowerShell 5.1 and is not available in PowerShell 7), use:
       Get-WinEvent -LogName Security -MaxEvents 20

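Step 4 only lists the newest 20 events; what a reviewer actually wants from the Security log is a summary of the 4624/4625 events by account and source. The script below is an added example (not part of the lab) that works on the XML `Get-WinEvent -LogName Security -FilterHashtable @{Id=4624,4625} | ForEach-Object { $_.ToXml() }` emits. The five records it contains are constructed in that shape, with the real EventData field names (TargetUserName, IpAddress, LogonType, Status, SubStatus), so it runs offline on any OS.

```python
"""Review Windows Security log logon events: 4624 (success) and 4625 (failure).

Added example, not part of the lab page. It reads the XML that
  Get-WinEvent -LogName Security -FilterHashtable @{Id=4624,4625} | ForEach-Object { $_.ToXml() }
produces; the fixture records below are constructed in that shape (real
EventData field names) so the script runs offline on any OS.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes carried in the Status/SubStatus fields of event 4625.
NTSTATUS = {
    "0xc000006d": "bad user name or password",
    "0xc000006a": "bad password",
    "0xc0000064": "user name does not exist",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}
LOGON_TYPE = {"2": "Interactive", "3": "Network", "5": "Service", "7": "Unlock",
              "10": "RemoteInteractive", "11": "CachedInteractive"}


def _fixture(event_id, when, **data):
    """Build one constructed event in the ToXml() shape (test data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_XML = [  # constructed: three bad passwords for "admin" from 10.0.0.7, then a success
    _fixture(4625, "2024-05-01T08:00:01Z", TargetUserName="admin", LogonType="3",
             IpAddress="10.0.0.7", Status="0xc000006d", SubStatus="0xc000006a"),
    _fixture(4625, "2024-05-01T08:00:03Z", TargetUserName="admin", LogonType="3",
             IpAddress="10.0.0.7", Status="0xc000006d", SubStatus="0xc000006a"),
    _fixture(4625, "2024-05-01T08:00:05Z", TargetUserName="admin", LogonType="3",
             IpAddress="10.0.0.7", Status="0xc000006d", SubStatus="0xc000006a"),
    _fixture(4625, "2024-05-01T08:02:00Z", TargetUserName="jsmith", LogonType="2",
             IpAddress="-", Status="0xc0000234", SubStatus="0x0"),
    _fixture(4624, "2024-05-01T08:00:07Z", TargetUserName="admin", LogonType="3",
             IpAddress="10.0.0.7"),
]


def parse_event(xml_text):
    """Flatten one event into a dict: id, time, plus every EventData field."""
    root = ET.fromstring(xml_text)
    ev = {"id": int(root.find("e:System/e:EventID", NS).text),
          "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime")}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def failure_reason(ev):
    """Decode why a 4625 failed: SubStatus is the specific reason when non-zero,
    otherwise Status carries it (e.g. a lockout)."""
    for code in (ev.get("SubStatus", ""), ev.get("Status", "")):
        code = code.lower()
        if code and code not in ("0x0", "0x00000000"):
            return NTSTATUS.get(code, code)
    return "unknown"


def repeated_failures(events, threshold=3):
    """(source IP, account) pairs with at least `threshold` 4625 events: the first
    thing to look for when checking a Security log for password guessing."""
    counts = Counter((e.get("IpAddress", "-"), e.get("TargetUserName", "-"))
                     for e in events if e["id"] == 4625)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def successes_after_failures(events):
    """4624 events whose (IP, account) also produced a 4625: a success that follows
    failures from the same source is what a reviewer escalates."""
    failed = {(e.get("IpAddress"), e.get("TargetUserName")) for e in events if e["id"] == 4625}
    return [(e.get("TargetUserName"), e.get("IpAddress"),
             LOGON_TYPE.get(e.get("LogonType"), e.get("LogonType")))
            for e in events
            if e["id"] == 4624 and (e.get("IpAddress"), e.get("TargetUserName")) in failed]


def review(xml_events):
    """Summarise a list of event XML strings."""
    events = [parse_event(x) for x in xml_events]
    return {
        "reasons": Counter(failure_reason(e) for e in events if e["id"] == 4625),
        "repeated": repeated_failures(events),
        "suspicious_successes": successes_after_failures(events),
    }


if __name__ == "__main__":
    for name, value in review(SAMPLE_XML).items():
        print(f"{name}: {dict(value) if isinstance(value, Counter) else value}")
```

On a real export, replace SAMPLE_XML with the list of strings PowerShell wrote to a file; the three summaries (failure reasons, repeated failures per source, and successes that followed failures) are the same questions the Event Viewer step asks, answered over the whole log instead of the last 20 entries.
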
Section 2: Kali Linux (Debian) – Auditd Configuration & Logs

Tools: 

  • auditd 
  • auditctl 
  • ausearch 
  • journalctl 

Step-by-Step

  1. Ensure auditd is Installed & Running
     bash:
       sudo apt update
       sudo apt install auditd
       sudo systemctl enable --now auditd
  2. Check Current Audit Rules
     bash:
       sudo auditctl -l
  3. Add Custom Audit Rule (e.g., monitor /etc/passwd)
     bash:
       sudo auditctl -w /etc/passwd -p wa -k passwd_watch
     (-w sets a watch on the path, -p wa records write and attribute-change access, and -k tags every matching record with a key you can search on. A rule added with auditctl is lost at reboot; to keep it, put the same line in a file under /etc/audit/rules.d/ and run augenrules --load.)
  4. Generate Activity (edit passwd)
     bash:
       sudo nano /etc/passwd
     (Save with Ctrl+O, even without changing anything, then exit with Ctrl+X: the watch fires on the write, not on merely opening the file.)
  5. View Logs
     bash:
       sudo ausearch -k passwd_watch
  6. Review General System Logs
     bash:
       journalctl -xe | grep audit

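Step 5 shows the raw output of ausearch, which is easier to read once you know how the records fit together: auditd writes one record per line to /var/log/audit/audit.log, one syscall produces several records (SYSCALL, CWD, PATH) sharing a msg=audit(TIMESTAMP:SERIAL) id, and the key from -k sits on the SYSCALL record. The script below is an added example (not part of the lab) that correlates records that way; its log lines are constructed in the audit.log format with made-up inodes, pids and addresses, so it runs offline.

```python
"""Correlate Linux audit records the way `ausearch -k passwd_watch` does.

Added example, not part of the lab page. auditd writes one record per line to
/var/log/audit/audit.log, and one event (one syscall) spans several records
(SYSCALL, CWD, PATH, ...) that share the msg=audit(TIMESTAMP:SERIAL) id. The
key set with `-k` lives on the SYSCALL record, which is why ausearch -k finds
the whole event. The log lines below are constructed in that format so the
script runs offline; field values (inodes, pids, addresses) are made up.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714550400.101:321): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0 a2=241 a3=1b6 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="nano" exe="/usr/bin/nano" subj=unconfined key="passwd_watch"
type=CWD msg=audit(1714550400.101:321): cwd="/root"
type=PATH msg=audit(1714550400.101:321): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1714550400.101:321): item=1 name="/etc/passwd" inode=1338 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1714550405.500:322): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1c0 a2=241 a3=1b6 items=1 ppid=2200 pid=2201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" subj=unconfined key="passwd_watch"
type=PATH msg=audit(1714550405.500:322): item=0 name="/etc/passwd" inode=1338 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1714550410.000:323): pid=1900 uid=0 auid=1002 ses=5 msg='op=login id=1002 exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=/dev/pts/2 res=success'
"""

# key=value pairs; values may be bare, "double-quoted" or 'single-quoted' (nested msg=).
KV = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')
AUDIT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Turn one audit.log line into a dict; timestamp and serial come from the audit id."""
    rec = {k: v.strip("\"'") for k, v in KV.findall(line)}
    ts, serial = AUDIT_ID.search(line).groups()
    rec["timestamp"], rec["serial"] = float(ts), int(serial)
    return rec


def group_events(lines):
    """Group records that share an audit id: {serial: [record, ...]}."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return events


def search_key(lines, key):
    """Offline equivalent of `ausearch -k KEY`: events whose SYSCALL record carries
    the key. auid is the user who originally logged in (it survives sudo), uid is
    the user the syscall ran as, so auid != uid points at a sudo session."""
    hits = []
    for serial, recs in sorted(group_events(lines).items()):
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sysc is None or sysc.get("key") != key:
            continue
        hits.append({
            "serial": serial,
            "auid": int(sysc["auid"]), "uid": int(sysc["uid"]),
            "exe": sysc["exe"], "success": sysc["success"] == "yes",
            "paths": [r["name"] for r in recs
                      if r["type"] == "PATH" and r.get("nametype") == "NORMAL"],
        })
    return hits


def demo():
    return search_key(SAMPLE_AUDIT_LOG.splitlines(), "passwd_watch")


if __name__ == "__main__":
    for hit in demo():
        who = f"auid={hit['auid']} uid={hit['uid']}"
        print(f"{hit['serial']}: {who} {hit['exe']} -> {hit['paths']} "
              f"{'ok' if hit['success'] else 'DENIED'}")
```

Two things worth noticing in the sample: the first event shows auid=1000 with uid=0, the signature of a user editing the file through sudo, and the second event is a denied write (success=no, exit=-13) that the watch still records, because a watch rule logs failed attempts as well as successful ones.
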
Section 3: macOS – Log Review with log show & Console

Tools:

  • Terminal (log command) 
  • Console.app (GUI) 

Step-by-Step

  1. View Recent Security Logs
     bash:
       log show --predicate 'eventMessage contains "auth"' --info --last 1h
  2. Filter for Specific Actions (e.g., sudo, ssh)
     bash:
       log show --predicate 'eventMessage contains "sudo"' --info --last 1h
  3. Use GUI
     • Open Console.app → Click "system.log" or "All Messages"
     • Use the search bar for terms like "login", "failed", "auth".

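Step 2's predicate matches any message that mentions sudo, so the next step in a review is to keep only what sudo itself logged and split those lines into who ran what, and which attempts were refused. The script below is an added example (not part of the lab). It assumes the records were exported with `log show --style ndjson --predicate 'process == "sudo"' --info --last 1h`, one JSON object per line with the fields timestamp, processImagePath and eventMessage (these field names are how I understand `log show --style ndjson` to label them; confirm on your own machine). Its records are constructed in that shape, with message texts in sudo's own log format, so it runs offline.

```python
"""Summarise sudo activity from macOS unified log output.

Added example, not part of the lab page. Assumes the records were exported with
  log show --style ndjson --predicate 'process == "sudo"' --info --last 1h > sudo.ndjson
i.e. one JSON object per line with the fields timestamp, processImagePath and
eventMessage (field names as assumed from `log show --style ndjson`; verify
locally). The records below are constructed in that shape so the script runs
offline; the message texts follow sudo's own log format.
"""
import json
import os
import re
from collections import Counter

SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2024-05-01 10:00:01.000000+0000", "processImagePath": "/usr/bin/sudo",
     "eventMessage": "    alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/nano /etc/hosts"},
    {"timestamp": "2024-05-01 10:00:05.000000+0000", "processImagePath": "/usr/bin/sudo",
     "eventMessage": "    bob : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh"},
    {"timestamp": "2024-05-01 10:00:09.000000+0000", "processImagePath": "/usr/bin/sudo",
     "eventMessage": "    bob : user NOT in sudoers ; TTY=ttys002 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh"},
    {"timestamp": "2024-05-01 10:00:12.000000+0000", "processImagePath": "/usr/libexec/securityd",
     "eventMessage": "unrelated message that happens to mention sudo"},
])

# sudo's log line: "<user> : [<failure reason> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"^\s*(?P<who>\S+) : (?:(?P<failure>.+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_ndjson(text):
    """One JSON object per non-empty line, as `log show --style ndjson` writes them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sudo_events(records):
    """Keep records written by sudo itself and split each message into fields.
    Filtering on the process rather than on the word "sudo" in the message is
    what separates real sudo activity from noise (an eventMessage-contains
    predicate matches both)."""
    events = []
    for rec in records:
        if os.path.basename(rec.get("processImagePath", "")) != "sudo":
            continue
        m = SUDO_LINE.match(rec.get("eventMessage", ""))
        if m:
            events.append({"time": rec.get("timestamp"), **m.groupdict()})
    return events


def summarise_sudo(ndjson_text):
    """Return which commands were granted and which attempts were refused, per user."""
    ev = sudo_events(parse_ndjson(ndjson_text))
    return {
        "granted": [(e["who"], e["target"], e["cmd"]) for e in ev if e["failure"] is None],
        "denied": Counter((e["who"], e["failure"]) for e in ev if e["failure"]),
    }


if __name__ == "__main__":
    summary = summarise_sudo(SAMPLE_NDJSON)
    for who, target, cmd in summary["granted"]:
        print(f"GRANTED {who} -> {target}: {cmd}")
    for (who, why), n in summary["denied"].items():
        print(f"DENIED  {who}: {why} (x{n})")
```

Because sudo writes the same message format on Linux, the same parser works on the journalctl output from Section 2 once the lines are wrapped as JSON objects, which is one concrete way to compare the two systems' logs side by side for the learning questions below.
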
Optional Exercise Template for Students

  OS        Tool          Command Used                      Observation
  Windows   AuditPol      AuditPol /get /category:*         Default policy summary
  Windows   Event Viewer  (GUI)                             Found 4625 logon failure
  Kali      auditctl      auditctl -w /etc/passwd -p wa     Logged file access
  macOS     log           log show --predicate              Found sudo usage

Learning 

  1. What audit settings were disabled by default on each OS? 
  2. Which OS had the most verbose logs? 
  3. How can this be useful in an Incident Response scenario? 
  4. What improvements would you recommend in default audit policies?
