Configuring the Windows Audit Policy

On each machine that sends Windows Events, configure the Windows Audit Policy.

To configure the Windows Audit Policy:

  1. From the Start menu, select: Settings > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Audit Policy.
  2. Make sure that the Security Setting for the Policy Audit Logon Events is set to Failure. If not, double-click it and select Failure.
  3. Open a command prompt window and go to this path:
    C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin.

    On 64-bit computers, the path starts with C:\Program Files (x86).

  4. Run these commands:

    windowEventToCPLog -l <ipaddr>, where <ipaddr> is the IP address of the Log Server that receives the Windows Events.

    windowEventToCPLog -a <ipaddr>, where <ipaddr> is the IP address of each machine that sends Windows Events.

    windowEventToCPLog -s, where you are prompted for an administrator name and the administrator password to be registered with the windowEventToCPLog service.

    The administrator that runs the windowEventToCPLog service must have permissions to access and read logs from the IP address defined in this procedure. This is the IP address of the computer that sends Windows events.

  5. When you configure windowEventToCPLog to read Windows events from a remote machine, log in as the administrator. This makes sure that the administrator can access remote computer events.
  6. Use the Microsoft Event Viewer to read the events from the remote machine.
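
To confirm from the command line that step 2 took effect, the following check reads the effective audit setting for logon events. It is an added example, not part of the Check Point procedure, and it assumes an elevated PowerShell session, auditpol.exe (Windows Vista / Server 2008 or later) and English-language auditpol output. The function name Test-LogonFailureAudit is hypothetical.

```powershell
# Added example, not Check Point code. Assumptions: elevated session,
# auditpol.exe present, English-language output.

function Test-LogonFailureAudit {
    # Returns $true when the "Logon" audit subcategory records failed logons.
    $csv = & auditpol.exe /get /subcategory:Logon /r 2>$null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit code $LASTEXITCODE). Run from an elevated prompt."
    }

    # /r prints CSV with a header row; drop blank lines before parsing.
    $row = $csv |
        Where-Object { $_ -and $_.Trim() } |
        ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq 'Logon' } |
        Select-Object -First 1
    if (-not $row) {
        throw "No 'Logon' row found in auditpol output."
    }

    # Inclusion Setting is one of:
    #   No Auditing, Success, Failure, Success and Failure
    $setting = $row.'Inclusion Setting'
    Write-Host "Logon audit setting: $setting"
    return ($setting -match 'Failure')
}

if (Test-LogonFailureAudit) {
    Write-Host 'OK: failed logons are audited on this machine.'
} else {
    Write-Warning 'Failed logons are NOT audited. Set Audit Logon Events to Failure (step 2).'
}
```

Run it on each machine that sends Windows Events. A domain Group Policy can override the local setting, so a warning here after completing step 2 points to a policy applied from the domain.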