  • Published: August 2004





    Audit Logging


    To track changes that are made to Windows Firewall settings and to see which applications and services asked Windows XP to listen on a port, you can enable audit logging and then look for audit events in the security event log.

    To enable audit logging on a computer running Windows XP with SP2, do the following:



    1. Log on using an account that is a local administrator.

    2. From the Windows XP desktop, click Start, click Control Panel, click Performance and Maintenance, and then click Administrative Tools.

    3. In the Administrative Tools window, double-click the Local Security Policy shortcut.

    4. In the console tree of the Local Security Settings snap-in, click Local Policies, and then click Audit Policy.

    5. In the details pane of the Local Security Settings snap-in, double-click Audit policy change. Select Success and Failure, and then click OK.

    6. In the details pane of the Local Security Settings snap-in, double-click Audit process tracking. Select Success and Failure, and then click OK.

    7. Close the Local Security Settings snap-in.

    You can also enable audit logging for multiple computers in an Active Directory® directory service domain using Group Policy by modifying the Audit policy change and Audit process tracking settings at Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for the Group Policy objects in the appropriate domain system containers.

    Once audit logging is enabled, use the Event Viewer snap-in to view audit events in the security event log.

    Windows Firewall uses the following event IDs:


    • 848 - Displays the startup configuration of Windows Firewall.

    • 849 - Displays an application exception configuration.

    • 850 - Displays a port exception configuration.

    • 851 - Displays a change made to the application exceptions list.

    • 852 - Displays a change made to the port exceptions list.

    • 853 - Displays a change made to the Windows Firewall operation mode.

    • 854 - Displays a change made to Windows Firewall logging settings.

    • 855 - Displays a change made to ICMP settings.

    • 856 - Displays a change made to the Prohibit unicast response to multicast or broadcast requests setting.

    • 857 - Displays a change made to the Remote Administration setting.

    • 860 - Displays a change made to a different profile.

    • 861 - Displays an application attempting to listen for incoming traffic.
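
One way to review these events offline, shown as an added example that is not part of the original text: the sketch reads a CSV export of the security event log and separates Windows Firewall setting changes from listen attempts. The column names, the sample rows, and the grouping of IDs 851-857 and 860 as "changes" are assumptions of this example.

```python
import csv
import io
from collections import Counter

# Event IDs and meanings as listed in the text above (wording shortened).
FIREWALL_EVENTS = {
    848: "startup configuration", 849: "application exception configuration",
    850: "port exception configuration", 851: "application exceptions changed",
    852: "port exceptions changed", 853: "operation mode changed",
    854: "logging settings changed", 855: "ICMP settings changed",
    856: "unicast response setting changed",
    857: "Remote Administration setting changed",
    860: "changed to a different profile", 861: "application listen attempt",
}
CHANGE_IDS = set(range(851, 858)) | {860}  # entries the list describes as changes

# Constructed sample export. Column names and values are assumptions made
# for this example, not the output format of any particular tool.
SAMPLE_CSV = """Date,Time,EventID,User,Computer
2004-08-12,09:00:01,848,SYSTEM,WS01
2004-08-12,14:31:07,861,alice,WS01
2004-08-12,14:30:55,852,alice,WS01
2004-08-12,09:05:40,592,alice,WS01
2004-08-12,16:02:19,853,bob,WS02
2004-08-12,16:02:30,not-a-number,bob,WS02
"""

def triage(csv_text):
    """Split firewall audit events into setting changes and listen attempts."""
    counts, changes, listeners = Counter(), [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["EventID"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed row: skip it rather than abort the review
        if event_id not in FIREWALL_EVENTS:
            continue  # other security log entries are out of scope here
        counts[event_id] += 1
        entry = (f'{row["Date"]} {row["Time"]}', row["Computer"], row["User"],
                 event_id, FIREWALL_EVENTS[event_id])
        if event_id in CHANGE_IDS:
            changes.append(entry)
        elif event_id == 861:
            listeners.append(entry)
    return counts, sorted(changes), sorted(listeners)

if __name__ == "__main__":
    for group in triage(SAMPLE_CSV)[1:]:
        print(*group, sep="\n")
```

Reviewing the change list next to the listen attempts makes it easier to see whether a port or application exception was added shortly before a program began listening.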


