DEV.co
Open-Source Observability · Yamato-Security

EnableWindowsLogSettings

EnableWindowsLogSettings is a documentation and batch script repository for configuring Windows event logging to support DFIR, threat hunting, and Sigma detection rules. It addresses the limitation that default Windows logging captures only ~10-20% of available Sigma rules by providing configuration guidance and automation scripts.

Source: GitHub — github.com/Yamato-Security/EnableWindowsLogSettings
707
GitHub stars
66
Forks
Batchfile
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryYamato-Security/EnableWindowsLogSettings
OwnerYamato-Security
Primary languageBatchfile
LicenseGPL-3.0 — OSI-approved
Stars707
Forks66
Open issues3
Latest releaseUnknown
Last updated2025-10-03
Sourcehttps://github.com/Yamato-Security/EnableWindowsLogSettings

What EnableWindowsLogSettings is

The project provides batch scripts, PowerShell examples, and Group Policy references to enable comprehensive Windows event logging across Security, PowerShell (module/script block), Sysmon, System, Application, and specialty logs; it increases log retention sizes (default 1–20 MB) and configures audit policies to maximize Sigma rule coverage (claimed ~75% with full configuration).

Quickstart

Get the EnableWindowsLogSettings source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Yamato-Security/EnableWindowsLogSettings.gitcd EnableWindowsLogSettings# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

DFIR incident response preparation

Pre-configure Windows endpoints with enhanced logging so forensic artifacts are retained and available during post-incident analysis, reducing evidence loss from log rotation.

Sigma-based threat hunting

Enable the specific event log sources and audit policies needed for Hayabusa and other Sigma rule engines to detect threats, moving from 10-20% rule coverage to ~75%.

Enterprise endpoint hardening

Use the configuration guides and Group Policy references as a baseline to roll out consistent, auditable logging across large networks via centralized policy management.

Implementation considerations

  • Scripts and configurations must be tested on non-production systems that mirror your environment for at least one week to assess log volume, storage impact, and alert noise before production deployment.
  • Customization is mandatory: the provided batch script includes placeholders and warnings to adjust log sizes, retention policies, and enabled audits based on organizational risk and storage capacity.
  • Group Policy or InTune integration is recommended for enterprises; the scripts provide examples but administrators must adapt them to their management infrastructure.
  • Installation of Sysmon is strongly recommended to unlock ~1,382 Sigma rules; without it, Sigma rule coverage plateaus around ~75% with native Windows logging alone.
  • Monitor system performance and disk I/O during the initial rollout; excessive logging can degrade endpoint responsiveness, especially on resource-constrained machines.

When to avoid it — and what to weigh

  • Need production-grade change management — The scripts are provided as templates requiring customization and testing; they lack built-in rollback, version tracking, or compliance frameworks for regulated environments.
  • Deploying without testing on non-production systems — Documentation explicitly warns that log volume and system overhead vary by environment; untested rollout may cause performance issues or excessive storage use.
  • Require centralized log ingestion integration out-of-box — This project only configures local event logs; it does not provision log forwarding, SIEM integration, or log aggregation—these must be implemented separately.
  • Operating non-Windows environments or Sysmon-free deployments — Sysmon installation is recommended for full coverage; without it or on non-Windows systems, the configuration guidance is inapplicable.

License & commercial use

GPL-3.0 (GNU General Public License v3.0): copyleft license requiring that derivative works and distributed modifications remain under GPL-3.0.

GPL-3.0 is a copyleft license. Batch scripts and documentation may be used internally and for non-commercial DFIR/threat hunting. Any commercial product or service incorporating or derived from this code must open-source modifications under GPL-3.0 and provide source code to users. Requires legal review before commercial deployment or product integration.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Increasing log volume raises storage and I/O overhead; misconfiguration can degrade endpoint performance or create excessive noise, hindering real alerts. Logs contain sensitive data (commands, authentication events); implement appropriate access controls and retention policies. No security audit or vulnerability disclosure process documented. Scripts should be reviewed before deployment.

Alternatives to consider

WELA (Windows Event Log Auditor)

Also by Yamato Security; provides auditing and validation of log settings rather than scripted configuration, useful for compliance checking and drift detection.

Microsoft Defender for Endpoint / Windows Event Forwarding

Centralized Microsoft solutions for log aggregation and endpoint monitoring; tighter OS integration and commercial support, but requiring licensing and cloud/hybrid infrastructure.

osquery or Kolide Fleet

Cross-platform log and system query frameworks with more flexible deployment and integration options; requires different tooling but may fit hybrid or non-Windows-centric environments.

Software development agency

Build on EnableWindowsLogSettings with DEV.co software developers

Review the EnableWindowsLogSettings documentation, test the configuration scripts in your lab environment, and integrate Hayabusa for Sigma-based threat detection. Contact your security team to plan a phased rollout.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

EnableWindowsLogSettings FAQ

Can I use this in a production environment immediately?
No. Documentation explicitly warns to customize scripts, test on non-production systems for at least a week, and confirm no adverse performance or excessive noise before rolling out. The scripts are templates, not ready-to-deploy solutions.
Does this replace SIEM or centralized log forwarding?
No. This configures local Windows event logs only. You must separately implement log forwarding (Windows Event Forwarding, Splunk, etc.) and SIEM ingestion.
What is the relationship between EnableWindowsLogSettings and Hayabusa?
EnableWindowsLogSettings configures the event logs on endpoints; Hayabusa is a separate tool for parsing and threat-hunting against those logs using Sigma rules. They are complementary but independent.
Is Sysmon installation required?
No, but strongly recommended. With native Windows logging alone, you can achieve ~75% Sigma rule coverage. Sysmon unlocks an additional ~1,382 rules for process creation and system activity detection.

Custom software development services

From first prototype to production, DEV.co delivers software development services around tools like EnableWindowsLogSettings. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source observability and beyond.

Strengthen Your Windows Logging Posture

Review the EnableWindowsLogSettings documentation, test the configuration scripts in your lab environment, and integrate Hayabusa for Sigma-based threat detection. Contact your security team to plan a phased rollout.