EnableWindowsLogSettings
EnableWindowsLogSettings is a documentation and batch script repository for configuring Windows event logging to support DFIR, threat hunting, and Sigma detection rules. It addresses the limitation that default Windows logging captures only ~10-20% of available Sigma rules by providing configuration guidance and automation scripts.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | Yamato-Security/EnableWindowsLogSettings |
| Owner | Yamato-Security |
| Primary language | Batchfile |
| License | GPL-3.0 — OSI-approved |
| Stars | 707 |
| Forks | 66 |
| Open issues | 3 |
| Latest release | Unknown |
| Last updated | 2025-10-03 |
| Source | https://github.com/Yamato-Security/EnableWindowsLogSettings |
What EnableWindowsLogSettings is
The project provides batch scripts, PowerShell examples, and Group Policy references to enable comprehensive Windows event logging across Security, PowerShell (module/script block), Sysmon, System, Application, and specialty logs; it increases log retention sizes (default 1–20 MB) and configures audit policies to maximize Sigma rule coverage (claimed ~75% with full configuration).
Get the EnableWindowsLogSettings source
Clone the repository and explore it locally.
git clone https://github.com/Yamato-Security/EnableWindowsLogSettings.gitcd EnableWindowsLogSettings# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Scripts and configurations must be tested on non-production systems that mirror your environment for at least one week to assess log volume, storage impact, and alert noise before production deployment.
- Customization is mandatory: the provided batch script includes placeholders and warnings to adjust log sizes, retention policies, and enabled audits based on organizational risk and storage capacity.
- Group Policy or InTune integration is recommended for enterprises; the scripts provide examples but administrators must adapt them to their management infrastructure.
- Installation of Sysmon is strongly recommended to unlock ~1,382 Sigma rules; without it, Sigma rule coverage plateaus around ~75% with native Windows logging alone.
- Monitor system performance and disk I/O during the initial rollout; excessive logging can degrade endpoint responsiveness, especially on resource-constrained machines.
When to avoid it — and what to weigh
- Need production-grade change management — The scripts are provided as templates requiring customization and testing; they lack built-in rollback, version tracking, or compliance frameworks for regulated environments.
- Deploying without testing on non-production systems — Documentation explicitly warns that log volume and system overhead vary by environment; untested rollout may cause performance issues or excessive storage use.
- Require centralized log ingestion integration out-of-box — This project only configures local event logs; it does not provision log forwarding, SIEM integration, or log aggregation—these must be implemented separately.
- Operating non-Windows environments or Sysmon-free deployments — Sysmon installation is recommended for full coverage; without it or on non-Windows systems, the configuration guidance is inapplicable.
License & commercial use
GPL-3.0 (GNU General Public License v3.0): copyleft license requiring that derivative works and distributed modifications remain under GPL-3.0.
GPL-3.0 is a copyleft license. Batch scripts and documentation may be used internally and for non-commercial DFIR/threat hunting. Any commercial product or service incorporating or derived from this code must open-source modifications under GPL-3.0 and provide source code to users. Requires legal review before commercial deployment or product integration.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
Increasing log volume raises storage and I/O overhead; misconfiguration can degrade endpoint performance or create excessive noise, hindering real alerts. Logs contain sensitive data (commands, authentication events); implement appropriate access controls and retention policies. No security audit or vulnerability disclosure process documented. Scripts should be reviewed before deployment.
Alternatives to consider
WELA (Windows Event Log Auditor)
Also by Yamato Security; provides auditing and validation of log settings rather than scripted configuration, useful for compliance checking and drift detection.
Microsoft Defender for Endpoint / Windows Event Forwarding
Centralized Microsoft solutions for log aggregation and endpoint monitoring; tighter OS integration and commercial support, but requiring licensing and cloud/hybrid infrastructure.
osquery or Kolide Fleet
Cross-platform log and system query frameworks with more flexible deployment and integration options; requires different tooling but may fit hybrid or non-Windows-centric environments.
Build on EnableWindowsLogSettings with DEV.co software developers
Review the EnableWindowsLogSettings documentation, test the configuration scripts in your lab environment, and integrate Hayabusa for Sigma-based threat detection. Contact your security team to plan a phased rollout.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
EnableWindowsLogSettings FAQ
Can I use this in a production environment immediately?
Does this replace SIEM or centralized log forwarding?
What is the relationship between EnableWindowsLogSettings and Hayabusa?
Is Sysmon installation required?
Custom software development services
From first prototype to production, DEV.co delivers software development services around tools like EnableWindowsLogSettings. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source observability and beyond.
Strengthen Your Windows Logging Posture
Review the EnableWindowsLogSettings documentation, test the configuration scripts in your lab environment, and integrate Hayabusa for Sigma-based threat detection. Contact your security team to plan a phased rollout.