If something goes wrong on your Windows 11 computer -- a security breach, a system crash, or suspicious activity -- logs are how you figure out what happened. Without proper logging and monitoring enabled, you're flying blind. You won't know when something went wrong, how it happened, or what was affected.

This guide shows you how to enable and configure the essential Windows 11 logs so you always have visibility into what's happening on your business computers.

Why Windows 11 Logging Matters for Your Business

Logging isn't just for IT professionals troubleshooting errors. For small businesses, proper logging serves three critical purposes:

  1. Security detection -- Logs reveal unauthorized login attempts, suspicious file access, and potential malware activity before they become full-blown incidents
  2. Compliance requirements -- Many industries require audit logs as part of regulatory compliance (HIPAA, PCI DSS, SOC 2)
  3. Incident response -- When something does go wrong, logs are the forensic evidence you need to understand and recover from the event

Understanding Windows Event Viewer

Windows 11 has a built-in tool called Event Viewer that displays the logs collected by the Windows Event Log service. The service is already running on every edition of Windows 11 -- you just need to know how to open the viewer and configure what gets recorded.

How to Open Event Viewer

  1. Press Win + S and type "Event Viewer"
  2. Click Event Viewer from the search results
  3. You'll see a tree structure on the left with different log categories

The main log categories you should monitor are:

  • Windows Logs → Security -- Login attempts, permission changes, account lockouts
  • Windows Logs → System -- Hardware issues, driver problems, service failures
  • Windows Logs → Application -- Software crashes, application errors
  • Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational -- Antivirus detections, actions taken, and changes to protection settings

Enable Advanced Security Auditing

By default, Windows 11 doesn't log everything. To get meaningful security visibility, you need to enable advanced audit policies.

Step-by-Step: Enable Audit Policies

  1. Press Win + R, type secpol.msc, and press Enter to open Local Security Policy
  2. Navigate to Local Policies → Audit Policy
  3. Enable the following policies (set both Success and Failure for each):
    • Audit account logon events -- Tracks credential validation (each time a password or hash is checked against the local account database)
    • Audit logon events -- Tracks local and remote logon sessions
    • Audit account management -- Tracks user account and group creation, deletion, and changes
    • Audit object access -- Tracks file and folder access, but only for objects that carry their own audit entry (a SACL); turning on the policy alone produces no file events
    • Audit policy change -- Tracks changes to the audit and security policies themselves
    • Audit privilege use -- Tracks use of sensitive user rights such as Debug programs (noisy when Success is enabled)
  4. Double-click each policy, tick Success and/or Failure, and click OK to save

These basic categories and the Advanced Audit Policy Configuration in the next section are two views of the same settings. As soon as any advanced subcategory is configured, Windows ignores the basic category settings (the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled by default), so do not configure both: pick the advanced subcategories and set only those.

Important Note

On Windows 11 Home edition, neither secpol.msc nor gpedit.msc is available; you need Windows 11 Pro, Enterprise, or Education for the Local Security Policy and Group Policy consoles. On Home, set the same subcategories from an elevated command prompt with the built-in auditpol.exe tool, which is included in every edition and is also the easiest way to apply and verify audit settings on more than one machine.

Configure Advanced Audit Policies

For more granular control, use the Advanced Audit Policy Configuration:

  1. Open secpol.msc
  2. Navigate to Advanced Audit Policy Configuration → System Audit Policies
  3. Configure these critical subcategories (these are the settings to use; they replace the basic categories from the previous section):
    • Account Logon → Credential Validation -- Audit Success and Failure
    • Logon/Logoff → Logon -- Audit Success and Failure
    • Logon/Logoff → Logoff -- Audit Success
    • Account Management → User Account Management -- Audit Success and Failure
    • Account Management → Security Group Management -- Audit Success and Failure (needed for the group-membership events listed later in this guide)
    • Object Access → File System -- Audit Success and Failure, then add an audit entry (SACL) on each folder you care about; without a SACL this subcategory logs nothing, and with a broad SACL Success auditing can generate thousands of events an hour
    • Policy Change → Audit Policy Change -- Audit Success
    • System → Security System Extension -- Audit Success and Failure
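The two audit-policy sections above, applied from the command line instead of the console. This is an added example, not code from the original guide: it uses auditpol.exe (present on every edition, including Home), then adds a SACL to one folder so that the File System subcategory actually produces events. Run it from an elevated Windows PowerShell session; the folder path C:\Finance is an assumption and should be replaced with a folder that holds data you want watched.

```powershell
# Added example, not part of the original guide. Run elevated.
# Subcategory names are auditpol's own, and match the secpol.msc entries above.
$auditSettings = @(
    @{ Sub = 'Credential Validation';     Success = $true; Failure = $true  },
    @{ Sub = 'Logon';                     Success = $true; Failure = $true  },
    @{ Sub = 'Logoff';                    Success = $true; Failure = $false },
    @{ Sub = 'User Account Management';   Success = $true; Failure = $true  },
    @{ Sub = 'Security Group Management'; Success = $true; Failure = $true  },  # needed for 4732
    @{ Sub = 'File System';               Success = $true; Failure = $true  },  # scoped by the SACL below
    @{ Sub = 'Audit Policy Change';       Success = $true; Failure = $false },
    @{ Sub = 'Security System Extension'; Success = $true; Failure = $true  }
)

foreach ($s in $auditSettings) {
    $succ = if ($s.Success) { 'enable' } else { 'disable' }
    $fail = if ($s.Failure) { 'enable' } else { 'disable' }
    auditpol.exe /set /subcategory:"$($s.Sub)" /success:$succ /failure:$fail | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$($s.Sub)'" }
}

# Verify the effective policy: this is what Windows actually enforces,
# regardless of what the console checkboxes show.
auditpol.exe /get /category:* | Select-String -Pattern ($auditSettings.Sub -join '|')

# "Object Access -> File System" only records access to objects that carry an
# audit entry (SACL). Put one on a sensitive folder so that writes, deletes and
# permission changes by anyone are logged (events 4656/4663), inherited by
# everything beneath it.
$folder = 'C:\Finance'   # assumption: an existing folder with data worth watching
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $folder -Audit      # -Audit reads the SACL; requires admin rights
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the audit entry was written
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

The SACL is deliberately limited to change operations (write, delete, permission and ownership changes); auditing reads as well on a busy share is what turns File System auditing into noise. Run the verification line once more after a reboot or Group Policy refresh: if a domain policy defines audit settings, it will overwrite whatever auditpol set locally.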

Set Up Log Size and Retention

Windows logs have a small default maximum size (20 MB for the Security, System, and Application logs), and once a log is full, the oldest entries are overwritten. For security purposes, you want logs large enough to maintain a useful history, and you want to know when a log rolls over.

  1. In Event Viewer, right-click on Security under Windows Logs
  2. Select Properties
  3. Set Maximum log size to at least 1 GB (1,048,576 KB) for the Security log
  4. Under "When maximum event log size is reached," select "Archive the log when full, do not overwrite events". Each time the log fills, Windows saves it as Archive-Security-<timestamp>.evtx in %SystemRoot%\System32\winevt\Logs and starts a fresh log. These archives are never deleted automatically, so copy them off the machine and keep an eye on free disk space
  5. Repeat for System and Application logs (256 MB is usually sufficient for these)
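The same size and retention settings applied with wevtutil, verified through the event log API, and with the archived Security logs moved to a backup location (the off-machine copy that the "What to Do Next" section asks for). This is an added example, not the guide's own script; the backup share path is an assumption, and in practice it should be a location the workstation can write to but not delete from. Run elevated.

```powershell
# Added example, not part of the original guide. Run elevated.
$logConfig = @{
    'Security'    = 1GB
    'System'      = 256MB
    'Application' = 256MB
}

foreach ($log in $logConfig.Keys) {
    # /ms = maximum size in bytes, /rt:true = do not overwrite, /ab:true = archive when full
    wevtutil.exe sl $log /ms:$($logConfig[$log]) /rt:true /ab:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed for the $log log" }
}

# Verify: LogMode should now read AutoBackup for all three logs
Get-WinEvent -ListLog @($logConfig.Keys) |
    Select-Object LogName,
                  @{ n = 'MaxMB'; e = { [int]($_.MaximumSizeInBytes / 1MB) } },
                  LogMode, RecordCount, LastWriteTime

# Archived Security logs accumulate in winevt\Logs and are never pruned by
# Windows. Copy each one to the backup location and delete the local copy only
# after the copy has been confirmed byte-for-byte.
$archiveDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$backupDir  = Join-Path '\\fileserver\logbackup' $env:COMPUTERNAME   # assumption
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

Get-ChildItem -Path $archiveDir -Filter 'Archive-Security-*.evtx' | ForEach-Object {
    $dest = Join-Path $backupDir $_.Name
    Copy-Item -Path $_.FullName -Destination $dest
    $srcHash = (Get-FileHash -Path $_.FullName).Hash
    $dstHash = (Get-FileHash -Path $dest).Hash
    if ($srcHash -eq $dstHash) {
        Remove-Item -Path $_.FullName
    } else {
        Write-Warning "Hash mismatch for $($_.Name); local copy kept"
    }
}
```

Schedule the archive-copy part (everything after the verification) to run daily: a 1 GB Security log on a workstation rolls over rarely, but on a terminal server or a machine with File System auditing it can fill in days. The hash comparison matters because an archive that was cut short by a network hiccup opens in Event Viewer without complaint and is simply missing its tail.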

Enable PowerShell Logging

Attackers frequently use PowerShell to run malicious commands without dropping files to disk. The three policies below record what PowerShell executes: module logging (event 4103) records pipeline activity, script block logging (event 4104) records the code of each script block as it runs, including the decoded form of code that is unpacked at run time, and transcription writes a text copy of each session. The events land in Applications and Services Logs → Microsoft → Windows → PowerShell → Operational.

  1. Press Win + R, type gpedit.msc, and press Enter
  2. Navigate to Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell
  3. Enable these three policies:
    • Turn on Module Logging -- Set to Enabled, then click Show and add * to log all modules
    • Turn on PowerShell Script Block Logging -- Set to Enabled
    • Turn on PowerShell Transcription -- Set to Enabled, specify an output directory like C:\PSTranscripts, and tick "Include invocation headers" so each command in the transcript is timestamped

A transcript directory on the local disk can be emptied by the same attacker whose commands it records, so where possible point it at a network share that workstations can create files in but not delete from. These policies apply to Windows PowerShell 5.1, the version built into Windows 11; PowerShell 7, if installed, ships its own administrative templates with equivalent settings.
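The registry values behind the three policy settings above, for Home edition machines that lack gpedit.msc or for applying the setting to many PCs by script, followed by a check that script block logging is really producing events. This is an added example rather than the guide's own code; the registry paths are the ones the Windows PowerShell policy templates write, and the transcript directory is the guide's example path. Run elevated.

```powershell
# Added example, not part of the original guide. Run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging (event 4103) for every module, equivalent to adding "*" in the policy
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Script block logging (event 4104)
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null

# Transcription with invocation headers, written to the guide's example directory
$transcriptDir = 'C:\PSTranscripts'
New-Item -Path "$base\Transcription" -Force | Out-Null
New-ItemProperty -Path "$base\Transcription" -Name 'EnableTranscripting'    -Value 1 -PropertyType DWord  -Force | Out-Null
New-ItemProperty -Path "$base\Transcription" -Name 'EnableInvocationHeader' -Value 1 -PropertyType DWord  -Force | Out-Null
New-ItemProperty -Path "$base\Transcription" -Name 'OutputDirectory' -Value $transcriptDir -PropertyType String -Force | Out-Null
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

# Verification. A fresh powershell.exe process picks up the policy on start-up;
# run a harmless, recognisable script block in it and look for the matching 4104.
$marker = 'logging-check-' + (Get-Random)
powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null

$logged = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddMinutes(-5)
} | Where-Object { $_.Message -like "*$marker*" }

if ($logged) {
    $logged | Select-Object TimeCreated, Id, @{ n = 'ScriptBlock'; e = { ($_.Message -split "`r?`n")[1] } }
} else {
    Write-Warning 'No 4104 event found for the test script block; script block logging is not active'
}
```

The verification step is worth keeping as a periodic check: the registry values are a soft target, and an attacker who deletes EnableScriptBlockLogging before running their tooling leaves no 4104 trail. The Microsoft-Windows-PowerShell/Operational log itself defaults to a small size, so apply the same size and retention treatment to it as to the Security log.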

Monitor Windows Defender Logs

Microsoft Defender Antivirus (still labelled Windows Defender in Event Viewer) is the built-in antivirus, and its log tells you about threats detected, actions taken on them, scan results, and changes to its own protection settings.

  1. Open Event Viewer
  2. Navigate to Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational
  3. Key Event IDs to watch:
    • 1006 -- Malware or potentially unwanted software detected
    • 1007 -- Action taken against malware
    • 1116 -- Real-time protection detected malware
    • 1117 -- Real-time protection took action against malware
    • 5001 -- Real-time protection disabled (should alert immediately)
    • 5007 -- Defender configuration changed (watch for new exclusions being added, a common way to hide malware from scans)

Key Security Event IDs to Monitor

Not all log entries are equally important. Focus on these critical Windows Security Event IDs:

  • 4624 -- Successful logon (check the Logon Type field: 2 is interactive at the keyboard, 3 is network, 10 is Remote Desktop)
  • 4625 -- Failed logon (many failures for one account in a short time indicate a password-guessing attack; the Status and Sub Status fields say why the logon failed)
  • 4648 -- Logon attempted using explicit credentials (runas, or a tool presenting another account's password)
  • 4720 -- New user account created
  • 4722 -- User account enabled
  • 4724 -- Password reset attempted
  • 4732 -- Member added to a security-enabled local group (a new member of Administrators is the one to watch)
  • 4738 -- User account changed
  • 4740 -- User account locked out
  • 1102 -- Audit log was cleared (potential evidence tampering; the event names the account that cleared it)

Red Flag Alert

If you see Event ID 1102 (audit log cleared) and you didn't do it, treat this as a serious security incident. Attackers often clear logs to cover their tracks.

Set Up Basic Alerts with Task Scheduler

You can have Task Scheduler run something whenever a specific event is written:

  1. In Event Viewer, find the event you want to monitor
  2. Right-click the event and select "Attach Task To This Event"
  3. For the action, choose "Start a program" and point it at a script that records or sends the alert. The wizard still offers "Send an e-mail" and "Display a message", but those two actions have been deprecated since Windows 8, and tasks that use them fail to run
  4. Priority events to create alerts for:
    • Failed logins (Event 4625) -- the task fires once per event, so the script it runs has to count recent failures and alert only above a threshold
    • New user accounts created (Event 4720)
    • Audit logs cleared (Event 1102)
    • Windows Defender real-time protection disabled (Event 5001)
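A script that does the alerting described above and covers the Security event IDs and the Defender event IDs from the two preceding sections: it groups recent 4625 failures by account and source so that one guessing burst produces one alert, treats 4720, 4732, 4740, 1102 and the Defender events as alerts on their own, and writes the result to a file and to the Application log so the alert can be forwarded like any other event. This is an added example, not part of the original guide. Save it as a .ps1 (for example C:\Scripts\Check-SecurityEvents.ps1, an assumed path), run it once elevated with -Register to install it as a repeating task, or attach it to an event as the "Start a program" action. It needs Windows PowerShell 5.1 (powershell.exe), since Write-EventLog is not available in PowerShell 7; the task name, alert file and thresholds are assumptions.

```powershell
# Added example, not part of the original guide. Windows PowerShell 5.1, elevated.
param(
    [int]$LookbackMinutes = 15,
    [int]$FailedLogonThreshold = 5,
    [string]$AlertFile = 'C:\SecurityAlerts\alerts.log',   # assumption
    [switch]$Register   # install this script as a repeating scheduled task, then exit
)

if ($Register) {
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                   -RepetitionInterval (New-TimeSpan -Minutes $LookbackMinutes)
    Register-ScheduledTask -TaskName 'LocalSecurityCheck' -Action $action -Trigger $trigger `
                           -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    return
}

$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$alerts = [System.Collections.Generic.List[string]]::new()

# Named fields from the event's XML; the rendered Message text is not a stable thing to parse
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}
function Get-FirstLine($Text) { ($Text -split "`r?`n")[0] }

$security = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4720, 4732, 4740, 1102; StartTime = $since
}

# 4625: alert only when the same account/source pair fails repeatedly
$security | Where-Object { $_.Id -eq 4625 } | ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Account = $f.TargetUserName; Source = $f.IpAddress; LogonType = $f.LogonType }
    } | Group-Object Account, Source |
    Where-Object { $_.Count -ge $FailedLogonThreshold } | ForEach-Object {
        $alerts.Add("Possible password guessing: $($_.Count) failed logons for $($_.Name) in the last $LookbackMinutes minutes")
    }

# 4720 / 4732 / 4740 / 1102 are significant individually
$security | Where-Object { $_.Id -in 4720, 4732, 4740, 1102 } | ForEach-Object {
    $alerts.Add("Security event $($_.Id) at $($_.TimeCreated): $(Get-FirstLine $_.Message)")
}

# Defender detections, and above all real-time protection being switched off
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id = 1006, 1007, 1116, 1117, 5001; StartTime = $since
} | ForEach-Object {
    $alerts.Add("Defender event $($_.Id) at $($_.TimeCreated): $(Get-FirstLine $_.Message)")
}

if ($alerts.Count -eq 0) { return }

New-Item -ItemType Directory -Path (Split-Path $AlertFile) -Force | Out-Null
$alerts | ForEach-Object { "$(Get-Date -Format o) $_" } | Add-Content -Path $AlertFile

# Raise an Application-log event too, so the alert can be forwarded or collected centrally
$source = 'LocalSecurityCheck'
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 1000 `
               -Message ($alerts -join "`r`n")
```

The 15-minute window and the threshold of five are starting points; on a machine exposed to Remote Desktop, failures for accounts that do not exist on the box (TargetUserName values you do not recognise) are worth alerting on at any count, because they come from scanners, not from users mistyping. Writing the alert as an Application-log event rather than only to a file is what makes it pick-up-able by Windows Event Forwarding or any collector later, without changing the script.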

What to Do Next

Enabling logs is the first step. To truly stay on top of your security:

  • Review security logs weekly for unusual patterns
  • Look for failed login attempts from unfamiliar sources
  • Verify no unexpected user accounts have been created
  • Ensure Windows Defender remains active and up to date
  • Back up your logs to a separate location regularly

Continue Securing Your Windows 11 Systems

Logging gives you visibility, but a complete security setup requires several layers. Continue with our other DIY cybersecurity guides:

For businesses that want professional monitoring without the manual effort, managed security services can centralize your logs and alert you to threats in real time. Talk to our team about setting up automated monitoring for your organization.