Windows Group Policy

Windows Group Policy allows the centralized management and administration of user and computer accounts in a Microsoft Active Directory environment.

There are several ways Group Policy logs can be acquired.

  • Group Policy Operational logs and Security logs from Windows Event Log

  • Event Tracing for Windows (ETW)

  • File-based logs found in the file system

This topic covers the methods that can be used to collect these logs with NXLog.

The Group Policy Operational logs are displayed in the Operational object under the Applications and Services > Microsoft > Windows > GroupPolicy directory in Event Viewer.

Group Policy stores some events in the Security channel of the Windows Event Log. These events are related to the access, deletion, modification and creation of objects.

Example 1. Collecting Group Policy logs from Windows Event Log

The following configuration uses the im_msvistalog module to collect Group Policy logs from the Security channel. It includes a custom query that will filter for events based on specified EventIDs.

nxlog.conf
<Input in>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                *[System[(EventID=4663 or EventID=5136 or \
                EventID=5137 or EventID=5141)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

The Microsoft-Windows-GroupPolicy provider supplies Group Policy related logs via an event tracing session that can be collected via ETW. It gets the logs from the same source as Windows Event Log provides in the previous example, however the im_etw module is capable of collecting ETW trace data then forwarding it without saving the data to disk, which results in improved efficiency. Also, there are slight differences in the level of verbosity, therefore it is worth considering both options and picking the one best suits your environment.

Example 2. Collecting Group Policy logs via ETW

The following configuration uses the im_etw module to collect Group Policy logs from an ETW provider.

nxlog.conf
<Input in>
    Module      im_etw
    Provider    Microsoft-Windows-GroupPolicy
</Input>

Group Policy stores Group Policy Client Service (GPSVC) and Group Policy Management Console (GPMC) logs, in the %windir%\debug\usermode directory.

Example 3. Collecting Group Policy logs from file

The following configuration uses the im_file module to collect GPMC and GPSVC logs from the above mentioned %windir%\debug\usermode directory. Since these logs are encoded in UTF-16LE, they need to be converted into UTF-8 using the xm_charconv extension module.

nxlog.conf
<Extension _charconv>
    Module    xm_charconv
</Extension>

<Extension _json>
    Module    xm_json
</Extension>

define GroupPolicy /(?x)\w+\((?<PID>[\w\d]{3,4}). \
                    (?<TID>[\w\d]{3,4})\)\s+ \
                    (?<time>[\d\:]+)\s+ \
                    (?<Message>.*)/

<Input in>
    Module    im_file
    File      'C:\Windows\debug\usermode\gpsvc.log'
    File      'C:\Windows\debug\usermode\gpmc.log'
    <Exec>
        #Query the current filename
        if file_name() =~ /^.*\\(.*)$/ $FileName = $1;
         
        # Convert character encoding from UTF-16LE to UTF-8
        $raw_event = convert($raw_event, 'UTF-16LE', 'UTF-8');
         
        #Parse $raw_event
        if $raw_event =~ %GroupPolicy%
         
        #Query year, month and day details from the current system
        $date = year(now()) + "-" + month(now()) + "-" + day(now());
         
        #Parse the $date and $time, merge to $EventTime field
        $EventTime = parsedate($date + " " + $time);
         
        #Delete unnecessary fields
        delete($date);
        delete($time);
         
        #Format to_json();
        to_json();
    </Exec>
</Input>
Input sample (Group Policy Management Console logs)
GPMC(1a1c.1a20) 19:04:10:376 CGPONode::~CGPONode: Destroying object 0x228cf90 \
with nodedeletedflag 0x0
Output sample (Group Policy Management Console logs)
{
  "EventReceivedTime": "2019-07-20T15:06:13.690052+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "FileName": "gpmc.log",
  "Message": "CGPONode::~CGPONode: Destroying object 0x228cf90 with nodedeletedflag 0x0",
  "PID": "1a1c",
  "TID": "1a20",
  "EventTime": "2019-07-20T19:04:10.000000+02:00"
}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 10 January 2020