Auditing commands run by a user on Windows system with agent installed


Vuk Kadija

Apr 18, 2022, 5:58:58 AM
to Wazuh mailing list
Hello,

I was looking through the documentation and tested auditing commands run by a user on a Linux system, CentOS 8.
Is there a way to do the same thing on Windows systems, maybe? I could not find anything related.

Tnx

Vuk

Dario Menten

Apr 18, 2022, 9:36:04 PM
to Wazuh mailing list

Hello Vuk,
It is a pleasure to know you are making use of Wazuh's capabilities.
As you may know, Wazuh is able to read the Windows Event Log, extract any event from there and convert it into a Wazuh alert. You can learn more about it in the documentation: How to collect Windows logs
With this in mind, you can audit when a user is executing commands; for instance, this Microsoft documentation explains how to do it: Command line process auditing
Another great tool for this is Sysmon, which can help you track other events such as process creation, process tampering, etc. With Wazuh you can monitor the Sysmon events, and this is a full guide on how to achieve it: Using Wazuh to monitor Sysmon Events
As you can see, you have many ways of doing it.
I hope this will help you reach your goal.
Kind regards.
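As an added example (not part of the thread, and not Wazuh's or Microsoft's own code), the following elevated PowerShell enables the command-line process auditing the reply points to, so that Security event 4688 carries the full command line, and then reads back the resulting events in the same fields a Wazuh alert would expose. It assumes Windows 10 / Server 2016 or later; the `wazuh-audit-test` marker is a constructed value used only to find the test event.

```powershell
# Added example: enable command-line auditing for Security event 4688 and
# verify it works. Run from an elevated PowerShell prompt on the monitored host.

# 1. Turn on the "Process Creation" audit subcategory (auditpol.exe ships with Windows).
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Ask Windows to include the command line in each 4688 event
#    (the registry value documented in "Command line process auditing").
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Start a harmless process with a recognisable marker (constructed test value)
#    and give the Security log a moment to flush.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c echo wazuh-audit-test' -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2

# 4. Read recent 4688 events and flatten the EventData fields that matter for
#    auditing who ran what: user, image path and full command line.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-2) } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process     = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    } |
    Where-Object { $_.CommandLine -like '*wazuh-audit-test*' } |
    Format-List
```

If the `CommandLine` field comes back empty, the registry value from step 2 has not taken effect yet; on the Wazuh side, check that the agent's `<localfile>` for the `Security` channel (`log_format` `eventchannel`) does not exclude event ID 4688 in its `<query>` filter.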
