WELA/website/docs/index.md

hide

hide
navigation toc

{ .hb-logo }

WELA (Windows Event Log Analyzer, ゑ羅), created by Yamato Security, is a tool for auditing Windows event log settings. Windows event logs are a vital source of information for DFIR — WELA helps you make sure you are actually recording the events that matter.

[Get Started :material-rocket-launch:](getting-started/index.md){ .md-button .md-button--primary } [Command Reference :material-console:](commands/index.md){ .md-button } [View on GitHub :fontawesome-brands-github:](https://github.com/Yamato-Security/WELA){ .md-button }

---

Why WELA?

• :material-clipboard-check:{ .lg .middle } Audit log policy settings

  ---

  Audit your Windows event log audit policy settings to confirm the right events are being logged.

• :material-book-check:{ .lg .middle } Based on guidelines

  ---

  Checks against the major Windows event log audit configuration guidelines.

• :material-shield-search:{ .lg .middle } Sigma detectability

  ---

  Evaluates your settings against real-world Sigma rule detectability — will your logs actually catch attacks?

• :material-file-cog:{ .lg .middle } File-size auditing

  ---

  Audits Windows event log file sizes and suggests recommended sizes.

• :material-cog-play:{ .lg .middle } Auto-configure

  ---

  Apply the recommended audit policy and log file sizes with the configure command.

• :material-chart-box:{ .lg .middle } Flexible output

  ---

  View results in the terminal, a GUI, a table, or as a MITRE ATT&CK Navigator heatmap.

Quick links

• :material-book-open-variant: New here?

  Start with the Overview, then head to Getting Started to install and run WELA.

• :material-console-line: Working with the CLI?

  Browse the Command List and the Command Usage reference (audit-settings, audit-filesize, configure, update-rules).

• :material-puzzle: Going further?

  Explore the Companion Projects, the Changelog, and how to contribute.