WELA/README.md
2025-05-12 10:33:37 +09:00


WELA Logo

WELA (Windows Event Log Auditor) ゑ羅


About WELA

WELA (Windows Event Log Analyzer, ゑ羅) is a tool designed to audit Windows Event Log settings and log file sizes. Windows Event Logs play a vital role in Digital Forensics and Incident Response (DFIR), providing essential insights into system activity and security events. However, default configurations often pose serious challenges—including insufficient log sizes, suboptimal audit policies, and detection blind spots—that can undermine effective incident response and forensic investigations. WELA is being developed to assess these settings and offer practical recommendations for improvement, helping organizations strengthen their visibility and readiness in the face of security incidents.

Companion Projects

Table of Contents

Screenshots

Startup

WELA Startup

audit-settings (stdout)

WELA Stdout

audit-settings (gui)

WELA GUI

audit-settings (table)

WELA Table

audit-filesize

WELA FileSize

Features

Prerequisites

  • PowerShell 5.1+
  • Run PowerShell with Administrator privileges

Downloads

Please download the latest stable version of WELA from the Releases page.

Running WELA

  1. Unzip the release zip file.
  2. Open PowerShell with Administrator privileges.
  3. Run ./WELA.ps1 help to start WELA and display its usage.

Command List

  • audit-settings: Audit Windows Event Log settings
  • audit-filesize: Audit Windows Event Log file sizes
  • update-rules: Update Sigma contents in config directory
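To show the kind of check audit-filesize performs, here is an added PowerShell example that is not part of WELA: it reads each log's configured maximum size with Get-WinEvent -ListLog and flags logs that are disabled, missing, or below a minimum. The log names and size thresholds are illustrative assumptions, not WELA's own recommendations.

```powershell
# Added example, not WELA code. Requires an elevated PowerShell session
# (the Security log cannot be read otherwise). Thresholds are assumptions.
function Get-EventLogSizeAudit {
    param(
        [string[]]$LogName = @(
            'Security', 'System', 'Application',
            'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-Sysmon/Operational'),
        # Minimum configured size in MB; 'default' applies to logs not listed.
        [hashtable]$MinSizeMB = @{ 'Security' = 1024; 'default' = 256 }
    )
    foreach ($name in $LogName) {
        # A log such as Sysmon may not exist on this host: SilentlyContinue
        # turns the non-terminating error into an empty result.
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) {
            [pscustomobject]@{ LogName = $name; Enabled = $false; Mode = 'n/a'
                               MaxMB = 0; MinMB = 0; Status = 'MISSING' }
            continue
        }
        $min = if ($MinSizeMB.ContainsKey($name)) { $MinSizeMB[$name] }
               else { $MinSizeMB['default'] }
        $maxMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
        # Retain mode stops writing new events once the log is full,
        # which is a visibility gap for DFIR even if the size is large.
        $status = if (-not $cfg.IsEnabled)        { 'DISABLED' }
                  elseif ($cfg.LogMode -eq 'Retain') { 'RETAIN-MODE' }
                  elseif ($maxMB -lt $min)           { 'TOO-SMALL' }
                  else                               { 'OK' }
        [pscustomobject]@{ LogName = $name; Enabled = $cfg.IsEnabled
                           Mode = $cfg.LogMode; MaxMB = $maxMB
                           MinMB = $min; Status = $status }
    }
}

# Print findings, worst first, so a responder sees the gaps at the top.
Get-EventLogSizeAudit | Sort-Object Status -Descending | Format-Table -AutoSize
```

Logs reported as TOO-SMALL can be raised with wevtutil sl <LogName> /ms:<bytes>, which sets the same MaximumSizeInBytes value the audit reads.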

Command Usage

audit-settings

audit-filesize

update-rules

Other Windows Event Log Audit Related Resources

Contribution

We would love any form of contribution. Pull requests, rule creation and sample logs are the best, but feature requests, bug reports, etc. are also very welcome.

At the least, if you like our tools and resources, then please give us a star on GitHub and show your support!

Bug Submission

  • Please submit any bugs you find here.
  • This project is currently actively maintained, and we are happy to fix any bugs reported.

License

Contributors

  • Fukusuke Takahashi (core developer)
  • Zach Mathis (project leader, tool design, testing, etc...) (@yamatosecurity)

Twitter

You can receive the latest news about WELA, rule updates, other Yamato Security tools, etc... by following us on Twitter at @SecurityYamato.