# Operating System Monitoring

Astral provides native support for monitoring **Windows and Linux operating systems**, collecting and analyzing security-relevant activity at the host level. It captures events generated by the operating system itself, giving visibility into user activity, process execution, system changes, and other behavior that is critical for detecting and investigating security incidents.

On Windows systems, Astral ingests operating system events related to authentication, authorization, account management, process and service activity, and system configuration changes. These events provide insight into potential threats such as unauthorized access, privilege misuse, persistence mechanisms, and suspicious execution behavior.
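As an added example (not Astral's own detection content), the Python below runs three host-level checks over constructed Windows Security/System records of the kinds listed above: a logon spray from one source that ends in a successful network logon, an encoded PowerShell launch, and a new service installed from a user-writable path. It assumes records arrive as dicts keyed by the Windows event XML field names, relies on the standard meanings of event IDs 4625 (failed logon), 4624 (logon), 4688 (process creation) and 7045 (service installed), and the thresholds and path list are its own choices.

```python
"""Added example, not Astral's rules: detections over Windows event records.

Assumed input: dicts whose keys mirror the Windows event XML fields
(EventID, TimeCreated, Computer, TargetUserName, IpAddress, LogonType,
NewProcessName, CommandLine, ServiceName, ImagePath).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: a spray from one IP that finally succeeds,
# an encoded PowerShell launch, and a service dropped in a user-writable path.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-05-01T08:00:01", "Computer": "WS01",
     "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-05-01T08:00:03", "Computer": "WS01",
     "TargetUserName": "bob", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-05-01T08:00:05", "Computer": "WS01",
     "TargetUserName": "carol", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-05-01T08:00:09", "Computer": "WS01",
     "TargetUserName": "carol", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4688, "TimeCreated": "2024-05-01T08:01:00", "Computer": "WS01",
     "SubjectUserName": "carol",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAA=="},
    {"EventID": 7045, "TimeCreated": "2024-05-01T08:02:00", "Computer": "WS01",
     "ServiceName": "WinUpdateHelper", "ImagePath": "C:\\Users\\Public\\svc.exe"},
    {"EventID": 4688, "TimeCreated": "2024-05-01T09:00:00", "Computer": "WS02",
     "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 7045, "TimeCreated": "2024-05-01T09:01:00", "Computer": "WS02",
     "ServiceName": "Spooler2", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_logon_spray(events, min_accounts=3, window=timedelta(minutes=5)):
    """One source IP failing (4625) against >= min_accounts distinct accounts
    inside `window`, reporting any network logon (4624, LogonType 3) from the
    same IP that followed within the window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)
        elif e["EventID"] == 4624 and e.get("LogonType") == 3:
            successes[e["IpAddress"]].append(e)
    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=_ts)
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if _ts(f) - _ts(first) <= window]
            accounts = sorted({f["TargetUserName"] for f in burst})
            if len(accounts) >= min_accounts:
                end = _ts(burst[-1])
                after = sorted(s["TargetUserName"] for s in successes.get(ip, [])
                               if end <= _ts(s) <= end + window)
                alerts.append({"rule": "logon_spray", "source_ip": ip,
                               "accounts": accounts, "success_after": after})
                break  # one alert per source IP
    return alerts


# powershell.exe accepts abbreviated forms of -EncodedCommand (-e, -ec, -enc).
_ENC_FLAGS = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)")


def detect_encoded_powershell(events):
    """4688: powershell.exe started with an encoded command line."""
    return [{"rule": "encoded_powershell", "host": e["Computer"],
             "user": e.get("SubjectUserName"), "cmdline": e["CommandLine"]}
            for e in events
            if e["EventID"] == 4688
            and e["NewProcessName"].lower().endswith("\\powershell.exe")
            and _ENC_FLAGS.search(e.get("CommandLine", ""))]


# Directories a standard user can write to (assumed list, lower-cased).
_USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def detect_service_in_user_path(events):
    """7045: a newly installed service whose binary lives where a normal
    user can write, a common persistence pattern."""
    return [{"rule": "service_in_user_path", "host": e["Computer"],
             "service": e["ServiceName"], "image": e["ImagePath"]}
            for e in events
            if e["EventID"] == 7045
            and any(p in e["ImagePath"].lower() for p in _USER_WRITABLE)]


def run_detections(events):
    return (detect_logon_spray(events)
            + detect_encoded_powershell(events)
            + detect_service_in_user_path(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the spray check fires once for 203.0.113.7 with `carol` as the account that later logged on, the PowerShell check fires for WS01 only, and the service check flags `WinUpdateHelper` but not the System32-resident `Spooler2`; raising `min_accounts` to 4 silences the spray alert, which is the knob to tune against the noise level of a given estate.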

On Linux systems, Astral monitors operating system logs and events that reflect user actions, system processes, privilege escalation attempts, and changes to critical system components. This visibility supports the detection of anomalous behavior, misuse of administrative privileges, and indicators of compromise within Linux-based environments.
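As an added example that is not Astral's parser or rule set, the Python below parses constructed auth.log-style lines (sshd, sudo and useradd messages in the formats they commonly take in /var/log/auth.log or /var/log/secure; the year is assumed because syslog timestamps omit it) into flat events, then flags the privilege misuse and account tampering the paragraph mentions: a sudo escalation straight into a root shell, a denied sudo attempt, and a new account created with UID 0.

```python
"""Added example, not Astral's parser or rules: auth.log parsing and checks.

Assumed input: syslog-format lines without a year; sshd, sudo and useradd
message formats as commonly emitted by OpenSSH, sudo and shadow-utils.
"""
import re
from datetime import datetime

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample

# Constructed sample lines: an SSH brute force that ends as root, a sudo root
# shell, a denied sudo attempt, a new UID-0 account, then benign activity.
SAMPLE_LOG = """\
May  1 08:00:01 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
May  1 08:00:02 web01 sshd[2211]: Failed password for root from 198.51.100.23 port 51123 ssh2
May  1 08:00:03 web01 sshd[2212]: Failed password for root from 198.51.100.23 port 51124 ssh2
May  1 08:00:04 web01 sshd[2213]: Accepted password for root from 198.51.100.23 port 51125 ssh2
May  1 08:05:10 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
May  1 08:05:12 web01 sudo:   deploy : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
May  1 08:06:00 web01 useradd[2300]: new user: name=svc_tmp, UID=0, GID=0, home=/root, shell=/bin/bash
May  1 08:10:00 web01 sshd[2400]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2: ED25519 SHA256:k3x
May  1 08:11:00 web01 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                   r"(?P<proc>[\w.-]+)(?:\[\d+\])?: +(?P<msg>.*)$")
_SSH_FAIL = re.compile(r"^Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
_SSH_OK = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
_SUDO = re.compile(r"^(?P<user>\S+) : (?P<denied>user NOT in sudoers ; )?"
                   r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
_USERADD = re.compile(r"^new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+)")


def parse_auth_log(text):
    """Turn raw lines into flat event dicts with a common 'kind' field.
    Lines in a recognised syslog shape but unknown message format are kept
    as kind='other' so nothing silently disappears."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        ev = {"ts": ts, "host": m["host"], "proc": m["proc"], "kind": "other"}
        msg = m["msg"]
        if m["proc"] == "sshd":
            if (f := _SSH_FAIL.match(msg)):
                ev.update(kind="ssh_fail", user=f["user"], ip=f["ip"])
            elif (ok := _SSH_OK.match(msg)):
                ev.update(kind="ssh_ok", user=ok["user"], ip=ok["ip"])
        elif m["proc"] == "sudo" and (s := _SUDO.match(msg)):
            ev.update(kind="sudo", user=s["user"], target=s["target"],
                      cmd=s["cmd"], denied=bool(s["denied"]))
        elif m["proc"] == "useradd" and (u := _USERADD.match(msg)):
            ev.update(kind="useradd", user=u["user"], uid=int(u["uid"]), gid=int(u["gid"]))
        events.append(ev)
    return events


# Interactive shells; sudo straight into one of these as root is worth a look.
SHELLS = ("/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/sh")


def detect_privilege_misuse(events):
    """sudo: a denied attempt, or an allowed escalation into a root shell."""
    alerts = []
    for e in events:
        if e["kind"] != "sudo":
            continue
        if e["denied"]:
            alerts.append({"rule": "sudo_denied", "host": e["host"],
                           "user": e["user"], "cmd": e["cmd"]})
        elif e["target"] == "root" and e["cmd"].split()[0] in SHELLS:
            alerts.append({"rule": "sudo_root_shell", "host": e["host"],
                           "user": e["user"], "cmd": e["cmd"]})
    return alerts


def detect_rogue_root_accounts(events):
    """useradd: any new account with UID 0 is a second root, a classic backdoor."""
    return [{"rule": "uid0_account_created", "host": e["host"], "user": e["user"]}
            for e in events if e["kind"] == "useradd" and e["uid"] == 0]


def run_detections(text):
    events = parse_auth_log(text)
    return detect_privilege_misuse(events) + detect_rogue_root_accounts(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The parser keeps the SSH failures and acceptances as typed events as well, so the same structure feeds a brute-force rule keyed on `ip`; the sudo check deliberately ignores the `systemctl restart nginx` line, since routine administrative commands under sudo are exactly the noise a rule on root shells is meant to avoid.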

All operating system events collected from Windows and Linux hosts pass through Astral’s unified ingestion and analysis pipeline, where they are normalized, analyzed, and correlated with data from other sources such as network monitoring, API-based integrations, and external risk signals. Bringing host-level telemetry into the SIEM gives Astral the context for accurate detection and investigation, and lets it drive coordinated response through Inopli’s Response and RPA capabilities, covering both the endpoint and infrastructure layers.
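As an added illustration of the normalize-then-correlate step (example code, not Astral's pipeline), the Python below maps invented records from a Windows host, a Linux host, a network flow collector, an API-sourced identity-provider log and an external IP-reputation list into one schema, then joins them on source IP inside a time window and scores the result. The input field names, the common schema, the join key and the scoring are all assumptions made here.

```python
"""Added example, not Astral's pipeline: normalise mixed-source records into
one schema and correlate them on a shared key (source IP).

Assumed inputs: invented stand-ins for a Windows Security event, a parsed
Linux auth event, a flow record, an IdP log fetched over an API, and an
external IP-reputation feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inputs, each in its source's native field names.
RAW_RECORDS = [
    {"source": "windows", "EventID": 4625, "TimeCreated": "2024-05-01T08:00:05",
     "Computer": "WS01", "TargetUserName": "carol", "IpAddress": "203.0.113.7"},
    {"source": "linux", "ts": "2024-05-01T08:00:40", "host": "web01",
     "kind": "ssh_fail", "user": "root", "ip": "203.0.113.7"},
    {"source": "netflow", "start": "2024-05-01T08:01:10", "src_ip": "203.0.113.7",
     "dst_ip": "10.0.0.12", "dst_port": 445, "bytes": 1840},
    {"source": "idp_api", "time": "2024-05-01T08:02:00", "actor": "carol",
     "client_ip": "203.0.113.7", "event": "login", "result": "FAILURE"},
    {"source": "linux", "ts": "2024-05-01T08:10:00", "host": "web01",
     "kind": "ssh_ok", "user": "deploy", "ip": "10.0.0.5"},
    {"source": "netflow", "start": "2024-05-01T08:10:02", "src_ip": "10.0.0.5",
     "dst_ip": "10.0.0.12", "dst_port": 22, "bytes": 9000},
]
# External risk signal (constructed): IP reputation feed.
IP_REPUTATION = {"203.0.113.7": "known_scanner"}

# One mapper per source, each producing the common schema
# {ts, host, user, src_ip, action, outcome}. For flows the "host" is the
# destination, since that is the asset the source IP touched.
_MAPPERS = {
    "windows": lambda r: {"ts": r["TimeCreated"], "host": r["Computer"],
                          "user": r.get("TargetUserName"), "src_ip": r.get("IpAddress"),
                          "action": f"win:{r['EventID']}",
                          "outcome": "failure" if r["EventID"] == 4625 else "success"},
    "linux": lambda r: {"ts": r["ts"], "host": r["host"], "user": r.get("user"),
                        "src_ip": r.get("ip"), "action": f"linux:{r['kind']}",
                        "outcome": "failure" if r["kind"].endswith("_fail") else "success"},
    "netflow": lambda r: {"ts": r["start"], "host": r["dst_ip"], "user": None,
                          "src_ip": r["src_ip"], "action": f"flow:tcp/{r['dst_port']}",
                          "outcome": "observed"},
    "idp_api": lambda r: {"ts": r["time"], "host": "idp", "user": r["actor"],
                          "src_ip": r["client_ip"], "action": f"idp:{r['event']}",
                          "outcome": r["result"].lower()},
}


def normalize(records):
    out = []
    for r in records:
        mapper = _MAPPERS.get(r["source"])
        if mapper is None:
            continue  # unknown source: drop rather than guess field meanings
        n = mapper(r)
        n["ts"] = datetime.fromisoformat(n["ts"])
        n["source"] = r["source"]
        out.append(n)
    return sorted(out, key=lambda n: n["ts"])


def correlate_by_source_ip(normalized, reputation, window=timedelta(minutes=15),
                           min_sources=2):
    """Cluster events per source IP from its first sighting for `window`.
    Raise an incident only when >= min_sources distinct telemetry sources saw
    the IP AND there is an adverse signal (a failure or a reputation hit);
    overlap alone is context, not an alert."""
    by_ip = defaultdict(list)
    for n in normalized:
        if n["src_ip"]:
            by_ip[n["src_ip"]].append(n)
    incidents = []
    for ip, evs in by_ip.items():
        first = evs[0]["ts"]
        cluster = [e for e in evs if e["ts"] - first <= window]
        sources = sorted({e["source"] for e in cluster})
        failures = sum(e["outcome"] == "failure" for e in cluster)
        if len(sources) < min_sources or (failures == 0 and ip not in reputation):
            continue
        score = len(sources) + failures + (3 if ip in reputation else 0)
        incidents.append({"src_ip": ip, "sources": sources, "failures": failures,
                          "users": sorted({e["user"] for e in cluster if e["user"]}),
                          "hosts": sorted({e["host"] for e in cluster}),
                          "reputation": reputation.get(ip), "score": score})
    return sorted(incidents, key=lambda i: -i["score"])


if __name__ == "__main__":
    for inc in correlate_by_source_ip(normalize(RAW_RECORDS), IP_REPUTATION):
        print(inc)
```

On the sample, 203.0.113.7 is seen by all four sources within two minutes with three failures and a reputation hit, so it surfaces as one incident listing both hosts and both targeted accounts; 10.0.0.5 overlaps across two sources too, but with nothing adverse it is kept as context rather than raised.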

