Remote Logging and Log Management
It’s considered good practice to send log messages to a remote dedicated log host as they happen. This way an attacker can’t get to the logs and change them; an analogy for this is the drop safe used for large bills at convenience stores.
The Windows event logging model cannot be configured to log to remote hosts, since the message formatting relies on the local application that logged the event. As a result, we must find another way to do remote logging.
Remote Logging Using Syslog
The syslog protocol is the de facto standard for remote logging. It’s a UDP-based protocol (udp/514), which does not guarantee delivery.
There are several Windows event log-to-syslog agents available. Generally, they work in the following way: the agent waits for new events to arrive in the event logs. When they do arrive, the agent sends the events as syslog messages to the log hosts. A log host is usually a Unix system running the syslog daemon or a Windows system running a syslog server. The log host is often placed on a separate management network in the perimeter.
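The agent behaviour just described, as an added example that is not code from the book or from any of the agents it mentions: a Windows-style event record is formatted as a BSD (RFC 3164) syslog line and handed to UDP, and a loopback listener stands in for the remote log host so the exchange can be seen end to end. The sample event, the host name WINHOST1, and the facility choice are all constructed for the illustration.

```python
"""Forward a Windows event-log record to a syslog host over UDP.

Added example, not from the original text or any agent it describes.
The event record, host name and facility below are constructed values.
"""
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITY_LOCAL0 = 16
SEVERITY = {"Error": 3, "Warning": 4, "Audit Failure": 4,
            "Information": 6, "Audit Success": 6}

# Constructed sample record in the shape an event-log agent reads.
SAMPLE_EVENT = {
    "time": datetime(2003, 5, 14, 9, 3, 27),
    "computer": "WINHOST1",          # assumed source host name
    "source": "Security",
    "event_id": 529,                 # constructed sample event ID
    "type": "Audit Failure",
    "message": "Logon Failure:\r\nReason: Unknown user name or bad password",
}


def format_syslog(event, facility=FACILITY_LOCAL0, max_len=1024):
    """Build a BSD syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    t = event["time"]
    pri = facility * 8 + SEVERITY.get(event["type"], 5)   # default: Notice
    timestamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"          # day is space-padded
    # Event text may span lines; syslog carries one line per datagram.
    text = " ".join(event["message"].split())
    line = (f"<{pri}>{timestamp} {event['computer']} "
            f"{event['source']}[{event['event_id']}]: {event['type']}: {text}")
    return line[:max_len]            # RFC 3164 caps a message at 1024 bytes


def send_syslog(line, log_host, port=514):
    """Send one syslog datagram. Returns bytes handed to the socket, which
    is not an acknowledgement: UDP gives no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (log_host, port))


def local_roundtrip(event):
    """Stand in for the log host on loopback: bind a UDP listener, forward
    the event to it and return what arrived (None if nothing did)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
            listener.bind(("127.0.0.1", 0))     # ephemeral port, not 514
            listener.settimeout(2.0)
            port = listener.getsockname()[1]
            send_syslog(format_syslog(event), "127.0.0.1", port)
            data, _ = listener.recvfrom(2048)
            return data.decode("utf-8")
    except (OSError, socket.timeout):
        return None


if __name__ == "__main__":
    print(format_syslog(SAMPLE_EVENT))
    print("received:", local_roundtrip(SAMPLE_EVENT))
```

Because the datagram leaves the source host the moment the event is written, anything an intruder later changes in the local event log no longer matches the copy on the log host; the drop-safe comparison above rests on exactly that ordering. The return value of `send_syslog` is only the number of bytes queued, so a dropped datagram is silent, which is the practical meaning of "does not guarantee delivery".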
The syslog client—NTsyslog
When it comes to syslog clients, I recommend using the NTsyslog package developed by Jason R. Rhoads. NTsyslog is an open source (GPL) syslog client. Mr. Rhoads provides both the source code and a precompiled binary at his security-focused Sabernet
NTsyslog runs as a service. It’s installed by copying the executable ( ...