Remote Logging and Log Management

It’s considered good practice to send log messages to a remote dedicated log host as they happen. This way an attacker can’t get to the logs and change them; an analogy for this is the drop safe used for large bills at convenience stores.

The Windows event logging model cannot be configured to log to remote hosts, since the message formatting relies on the local application that logged the event. As a result, we must find another way to do remote logging.

Remote Logging Using Syslog

The syslog protocol is the de facto standard for remote logging. It’s a UDP-based protocol (udp/514), which does not guarantee delivery.

There are several Windows event log-to-syslog agents available. Generally, they work in the following way:

  • The agent waits for new events to arrive in the event logs.

  • When they do arrive, the agent sends the events as syslog messages to the log hosts. A log host is usually a Unix system running the syslog daemon or a Windows system running a syslog service.

  • The syslog server is often placed on a separate management network in the perimeter.

The syslog client—NTsyslog

When it comes to syslog clients, I recommend using the NTsyslog package developed by Jason R. Rhoads. NTsyslog is an open source (GPL) syslog client. Mr. Rhoads provides both the source code and a precompiled binary at his security-focused Sabernet web site ( ).

NTsyslog runs as a service. It’s installed by copying the executable ( ...

Get Securing Windows NT/2000 Servers for the Internet now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.