New Tool For Centralizing Windows Logs

Microsoft has always overlooked centralized logging in Windows. To date, the most effective way to centralize Windows Event Logs has been through event log to syslog tools and custom agents for the various SIEM solutions. But now there's a new kid on the block with a full-featured agent that goes beyond what's previously been offered for free.I've been receiving press releases from CorreLog for several months, and it was the one that came in on Saturday that caught my eye because I'm a sucker for anything that helps enterprises centralize logs from Windows systems. In the past, I've made recommendations for Snare and Lasso, but the one feature they've lacked is the ability to send entries from a text-based log file -- logs like those from DHCP, IIS, and the Windows firewall.

Before you say it, I know there are other tools you can deploy to do this. Epilog and Logger are two that come to mind, but that's an additional piece of software you have install and configure. What I've been on the lookout for is an event log to syslog agent that did both, and that's exactly what CorreLog Windows Tool Set (WTS) does...and quite well, I should add, based on my limited testing.

I set up a virtual machine running Windows XP, installed the agent, and configured it to send both the event logs and the logs from the Windows firewall. The initial configuration is via a GUI where you are given only an option or two, like IP address and port of the syslog server. More advanced configuration is accomplished via a text-based configuration file.

CorreLog WTS is very simple to set up, and you can prefilter events so only the events you're interested in get sent. You can also set the priority and logging facility level. All in all, it's a very customizable freebie that gets the job done.

What sets the CorreLog WTS apart from others, besides doing both event logs and text-based logs, is it includes additional tools for sending logs via batch files, a syslog event generator to make sure the syslog server is receiving logs from your system, and remote configuration so you can manage your centralized logging agents remotely. There is also a tunneling tool that can send syslog and SNMP traps via encrypted TCP, but the manual indicates it only works if you are also using a CorreLog Server.

So you can see why I'm excited about this tool. It's going to help a few of my clients that have been looking for an easier solution to help them centralize their Windows logs for compliance reasons.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.