The Windows Logging Service (WLS) is a Windows service that forwards your event logs, along with user defined contextual data, to your log server.

Each process execution log is augmented with:

• Creator process name
• Command line parameters

and optionally:

• Any file metadata (attributes, MAC times, version, size, etc)
• Digital signature flag
• Entropy
• Environmental variables (per process)
• Hashes (MD5, RIPEMD160, SHA1, SHA256, SHA384, SHA512)
• Zone

WLS can also log the following information to your log server:

• Certificates
• Devices
• Drives
• File system changes – including file metadata
• Listening and connected ports, with associated process information
• Loaded modules – including file metadata
• Mutexes, semaphores, and other Windows objects
• Named pipes
• Optical media used
• Performance counters
• Registry changes
• WMI information

I’ll cover the details of each of these features and configuration examples in upcoming posts, as well as provide example Splunk searches I use for day-to-day operations.

If you’d like more information on WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.