New

• CommandMonitor support for wmic.exe
  • Ability to add other binaries
• FileMetadata
  • File buffer size
  • File size and time limits for calculating hashes and entropy
• FileMonitor special folder support which follows the interactive user
• Heartbeat
  • Configurable interval. Reports DBSize, ConnectionErrors, LogsWLSError, WLSVersion
• Log filtering
  • Per log route destination
• LogFormats
  • All formats are now defined by the configuration
  • Custom formats can be added, existing ones changed, etc.
• LogRouting
  • Simultaneous multi-destination sending of logs with per-server log formatting
• Performance counters
  • Filtering by condition
• ShowEntryTypeDescription
• ShowLogonTypeDescription
  • Defaults to True for legacy compatibility
• TrackHashes
  • Tracking of hashes to set the NewHash=True flag can be enabled / disabled
    • Tracking hashes takes space in the database and time during database writes

Changes

• CertMonitor – FullReportInterval for interval based reporting
• Entropy and hash calculations integrated to reduce file iterations and support timeouts
• FileData logs the CreatorProcessName and CreatorProcessId
• FileMetadata searches for non-rooted files iterating through the PATH variables
• MaxLogLength now simply truncates the log if it is oversize

Fixes

• Command Monitor – Fixed bug with greater than 16-bit PIDs
• ConfigurationHash calculation
• IPv6 parsing when specified as a log destination

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.