Tag Archives: network

WLS Released

WLS has been released!

New Features

Database alternate location

An alternate DB location can now be specified.

Decoding for provider message IDs

Some Vista+ logs contain values that start with %%. These can now optionally be decoded and either added as a field or used to replace the %% values.

Disk space limits

A minimum disk space may now be specified, and if the disk space falls below the threshold, WLS will stop queuing logs and send a notification directly to the syslog server. Normal behavior will resume when disk space returns above the threshold.

Enhanced network interface logs

Logging of network interfaces on start-up and after a network change now includes more data about each adapter.

Legacy log parsing

The remaining log data from XP logs can now optionally be included after all replacement strings have been parsed.

MemberName resolution

When a user is added to or removed from a group, the log did not always contain the user name. Now when a log contains MemberSid but not MemberName, WLS will fill in MemberName.

Workstation IP resolution

Disabling workstation IP resolution for logs containing WorkstationName is now an option.



CommandMonitor now includes the user name associated with each command.


When debugging interactively, output now includes greater detail.


JSON output has been improved.

Rewritten log parsers and db caching

Faster parsers for XP and Vista+. Higher concurrency log processing through the caching database.


SessionMonitor now caches information where applicable to maintain user tracking.

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Configuring WLS – Server Configuration

This is what I intend to be the first of a series of posts on configuring WLS. Configuration before installation is done via the initial.xml file; post-installation configuration changes are done via the registry. The names and basic structure remain the same.

The first and only required change to the initial.xml file is changing the “Network” section to match your environment. Also, only non-default settings need to be set; any missing settings will be set to defaults on start-up by WLS. The term Network was chosen instead of server since it defines a source network and where hosts that meet the definition should send their logs. Multiple networks can be defined, allowing for single configuration deployment across an enterprise and server redundancy in the event a server becomes unreachable for an extended period.

Global network settings

  • FailedSendTimeout: If ALL configured and qualified networks are out of range or connectivity attempts have failed, wait X seconds before retrying.
  • SendAsync: Use asynchronous sockets to send data.
  • SocketTimeout: If no data has been sent for X seconds, close the socket.

Per-instance network settings

  • The registry key name is how this will be referred to in the logs; name it appropriately.
  • AcceptInvalidCertificates: Accept certificates that are invalid (expired, non-matching domain, etc.)
  • ClientCertificate: Only applicable if UseSSL is enabled.
    • Blank: (default) No client certificate
    • UseLocal: Retrieve the client certificate from the local certificate store
    • File path to use a certificate on disk
  • IPRange: The IP range that the local host’s IP address MUST fall within to use this “network”
    • Any – Any IPv4 or IPv6 address
    • – Any IPv4 address
    • ::/0 – Any IPv6 address
    • Valid CIDR
    • Min-max IP range
  • LogFormat
    • syslog (default)
    • json
  • Priority: If the host’s IP address falls into multiple ranges, this determines the order in which they are tried. If multiple networks with the same priority qualify, alphabetical order is used.
  • Protocol
    • TCP (default)
    • UDP
  • ServerNameOrIP: The host name or IP address of the destination server
  • ServerPort: The port on the destination server
  • UseSSL: Use SSL when sending logs


Example 1

I run a local Splunk instance for testing and want my logs sent to it regardless of my IP address. I’ll set the IPRange to “Any” to allow any IPv4 or IPv6 source range and define the local server configuration. That’s it; all other values are defaults.


Example 2

I have a work laptop that, when used internally, should log directly to the log server without encryption; if it’s taken off-network, it should use an externally visible log server with SSL.

Note: If the laptop obtains an IP in the range defined by “Inside” while off the work network, it will not send data unless the server is available and a connection succeeds; when that fails, it will use the next range – “Outside”.
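The selection behaviour described in the settings list and in Example 2, modelled in Python as an added example (it is not WLS code and not from the original post). The addresses, server names and ports are constructed, and treating a lower Priority value as "tried first" is an assumption the post does not state.

```python
import ipaddress

# Constructed sample configuration modelled on Example 2; addresses, server
# names, ports and the "lower Priority value first" rule are assumptions.
NETWORKS = {
    "Inside":  {"IPRange": "10.0.0.0/8", "Priority": 1, "UseSSL": False,
                "ServerNameOrIP": "logs.corp.example", "ServerPort": 514},
    "Outside": {"IPRange": "Any", "Priority": 2, "UseSSL": True,
                "ServerNameOrIP": "logs.example.com", "ServerPort": 6514},
}

def in_range(ip, spec):
    """True if ip falls inside an IPRange value: Any, CIDR, or min-max."""
    addr = ipaddress.ip_address(ip)
    spec = spec.strip()
    if spec.lower() == "any":
        return True
    if "-" in spec:  # min-max range, both ends inclusive
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return addr.version == lo.version == hi.version and lo <= addr <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return addr.version == net.version and addr in net

def candidates(host_ips, networks):
    """Names of qualifying networks in the order they would be tried."""
    ok = [name for name, cfg in networks.items()
          if any(in_range(ip, cfg["IPRange"]) for ip in host_ips)]
    # Priority first (assumed ascending), then alphabetical on a tie.
    return sorted(ok, key=lambda n: (networks[n]["Priority"], n.lower()))

def pick(host_ips, networks, can_connect):
    """First candidate whose server accepts a connection, else None."""
    for name in candidates(host_ips, networks):
        if can_connect(networks[name]):
            return name
    return None  # caller would wait FailedSendTimeout seconds and retry

if __name__ == "__main__":
    # Stand-in for a connection attempt: only the external SSL server answers,
    # as when the laptop is off-network but holds an address in the Inside range.
    ssl_only = lambda cfg: cfg["UseSSL"]
    print(candidates(["10.20.30.40"], NETWORKS))
    print(pick(["10.20.30.40"], NETWORKS, ssl_only))
    print(pick(["192.0.2.7"], NETWORKS, lambda cfg: True))
```

An address inside the “Inside” range always produces an attempt against the unencrypted server first, so that range should be one that is unlikely to be handed out on networks the laptop visits.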