What is WLS?
The Windows Logging Service (WLS) is a Windows service that forwards event logs, along with user-defined contextual data, to your log server.
Why was WLS created?
WLS was created to fulfill a personal need when doing high-level enterprise forensics. I often found myself asking basic questions like "Did X run on this computer?" Enabling process auditing was step one: I had the logs, but now I needed hashes. Finding nothing that could provide this information, I wrote WLS. Over time I've added more data sources to WLS in response to malware trends and user requests, with the goal of providing enough data to make decisions.
Why should you use WLS?
WLS provides many of the same features as traditional log-forwarding agents, but adds value by augmenting standard event logs with contextual data and formatting the logs so they are easily parsed. The data is sent with the goal of minimizing redundant log information while adding useful context, and typically produces a smaller overall log volume than other products.
WLS can collect, before an event occurs, the data you would otherwise have to gather afterwards, and can provide data to support operational awareness:
- Command shell / PowerShell interactive commands
- File metadata
- File system changes
- File tailing
- Loaded modules
- Named pipes
- Performance counters
- Registry changes
- Session information
- Windows objects
Requirements
- Microsoft .NET Framework 4.0 Client/Full