What is WLS?

The Windows Logging Service (WLS) is a Windows service that forwards event logs, along with user-defined contextual data, to your log server.

Why was WLS created?

WLS was created to fulfill a personal need when doing high-level enterprise forensics. I often found myself asking basic questions like “Did X run on this computer?”. Enabling process auditing was step 1; I had the logs, but now I needed hashes. Finding nothing that could provide this information, I wrote WLS. Over time I’ve added more data sources to WLS in response to malware trends and user requests, with the goal of providing enough data to make decisions.

Why should you use WLS?

WLS provides many of the same features as traditional log forwarding agents, but also adds value by augmenting standard event logs with contextual data, and formatting the logs in a way that is easily parsed. The data is sent with a goal of minimizing redundant log information while adding useful information, and typically has reduced overall log size when compared to other products.

Extra Data

WLS can add data you might collect after an event, before it occurs, and can provide data to support operational awareness.

• Certificates
• Command shell / PowerShell interactive commands
• Devices
• Drives
• File metadata
• File system changes
• File tailing
• Loaded Modules
• Named Pipes
• Performance Counters
• Ports
• Registry changes
• Session information
• Windows Objects
• WMI

Screenshots

WLS (Splunk) Screenshots

Requirements

Microsoft .NET Framework 4.0 Client/Full

Licensing

WLS can be licensed to US entities and some foreign countries. Use the Contact Form to inquire about licensing or any WLS questions. Additional licensing information is available here.