
Practical Implementation of Syslog in Mixed Windows Environments for Secure Centralized Audit Logging

Published: 17 Jul, 2002
Created by Frederick Garbrecht

Secure system logging is a cornerstone of a well-designed, layered network security policy. Collection and timely analysis of system auditing, event and security logs is critical to ensuring that network security personnel can effectively audit the network and its components for evidence of many types of security events. One of the frustrations for systems administrators working in a Windows or mixed Windows and Unix operating system environment is the paucity of centralized logging tools. All Unix-based operating systems have implementations of the Syslog protocol, which facilitates the centralized remote collection of system messages from network devices, workstations and servers. Windows operating systems, in contrast, record operating system and process auditing data to the system event logs via the Windows Event Log service. The Windows Event Viewer application offers only basic functionality and is inadequate for monitoring the audit logs of any medium- to large-sized network. In this paper, I survey some of the options available to access the Windows Event Log and demonstrate how to implement a versatile centralized remote logging solution using a commercially available Win32 implementation of the Syslog protocol.
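To make concrete what forwarding Windows Event Log records to a Syslog collector involves, the following added example (not code from the paper or from any Win32 Syslog product) encodes one event-log record as a BSD syslog message in RFC 3164 form, with the PRI value computed from facility and severity, and parses it back on the collector side, rejecting malformed input. The event-type-to-severity mapping, the `local4` facility and the sample record are assumptions made for this example.

```python
import re
from datetime import datetime

# Facility and severity codes from the BSD syslog protocol, RFC 3164 (subset).
FACILITIES = {"kern": 0, "user": 1, "auth": 4, "syslog": 5,
              "local0": 16, "local4": 20, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Assumed mapping of Windows event types to syslog severities (a design choice here, not from the paper).
EVENT_TYPE_SEVERITY = {"Error": "err", "Warning": "warning", "Information": "info",
                       "AuditSuccess": "notice", "AuditFailure": "warning"}
MAX_MSG_BYTES = 1024  # RFC 3164 limits a packet to 1024 bytes

def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, the value inside the leading <...>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def format_event(host: str, log: str, event_id: int, event_type: str,
                 message: str, ts: datetime, facility: str = "local4") -> bytes:
    """Build '<PRI>TIMESTAMP HOST TAG: CONTENT' for one event-log record."""
    pri = encode_pri(facility, EVENT_TYPE_SEVERITY[event_type])
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day space-padded.
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    # Collapse embedded newlines so one event stays one datagram.
    content = f"EventID={event_id} Type={event_type} {' '.join(message.split())}"
    line = f"<{pri}>{stamp} {host} {log}: {content}"
    return line.encode("ascii", "replace")[:MAX_MSG_BYTES]

SYSLOG_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(\S+) ([A-Za-z0-9_]+): (.*)$")

def parse_syslog(datagram: bytes):
    """Collector side: return the fields of a well-formed message, else None."""
    m = SYSLOG_RE.match(datagram.decode("ascii", "replace"))
    if not m or int(m.group(1)) > 191:  # 191 (23*8+7) is the largest valid PRI
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "content": m.group(5)}

def sample_record() -> bytes:
    """Constructed record resembling a Windows Security log logon failure."""
    return format_event("WKS01", "Security", 529, "AuditFailure",
                        "Logon Failure:\n  Reason: Unknown user name or bad password",
                        datetime(2002, 7, 5, 9, 5, 3))

if __name__ == "__main__":
    msg = sample_record()
    print(msg)
    print(parse_syslog(msg))
```

The parser only checks syntax; plain UDP syslog carries no sender authentication, which is why the collector's input should be restricted to known hosts at the network layer.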