On The Importance of Centralized Windows Event Logging

I was just catching up on my reading on Technorati and came across this article that details the ways attackers can cover their tracks upon compromising a Windows server.  This article should server as a warning: if your logs are not moved off to a central server, you will lose visibility and key evidence on attacks.  This applies to any type of system, whether Windows, Linux, BSD or any other UNIX OS.

I strongly encourage the practice of centralizing logs to a hardened log server.  For Windows, there are a bunch of good applications that will export Windows Event Logs out to syslog.  I recently took a at logging Windows Events to a syslog server using Snare.

It is important to note that in the event of a successful compromise, the attacker will likely still disable logging and auditing, which will probably cause the stream of logs to the syslog server to cease.  The difference, though, is that the events which were captured during the attack remain on the log server, despite the attacker having deleted the local logs.  In a better case, the attacker does not disable logging and auditing first, opting to clear the event logs later in the attack, providng more evidence in the centralized logs of what was accessed or modified by the attacker.