On The Importance of Centralized Windows Event Logging
I was just catching up on my reading on Technorati and came across this article that details the ways attackers can cover their tracks upon compromising a Windows server. This article should serve as a warning: if your logs are not moved off to a separate server, you will lose visibility and key evidence in the event of a successful attack. This applies to any type of system, whether Windows, Linux, BSD or any other OS.
I strongly encourage the practice of centralizing logs to a hardened log server. For Windows, there are a number of good applications that will export Windows Event Logs out to syslog. I recently took a look at logging Windows Events to a syslog server using Snare.
It is important to note that in the event of a successful compromise, the attacker will likely still disable logging and auditing, which will cause the stream of logs to the syslog server to cease. The difference, though, is that the events captured up to that point remain on the log server, despite the attacker having deleted the local logs. In the best case for the defender, the attacker does not disable logging and auditing first and instead clears the event logs later in the attack, leaving more evidence in the centralized logs of what was accessed or modified.
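As an added illustration, not from the original post, of what the central log server can do with that evidence: the script below scans forwarded lines for the Windows Security events that mark local audit tampering and flags hosts whose stream has gone quiet, which is exactly the symptom described above. The line layout and the sample lines are constructed for this example and are not Snare's exact output; event IDs 1102 ("The audit log was cleared") and 4719 ("System audit policy was changed") are the real Vista/2008-era Security log IDs.

```python
import re
from datetime import datetime, timedelta

# Windows Security event IDs (Vista/2008+ numbering) that indicate local audit tampering.
TAMPER_EVENTS = {1102: "Security log cleared", 4719: "Audit policy changed"}

# Constructed sample of forwarded lines in a simplified, assumed layout:
# "<timestamp> <host> MSWinEventLog <log> <event id> <message>" (not Snare's exact format)
SAMPLE = """\
2024-05-01T10:00:00 WEB01 MSWinEventLog Security 4624 An account was successfully logged on
2024-05-01T10:00:05 DC01 MSWinEventLog Security 4624 An account was successfully logged on
2024-05-01T10:01:00 WEB01 MSWinEventLog Security 4672 Special privileges assigned to new logon
2024-05-01T10:02:00 WEB01 MSWinEventLog Security 4719 System audit policy was changed
2024-05-01T10:02:10 WEB01 MSWinEventLog Security 1102 The audit log was cleared
2024-05-01T10:30:00 DC01 MSWinEventLog Security 4624 An account was successfully logged on
"""

LINE = re.compile(r"^(\S+) (\S+) MSWinEventLog (\S+) (\d+) (.*)$")


def parse(lines):
    """Yield (timestamp, host, log name, event id, message) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, log, eid, msg = m.groups()
            yield datetime.fromisoformat(ts), host, log, int(eid), msg


def tamper_alerts(lines):
    """Return (host, event id, description) for events that suggest local log tampering."""
    return [(h, e, TAMPER_EVENTS[e]) for _, h, _, e, _ in parse(lines) if e in TAMPER_EVENTS]


def silent_hosts(lines, now, max_gap=timedelta(minutes=15)):
    """Return hosts whose most recent forwarded event is older than max_gap at time `now`.

    A host that normally chatters and suddenly stops is the signature of logging being
    disabled (or of an agent failure), either of which deserves a look.
    """
    last_seen = {}
    for ts, host, *_ in parse(lines):
        last_seen[host] = max(ts, last_seen.get(host, ts))
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


if __name__ == "__main__":
    print(tamper_alerts(SAMPLE))
    print(silent_hosts(SAMPLE, datetime(2024, 5, 1, 10, 35)))
```

In a real deployment the silence check runs on a timer against the live stream, and the threshold is tuned per host to how noisy it normally is.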
Categories: Security, Windows, logging Tags: forensic logs, Windows syslog
