DevOps as a practice and philosophy includes the communication and teamwork between developers and IT operations. Traditionally, developers and operations are two very different teams who would point fingers when issues would arise with software. DevOps is an attempt to abolish this and has both teams work together. The business result of this is a more stable and reliable software to provide to customers.
Windows event logs are a tool that every cybersecurity and IT professional should have in his or her arsenal. They can be used locally for troubleshooting or centralized for network awareness. When utilized centrally, powerful software known as a Security Information Event Management (SIEM) can be utilized to parse and search log files. But what if you are working locally? Is there an efficient method to do the same? You will find the answer to these questions lies in Microsoft’s most powerful tool belt, Microsoft PowerShell.
One of the more disheartening aspects of log collection within the Windows Operating system are the limited number of out of the box events related to security. It is often desirable to capture any unknown or malicious running processes, capture the source process for outbound connections, identify modifications to files and the registry, and to capture command and PowerShell commands that are run on a particular endpoint. Luckily for systems administrators, Microsoft provides a great tool for this type of log capture within the SysInternals suite called system monitor, or Sysmon.
If you are a systems administrator or a security engineer, it is probable you have a requirement to filter and forward Windows event logs either directly or hierarchically. There are many alternatives available to accomplish this goal, one of which is Windows Event Forwarding (WEF). In this article, you will learn to configure a simple source initiated WEF subscription which utilizes the HTTP protocol to forward events between a client and a collector in a single domain.