Enterprise Security Management: Free Windows centralized audit (1)

Many people may ask this question: how to centralize the logs generated by Event Viewer on different computers? Because Microsoft solution does not provide this function, we used to use only third-party products. However, the now released Windows Server 2008 and windows Vista make it possible to centralize logging. If you do not have Windows Server 2008 or windows Vista, you don't have to worry about it, because Microsoft's centralized log management function is also backward compatible with Windows Server 3 and Windows XP clients. Yes, as long as you have Windows Server 2008 or windows Vista, you can perform centralized log management for Windows computers.

Computer requirements and configurations for centralized log management

Any Windows Server 2008 or windows Vista can be your centralized log computer, which means that, all logs configured on Windows Server 2008, Windows Server 2003, Windows Vista, Windows XP, and other computers can be sent to the centralized log computer for one-stop processing.

If you want to use your Windows Server 2008 or windows Vista to process logs in a centralized manner, you do not need to do too much work, but you must at least configure your computer to support logs, you can run some commands from the promoted command prompt.

Note:

When User Account Control is enabled, the command prompt must be upgraded.

The first command you need to run will create Remote Management on the computer, which is the following command:

winrm qc

This command will generate a response message, telling you that some tasks need to be executed by the system. You only need to confirm "Yes". This information can be seen in figure 1.

Note:

If you use-q switch at the end of the command, the command and action are automatically executed quietly.

Figure 1: configure remote management on a Windows Vista computer

When you enter Y to make the changes, the result is immediately displayed, indicating that the operation is successful.

The second command will configure the Event Collector service. This command is similar, but can control the Event Collector service:

wecutil qc /q

Once again, you will receive the confirmation message for successful operation.

Computer requirements and configurations for centralized log management

If you use Windows Server 2008 or Windows Vista as the source computer, you only need to run a command to make the computer ready to send information to the central log computer at any time, the command used is the same as the command used to install the remote manager described above:

winrm qc –q

If you are using Windows Server 2003 or XP, you will need to download and install the Forwarding part of Remote Management for the operating system.

Note:

When correctly configuring the log sending function, you must install SP1 on Windows Server 2003 and SP2 on Windows XP.

After installation, run the same remote management configuration string.

winrm qc –q

Note:

You must have administrative permissions to perform this configuration.

You can check the configuration by starting Event Viewer. When Event Viewer is enabled, You need to view the following new Microsoft-Windows-Forwarding/Operational node, as shown in figure 2.

Figure 2: Windows XP forwarding logs in Event Viewer