Centralized Logs for Workstations

The topic of centralized workstation logs came up recently again in a discussion about PCI compliance. I soon realized not many people are aware of the new Windows remote management options. Any Vista or Windows Server 2008 can provide the centralized log daemon. The latest versions of Windows including XP and Server 2003 can forward events.

Here’s the update for XP and 2003:

http://support.microsoft.com/kb/936059

And here are the steps to take with a command prompt to enable centralized logs from a workstation

1) Setup remote management
> winrm qc

2) Setup the event collector service
> wecutil qc /q

The event viewer on the workstation will now show “Microsoft-Windows-Forwarding/Operational”

Now just configure the “subscriptions” on your centralized daemon and you can collect all the workstation logs you want. Here’s an example:

http://support.microsoft.com/kb/950257

I also have to point out that workstations have an incredible amount of spare space on the drive these days. An argument easily could be made for requiring logs to be configured and maintained for a year locally instead of centralized. Either way, workstation logs are more in scope for compliance than ever before.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.