Configure Event Logger to log all or specific WPF events into specific log source and journal

windows windows-event-log filtering

I want to enable very noisy verbose WFP even for network packet audits. There will be a LOT of events and I'm curious if there is a way:

  1. Specify a completely separate journal for them (not just filter)
  2. Specify a separate log file source (so it wont pollute default)

Solution 1:

As far I know, there is no way to change the destination log of a specific set of events on a Windows system (moreover for the Security event log). However, the question you submit is raising another problem: how are you going to handle/browse/correlate all those events from all your Windows systems ? Because this would be the job of a SIEM ...

What I can advise or suggest :

  • Create a custom view in the Event Viewer in order to easily access those events
  • Create a GPO to change default log size and increase log retention
  • use the Windows Event Forwarding (WEF) feature together with a Windows Event Collector (WEC) server based on the Palantir approach in order to collect ONLY the events you have mentionned. Once the events are collected on the WEC server, you can forward it to any SIEM you want.https://github.com/palantir/windows-event-forwarding

Related

WordPress Issues with Cloud Compute
Purpose of a and include keywords in SPF
Error 403 - Forbidden with symbolic link
Windows Firewall GPO not applying properly
How do I go about VMs in the cloud I only need for specific times?
How to download backup files which is WordPress Data on GCP?
Why does ipa-client-install fail when downloading the CA cert
EC2 instance automatically becomes unavailable - 504 Gateway timeout
Difficulty adding new folder in network root directory
Extended/Logical partition with parted
Apache to serve both static file and webapp
Option to configure TLS version in rsyslog