What2Log
Author: Stefan Waldvogel
Logging is complex, What2Log tells you more about logging
Overview
If you ever worked with a SIEM or an EDR, you might have a problem. The SIEM does have too many logs, or your machines do not log the wanted things.
What2Log is a small website, and you get the commands for Windows 10 and Linux Ubuntu. With these commands, you can set up your OS correctly and log the wanted events.
Link
www.what2log.com/
Let us have a deeper look.
The project is growing, and right now, the website offers three main features: "The Logs:, "OS Tools" and "The Log Pile".
The Logs
If you ever worked with a SIEM or an EDR, you might have a problem. The SIEM does have too many logs, or your machines do not log the wanted things.
What2Log is a small website, and you get the commands for Windows 10 and Linux Ubuntu. With these commands, you can set up your OS correctly and log the wanted events.
Link
www.what2log.com/
Let us have a deeper look.
The project is growing, and right now, the website offers three main features: "The Logs:, "OS Tools" and "The Log Pile".
The Logs
The left side offers different areas, and for Windows 10, it is Minimum, Ideal, and Extreme. The right area has two areas. The CLI/PowerShell commands and how to change a setting via the GUI.
On the top is a short introduction to why you need this setting. Windows 10 does not log user login, but for auditing, this log is for sure wanted.
On the top is a short introduction to why you need this setting. Windows 10 does not log user login, but for auditing, this log is for sure wanted.
The next area is about commands. These commands are in PowerShell, and you see the related eventID. Sometimes you get an interview, and the question could be: What are the codes for login and failed login? (It is 4624 and 4625)
Knowing a weird number is fine, but knowing how to enable this logging type is much better.
On the right side is a function called "Add to log pile." It is like a shop, and you can add wanted settings to a shopping cart. Later, we will see this in action.
Knowing a weird number is fine, but knowing how to enable this logging type is much better.
On the right side is a function called "Add to log pile." It is like a shop, and you can add wanted settings to a shopping cart. Later, we will see this in action.
On the bottom is the GUI path with more information. Most admins use the GUI way to try a setting, and if it works, they use automation and PowerShell commands.
OS Tools
This area is helpful because you learn different ways to activate logging. We used PowerShell, but there are at least five more ways to deal with logs in Windows.
The right side explains each OS tool in detail.
Sysmon is not pre-installed but a potent tool.
This area is helpful because you learn different ways to activate logging. We used PowerShell, but there are at least five more ways to deal with logs in Windows.
The right side explains each OS tool in detail.
Sysmon is not pre-installed but a potent tool.
The Log Pile
The most remarkable feature of this website is the Log Pile. Select the thing you want and download the Powershell/Bash script.
The most remarkable feature of this website is the Log Pile. Select the thing you want and download the Powershell/Bash script.
You have two options to save the commands. Click "Get My Scripts," and you get your scripts. If you pick "Save to file," it creates a PowerShell file for you, and you can run it on your machine.
If you do this in a company, you do not trust a "random" command, and therefore you might copy the command.
If you do this in a company, you do not trust a "random" command, and therefore you might copy the command.
Conclusion
What2Log is a tiny website but unique. You can set up your Windows clients very fast, and your EDR or SIEM gets all the wanted logs.
What2Log is a tiny website but unique. You can set up your Windows clients very fast, and your EDR or SIEM gets all the wanted logs.
© 2021. This work is licensed under a CC BY-SA 4.0 license