Linux (and other Unix) systems already have the ability to log events to a syslog server. Windows' equivalent is the Event Log, which is not readily parsable with text-processing tools and is non-trivial to centralise if you do not have a Windows domain.
PowerShell script to install and configure NXLog
    # Download the NXLog CE installer and run it unattended (msiexec /passive shows only a progress bar)
    $installer = Join-Path $HOME "nxlog-ce-2.10.2150.msi"
    Invoke-WebRequest -Uri "https://nxlog.co/system/files/products/files/348/nxlog-ce-2.10.2150.msi" -OutFile $installer
    Start-Process -FilePath "msiexec.exe" -ArgumentList "/i `"$installer`" /passive" -Wait

    # Fetch the prepared nxlog.conf (placeholder URL: host the file yourself) and put it in NXLog's conf directory
    $confUrl = "https://CONFIG-HOST-PLACEHOLDER/nxlog.conf"
    Invoke-WebRequest -Uri $confUrl -OutFile "C:\Program Files (x86)\nxlog\conf\nxlog.conf"

    # Restart the nxlog service so the new configuration is loaded
    Restart-Service nxlog
Where nxlog.conf looks like:
    Panic Soft

    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Extension charconv>
        Module             xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    # Read the Security log and the RDP core transport log from the Windows Event Log
    <Input in>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Security">*</Select>
                    <Select Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    # Forward each event as a BSD syslog message over UDP 514; replace syslogserverurl with your collector
    <Output out>
        Module om_udp
        Host   syslogserverurl
        Port   514
        Exec   to_syslog_bsd();
    </Output>

    <Route 1>
        Path in => out
    </Route>
Dynamic firewalling is most effective when based on multi-source analysis. CIS uses syslog as the central point that collates logs from multiple sources for intelligent processing, and feeds the results (active attacks) to firewalls for blocking.
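The collector side of the pipeline described above, as an added example that is not part of the original page: it parses the BSD syslog lines that to_syslog_bsd() emits and counts failed-logon messages per client address across every Windows host reporting to the collector, which is the collated result a block decision would be built on. The sample lines and their message wording are constructed (assumption: real Security-log message text differs, so CLIENT_RE and the substring test must be adapted to it).

```python
import re
from collections import Counter

# RFC 3164 (BSD) syslog line as NXLog's to_syslog_bsd() emits it:
#   <PRI>Mon DD HH:MM:SS hostname source[pid]: message
BSD_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<source>[^\[:\s]+)(?:\[\d+\])?: )?"
    r"(?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_bsd_syslog(line):
    """Split one BSD syslog line into fields; None if it is malformed."""
    m = BSD_SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility (0-23) * 8 + severity (0-7)
        return None
    return {"facility": pri // 8, "severity": SEVERITY[pri % 8],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "source": m.group("source"), "message": m.group("msg")}

# Constructed sample lines shaped like the forwarded Security-log events; the
# message wording is a simplified stand-in (assumption), adapt it to real events.
SAMPLE_LINES = [
    "<14>Jun 12 09:15:04 WIN-FS01 Microsoft-Windows-Security-Auditing[4]: An account failed to log on. Source Network Address: 203.0.113.5",
    "<14>Jun 12 09:15:06 WIN-FS01 Microsoft-Windows-Security-Auditing[4]: An account failed to log on. Source Network Address: 203.0.113.5",
    "<14>Jun 12 09:15:07 WIN-RDS02 Microsoft-Windows-Security-Auditing[4]: An account failed to log on. Source Network Address: 203.0.113.5",
    "<14>Jun 12 09:15:09 WIN-RDS02 Microsoft-Windows-Security-Auditing[4]: An account was successfully logged on. Source Network Address: 198.51.100.7",
    "not a syslog line at all",
]
CLIENT_RE = re.compile(r"Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

def failed_logons_by_client(lines):
    """Count failed-logon messages per client address across every reporting host."""
    counts = Counter()
    for line in lines:
        rec = parse_bsd_syslog(line)
        if rec is None or "failed to log on" not in rec["message"]:
            continue
        m = CLIENT_RE.search(rec["message"])
        if m:
            counts[m.group(1)] += 1
    return counts

def block_candidates(lines, threshold=3):
    # Client addresses whose collated failure count across all hosts reaches the threshold
    return sorted(ip for ip, n in failed_logons_by_client(lines).items() if n >= threshold)
```

Because the count is taken over the collated feed, a client that spreads its attempts across several hosts still crosses the threshold, which is the point of centralising the logs first.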
syslog is a standard for message logging
PowerShell is used for automating the install and configuration of NXLog