We are looking to have our Windows EC2 (AWS) instances report the Windows security event logs via a cloudy method such as CloudWatch, not a syslog method like WinCollect. We've already reviewed all the documentation available, and it does have some gaps.
Has anyone here had any success with this? What have you done that has worked? Here are our questions:
- Is there a standard best practice for this?
- In which format should/will the logs be?
- Should we use a gateway log source?
- If so, what log source identifier pattern should we use?
- Should we extract the original event?
We're contemplating having a single log source to pull in all the events directly from CloudWatch, not as a gateway. Rules and searches would be unable to distinguish between instances by log source ID or IP address and would need to use a payload field such as "Computer". Would this be likely to work?
Here's the documentation we've found: