Monitoring Channel (Crimson) Event Logs on MS Windows
About Crimson Channel Logs
Windows includes two categories of event logs: Windows logs, and Applications and Services logs. The Windows logs category includes the event logs available in previous versions of Windows: Application, Security, and System event logs. It also includes two new logs: the Setup log and the ForwardedEvents log. Windows logs are intended to store events from legacy applications and events that apply to the entire system.
Applications and Services logs are a newer category of event logs. These logs store events from a single application or component rather than events that might have system-wide impact. Each such log is a channel owned by one provider, and the category is often referred to as an application's crimson channel ("Crimson" was Microsoft's codename for the event logging infrastructure introduced with Windows Vista).
The Applications and Services logs category includes four subtypes: Admin, Operational, Analytic, and Debug logs. Events in Admin logs are of particular interest if you use event log records to troubleshoot problems; an Admin event should tell you what happened and how to respond to it. Events in the Operational log are also useful, but may require more interpretation. Analytic and Debug logs aren't as user friendly, and both are hidden and disabled by default, so they record nothing until you enable them. Analytic logs store events that trace an issue, often at a high volume. Debug logs are used by developers when debugging applications.
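An added example, not code from the original article, that enumerates the Applications and Services channels on a host by subtype, shows how many of each are disabled, and enables one analytic channel so it starts recording. The channel name Microsoft-Windows-WinRM/Analytic is an assumption for illustration; substitute whichever channel you need. Run it in an elevated PowerShell session on the host you intend to monitor.

```powershell
# Added example, not code from the original article. Run elevated.

# Get-WinEvent -ListLog returns one EventLogConfiguration object per channel.
# IsClassicLog is true for the legacy Windows logs (Application, Security, ...);
# everything else is an Applications and Services channel. LogType is one of
# Administrative, Operational, Analytical or Debug.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { -not $_.IsClassicLog }

# Summarise the subtypes and how many channels of each are currently disabled.
$channels | Group-Object LogType | Sort-Object Name | ForEach-Object {
    $disabled = @($_.Group | Where-Object { -not $_.IsEnabled }).Count
    '{0,-15} {1,5} channels, {2,5} disabled' -f $_.Name, $_.Count, $disabled
}

# Analytic and Debug channels write nothing until enabled. The channel name
# below is an assumption for illustration; pick the one you need from the list.
$name = 'Microsoft-Windows-WinRM/Analytic'
$log  = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
if ($log -and -not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()      # same effect as: wevtutil sl $name /e:true
}

# Reading an Analytic or Debug channel with Get-WinEvent requires -Oldest
# (Event Viewer will not display such a channel while it is enabled).
if ($log) {
    Get-WinEvent -LogName $name -Oldest -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName
}
```

Enabling an analytic or debug channel has a cost: these channels are high-volume by design, so enable them only for the provider you need and confirm the events you care about actually appear before pointing a monitor at them.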
Configuring Endpoint Event Monitor for Crimson Logs
From the RocketCyber Dashboard, click the Configure button on the Endpoint Event Log Monitor App Card.
In the App Configuration Dialog, click Add Custom Event From Channel.
In the Custom Event From Channel pane, enter the required information:
- EventID - The numeric ID of the specific event you want to monitor. Event IDs are only meaningful within their channel, so always pair the ID with the Channel Path it comes from.
- Description - A description of the event
- Channel Path - The full name of the event channel you wish to monitor, exactly as shown under Full Name in the log's properties in Event Viewer (for example, Microsoft-Windows-PowerShell/Operational)
- Verdict - The severity assigned to matching events: informational, suspicious, or malicious
- Query - Leave blank. Reserved for future use
Click Update or Create to save the channel event to the configuration. Once the configuration has been saved, the agents are notified of the updated configuration and begin monitoring for the updated event list.
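Before saving an entry, it is worth confirming on a representative endpoint that the Channel Path exists, that the channel is enabled, and that the Event ID actually occurs there; a mistyped channel name or an ID from a different provider produces a rule that silently matches nothing. The following is an added example, not RocketCyber code, that performs those three checks for a candidate entry. The candidate used here, Event ID 4104 (script block logging) in Microsoft-Windows-PowerShell/Operational, and the Test-ChannelEvent function name are assumptions for illustration.

```powershell
# Added example, not RocketCyber code. Validates a candidate
# Custom Event From Channel entry on the local host before you save it.

# Candidate entry (assumed values for illustration): PowerShell script block
# logging events in the PowerShell operational channel.
$entry = [ordered]@{
    EventID     = 4104
    Description = 'PowerShell script block logged'
    ChannelPath = 'Microsoft-Windows-PowerShell/Operational'
    Verdict     = 'suspicious'
}

function Test-ChannelEvent {
    # Hypothetical helper: returns a one-line verdict on whether the entry
    # can produce matches on this host.
    param(
        [System.Collections.IDictionary]$Entry,
        [int]$Days = 7
    )

    # 1. The channel must exist; a typo in Channel Path monitors nothing.
    $log = Get-WinEvent -ListLog $Entry.ChannelPath -ErrorAction SilentlyContinue
    if (-not $log) { return "FAIL: channel not found: $($Entry.ChannelPath)" }

    # 2. A disabled channel (the default for Analytic/Debug, and for some
    #    Operational channels) never receives events.
    if (-not $log.IsEnabled) { return "FAIL: channel is disabled: $($Entry.ChannelPath)" }

    # 3. The ID must occur in this channel. IDs are provider-scoped, so an ID
    #    copied from another channel may simply never appear here.
    $filter = @{
        LogName   = $Entry.ChannelPath
        Id        = $Entry.EventID
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        return "WARN: no ID $($Entry.EventID) events in the last $Days days; check the ID, the provider and whether auditing for it is enabled"
    }
    "OK: $($events.Count) recent sample(s) from provider $($events[0].ProviderName); latest $($events[0].TimeCreated)"
}

Test-ChannelEvent -Entry $entry
# Echo the values to type into the pane once the check passes.
[pscustomobject]$entry | Format-List
```

A WARN result is not always a problem: the event may be rare or its source may need to be switched on first (script block logging, for instance, is a policy setting). Use the check to decide whether to save the entry as-is, fix the channel or ID, or enable the source before the rule goes live.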