0xrawsec / whids

Open Source EDR for Windows
https://rawsec.lu
GNU Affero General Public License v3.0
1.14k stars 138 forks

Does Whids have a separate channel or place to store events and logs? #134

Open thomasxm opened 1 year ago

thomasxm commented 1 year ago

Does Whids have a separate channel or place to store events and logs? For example, Sysmon's are stored under Application and Services / Windows / Sysmon / Operational. Do we have a place where Whids stores all the logs that matched its rules?

qjerome commented 1 year ago

Hello @thomasxmeng,

No, it does not send the logs to a dedicated log channel. However, you can find the output of its detections inside the WHIDS installation directory C:\Program Files\Whids\. If you didn't change the setting, the location of the logs matching your rules is configured in this setting:

  # Forwarder's logging configuration
  [forwarder.logging]

    # Directory used to store logs
    dir = "C:\\Program Files\\Whids\\Logs\\Alerts"
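Since the alerts live only in that directory rather than in an event log channel, anyone building detection or triage on top of WHIDS has to consume the files directly. The following is an added example, not code from the whids project or from this thread: it walks an alerts directory, reads both plain and rotated gzip files as newline-delimited JSON, skips a truncated trailing line (as left behind by rotation or a crash), and counts hits per rule with the highest criticality seen. The record layout used here (an "Event" object carrying a "Detection" object with a "Signature" list and a "Criticality" score) is an assumption about the WHIDS output format and should be checked against a real file from your own Alerts directory; the sample alerts are constructed.

```python
"""Summarise WHIDS alert files found under the forwarder.logging dir."""
import gzip
import json
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample alerts. The shape (an "Event" object carrying a "Detection"
# object with a "Signature" list and a "Criticality" score) is an ASSUMPTION
# about the WHIDS JSON output; verify it against a real alert file.
SAMPLE_ALERTS = [
    {"Event": {"System": {"EventID": 1, "Computer": "WS01"},
               "Detection": {"Signature": ["SuspiciousCmdline"], "Criticality": 7}}},
    {"Event": {"System": {"EventID": 1, "Computer": "WS01"},
               "Detection": {"Signature": ["SuspiciousCmdline", "LolbinExec"],
                             "Criticality": 9}}},
    {"Event": {"System": {"EventID": 11, "Computer": "WS02"},
               "Detection": {"Signature": ["DroppedExecutable"], "Criticality": 5}}},
]


def write_sample_alerts(alerts_dir):
    """Populate a directory the way a rotated alert log might look:
    one current plain file (ending in a truncated line) and one gzipped archive."""
    alerts_dir = Path(alerts_dir)
    alerts_dir.mkdir(parents=True, exist_ok=True)
    current = alerts_dir / "alerts.log"
    lines = [json.dumps(SAMPLE_ALERTS[0]), json.dumps(SAMPLE_ALERTS[1]),
             '{"Event": {"System": {"EventID": 1']  # truncated, must be skipped
    current.write_text("\n".join(lines) + "\n", encoding="utf-8")
    with gzip.open(alerts_dir / "alerts.log.1.gz", "wt", encoding="utf-8") as fh:
        fh.write(json.dumps(SAMPLE_ALERTS[2]) + "\n")
    return alerts_dir


def iter_alert_records(alerts_dir):
    """Yield one parsed JSON object per line from every file under alerts_dir."""
    for path in sorted(Path(alerts_dir).rglob("*")):
        if not path.is_file():
            continue
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if not line:
                    continue
                try:
                    yield json.loads(line)
                except json.JSONDecodeError:
                    # A partially written line (rotation in progress, agent
                    # crash) is not an alert; skip it rather than abort.
                    continue


def summarise(records):
    """Return (hits per signature, max criticality per signature)."""
    hits = Counter()
    max_crit = {}
    for rec in records:
        detection = rec.get("Event", {}).get("Detection") or {}
        crit = int(detection.get("Criticality", 0))
        for sig in detection.get("Signature", []):
            hits[sig] += 1
            max_crit[sig] = max(max_crit.get(sig, 0), crit)
    return dict(hits), max_crit


def demo():
    """Build a throwaway alerts directory, summarise it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        alerts_dir = write_sample_alerts(Path(tmp) / "Alerts")
        return summarise(iter_alert_records(alerts_dir))


if __name__ == "__main__":
    hits, max_crit = demo()
    for sig, count in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{sig:<20} hits={count:<3} max_criticality={max_crit[sig]}")
```

On a real host, point `iter_alert_records` at the `dir` value from the `[forwarder.logging]` section (by default `C:\Program Files\Whids\Logs\Alerts`) instead of the constructed directory; the same reader then gives a per-rule view of what WHIDS has matched, which is a convenient first check that rules are firing before wiring the directory into a log shipper.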