New feature request for logging

I really enjoy your product - as a Security professional, there are neat features in this that the normal firewalls and logging do not provide out of Windows ! … but you knew that :smile:

What I would love to see, however, are two things:

  • more comprehensive logging of ALL events and/or observed traffic (suspect that’s in the DB, but not sure)
  • an option to be able to host the logs/DB in a centralized server (Syslog style) so it can be analyzed and examined by security people managing the box for potential IoCs

I’ve seen a lot of similar requests so the developers will be very aware of your requests.

All events

I haven’t seen anything that suggests “ALL events” are being logged at present. Windows does that.

All traffic

By “ALL … observed traffic” do you mean on the local segment or all traffic on the network - like these requests?

Centralized logging, monitoring and reporting is a popular request

ALL TRAFFIC -> think security logs, needs to at least have all the traffic flows, if not actual traffic/packets, to be able to backtrack a problem…


GlassWire doesn’t keep all packets which is why there are suggestions for Pcap/WinpCAP, Wireshark and port mirroring:


Hey, appreciate that this is nearly a year later, but PCAP/WinPCAP/Wireshark are not what people are referring to. Perhaps the initial response isn’t clear.

What people are asking for is the ability to export the actions taken by Glasswire into some form of log, be it flat file (so it can be read by an agent like OSSEC), Syslog (preferred) or some form of API (generally least preferred). So every time Glasswire detects a malicious programme using the Virus Total API, or detects a new device on the network via “Things”, or even just reports every IP address/port/url that applications are communicating with.

Logs with this information in them can then be ingested into SIEMs (Splunk, QRadar, OSSIM, LogRhythm, etc.) and correlated with other system information/threat intelligence sources. For instance, my last example above could be correlated against indicators of compromise obtained via various threat intelligence services.

It’s important to get the information directly from the endpoint rather than from network devices as they can be bypassed quite easily; the widespread use of TLS/SSL these days being a primary-yet-basic method.

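The pipeline the post above asks for, shown end to end as an added example (this is not GlassWire's code, API or log format, and the thread does not say the product emits anything like it): endpoint events are rendered as RFC 5424 syslog lines with structured data, which is what a collector or SIEM would ingest, and the connection events are then matched against an IoC list. The event records, their field names, the hostname `WS-ALICE`, the app name `endpoint-agent`, the IoC networks and hosts are all constructed for the example; the structured-data ID uses enterprise number 32473, which is reserved for documentation.

```python
import ipaddress
from typing import Iterable

# Constructed sample events; the field names are assumptions chosen to mirror
# the three examples in the post (VirusTotal hit, new device, app connection).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "type": "vt_detection",
     "process": r"C:\Users\alice\AppData\Local\Temp\update.exe", "positives": 23},
    {"ts": "2024-05-01T10:01:30Z", "type": "new_device",
     "mac": "00:11:22:33:44:55", "ip": "192.168.1.77"},
    {"ts": "2024-05-01T10:02:05Z", "type": "connection", "process": "chrome.exe",
     "dst_ip": "203.0.113.45", "dst_port": 443, "host": "cdn.example.net"},
    {"ts": "2024-05-01T10:02:40Z", "type": "connection", "process": "svchost.exe",
     "dst_ip": "198.51.100.9", "dst_port": 4444, "host": ""},
    {"ts": "2024-05-01T10:03:10Z", "type": "connection", "process": "powershell.exe",
     "dst_ip": "192.0.2.10", "dst_port": 80, "host": "evil.example.org"},
]

# Constructed IoC feed (documentation-only address ranges and a made-up host).
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
IOC_HOSTS = {"evil.example.org"}

FACILITY_LOCAL0 = 16
# RFC 5424 severity codes: 2 = critical, 5 = notice, 6 = informational.
SEVERITY = {"vt_detection": 2, "new_device": 5, "connection": 6}


def _sd_escape(value) -> str:
    """Escape a structured-data PARAM-VALUE per RFC 5424 section 6.3.3.

    Backslash is escaped first so the escapes added for '"' and ']' are not
    themselves doubled.
    """
    s = str(value)
    for ch in ("\\", '"', "]"):
        s = s.replace(ch, "\\" + ch)
    return s


def to_syslog(event: dict, hostname: str = "WS-ALICE",
              app: str = "endpoint-agent") -> str:
    """Render one event as an RFC 5424 line: <PRI>1 TS HOST APP PROCID MSGID SD."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[event["type"]]
    params = " ".join(f'{k}="{_sd_escape(v)}"'
                      for k, v in event.items() if k not in ("ts", "type"))
    sd = f'[ep@32473 type="{event["type"]}" {params}]'
    # PROCID is "-" (nil) here; MSGID carries the event type so a SIEM can
    # route on it without parsing the structured data.
    return f'<{pri}>1 {event["ts"]} {hostname} {app} - {event["type"]} {sd}'


def render_log(events: Iterable[dict]) -> str:
    """The flat-file form of the feed: one syslog line per event."""
    return "\n".join(to_syslog(ev) for ev in events) + "\n"


def match_iocs(events: Iterable[dict]) -> list[tuple[dict, str]]:
    """Correlate connection events against the IoC lists.

    Returns (event, reason) pairs. Network membership is checked before the
    host name because the host field may be empty for raw IP connections.
    """
    hits = []
    for ev in events:
        if ev["type"] != "connection":
            continue
        ip = ipaddress.ip_address(ev["dst_ip"])
        if any(ip in net for net in IOC_NETWORKS):
            hits.append((ev, f"dst_ip {ip} in IoC network"))
        elif ev.get("host") in IOC_HOSTS:
            hits.append((ev, f"host {ev['host']} on IoC list"))
    return hits


if __name__ == "__main__":
    print(render_log(SAMPLE_EVENTS))
    for ev, reason in match_iocs(SAMPLE_EVENTS):
        print(f"ALERT {ev['ts']} {ev['process']} -> {ev['dst_ip']}:{ev['dst_port']} ({reason})")
```

In practice the lines from `render_log` would be written to a file watched by an agent such as OSSEC or sent over TCP/TLS to a syslog collector, and the correlation step would run in the SIEM against a live threat-intelligence feed rather than the constructed lists here; the point of the example is the shape of the record (severity, event type as MSGID, every per-application destination as structured data) that makes that correlation possible.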