EventLogCentral is a centralized Windows Event Log management platform for LT Auditor MP. It provides a web-based interface for configuring, managing, and controlling Windows Event Log collection across enterprise environments. The platform works in conjunction with lightweight EventLogAgent clients deployed on monitored Windows systems throughout your environment.
How EventLogCentral works:
EventLogCentral does not directly receive event logs. Instead, it centrally manages client configurations and instructs EventLogAgent clients on:
- Which Windows Event Logs to monitor
- Which security events to collect or suppress
- Which file system activities to audit
- Where collected events should be forwarded
Collected audit and security events are then forwarded by the agents directly to LT Auditor MP or other configured syslog destinations.
Core components:
EventLogCentral Server: The central management hub. Hosts the web-based administrative interface where administrators configure audit policies, manage client agents, define forwarding targets, and organize systems into groups. The server runs as a Windows service and is accessible via browser on port 52966 (HTTPS) or 52965 (HTTP). Administer it over the HTTPS port; the HTTP listener carries credentials and configuration in cleartext.
EventLogAgent: A lightweight Windows service deployed on each monitored server or workstation. Each agent periodically connects to EventLogCentral to retrieve its assigned configuration, then locally evaluates Windows events and file activity against the configured rules. Matching events are forwarded directly to LT Auditor MP or the configured syslog destination.
Groups: A logical collection of clients that share common audit policies, event log settings, file audit rules, and forwarding configurations. Groups simplify centralized management across large environments, for example by organizing systems by role such as Domain Controllers, SQL Servers, or File Servers.
Audit Policies: Rule-based filters that determine which Windows security events are forwarded or suppressed. Policies can evaluate Event IDs, usernames, privileges, logon types, process names, and other event fields using ALLOW and DENY logic.
File Audit Rules: Rules used to monitor file system activity on specific paths. Supported operations include file reads, writes, deletes, renames, and permission changes.
Targets: The destination systems where events are forwarded. Targets typically include LT Auditor MP collectors, syslog servers, or external SIEM platforms.
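The ALLOW/DENY evaluation that Audit Policies describe is easiest to reason about with a small model of it. The following is an added example, not EventLogAgent or EventLogCentral code: the rule format (field name to literal or glob pattern), first-match-wins ordering and the fail-open ALLOW default are assumptions chosen for illustration, and the Windows Security events it runs over are constructed samples.

```python
"""Model of ordered ALLOW/DENY audit-policy evaluation over Windows Security events.

Added example; rule format and evaluation order are assumptions, not the product's.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "ALLOW" or "DENY"
    match: dict      # event field -> literal value (int) or glob pattern (str); assumed format
    comment: str = ""


def field_matches(expected, value):
    """Glob comparison for string patterns, exact comparison for everything else."""
    if value is None:
        return False
    if isinstance(expected, str):
        return fnmatch.fnmatchcase(str(value), expected)
    return value == expected


def rule_matches(rule, event):
    """A rule matches only when every field it names matches."""
    return all(field_matches(exp, event.get(name)) for name, exp in rule.match.items())


def evaluate(policy, event, default="ALLOW"):
    """First matching rule wins; events no rule covers take the default (fail-open here)."""
    for rule in policy:
        if rule_matches(rule, event):
            return rule.action
    return default


def filter_events(policy, events):
    """Return only the events an agent would forward."""
    return [e for e in events if evaluate(policy, e) == "ALLOW"]


def suppression_ratio(policy, events):
    """Fraction of events dropped before they reach the SIEM."""
    return 1 - len(filter_events(policy, events)) / len(events)


# Assumed policy: suppress the usual noise, keep RDP logons explicitly.
POLICY = [
    Rule("DENY", {"EventID": 4624, "LogonType": 3, "TargetUserName": "*$"}, "machine-account network logons"),
    Rule("DENY", {"EventID": 4634}, "logoff events"),
    Rule("DENY", {"EventID": 4688, "NewProcessName": "*\\conhost.exe"}, "console host spawns"),
    Rule("ALLOW", {"EventID": 4624, "LogonType": 10}, "always keep interactive RDP logons"),
]

# Constructed sample events (field names follow the Windows Security log schema).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "WS01$"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup"},
    {"EventID": 4634, "TargetUserName": "alice"},
    {"EventID": 4688, "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\conhost.exe"},
    {"EventID": 4688, "SubjectUserName": "alice", "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe"},
    {"EventID": 4672, "SubjectUserName": "alice"},
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(evaluate(POLICY, e), e)
    print(f"suppressed {suppression_ratio(POLICY, SAMPLE_EVENTS):.0%} of events")
```

Two points the model makes visible: rule order matters, since the first match decides, so a broad DENY placed before a narrow ALLOW silently swallows the events you meant to keep; and the default for unmatched events decides whether a gap in the policy loses evidence or floods the collector. A fail-open default is the safer choice for a detection pipeline; tune suppression with explicit DENY rules rather than a DENY default.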
Key capabilities include:
- Centralized management of Windows Event Log collection policies across the enterprise
- Organization of systems into logical groups with shared configurations
- Advanced audit filtering and suppression using ALLOW/DENY policy rules
- Reduction of unnecessary event forwarding to lower SIEM ingestion volume
- Event forwarding over UDP, TCP, or TLS; only TLS encrypts events in transit, so use it for any path that crosses an untrusted network
- File system activity auditing for sensitive systems and directories
- Centralized management of forwarding targets and syslog destinations
- Support for compliance initiatives including HIPAA, PCI-DSS, NIST 800-171, GDPR, and ISO 27001
Supported platforms:
- Windows Server 2016 or newer
- Windows 10 or Windows 11
Deployment overview:
The EventLogAgent service is deployed to Windows servers and workstations throughout the environment. Each agent periodically connects to EventLogCentral to retrieve its assigned configuration including event log collection settings, audit policies, file audit rules, syslog forwarding targets, and group assignments. After receiving updates, the agent locally evaluates Windows events and file activity against the configured rules and forwards matching events directly to LT Auditor MP or the configured syslog destination.
This architecture enables scalable, centralized management of enterprise audit collection while minimizing unnecessary network traffic and reducing event noise before logs reach LT Auditor MP.