As is well known, the Safed agent for Windows can collect events from the Windows event log, filter them and forward the matching records to a centralized syslog server. It ships with some preconfigured sets of events covering basic activities that have to be tracked.
The first, and probably the best known because of legal compliance requirements, tracks logon/logoff on the system. The second one worth pointing out tracks process start/stop on Windows.
Setting up a rule in Safed that collects and filters events for all processes of interest is straightforward. From the left-side menu select “EventLog Objectives Configuration”, add a new rule, select the “Start or stop a process” option and fill the “General Search Term” field with the regular expression that best matches your objective (Img. 1). Safed does the rest: enabling the audit settings, collecting and filtering the data, and forwarding it to the server.
On the server side, all collected records (Img. 2) can be further filtered and correlated to obtain useful information about software use on Windows systems (for example, counting concurrently running instances against the number of licenses) and about the execution of undesired or prohibited processes.
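The server-side correlation just described, as an added example that is not part of the original post or of Safed itself: it pairs forwarded process start/stop records per host and process id, tracks the peak number of concurrently running instances of each executable, and flags executions matching a prohibited-process regex. The sample records are constructed and their tab-separated column layout is an assumption, not Safed's real output format; 4688 and 4689 are the Windows Security log event IDs for process creation and termination.

```python
import re
from collections import defaultdict

# Constructed sample records (simplified, tab-separated): timestamp, host, event id,
# process name, process id. The column layout is an assumption for this example.
SAMPLE_RECORDS = """\
2024-01-10T09:00:01\tWS01\t4688\tEXCEL.EXE\t1200
2024-01-10T09:00:05\tWS02\t4688\tEXCEL.EXE\t3300
2024-01-10T09:00:09\tWS03\t4688\tEXCEL.EXE\t4100
2024-01-10T09:01:00\tWS01\t4689\tEXCEL.EXE\t1200
2024-01-10T09:01:30\tWS02\t4688\tbittorrent.exe\t3400
2024-01-10T09:02:00\tWS03\t4689\tEXCEL.EXE\t4100
2024-01-10T09:02:10\tWS02\t4689\tbittorrent.exe\t3400
"""

START, STOP = "4688", "4689"          # Windows Security event IDs: process created / exited
PROHIBITED = re.compile(r"(bittorrent|utorrent)\.exe", re.IGNORECASE)  # hypothetical policy

def parse_records(text):
    """Yield (timestamp, host, event_id, process, pid) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 5:
            yield tuple(fields)

def correlate(records):
    """Pair start/stop events per (host, pid) and track running instances per executable.
    Returns the peak concurrent count per executable and the list of prohibited starts."""
    running = defaultdict(set)   # executable -> set of (host, pid) currently running
    peak = defaultdict(int)      # executable -> highest concurrent instance count seen
    prohibited = []
    for ts, host, event_id, proc, pid in records:
        key = proc.lower()
        if event_id == START:
            running[key].add((host, pid))
            peak[key] = max(peak[key], len(running[key]))
            if PROHIBITED.search(proc):
                prohibited.append((ts, host, proc))
        elif event_id == STOP:
            running[key].discard((host, pid))   # a stop without a seen start is ignored
    return dict(peak), prohibited

if __name__ == "__main__":
    peaks, hits = correlate(parse_records(SAMPLE_RECORDS))
    for proc, n in sorted(peaks.items()):
        print(f"{proc}: peak concurrent instances = {n}")
    for ts, host, proc in hits:
        print(f"prohibited process {proc} started on {host} at {ts}")
```

Comparing the peak count for an executable against the number of purchased licenses gives the licence-usage check mentioned above, while the prohibited list is the input for an alert.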