Event Based Dynamic Client Logging
Author
Mikalsen, Sondre Undal
Abstract
Enterprise Security Information and Event Management (SIEM) systems are increasingly challenged by the need to balance comprehensive log collection with the practical limitations of storage, network bandwidth, and operational overhead. This often results in selective logging strategies that, while resource-efficient, risk omitting critical contextual information necessary for effective security investigations and incident response. This thesis addresses this fundamental trade-off by presenting the design, implementation, and empirical evaluation of a dynamic logging agent that extends the Wazuh platform.
The proposed agent augments traditional logging workflows by introducing a local, rule-based detection engine capable of monitoring verbose log streams directly on the endpoint. Upon detection of security-relevant events, the agent dynamically increases logging verbosity and selectively forwards enriched contextual information to the SIEM. During periods of normal operation, the agent reduces log transmission by filtering routine or low-priority events, thereby maintaining efficient resource utilisation without sacrificing operational visibility.
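The two operating modes described above, as an added Python sketch that is not the thesis's implementation or Wazuh code: a local detection loop keeps a short context buffer on the endpoint, forwards only non-routine events while quiet, and on a rule match ships the retained context and opens a short verbose window. The rule, its threshold, the priority levels and the log lines are constructed assumptions.

```python
import re
from collections import deque

SAMPLE_LOGS = [  # constructed verbose endpoint stream, not taken from the thesis
    "ERROR disk: write failure on /dev/sda1",
    "INFO  sshd: failed password for root",
    "INFO  sshd: failed password for root",
    "INFO  sshd: failed password for root",
    "DEBUG sshd: session opened for root",
    "INFO  cron: job started",
    "DEBUG cron: job finished",
]
RULES = {"ssh_bruteforce": (re.compile(r"failed password"), 3)}  # name -> (pattern, hits)
LOW_PRIORITY = ("DEBUG", "INFO")  # routine levels dropped while the agent is quiet

class DynamicLoggingAgent:
    def __init__(self, rules=RULES, context_size=4, verbose_window=2):
        self.rules, self.verbose_window = rules, verbose_window
        self.buffer = deque(maxlen=context_size)  # (seq, line) retained on the endpoint
        self.verbose_left, self.seq = 0, 0
        self.sent, self.forwarded = set(), []  # shipped seq numbers; (reason, line) records

    def _send(self, reason, seq, line):
        if seq not in self.sent:  # context must not duplicate a line already shipped
            self.sent.add(seq)
            self.forwarded.append((reason, line))

    def _fired_rule(self):
        hits = lambda p: sum(bool(p.search(l)) for _, l in self.buffer)
        return next((n for n, (p, t) in self.rules.items() if hits(p) >= t), None)

    def process(self, line):
        self.seq += 1
        self.buffer.append((self.seq, line))
        rule = self._fired_rule()
        if rule:  # security-relevant event: ship retained context, then raise verbosity
            for seq, ctx in self.buffer:
                self._send(f"context:{rule}", seq, ctx)
            self.buffer.clear()  # do not re-fire on the same lines
            self.verbose_left = self.verbose_window
        elif self.verbose_left > 0:  # heightened verbosity right after an alert
            self._send("verbose", self.seq, line)
            self.verbose_left -= 1
        elif not line.startswith(LOW_PRIORITY):  # quiet mode: only non-routine events
            self._send("normal", self.seq, line)

def run_agent(lines, **kwargs):
    agent = DynamicLoggingAgent(**kwargs)
    for line in lines:
        agent.process(line)
    return agent.forwarded
```

Note that the context buffer must be at least as long as the rule threshold, otherwise the rule can never fire and the agent silently stays in quiet mode.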