Thursday, October 23, 2008

Windows Syslog Agents Plus Splunk

I've been mulling strategies for putting Windows Event Logs into Splunk. Several options exist.

  1. Deploy Splunk in forwarding mode on the Windows system.

  2. Deploy a Syslog agent on the Windows system.

  3. Deploy OSSEC on the Windows system and send the OSSEC output to Splunk.

  4. Deploy Windows Log Parser to send events via Syslog on a periodic basis.

  5. Retrieve Windows Event Logs periodically using WMIC.

  6. Retrieve Windows Event Logs using another application, like LogLogic Lasso or DAD.
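As an added example (not code from the post, and not any vendor's agent), here is what option 5 looks like when scripted: pull recent Security-log events through WMI and emit each as a syslog line to a collector, the job a syslog agent does for you. The collector name and port, the ten-minute look-back window and the "WinEvent" tag are all assumptions.

```powershell
# Added example: periodic WMI pull of Windows Event Log entries, forwarded as syslog.
# Schedule it (Task Scheduler) on the same period as the look-back window below.
$Collector = "splunk.example.internal"   # assumed collector hostname
$Port      = 514                          # standard syslog/UDP port
$Facility  = 13                           # log audit
$Severity  = 6                            # informational
$Pri       = $Facility * 8 + $Severity    # RFC 3164 PRI value

# Only fetch events newer than the last run (assumed 10-minute schedule).
# WQL compares CIM_DATETIME fields against DMTF-formatted strings.
$Since  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-10))
$Filter = "LogFile='Security' AND TimeGenerated >= '$Since'"

$udp = New-Object System.Net.Sockets.UdpClient
try {
    $udp.Connect($Collector, $Port)
    Get-WmiObject -Class Win32_NTLogEvent -Filter $Filter | ForEach-Object {
        $ts = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
        # Collapse the multi-line Message body so one event stays one syslog datagram.
        $msg  = ($_.Message -replace "[\r\n]+", " ")
        # "<PRI>MMM dd HH:mm:ss HOST TAG: fields" is the classic BSD syslog layout.
        $line = "<$Pri>{0} {1} WinEvent: {2} {3} {4} {5}" -f `
            $ts.ToString("MMM dd HH:mm:ss"), $_.ComputerName, $_.LogFile,
            $_.EventCode, $_.SourceName, $msg
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($line)
        [void]$udp.Send($bytes, $bytes.Length)
    }
}
finally {
    $udp.Close()
}
```

This uses UDP, the same transport the free agents in the post use, so it inherits the reliability and confidentiality limits discussed in the comments; swapping `UdpClient` for `TcpClient` wrapped in an `SslStream` gives the TCP+TLS variant.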

I'd done number 2 before using NTSyslog, so I decided to see what might be newer as far as deploying Syslog agents on Windows goes.

I installed DataGram SyslogAgent, a free Syslog agent, onto a Windows XP VM.

It was very easy to set up. I pointed it toward a free Splunk instance running on my laptop and got results like the following.

I noticed some odd characters inserted in the log messages, but nothing too extraordinary.

Next I tried the other modern free Syslog agent for Windows, SNARE. Development seems very active. I configured it to point to my Splunk server.

Next I checked the Splunk server for results.

As you can see, the messages appear to be formatted a little better (i.e., no weird characters).

I was able to find logon messages recorded at different times by different Syslog agents. In the following screen capture, the top message is from SNARE and the bottom is from SyslogAgent.

I think if I decide to use a Syslog agent on Windows, I'll spend more time validating SNARE.


Marcus J. Carey said...

Snare looks nice if you have to run an agent. It would definitely be easier to correlate Windows Event Logs as syslog data in an intrusion investigation. I'd like to see how WMIC output would look in Splunk.

Jeremiah Johnson said...

Why not just install Splunk on your Windows host and send the logs that way? The Windows port has been out for a while now and it's quite stable.

quine said...

Snare is *choice* for Windows Event Log -> Syslog, though I've never played with Intersect Alliance's commercial offerings.

Richard, did you load the Splunk "application" for Snare? That is to say, did you download the event types, transforms, etc. from Splunkbase to have Splunk automagically parse Event Logs forwarded by Snare? I, personally, had trouble getting Splunk to do anything worthwhile with said add-on.

Anonymous said...

But which syslog server is best: syslogd, syslog-ng or rsyslog?

Mikael Keri said...

While you are at it, why don't you take a look at Balabit's syslog-ng client for Windows.

Native TLS or Certificate support, handles logs stored in the event viewer or in logfiles. Uses TCP.

The only downside is that the agent is free *if* you buy a commercial syslog-ng license, but if you would like to have your Snare agent transfer data over TCP instead of UDP (and this is something you would like) you still will have to buy a license.

Jeremy said...

Richard, read your blog faithfully. Thanks for writing.
Splunk as of 3.3(?) has a WMI input that can fetch event logs or any other WMI-accessible data. Requires Splunk installed on a Windows OS. I've been using it for about 1 week on a POC with ~40 Windows servers. So far I'm impressed.


Jason said...

I've used Snare to send events to Splunk before and found that it worked very well. No problems with stability of the service and things got working fast. I did have a problem with pulling events from custom event logs though. It ended up being a blocking issue for us.

Does anyone have experience with an application that can be customized to monitor custom event logs?

oneguynick said...

SYSLOG-NG with SNARE on windows is a great open source combo. There are insecurities of course (UDP syslog rather than TCP+TLS) but you must review the risk of the network layer protection. Using WMI versions negates what for me is one of the largest benefits of central logging, compatibility. SYSLOG can be spoken by just about any platform out there (UNIX, Cisco, Network Devices, Windows, etc.) and does not rely on proprietary technologies.

Mikael Keri said...

The risk with the "UDP only" option is the lack of reliability, and if you send customer data, I could only guess that your auditors would prefer you doing it over an encrypted channel. But as always, pick the solution that solves your need; the rest is just opinions.

If SNARE feels right you could use the Windows port of Stunnel to accomplish the encryption part.

Mestizo said...

I also use Snare quite a bit. One thing worth looking at, though, is Epilog (also from InterSect Alliance).

This allows you to forward flat-text based logs from windows boxes. Things such as DHCP logs and IIS web logs. I've even had good luck forwarding Oracle App Server logs, etc.

Cervelli said...

Thanks for the post Richard.

We posted a little while ago a wiki page on the tradeoffs between snare, splunk native forwarding and splunk remote polling via WMI. If people are interested in the 'official' line, you'll find it here:

Happy Splunkin'