Comments on TaoSecurity Blog: Windows Syslog Agents Plus Splunk
Author: Richard Bejtlich

Anonymous, 2008-11-03 20:37 (-05:00)

Thanks for the post Richard.

We posted a little while ago a wiki page on the tradeoffs between snare, splunk native forwarding and splunk remote polling via WMI. If people are interested in the 'official' line, you'll find it here:

http://wiki.splunk.com/Deploy:SnareVwmiVforwarding

Happy Splunkin'

Mestizo, 2008-10-28 02:56 (-04:00)

I also use Snare quite a bit. One thing worth looking at though, is Epilog (also from InterSect Alliance).

http://www.intersectalliance.com/projects/EpilogWindows/index.html

This allows you to forward flat-text based logs from windows boxes. Things such as DHCP logs and IIS web logs. I've even had good luck forwarding Oracle App Server logs, etc.

Anonymous, 2008-10-25 14:41 (-04:00)

The risk with the "UDP only" option is the lack of reliability, and if you send customer data, I could only guess that your auditors would prefer you doing it over an encrypted channel. But as always, pick the solution that solves your need; the rest is just opinions.

If SNARE feels right you could use the Windows port of Stunnel to accomplish the encryption part.

Anonymous, 2008-10-24 21:36 (-04:00)

SYSLOG-NG with SNARE on windows is a great open source combo. There are insecurities of course (UDP syslog rather than TCP+TLS) but you must review the risk of the network layer protection. Using WMI versions negates what for me is one of the largest benefits of central logging, compatibility. SYSLOG can be spoken by just about any platform out there (UNIX, Cisco, Network Devices, Windows, etc.) and does not rely on proprietary technologies.

Jason Wood, 2008-10-24 15:46 (-04:00)

I've used Snare to send events to Splunk before and found that it worked very well. No problems with stability of the service and things got working fast. I did have a problem with pulling events from custom event logs though. It ended up being a blocking issue for us.

Does anyone have experience with an application that can be customized to monitor custom event logs?

Anonymous (Jeremy), 2008-10-24 10:56 (-04:00)

Richard, read your blog faithfully. Thanks for writing.
Splunk as of 3.3(?) has a WMI input that can fetch event logs or any other WMI accessible data. Requires splunk installed on windows OS. I've been using it for about 1 week on a POC with ~40 windows servers. So far I'm impressed.

--Jeremy

Anonymous (Micke), 2008-10-24 08:47 (-04:00)

While you are at it, why don't you take a look at Balabit's syslog-ng client for Windows.

Native TLS or Certificate support, handles logs stored in the event viewer or in logfiles. Uses TCP.

The only downside is that the agent is free *if* you buy a commercial syslog-ng license, but if you would like to have your snare agent transfer data over TCP instead of UDP (and this is something you would like) you still will have to buy a license.

URL: http://www.balabit.com/network-security/syslog-ng/central-syslog-server/windows-eventlog/

/Micke

Anonymous, 2008-10-24 07:02 (-04:00)

But which syslog server is best: syslogd, syslog-ng or rsyslog?

Anonymous, 2008-10-24 02:09 (-04:00)

Snare is *choice* for Windows Event Log -> Syslog, though I've never played with Intersect Alliance's commercial offerings.

Richard, did you load the Splunk "application" for Snare? That is to say, did you download the event types, transforms, etc. from Splunkbase to have Splunk automagically parse Event Logs forwarded by Snare? I, personally, had trouble getting Splunk to do anything worthwhile with said add-on.

Jeremiah Johnson, 2008-10-24 00:28 (-04:00)

Why not just install Splunk on your windows host and send the logs that way? The Windows port has been out for a while now and it's quite stable.

Anonymous, 2008-10-23 23:41 (-04:00)

Snare looks nice if you have to run an agent. It would definitely be easier to correlate Windows Event Logs as syslog data in an intrusion investigation. I'd like to see how WMIC output would look in Splunk.