Windows Syslog Agents Plus Splunk

I've been mulling strategies for putting Windows Event Logs into Splunk. Several options exist.

  1. Deploy Splunk in forwarding mode on the Windows system.

  2. Deploy a Syslog agent on the Windows system.

  3. Deploy OSSEC on the Windows system and sending OSSEC output to Splunk.

  4. Deploy Windows Log Parser to send events via Syslog on a periodic basis.

  5. Retrieve Windows Event Logs periodically using WMIC.

  6. Retrieve Windows Event Logs using another application, like LogLogic Lasso or DAD.


I'd done number 2 before using NTSyslog, so I decided to see what might be newer as far as deploying Syslog agents on Windows goes.

I installed DataGram SyslogAgent, a free Syslog agent onto a Windows XP VM.



It was very easy to set up. I pointed it toward a free Splunk instance running on my laptop and got results like the following.



I noticed some odd characters inserted in the log messages, but nothing too extraordinary.

Next I tried the other modern free Syslog agent for Windows, SNARE. Development seems very active. I configured it to point to my Splunk server.



Next I checked the Splunk server for results.



As you can see the messages appear to be formatted a little better (i.e., no weird characters).

I was able to find logon messages recorded at different times by different Syslog agents. In the following screen capture, the top message is from SNARE and the bottom is from SyslogAgent.



I think if I decide to use a Syslog agent on Windows, I'll spend more time validating SNARE.

Comments

Anonymous said…
Snare looks nice if you have to run an agent. It would definitely be easier to correlate Windows Event Logs as syslog data in a an intrusion investigation. I'd like to see how WMIC output would look in Splunk.
11:41 PM
Jeremiah Johnson said…
Why not just install Splunk on your windows host and send the logs that way? The Windows port has been out for a while now and its quite stable.
12:28 AM
Anonymous said…
Snare is *choice* for Windows Event Log -> Syslog, though I've never played with Intersect Alliance's commercial offerings.

Richard, did you load the Splunk "application" for Snare? That is to say, did you download the event types, transforms, etc. from Splunkbase to have Splunk automagically parse Event Logs forwarded by Snare? I, personally, had trouble getting Splunk to do anything worthwhile with said add-on.
2:09 AM
Anonymous said…
but which syslog server is best: syslogd , syslog-ng or rsyslog?
7:02 AM
Anonymous said…
While you are at it, why don't you take a look at Balabit's syslog-ng client for Windows.

Native TLS or Certificate support, handles logs stored in the event viewer or in logfiles. Uses TCP.

The only downside is that the agent is free *if* you buy a commercial syslog-ng license, but if you would like to have your snare agent transfer data over TCP instead of UDP (and this is something you would like) you still will have to buy a license..

URL: http://www.balabit.com/network-security/syslog-ng/central-syslog-server/windows-eventlog/

/Micke
8:47 AM
Anonymous said…
Richard, read your blog faithfully. Thanks for writing.
Splunk as of 3.3(?) has a WMI input that can fetch event logs or any other WMI accessible data. Requires splunk installed on windows OS. I've been using it for about 1 week on a POC with ~40 windows servers. So far I'm impressed.

--Jeremy
10:56 AM
Jason Wood said…
I've used Snare to send events to Splunk before and found that it worked very well. No problems with stability of the service and things got working fast. I did have a problem with pulling events from custom event logs though. It ended up being a blocking issue for us.

Does anyone have experience with an application that can be customized to monitor custom event logs?
3:46 PM
Unknown said…
SYSLOG-NG with SNARE on windows is a great open source combo. There are insecurities of course (UDP syslog rather than TCP+TLS) but you must review the risk of the network layer protection. Using WMI versions negates what for me is one of the largest benefits of central logging, compatibility. SYSLOG can be spoken by just about any platform out there (UNIX, Cisco, Network Devices, Windows, etc.) and does not rely on proprietary technologies.
9:36 PM
Anonymous said…
The risk with the "UDP only" option is the lack or reliability and if you send customer data, I could only guess that your auditors would prefer you doing it over a encrypted channel.. but as always pick the solutions that solves your need, the rest is just opinions.

If SNARE feels right you could use the Windows port of Stunnel to accomplish the encryption part.
2:41 PM
Mestizo said…
I also use Snare quite a bit. One thing worth looking at though, is Epilog (also from InterSect Alliance).

http://www.intersectalliance.com/projects/EpilogWindows/index.html

This allows you to forward flat-text based logs from windows boxes. Things such as DHCP logs and IIS web logs. I've even had good luck forwarding Oracle App Server logs, etc.
2:56 AM
Anonymous said…
Thanks for the post Richard.

We posted a little while ago a wiki page on the tradeoffs between snare, splunk native forwarding and splunk remote polling via WMI. If people are interested in the 'official' line, you'll find it here:

http://wiki.splunk.com/Deploy:SnareVwmiVforwarding

Happy Splunkin'
8:37 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more