Log messages have recently become very important. While every application and operating system generates system status messages, for decades, systems administrators just ignored them. The advent of Security Information and Event Management (SIEM) as a threat protection strategy turned this situation around. Now everyone is eager to collect and store every log message that all systems emit.
There are two major standards in operation for log messages: Windows Events and Syslog. Syslog is an open standard that is prevalent on Linux systems. Windows Events follow a proprietary standard that was created by Microsoft for its own products. However, third-party products also adopt the Windows Event log format when running on Windows. Similarly, some software creators decide to follow the Syslog messaging standard.
Log collectors and receivers
The need to collect all log messages in one place means that there needs to be a bridge between the two tribes of log messaging: Windows Events and Syslog. A log message manager in a Windows system will collect and file all Windows Events log messages but ignore Syslog messages that might be generated on other parts of the network. Similarly, a log file manager written for Linux would collect and store Syslog messages but it wouldn’t handle Windows Event log messages.
So, a systems administrator with both Windows and Linux systems to manage is left with at least two separate stores of log messages – one for Windows Events and one for Syslog messages. This is not a good scenario for intrusion detection. The solution to this problem means that either the Windows Event messages need to be converted into the Syslog format or that the Syslog messages should be converted into the Windows Event message format. Either strategy would enable all system messages to be stored in common files and be searched through by one single analytical tool.
There is a third strategy for consolidating Windows Events and Syslog messages, which is to convert them into a neutral format. Whether Windows Events are sent to a Syslog server or to a third-party consolidating tool, the process of sending those messages is known as Event log forwarding.
Event log forwarders and log servers
The Event log forwarder will operate on your own system. The log server and consolidator do not need to be resident on your premises. There are log servers that you can install on-site and there are others that are hosted Software as a Service system.
Many hosted systems offer the log collector, which is the Event log forwarder as part of the package. In these cases, the log collector still has to be installed on a Windows host on your site. This is usually termed an “agent.”
If you are consolidating files from Windows and Linux environments, you will also need to install a Syslog forwarder on one of your Linux machines. SaaS log file management systems also provide a Linux-resident agent. If you run your log file server on your own site, the log collector/forwarder and the log server will still be separate packages. The server is intended as a manager for all log messages whether they be Windows Events or Syslog.
Free Event log forwarder and log consolidators
You don’t have to pay for an Event log forwarder or a log server and consolidator because there are some free packages available. One of the things that you need to consider is whether the two services that you choose are compatible. As both Windows Events and Syslog are universally-known standards, the likelihood of incompatibility is slim. However, it is still a good idea to check for compatibility, just in case.
You eradicate the possibility of incompatibility if you get both an Event log forwarder and a log file server from the same provider. This is the strategy that we will follow in this guide. Here we use two free utilities from SolarWinds. These are:
As you have probably already guessed from the names of these two tools, we will deal with the incompatibility between log file formats by converting Windows Event log messages into a Syslog format and then send them to a Syslog server. The server is also capable of receiving Syslog messages from a Linux-based log message collector.
Both of these utilities run on the following operating systems:
- Windows Server 2016
- Windows Server 2012 and 2012 R2
- Windows 10
- Windows 8.1
- Windows 8
The Event Log Forwarder will also run on these Windows versions:
- Windows 7 and Windows 7 SP1
- Windows Server 2008, 2008 SP2, 2008 R2, and 2008 R2 SP1 *
- Windows Server 2003 R2 SP2 *
Let’s get on and install these two software packages.
Install SolarWinds Event Log Forwarder for Windows
The Event Log Forwarder is available for free download at the SolarWinds website. It needs to be installed on each computer from which you want to collect Event log messages. Click on the Download button to access the page.
Fill in the contact details form on the download access page and then press the Proceed to Free Download button.
You will be offered a free 30-day free trial of the SolarWinds Log Analyzer. Whether you choose this offer or not, the next screen gives you a download link in the form of a button, labeled Download Now.
Click on the button to get the download, which is a zipped folder. When the download completes, open the folder. Extract the files from the zip container.
Double-click on the second item in the folder, which is an installer. Windows will ask you for permission to run the file. Press OK. This will launch an installation wizard. Accept the Terms and Conditions and cycle through the installation stages by clicking on the Next button. Press the Finish button on the last page of the installer.
Set up the Event Log Forwarder
Once the installer closes, open the Event Log Forwarder by clicking on its entry in the Start menu or its icon on your Desktop. Windows will ask you for permission before the service opens.
The Dashboard for the system has a large blank panel in it when you first run it.
Specify Event collection parameters
In order to get the collector running, you need to add a type of message for it to capture.
Click on the Add button at the top of the display panel.
The Event type selection screen enables you to filter the events that will get forwarded to the Syslog server. This will cut down on traffic. However, if you are gathering log records to be used by a SIEM system, you might be required to send all events.
As you select filters for the messages, you can see the records that your setup will capture by pressing the Show preview of matching event records button, which is underneath the left panel on the screen.
There are three ways to select the types of log records that will be collected. The first lies with the specification of the sources of log messages that you would like to collect. This is enabled through a hierarchy structure shown on the left panel of the screen. Check the box at the root of the hierarchy to select all events. This filtering method can be refined through a drop-down list of event sources. This is a list of subcategories of the systems you selected in the left-hand panel.
The second filtering option is at the top of the main panel of the Add screen. This allows you to select the severity of events that you want to collect. The options here are to collect messages with the level of Error, Warning, and Information.
The third method for filtering allows you to specify task categories, user accounts, or computers to extract log records for. The Task Category option is a little obscure because it works on a list of IDs. So, you would need to know the identifiers of each of the specific categories you want to collect log records for in order to use this feature meaningfully. The selection of these Task Categories is through a drop-down list that has all of the categories checked by default. This list only gets populated after you have selected event sources in the left-hand panel.
It is also possible to use task category IDs in the Include or Exclude Event field above the Task Category drop-down list. If you want to capture all events except for a given list, put a minus sign in front of the ID for each event type.
After completing the event source selection, click on the Next button to proceed. This takes you to the Define Priority screen.
Select the Default Syslog Facility that the event records will be forwarded to the syslog server(s). This value, together with the Event Type on each message is used to generate the Priority value that will be added into each record when it is converted into the Syslog standard.
Click on the Finish button to return to the main screen.
You will now see an entry in the main detail panel of the Home screen in the Dashboard.
Specify a Syslog server
The next step is to tell the Event Log Forwarder where to send its converted event logs. Click on the Syslog Servers tab at the top of the main panel on the Home screen. Click on the Add button to proceed.
In the Add Syslog Server screen, enter the IP address of the host of the Syslog server utility. If you subscribe to a SaaS system for logfile consolidation, you should put in the IP address given to you in the setup guide for that service. If you will be using an installed Syslog server, put in the IP address of the computer that you installed it on – or intend to install it on. Leave the Port and Protocol fields as they are because these are industry standard values.
The Server Name field gives you an opportunity to put your own label on this Syslog server record, in case you set up several servers. If you only have one, the name you choose doesn’t matter too much because you won’t need to distinguish between the records that will appear in the Syslog Server section of the Home screen on the Dashboard.
Press the Create button to return to the main screen of the Dashboard.
Check the settings of Event Log Forwarder
In the main screen of the Event Log Forwarder, click on the Test tab in order to check whether the setup of the collector has been performed correctly. Select an event type in the Event logs you wish to add a test event to: drop-down list. Select the All option. Select an event type in the second field, such as Warning.
Click on the Create a test event button to run the test. You should see a success or failure notification.
Use a Syslog server
Now the setup of your Event log forwarder is complete. However, you will also need to set up a Syslog server in order to benefit from this message forwarding system. We recommend using the Kiwi Syslog Server Free Edition, which you can download from the SolarWinds website.
In order to download this server, you need to fill in a form, which is the same as the form you filled in to get the Event Log Forwarder.
Download the service, unzip the download container and run the install Wizard to get the Syslog server on your host.
In order to test whether the Syslog Server is set up correctly, go back to the Event Log Forwarder and run a test. With the Kiwi Syslog Server operational, you should see a test message appear in the Syslog Server dashboard.
L’article Event Log Forwarding Guide est apparu en premier sur Comparitech.
0 Commentaires