Sending Windows Event Logs to a RHEL Syslog-NG Server

Syslog-ng main site:

Snare for Windows:


Install syslog-ng via EPEL or build it from source.

Make a directory to store the logs you want to capture:

mkdir /var/log/syslogs

Edit the syslog-ng conf file:

vi /etc/syslog-ng/syslog-ng.conf

Add to the end of syslog-ng.conf:

source src { udp(); };
destination messages { file("/var/log/syslogs/$HOST"); };
log { source(src); destination(messages); };

The above stanza tells syslog-ng to listen for any incoming logs on UDP port 514 (the default) and write them under /var/log/syslogs/; each remote host gets its own file, named after the sending hostname, e.g.:

-rw------- 1 root root   53701 Nov  7 07:42 cit-3zhgmg1
-rw------- 1 root root  231065 Nov  7 07:42 dev-virtual
-rw------- 1 root root 1233934 Nov  7 07:39 rsodevxp

Restart the syslog-ng process:

/etc/init.d/syslog-ng start

Open a port in the local firewall:

vi /etc/sysconfig/iptables

And add the line:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT

Reload the firewall:

/etc/init.d/iptables reload

Install snare for Windows

Download the correct agent for the Windows platform, e.g. Windows XP, 7, Server, etc.

The Snare agent install is the normal Next, Next type.

Accept most of the defaults unless there is an Active Directory auditing GPO that may interfere.


On the “Remote Control Interface” option, if you want remote access to the system’s Snare configuration via a web browser, you can enable it here (e.g. http://fqdn:6161). To access it locally, you still need admin rights on the box.

Finish the install process and open a local browser to http://localhost:6161; a status page should be shown.

Go to Network Configuration and complete the following:

Override detected DNS Name with: you only need to configure this if you want the name in the syslog feed to be something other than the name the host resolves to in DNS.

Destination Snare Server address: The FQDN or IP address of your syslog server.

Destination Port: The default syslog port (514).

Perform a scan of ALL objectives, and display the maximum criticality: Based on the settings in Objectives Configuration, this will report to you what Snare is going to audit.

Allow SNARE to automatically set audit configuration: Leaving this checked allows Snare to capture all the events considered important. Review those in Objectives Configuration, adjust them as you see fit, or control auditing through a GPO.

Export Snare Log data to a file?: Since we’re still writing event logs, checking this is redundant.

Enable active USB auditing?: With this checked, we should pick up any USB devices (like drives) connected to or removed from the system.

Enable SYSLOG Header: Check this, so that the Snare feed includes a syslog header. This will contain the hostname and a timestamp.

SYSLOG Facility: Defined in RFC3164, leave this at User unless you have a company policy defining a different facility.

SYSLOG Priority: Also defined in RFC3164, leave this at Notice unless you have a company policy defining a different priority.

Configure your Snare agent as desired, and then click “Change Configuration.”

Restart the snare service:

Start > Run > cmd, then:

C:\Windows\System32> net stop snare && net start snare

Now roll over to your syslog server and tail for incoming Windows event logs in the syslogs directory:

tail -f /var/log/syslogs/<HOSTNAME.DOMAIN>

You should see:

Nov 7 08:03:23 rsodevxp MSWinEventLog 0 Security 1836 Mon Nov 07 08:03:17 2011 593 Security SYSTEM User Success Audit RSODEVXP Detailed Tracking A process has exited: Process ID: 792 Image File Name: C:\WINDOWS\system32\userinit.exe User Name: RSODEVXP$ Domain: LOCALDOMAIN Logon ID: (0x0,0x3E7) 1666

Nov 7 08:09:23 rsodevxp MSWinEventLog 1 Security 1837 Mon Nov 07 08:09:23 2011 861 Security SYSTEM User Failure Audit RSODEVXP Detailed Tracking The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\Snare\SnareCore.exe Process identifier: 976 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: TCP Port number: 6161 Allowed: No User notified: No 1667

Nov 7 08:10:08 rsodevxp MSWinEventLog 0 Security 1838 Mon Nov 07 08:10:08 2011 592 Security SYSTEM User Success Audit RSODEVXP Detailed Tracking A new process has been created: New Process ID: 3252 Image File Name: C:\WINDOWS\system32\logon.scr Creator Process ID: 648 User Name: RSODEVXP$ Domain: LOCALDOMAIN Logon ID: (0x0,0x3E7) 1668
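The lines above are the raw Snare "MSWinEventLog" format: after the syslog header come the criticality, log name, Snare counter, event date/time, event ID, source, user, SID type, event type, computer name, category, description, and the counter again. The following is an added example, not part of the original article or of Snare, that pulls those fields out of lines laid out as shown here (whitespace-separated, as they appear above) and picks out the events a reviewer would want to look at first: every Failure Audit, plus a small watch-list of event IDs. The watch-list contents and the output format are my own choices; the sample lines are the three from the article's output.

```shell
#!/bin/sh
# Added example (not from the original article): parse Snare "MSWinEventLog"
# syslog lines as shown in the article's output and flag events worth a look.
# Assumes the whitespace-separated layout above. awk field positions:
#   $1-$3 syslog timestamp, $4 host, $5 "MSWinEventLog", $6 criticality,
#   $7 log name, $8 Snare counter, $9-$13 event date/time, $14 event ID,
#   $15 source, $16 user, $17 SID type, then the event type ("Success Audit" /
#   "Failure Audit" span two fields; "Information", "Warning", "Error" one),
#   then the computer name, then category + description, and finally the
#   Snare counter repeated as the last field.

# Event IDs (Windows XP/2003 numbering, as in the article's output) to flag:
# 592 = a new process has been created, 861 = firewall saw a listening app.
WATCH_IDS="592 861"

# Prints one line per interesting event: host|event_id|type|computer|description
triage_snare() {
    awk -v watch="$WATCH_IDS" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1 }
    $5 != "MSWinEventLog" { next }        # not a Snare line, skip it
    {
        eid = $14
        if ($19 == "Audit") { type = $18 " " $19; c = 20 } else { type = $18; c = 19 }
        computer = $c
        desc = ""
        for (i = c + 1; i < NF; i++)      # stop before the trailing counter
            desc = desc (desc == "" ? "" : " ") $i
        if (type == "Failure Audit" || (eid in watched))
            printf "%s|%s|%s|%s|%s\n", $4, eid, type, computer, desc
    }'
}

# Sample input, copied from the article's output (descriptions shortened).
sample_lines() {
    cat <<'EOF'
Nov 7 08:03:23 rsodevxp MSWinEventLog 0 Security 1836 Mon Nov 07 08:03:17 2011 593 Security SYSTEM User Success Audit RSODEVXP Detailed Tracking A process has exited: Process ID: 792 Image File Name: C:\WINDOWS\system32\userinit.exe User Name: RSODEVXP$ Domain: LOCALDOMAIN Logon ID: (0x0,0x3E7) 1666
Nov 7 08:09:23 rsodevxp MSWinEventLog 1 Security 1837 Mon Nov 07 08:09:23 2011 861 Security SYSTEM User Failure Audit RSODEVXP Detailed Tracking The Windows Firewall has detected an application listening for incoming traffic. Path: C:\Program Files\Snare\SnareCore.exe Port number: 6161 Allowed: No 1667
Nov 7 08:10:08 rsodevxp MSWinEventLog 0 Security 1838 Mon Nov 07 08:10:08 2011 592 Security SYSTEM User Success Audit RSODEVXP Detailed Tracking A new process has been created: New Process ID: 3252 Image File Name: C:\WINDOWS\system32\logon.scr Creator Process ID: 648 User Name: RSODEVXP$ Domain: LOCALDOMAIN Logon ID: (0x0,0x3E7) 1668
EOF
}

# Run against the samples; on a live server use:  tail -f /var/log/syslogs/<host> | triage_snare
sample_lines | triage_snare
```

Because awk splits on runs of whitespace, the single-digit day in the syslog header ("Nov 7" vs "Nov  7") does not shift the fields. The Success Audit for event 593 (process exit) is passed over; the Failure Audit for 861 and the watched 592 (new process) are printed.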

Final steps:

Configure logrotate to rotate and compress the logs, and set retention so that any logs older than X days roll off.
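As an added example (my own, not from the article), here is a logrotate stanza for the per-host files syslog-ng writes under /var/log/syslogs: daily rotation, compression, and removal after a chosen number of days. The retention value, the archive directory /var/log/syslogs-archive, and the file name /etc/logrotate.d/syslogs are assumptions; the reload is done through the same init script the article uses. Rotated files are moved to a sibling directory so that the /var/log/syslogs/* glob keeps matching only the live per-host files.

```shell
#!/bin/sh
# Added example (not part of the original article): emit a logrotate stanza for
# the syslog-ng per-host files. Assumed paths/values are marked below.

LOG_DIR="/var/log/syslogs"               # where syslog-ng writes $HOST files (from the article)
ARCHIVE_DIR="/var/log/syslogs-archive"   # assumption: sibling dir for rotated copies
RETAIN_DAYS=90                           # assumption: pick the value your policy requires

# Print the stanza for a given log directory, archive directory and retention.
# "rotate N" keeps N daily rotations; "maxage N" also deletes anything older
# than N days if rotations were skipped. postrotate reloads syslog-ng so it
# reopens the files instead of writing into the renamed ones.
logrotate_stanza() {
    dir="$1"; olddir="$2"; days="$3"
    cat <<EOF
${dir}/* {
    daily
    missingok
    notifempty
    rotate ${days}
    maxage ${days}
    dateext
    compress
    delaycompress
    olddir ${olddir}
    create 0600 root root
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}
EOF
}

# Usage (as root):
#   mkdir -p "$ARCHIVE_DIR"
#   logrotate_stanza "$LOG_DIR" "$ARCHIVE_DIR" "$RETAIN_DAYS" > /etc/logrotate.d/syslogs
#   logrotate -d /etc/logrotate.d/syslogs    # dry run, shows what would happen
logrotate_stanza "$LOG_DIR" "$ARCHIVE_DIR" "$RETAIN_DAYS"
```

The archive directory must exist before the first rotation (olddir requires it, and it has to be on the same filesystem). Keep the files mode 0600 as syslog-ng created them, since the Snare feed carries process names, user names and logon IDs from every forwarding host.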