Log Configuration
The Epilog service's main focus is the ability to monitor any text-based log file. The initial log configuration parameters to consider are the location of the log files to be monitored, and the type of log files being monitored. From this page:
- select Add to create a new log monitor
- Modify to update an existing log monitor
- Delete to remove the log monitor
Editing a log objective
The following parameters for the log inputs may be set:
- Select the Log Type. The log type of a file will tell the Snare server or other SIEM how to handle the incoming data stream and in which table the processed information should be stored. The available log types are:
GenericLog | Generic log format (default) |
ApacheLog | Apache web logs |
ExchMTLog | Exchange message tracking logs pre 2007 |
Exch2008MTLog | Exchange message tracking logs 2007 |
Exch2013MTLog | Exchange message tracking logs 2010/2013 |
IISWebLog | Microsoft IIS web server logs |
ISAFWSLog | Microsoft ISA firewall logs |
ISAWebLog | Microsoft ISA web logs |
MSProxySvr | Microsoft proxy server logs |
MSDNSServer | Microsoft DNS server logs |
SMTPSvcLog | Microsoft SMTP logs |
SquidProxyLog | Squid proxy logs |
VMSLog | VMS Security Logs |
NCRATMLog | NCR ATM Journal Logs |
Custom Event Log | User configurable log type. When this is selected the desired format can be added in the text field. |
- Multi-Line Format. How you would like Epilog to send events to the Snare Server or other SIEM.
Single line only - If this option is selected then Epilog will read from file line-by-line (until it finds a newline '\n' in the file). Each of these lines will be sent to the server as separate events.
Fixed number of lines - If this option is selected then Epilog will read the fixed number of lines from the file. An input box will be available for number entry. For example, if the value for this option is set to the number four, then Epilog will read the file until it finds four occurrences of the newline. In this example Epilog will read four lines and the contents of the four lines will be sent to the server as a single event.
Line separating events - If this option is selected then Epilog will keep reading the file until it finds a specific pattern in the file, where the pattern is treated as a string. An input box will be available for entry. For example, if the line separating event is defined as <end>
then Epilog will keep reading the file until it finds the pattern <end>
in the file as long as it is on a line on its own. All of the lines read up to <end
> will be sent to the server as a single event. Having a caret (^) as the pattern match for example ^ABCD will split the event into each line. The caret acts as a multi-line separator to match on text at the beginning of a log entry.
- Send Comments. Enable this option if you wish to collect the lines with a comment in them. A comment is represented by
#
(hash) and by default all lines starting with the hash will be ignored. Log File or Directory. The path must be defined as the fully qualified path to the desired log file or the fully qualified path to the directory containing the target log files. Spaces are valid characters. To indicate one or more subdirectories that should be searched for matching files, add a wildcard.
For example, to set the directory to the path containing the log files Log Name Format must be set to specify the pattern you are targeting.C:\mylogfiles\
For example, to match on a particular log file:C:\mylogfiles\filetowatch.log
For example, to recursively search for a match within subdirectories:C:\mylogfiles\*
About Recursive Files
If there are many files to recurse through, events may take from a few seconds to a few minutes to generate.
Recursion will not work from root directory such as c:\ as it must be under an existing subdirectory such as c:\mylogfiles.
About Mapped Drives
You may map locally to an external drive, such as drive mapped to USB.
You cannot map a drive over the network. You are required to install Epilog locally on those machines to retrieve events.
- Log Name Format: Allows you to specify the file name or pattern you are targeting. Wildcards are accepted, e.g.
filetowatch*.log
, using '*' and '?' expressions, or to watch all files use*.*
. A percent sign (%) can be used to represent the current date of the form YYMMDD.
For example, ISA is configured to log both web logs (e.g. ISALOG_20080612_WEB_000.w3c) and firewall logs (e.g. ISALOG_20080611_FWS_000.w3c) to the same directory. To watch each log type, you will need two log watches, both with the same Log Directory but the Log File Format set to "ISALOG_20%_WEB_*" and "ISALOG_20%_FWS_*" for web and firewalls logs respectively.
If no log name format is defined then it uses a default log format of YYMMDD and matches files within the specified directory set in Log File or Directory field, for example C:\mylogfiles\
and for date such as for 30 October 2014 it will match files using filter 141030.
in that directory for example C:\mylogfiles\141030.*
- All matching files - Users may create a single log monitor for all files within a directory
- Last matching file – Users may monitor the last file located within a directory, found alphabetically.
- First matching file – Users may monitor the first file located within a directory, found alphabetically.
- Fixed number of first matching files - Users may monitor the set number of first matched files within a directory.
- Fixed number of last matching files - Users may monitor the set number of last matched files within a directory.
- Number of files (1-65535) - This option is available when a Fixed number of first matching files or Fixed number of last matching files option is selected. This option takes the fixed number of first/last matching files within a directory that will be monitored.
Once each log watch is configured Epilog will display a list of the matching files and after the agent has been restarted, it will continuously monitor each file for any changes, immediately reporting them to the identified Snare servers or SIEM. For specific filenames, Epilog will follow the exact name of the file even if it is rotated, truncated, replaced or deleted. In the event that the file is removed, the Epilog service will wait until the file is recreated and then resume normal monitoring. If a Log Name Format is used, Epilog will also watch for new filenames, dynamically updating the file watch each time a new file becomes available.
To view the files that are being monitored select the View button on the Log Configuration page. This will pop up an editor of matching files.
To save and set the changes to the above settings, and to ensure the registry has received the new configuration perform the following:
- Click on Change Configuration to save any changes to the registry and to return to the Log Configuration main page. It will summarise the details of the log files to monitor or display "No matches" in the the Matching File(s) column. If no matching files were found, check your paths and log file formats.
- Click on the Apply Configuration & Restart Service menu item.
Alternatively, the service may also be restarted by selecting the restart service via the Windows services control panel.
To clear the form before changes were made, click Reset Form.