Log Types: MSWinEventLog
Overview
Windows systems can create a reasonably wide variety of similar log types. Windows NT supported the WinSecurity, WinApplication and WinSystem logs; later versions of Windows expanded the available log types significantly.
Collection
Snare for Windows agents are capable of collecting and forwarding Windows eventlog data.
In addition, agents can export log data to a file on disk rather than pushing the events to a central server.
In situations where systems are air-gapped, or have sporadic internet connectivity, directly transferring the archived log data to the Snare Central via FTP is possible.
Logs should be in standard Snare Agent tab-delimited text format, and can be transferred to the directory /data/SnareCollect/MSWinEventLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Sample Events
propc12 MSWinEventLog 4 System 2174 Fri Nov 27 09:58:51 2015 7036 Service Control Manager N/A N/A Information propc12 None The Application Experience service entered the stopped state. 0
Test_Host MSWinEventLog 2 Security 3027 Fri May 24 20:30:43 2010 593 Security Administrator User Success Audit LE5678WSP Detailed Tracking A process has exited:Process ID: 656 User Name: Administrator Domain: LE5678WSPLogon ID: (0x0,0x6C52)
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | MSWinEventLog |
| EVENTCOUNT | Based on the internal Snare event counter |
| EVENTID | Windows EventID |
| SOURCE | The log source, such as "Security" or "Service Control Manager" |
| USER | The user that generated the event |
| SOURCETYPE | Source type, such as "User" |
| RETURN | 'Success Audit', 'Failure Audit', 'Error', 'Information', or 'Warning' |
| DATA | Event data; generally blank except for a few particular events (e.g. DrWatson errors) |
| STRINGS | Any event content that does not fit into the other defined fields |
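The following added example (not part of the Snare documentation) parses records in the tab-delimited Snare Agent format described above into the fields of this table, and checks the EVENTCOUNT sequence per host for gaps. The column order is assumed from the two sample events on this page, and the third sample line is constructed to show a counter gap.

```python
from datetime import datetime

# Column order assumed from the page's two sample events; columns after STRINGS go to EXTRA.
COLUMNS = ["SYSTEM", "TABLE", "CRITICALITY", "LOG", "EVENTCOUNT", "DATETIME", "EVENTID",
           "SOURCE", "USER", "SOURCETYPE", "RETURN", "COMPUTER", "CATEGORY", "STRINGS"]
RETURN_TYPES = {"Success Audit", "Failure Audit", "Error", "Information", "Warning"}

# Constructed sample input: the page's two sample events re-joined with tabs, plus a
# hypothetical third System event whose counter skips 2175.
SAMPLE_LINES = [
    "propc12\tMSWinEventLog\t4\tSystem\t2174\tFri Nov 27 09:58:51 2015\t7036\t"
    "Service Control Manager\tN/A\tN/A\tInformation\tpropc12\tNone\t"
    "The Application Experience service entered the stopped state.\t0",
    "Test_Host\tMSWinEventLog\t2\tSecurity\t3027\tFri May 24 20:30:43 2010\t593\t"
    "Security\tAdministrator\tUser\tSuccess Audit\tLE5678WSP\tDetailed Tracking\t"
    "A process has exited:Process ID: 656 User Name: Administrator Domain: LE5678WSP"
    "Logon ID: (0x0,0x6C52)",
    "propc12\tMSWinEventLog\t4\tSystem\t2176\tFri Nov 27 09:59:02 2015\t7036\t"
    "Service Control Manager\tN/A\tN/A\tInformation\tpropc12\tNone\t"
    "The Application Experience service entered the running state.\t0",
]

def parse_snare_line(line):
    """Map one tab-delimited Snare record onto the field names used by Snare Central."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(COLUMNS, parts))
    rec["EXTRA"] = parts[len(COLUMNS):]
    if rec["TABLE"] != "MSWinEventLog":
        raise ValueError(f"not an MSWinEventLog record: {rec['TABLE']!r}")
    if rec["RETURN"] not in RETURN_TYPES:
        raise ValueError(f"unknown RETURN value: {rec['RETURN']!r}")
    # Snare writes a ctime-style timestamp; Snare Central stores DATE and TIME separately.
    ts = datetime.strptime(rec.pop("DATETIME"), "%a %b %d %H:%M:%S %Y")
    rec["DATE"], rec["TIME"] = ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S")
    rec["EVENTID"], rec["EVENTCOUNT"] = int(rec["EVENTID"]), int(rec["EVENTCOUNT"])
    return rec

def counter_gaps(records):
    """Return (system, last_seen, next_seen) for every jump in a host's Snare counter.
    Assumes the counter advances by one per event, so a gap means events were not received."""
    gaps, last = [], {}
    for rec in sorted(records, key=lambda r: (r["SYSTEM"], r["EVENTCOUNT"])):
        prev = last.get(rec["SYSTEM"])
        if prev is not None and rec["EVENTCOUNT"] != prev + 1:
            gaps.append((rec["SYSTEM"], prev, rec["EVENTCOUNT"]))
        last[rec["SYSTEM"]] = rec["EVENTCOUNT"]
    return gaps
```

Running the gap check over an archived file before it is transferred to Snare Central is a cheap way to notice dropped events from an air-gapped host.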
Notes
MSWinEventLog logs are divided into four log tables on the Snare Central server:
WinSecurity
WinApplication
WinSystem
MSWinEventLog
The fields for each of these tables are as per the MSWinEventLog table.