Log Types: MSWinEventLog

Overview

Windows systems can produce a reasonably wide variety of similar log types. Windows NT supported the WinSecurity, WinApplication and WinSystem logs; later versions of Windows expanded the set of log types significantly.

Collection

Snare for Windows agents are capable of collecting and forwarding Windows eventlog data.

In addition, agents are also capable of exporting log data to a file on disk, rather than pushing the events back to a central server.

In situations where systems are air-gapped, or have only sporadic network connectivity, the archived log data can instead be transferred directly to Snare Central via FTP.

Logs should be in standard Snare Agent tab-delimited text format, and can be transferred to the directory /data/SnareCollect/MSWinEventLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Sample Events

propc12    MSWinEventLog    4    System    2174    Fri Nov 27 09:58:51 2015    7036    Service Control Manager    N/A    N/A    Information    propc12    None        The Application Experience service entered the stopped state.    0
Test_Host MSWinEventLog 2 Security 3027 Fri May 24 20:30:43 2010 593 Security Administrator User Success Audit LE5678WSP Detailed Tracking A process has exited:Process ID: 656 User Name: Administrator Domain: LE5678WSPLogon ID: (0x0,0x6C52)

Fields

Field         Description

DATE          Event date, in the format YYYY-MM-DD
TIME          Event time, in the format HH:MM:SS
SYSTEM        The source system
TABLE         MSWinEventLog
EVENTCOUNT    Based on the internal Snare event counter
EVENTID       Windows EventID
SOURCE        The log source, such as "Security" or "Service Control Manager"
USER          The user that generated the event
SOURCETYPE    Source type, such as "User"
RETURN        'Success Audit', 'Failure Audit', 'Error', 'Information', or 'Warning'
DATA          Event data - generally blank except for a few particular events (eg: DrWatson errors)
STRINGS       Any event content that does not fit into the other defined fields
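The following parser, added here as an example and not part of Snare's own code, splits one tab-delimited agent record (as in the sample events above) into the Snare Central fields listed in this table. The positional column order is an assumption derived from the first sample event on this page; the page itself only names the Central fields, not the agent's column order.

```python
import datetime as dt

# Positional layout of a Snare agent MSWinEventLog record. ASSUMPTION: derived
# from the first sample event on this page, not from a Snare specification.
AGENT_COLUMNS = [
    "hostname", "table", "criticality", "logname", "eventcount", "datetime",
    "eventid", "source", "user", "sourcetype", "return", "computer",
    "category", "data", "strings", "checksum",
]

# Constructed sample record, built from the first sample event on this page.
SAMPLE = "\t".join([
    "propc12", "MSWinEventLog", "4", "System", "2174",
    "Fri Nov 27 09:58:51 2015", "7036", "Service Control Manager", "N/A",
    "N/A", "Information", "propc12", "None", "",
    "The Application Experience service entered the stopped state.", "0",
])

RETURN_VALUES = {"Success Audit", "Failure Audit", "Error", "Information", "Warning"}


def parse_snare_record(line):
    """Map one tab-delimited agent record onto the Snare Central field names."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(AGENT_COLUMNS):
        raise ValueError(f"expected {len(AGENT_COLUMNS)} fields, got {len(parts)}")
    raw = dict(zip(AGENT_COLUMNS, parts))
    if raw["table"] != "MSWinEventLog":
        raise ValueError(f"not an MSWinEventLog record: {raw['table']!r}")
    if raw["return"] not in RETURN_VALUES:
        raise ValueError(f"unexpected RETURN value: {raw['return']!r}")
    # The agent emits a ctime-style timestamp; Snare Central stores it as
    # separate DATE (YYYY-MM-DD) and TIME (HH:MM:SS) fields.
    when = dt.datetime.strptime(raw["datetime"], "%a %b %d %H:%M:%S %Y")
    return {
        "DATE": when.strftime("%Y-%m-%d"),
        "TIME": when.strftime("%H:%M:%S"),
        "SYSTEM": raw["hostname"],
        "TABLE": raw["table"],
        "EVENTCOUNT": int(raw["eventcount"]),
        "EVENTID": int(raw["eventid"]),
        "SOURCE": raw["source"],
        "USER": raw["user"],
        "SOURCETYPE": raw["sourcetype"],
        "RETURN": raw["return"],
        "DATA": raw["data"],
        "STRINGS": raw["strings"],
    }
```

A record with the wrong field count or an unknown RETURN value is rejected rather than silently mis-mapped, which is the failure a collector should surface before the nightly import.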

Notes

MSWinEventLog logs are divided into four log tables in the Snare Central server:

  • WinSecurity

  • WinApplication

  • WinSystem

  • MSWinEventLog

The fields for each of these tables are as per the MSWinEventLog table.