Can the Windows evtx log files be forwarded to another SIEM?


SUMMARY

If your servers are managed by a third party and agent-based solutions are not practical, the Snare Central Server can process text-based Windows evtx log exports in batch mode. Your service provider may be able to provide access to such logs by exporting log data on a scheduled basis using the 'wevtutil' application.

Logs exported this way have similar content to those that arrive via a normal Snare for Windows agent; however, there are some minor structural differences, and some information is lost when compared with an agent-based solution.

There are several methods that can export Windows event logs to a format that is compatible with the Snare Central data import capability.
We recommend the following, which exports the log directly to text in one step:

* wevtutil qe Security /f:text > C:\path\to\logs\LogBackup-<date/time>.txt


Alternatively, you may clear and back up the logs in the same step; however, the logs will be exported in a binary format that is not suitable for immediate upload to the Snare Server:

* wevtutil cl Security /bu:c:\path\to\logs\LogBackup-<date/time>.evtx


Binary logs need to be converted to an appropriate text format using the Microsoft tool on a suitable Windows platform, prior to import by the Snare Server. Otherwise, a large amount of detail that is only available on the source system (such as the rendered event message text) will be lost:

* wevtutil qe c:\path\to\logs\LogBackup-<date/time>.evtx /lf:true /f:text > C:\path\to\logs\LogBackup-<date/time>.txt


Once the logs are in a compatible text format, they should be uploaded to the /data/SnareCollect/MSWinTxtExport directory on the Snare Central Server.

This can be achieved through either FTP or SCP/SFTP, using the snarexfer account login details that were set during the install of the system.

The Snare daily task scheduler will execute the script /data/Snare/RunDaily/83MSWinTxtExport.php just after midnight, and the logs will be available from the Snare Central user interface after the processing step has completed.
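The following PowerShell script is an added example that ties the steps above together for a scheduled run; it is not part of the Snare documentation or the Snare product. It assumes the OpenSSH client (scp.exe) is installed on the Windows host, that the Snare Central server is reachable as the placeholder name 'snare-central.example.local', and that key-based SSH authentication for the snarexfer account has already been set up. The export and conversion commands are the ones from the article; the export/upload checks and the helper function names are the example's own.

```powershell
# Added example (not Snare's own code): export the Security log to Snare-compatible
# text, verify the export, and upload it to Snare Central over SCP.
# Assumptions not stated on the page: scp.exe (OpenSSH client) is installed and
# key-based auth for 'snarexfer' is configured; the host name is a placeholder.

$ExportDir = 'C:\path\to\logs'
$SnareHost = 'snare-central.example.local'      # placeholder, replace with your server
$SnareUser = 'snarexfer'                        # account created during Snare Central install
$RemoteDir = '/data/SnareCollect/MSWinTxtExport' # import directory from the article

function Export-SecurityLogText {
    # One-step text export (the article's recommended method). The command is run
    # via cmd.exe so that '>' writes wevtutil's output bytes unchanged, rather than
    # being re-encoded by PowerShell's own redirection.
    param([string]$OutFile)
    cmd.exe /c "wevtutil qe Security /f:text > `"$OutFile`""
    if ($LASTEXITCODE -ne 0) { throw "wevtutil qe Security failed (exit code $LASTEXITCODE)" }
    return $OutFile
}

function Convert-EvtxToText {
    # Two-step path: convert a binary backup (e.g. from 'wevtutil cl Security /bu:...')
    # to text. This must run on a Windows system where the event message
    # resources exist, otherwise the rendered message detail is lost.
    param([string]$EvtxFile, [string]$OutFile)
    cmd.exe /c "wevtutil qe `"$EvtxFile`" /lf:true /f:text > `"$OutFile`""
    if ($LASTEXITCODE -ne 0) { throw "wevtutil conversion of $EvtxFile failed (exit code $LASTEXITCODE)" }
    return $OutFile
}

function Test-ExportFile {
    # Refuse to upload an empty or missing export; a silent zero-byte file would
    # otherwise look like a day with no events in the Snare UI.
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Export file not found: $Path" }
    if ((Get-Item $Path).Length -eq 0) { throw "Export file is empty: $Path" }
    return $true
}

function Send-ToSnare {
    # SCP (SSH) rather than plain FTP, so audit data does not cross the network in clear text.
    param([string]$Path)
    scp $Path "${SnareUser}@${SnareHost}:${RemoteDir}/"
    if ($LASTEXITCODE -ne 0) { throw "Upload of $Path to $SnareHost failed (exit code $LASTEXITCODE)" }
}

# --- main flow -------------------------------------------------------------
if (-not (Test-Path $ExportDir)) { New-Item -ItemType Directory -Path $ExportDir | Out-Null }

# Timestamp that is safe in a file name (no ':' or '/'), standing in for <date/time>.
$Stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$TxtFile = Join-Path $ExportDir "LogBackup-$Stamp.txt"

Export-SecurityLogText -OutFile $TxtFile | Out-Null
Test-ExportFile -Path $TxtFile | Out-Null
Send-ToSnare -Path $TxtFile
Write-Host "Exported and uploaded $TxtFile; it will be processed by the daily 83MSWinTxtExport.php run."
```

Register the script as a scheduled task running under an account that can read the Security log (a member of Event Log Readers or a local administrator), and run it before the Snare daily task fires just after midnight so that each day's export is picked up by the next processing pass. If the provider can only hand over .evtx backups, run Convert-EvtxToText on a Windows host and pass its output to Test-ExportFile and Send-ToSnare in place of the direct export.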