LEEF Format for Windows Logs Sending to QRadar (4232530)

Below is a working LEEF:1.0 template that has been confirmed to work with QRadar for the forwarding of Windows logs.

The Syslog-ng Agent for Windows must be used to forward logs to either a Syslog-ng PE host or a Syslog-ng Store Box using Syslog-IETF format using the default Syslog-ng IETF template built into the Syslog-ng Agent for Windows.

Below are two templates with examples to rewrite the logs into the correct format for QRadar for use on Syslog-ng PE or Syslog-ng Store Box (SSB):

For use in Syslog-ng PE:

destination d_example {
	network(
		"10.10.10.10"
		port(5151)
		transport("udp")
		spoof-source(yes)
		template("${MONTH_ABBREV} ${DAY} ${HOUR}:${MIN}:${SEC} ${HOST} LEEF:1.0|Microsoft|Windows|2k8r2|${.SDATA.win@18372.4.EVENT_ID}|\tdevTime=${R_YEAR}-${R_MONTH}-${R_DAY}T ${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET}\tdevTimeFormat=yyyy-MM-dd'T'HH:mm:ssz\tcat=${.SDATA.win@18372.4.EVENT_TYPE}\tsev=${.SDATA.win@18372.4.EVENT_LEVEL}\tresource=${HOST}\tusrName=${.SDATA.win@18372.4.EVENT_USERNAME}\tapplication=${.SDATA.win@18372.4.EVENT_SOURCE}\tmessage=${MESSAGE}\n")
	);
};

For use in Syslog-ng Store Box (SSB):

1. Log into the WebUI of the SSB
2. Navigate to Log > Destinations
3. Create a new destination choosing Legacy for the Syslog protocol:
4. For the Message template: please choose "Custom on-wire message"
5. In the space provided for the Template: copy and paste the following:

${MONTH_ABBREV} ${DAY} ${HOUR}:${MIN}:${SEC} ${HOST} LEEF:1.0|Microsoft|Windows|2k8r2|${.SDATA.win@18372.4.EVENT_ID}|\tdevTime=${R_YEAR}-${R_MONTH}-${R_DAY}T ${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET}\tdevTimeFormat=yyyy-MM-dd'T'HH:mm:ssz\tcat=${.SDATA.win@18372.4.EVENT_TYPE}\tsev=${.SDATA.win@18372.4.EVENT_LEVEL}\tresource=${HOST}\tusrName=${.SDATA.win@18372.4.EVENT_USERNAME}\tapplication=${.SDATA.win@18372.4.EVENT_SOURCE}\tmessage=${MESSAGE}\n

Once done click "Commit" to save the changes. Logs should be sending in the correct format now.