Return
-
Title
SNARE Template for Windows Logs -
Description
Microsoft Windows logs are not in SNARE format by default and SNARE formatting is required for different SIEM vendors. -
Cause
Microsoft Windows logs are in XML format by default. -
Resolution
To change the log formatting to be in SNARE format please implement one of the following two templates based on the application use.For Syslog-ng Store Box (SSB) using the Syslog-ng Agent for Windows:
1.) Log into the SSB WebUI.2.) Select the "Log" and then "Destination" options on the left hand side of the screen by left clicking on them.3.) If the Destination has not already been created, please create it now.4.) In the template: field within the Destination's options, copy and paste the following code.5.) Commit the changes and ensure logs are now reaching the Destination in the new format.${DATE}\t${HOST}\tMSWinEventLog\t${.SDATA.win@18372.4.EVENT_LEVEL}\t${.SDATA.win@18372.4.EVENT_NAME}\t${.SDATA.win@18372.4.EVENT_REC_NUM}\t${WEEKDAY} ${MONTHNAME} ${DAY} ${HOUR}:${MIN}:${SEC} ${YEAR}\t${.SDATA.win@18372.4.EVENT_ID}\t${.SDATA.win@18372.4.EVENT_SOURCE}\t${.SDATA.win@18372.4.EVENT_USERNAME}\t${.SDATA.win@18372.4.EVENT_SID_TYPE}\t${.SDATA.win@18372.4.EVENT_TYPE}\t${HOST}\t${.SDATA.win@18372.4.EVENT_CATEGORY}\t${MESSAGE}\t\nFor Syslog-ng PE servers using the Syslog-ng Agent for Windows:
1.) Connect to the host using SSH or other means and log in.2.) Edit the Syslog-ng configuration file where the destination is listed for the SIEM.3.) Add the following option to the Destination() (See example below the code)template("${DATE}\t${HOST}\tMSWinEventLog\t${.SDATA.win@18372.4.EVENT_LEVEL}\t${.SDATA.win@18372.4.EVENT_NAME}\t${.SDATA.win@18372.4.EVENT_REC_NUM}\t${WEEKDAY} ${MONTHNAME} ${DAY} ${HOUR}:${MIN}:${SEC} ${YEAR}\t${.SDATA.win@18372.4.EVENT_ID}\t${.SDATA.win@18372.4.EVENT_SOURCE}\t${.SDATA.win@18372.4.EVENT_USERNAME}\t${.SDATA.win@18372.4.EVENT_SID_TYPE}\t${.SDATA.win@18372.4.EVENT_TYPE}\t${HOST}\t${.SDATA.win@18372.4.EVENT_CATEGORY}\t${MESSAGE}\t\n")4.) Restart the Syslog-ng service5.) Ensure logs are now reaching the destination in the new format.*NOTE* The following instructions assume that .SDATA. has been appended as a prefix to all logs in the configuration of the windowsevent() source option within the Syslog-ng configuration on a Syslog-ng PE server. More information on adding the .SDATA. prefix can be found in the Windows Event Collector Admin Guide which has been linked here: https://support.oneidentity.com/technical-documents/syslog-ng-premium-edition/7.0.14/windows-event-collector-administration-guide/2#TOPIC-11878251.) Log into the SSB WebUI.
2.) Select the "Log" and then "Destination" options on the left hand side of the screen by left clicking on them.3.) If the Destination has not already been created, please create it now.4.) In the template: field within the Destination's options, copy and paste the following code.5.) Commit the changes and ensure logs are now reaching the Destination in the new format.${DATE}\t${HOST}\tMSWinEventLog\t${.SDATA.Event.System.Level}\t${.SDATA.Event.System.Channel}\t${.SDATA.Event.System.EventRecordID}\t${WEEKDAY} ${MONTHNAME} ${DAY} ${HOUR}:${MIN}:${SEC} ${YEAR}\t${.SDATA.Event.System.EventID}\t${.SDATA.Event.RenderingInfo.Provider}\t${.SDATA.Event.EventData.SubjectUserName}\t${.SDATA.Event.EventData.ClientProcessId}\t${.SDATA.Event.RenderingInfo.Keywords.Keyword}\t${.SDATA.Event.System.Computer}\t${.SDATA.Event.RenderingInfo.Task}\t${.SDATA.Event.RenderingInfo.Message}\t\nFor Syslog-ng PE servers using Windows Event Collector:
*NOTE* The following instructions assume that .SDATA. has been appended as a prefix to all logs in the configuration of the windowsevent() source option within the Syslog-ng configuration on a Syslog-ng PE server. More information on adding the .SDATA. prefix can be found in the Windows Event Collector Admin Guide which has been linked here: https://support.oneidentity.com/technical-documents/syslog-ng-premium-edition/7.0.14/windows-event-collector-administration-guide/2#TOPIC-1187825
1.) Connect to the host using SSH or other means and log in.2.) Edit the Syslog-ng configuration file where the destination is listed for the SIEM.3.) Add the following option to the Destination() (See example below the code)template("${DATE}\t${HOST}\tMSWinEventLog\t${.SDATA.Event.System.Level}\t${.SDATA.Event.System.Channel}\t${.SDATA.Event.System.EventRecordID}\t${WEEKDAY} ${MONTHNAME} ${DAY} ${HOUR}:${MIN}:${SEC} ${YEAR}\t${.SDATA.Event.System.EventID}\t${.SDATA.Event.RenderingInfo.Provider}\t${.SDATA.Event.EventData.SubjectUserName}\t${.SDATA.Event.EventData.ClientProcessId}\t${.SDATA.Event.RenderingInfo.Keywords.Keyword}\t${.SDATA.Event.System.Computer}\t${.SDATA.Event.RenderingInfo.Task}\t${.SDATA.Event.RenderingInfo.Message}\t\n")4.) Restart the Syslog-ng service5.) Ensure logs are now reaching the destination in the new format.The SNARE formatting is based upon the following requirements and macros associated with said requirement in the following order:For Syslog-ng Agent for Windows:
${DATE}${HOST}MSWinEventLog${.SDATA.win@18372.4.EVENT_LEVEL}${.SDATA.win@18372.4.EVENT_NAME}${.SDATA.win@18372.4.EVENT_REC_NUM}${WEEKDAY} ${MONTHNAME} ${DAY} ${HOUR}:${MIN}:${SEC} ${YEAR}${.SDATA.win@18372.4.EVENT_ID}${.SDATA.win@18372.4.EVENT_SOURCE}${.SDATA.win@18372.4.EVENT_USERNAME}${.SDATA.win@18372.4.EVENT_SID_TYPE}${.SDATA.win@18372.4.EVENT_TYPE}${HOST}${.SDATA.win@18372.4.EVENT_CATEGORY}${MESSAGE}
For Windows Event Collector:${BSDDATE}${HOST}MSWinEventLog${.SDATA.Event.System.Level}${.SDATA.Event.System.Channel}${.SDATA.Event.System.EventRecordID}${WEEKDAY} ${MONTHNAME} ${DAY} ${HOUR}:${MIN}:${SEC} ${YEAR}${.SDATA.Event.System.EventID}${.SDATA.Event.RenderingInfo.Provider}${.SDATA.Event.EventData.SubjectUserName}${.SDATA.Event.EventData.ClientProcessId}${.SDATA.Event.RenderingInfo.Keywords.Keyword}${.SDATA.Event.System.Computer}${.SDATA.Event.RenderingInfo.Task}${.SDATA.Event.RenderingInfo.Message}