Snare: Stream your Windows event logs to Linux
Here we discuss how to stream Windows event logs to Linux syslog. This can be useful, for example, to unify logging and streamline administration.
Snare for Windows is a Windows NT / 2000 / XP / 2003 compatible service that interacts with the underlying Windows Eventlog subsystem to facilitate remote, real-time transfer of event log information. Snare is freeware, released under the terms of the GNU Public Licence (GPL). Event logs from the Security, Application and System logs, as well as the new DNS, File Replication Service, and Active Directory logs are supported. The agent also accommodates custom Windows event logs. Log data is converted to text format, and delivered to a remote Snare or Syslog server with configurable and dynamic facility and priority settings.
On Windows
This Snare installation procedure is based on the program documentation and my experience.
First, we install SnareSetup-3.1.7-MultiArch.exe. Installation is straightforward. Only two things have to be decided when asked by the installer: say yes to let Snare take over control of the EventLog configuration, and, when asked about the remote control interface, I chose local only, with a password. I consider this kind of security reasonable.
After installation, access Snare with a web browser at http://localhost:6161 and log in with the initial user/password snare/snare. Switch to the network configuration section in the left frame and set the parameters as follows:
- override detected dns name -- choose_your_favorite_name (this avoids extra searches in DNS and improves performance)
- destination snare server address -- ip_address_of_your_linux_box (if windows and linux have VPN connections, avoid them and choose direct IPs)
- destination port -- 514
- perform scan of all objectives and choose maximum criticality -- no
- allow snare to automatically set audit information -- yes
- allow snare to automatically set file audit configuration -- yes
- export snare log data to file -- no
- enable active usb auditing -- no
- enable syslog header -- yes
- syslog facility -- local5
- syslog priority -- notice
Restart the SNARE service
Additional settings on the Windows domain controller
I needed a few more domain controller events than MS configures by default. To extend system event monitoring, log in to Windows as administrator and open Start / Administration / Domain controller security policy. In the MMC interface open Local Policies / Audit and set the following parameters (the Russian column gives the labels as they appear in the Russian edition of Windows; the comments in parentheses are mine):
| English name | Russian name | Setting |
|---|---|---|
| Audit logon events | Вход в систему | success + failure (local logons?) |
| Audit object access | Доступ к объектам | no auditing |
| Audit directory service access | Доступ к службе каталогов | success + failure |
| Audit policy change | Изменение политики | success + failure |
| Audit privilege use | Использование привилегий | no auditing |
| Audit process tracking | Отслеживание процессов | no auditing |
| Audit system events | Системные события | success + failure (reboots etc.) |
| Audit account logon events | События входа в систему | success + failure (remote logons?) |
| Audit account management | Управление учетными записями | success + failure |
On Linux
Now it's time for the Linux part.
If you use a firewall like iptables, allow UDP traffic to port 514 from your Windows machine. The following rule in /etc/sysconfig/iptables does that for the server address 10.30.0.1 (it accepts from any source; add -s with the Windows host's address if you want to restrict it to that machine):

```
-A INPUT -p udp -m udp -d 10.30.0.1 --dport 514 -j ACCEPT
```

By default the syslog daemon (rsyslogd) does not accept remote messages. On CentOS it is enabled with the "-r" daemon flag in /etc/sysconfig/syslog:

```
SYSLOGD_OPTIONS="-r -m 0"
```

On other systems, like Fedora or Ubuntu, your mileage may vary.
Now you have to configure how syslog treats the local5/notice log lines coming from Windows. For example, add to /etc/syslog.conf:

```
# windows event log
local5.*                                    /var/log/windows-ru-cp1251.log
```

and exclude local5 messages from /var/log/messages by appending local5.none to the selector of that rule (the .... stands for the selectors already present in your file):

```
*.info;....;local5.none                     /var/log/messages
```

Now restart syslog:

```
service syslog restart
```
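As an added example (not part of the original page), the following Python decodes the PRI value that Snare prepends when "enable syslog header" is on (local5.notice gives <173>) and evaluates the two syslog.conf rules above against it, which shows why such a line lands in the Windows log and not in /var/log/messages. The sample line is constructed, the selector parser covers only the selector forms used on this page, and the "...." in the messages rule is assumed to contain nothing that affects local5.

```python
import re
# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FAC_NAME = {v: k for k, v in FACILITIES.items()}
SEV_NAME = {v: k for k, v in SEVERITIES.items()}

def pri(facility, severity):
    """PRI value Snare puts in its syslog header, e.g. local5.notice -> 173."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(line):
    """Return (facility, severity) names from a '<PRI>...' syslog line."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("line has no syslog PRI header (enable it in Snare)")
    code = int(m.group(1))
    return FAC_NAME[code // 8], SEV_NAME[code % 8]

def selector_matches(selector, facility, severity):
    """Evaluate a syslog.conf selector such as '*.info;local5.none': a level means
    that level or more severe, '.none' drops the facility, later terms override."""
    matched = False
    for term in selector.split(";"):
        fac, level = term.split(".")
        if fac not in ("*", facility):
            continue
        if level == "none":
            matched = False
        else:
            matched = level == "*" or SEVERITIES[severity] <= SEVERITIES[level]
    return matched

# The two rules from the page; the "...." of the messages rule is assumed
# to contain nothing about local5.
RULES = [("local5.*", "/var/log/windows-ru-cp1251.log"),
         ("*.info;local5.none", "/var/log/messages")]

def route(line):
    """Files a syslog line is written to under RULES."""
    fac, sev = decode_pri(line)
    return [path for sel, path in RULES if selector_matches(sel, fac, sev)]

# Constructed sample line: PRI 173 = local5.notice as configured in Snare;
# the message body is illustrative, not Snare's exact field layout.
SAMPLE = "<173>Mar  1 12:00:00 WINDC MSWinEventLog Security 528 logon"
```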
Log encoding
On the Russian edition of Windows 2003 / XP the event log will contain cp1251-encoded Cyrillic messages. In Linux I want it in UTF-8, so I needed a stream service. We can either do this on the fly by using a "tail -f | encoder" combination, or use cron. I failed to fix the former method, as both iconv and recode buffer the incoming stream internally, so that the latest messages are always missing from the log. So we fall back to cron.
Create the executable script /etc/localsite/syslog/winlog-iconv:

```sh
#!/bin/sh
# Re-encode the Windows syslog file from cp1251 to UTF-8; run from cron.
CP1251=/var/log/windows-ru-cp1251.log
UTF8=/var/log/windows-ru.log
# Nothing to do if the source is unreadable or has not changed since the last conversion.
[ ! -r "$CP1251" -o "$CP1251" -ot "$UTF8" ] && exit 0
iconv -f cp1251 -t utf8 -o "$UTF8" "$CP1251" 2>/dev/null
exit 0
```

Set up a crontab entry in /etc/cron.d/winlog-iconv:

```
*/5 * * * * root /etc/localsite/syslog/winlog-iconv
```

Restart cron:

```
service crond restart
```
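The script above re-encodes the whole file on every run. As an added example (not the page's script), here is an incremental variant in Python that can be run from the same crontab entry instead: it only converts the complete lines written since the last run, leaves a half-written last line for the next run, and starts over when the source shrinks after logrotate. The log paths are the ones from the page; the offset file location is an assumption of this example, and demo() runs the converter over constructed sample input in a temporary directory.

```python
import os

# Paths from the page; the offset file location is an assumption of this example.
SRC = "/var/log/windows-ru-cp1251.log"
DST = "/var/log/windows-ru.log"
STATE = "/var/lib/winlog-iconv.offset"

def convert_new_lines(src, dst, state):
    """Append the complete lines written to src since the last run to dst,
    re-encoded cp1251 -> UTF-8, and remember how far we got. Returns the
    number of lines converted. A src that shrank (logrotate) is reread."""
    offset = 0
    if os.path.exists(state):
        with open(state) as f:
            offset = int(f.read().strip() or 0)
    if os.path.getsize(src) < offset:
        offset = 0
    with open(src, "rb") as f:
        f.seek(offset)
        chunk = f.read()
    cut = chunk.rfind(b"\n") + 1          # bytes up to the last complete line
    if cut == 0:
        return 0
    text = chunk[:cut].decode("cp1251", errors="replace")
    with open(dst, "a", encoding="utf-8") as out:
        out.write(text)
    with open(state, "w") as f:
        f.write(str(offset + cut))
    return text.count("\n")

def demo():
    """Exercise the converter on constructed sample input in a temp directory."""
    import tempfile
    d = tempfile.mkdtemp()
    src, dst, state = (os.path.join(d, n) for n in ("cp1251.log", "utf8.log", "off"))
    full = "Mar  1 12:00:00 WINDC MSWinEventLog Вход в систему\n"
    part = "Mar  1 12:00:01 WINDC Изменение политики"
    with open(src, "wb") as f:                   # line 2 is still being written
        f.write((full + part).encode("cp1251"))
    first = convert_new_lines(src, dst, state)   # converts only line 1
    with open(src, "ab") as f:
        f.write(" успех\n".encode("cp1251"))
    second = convert_new_lines(src, dst, state)  # now line 2 is complete
    with open(dst, encoding="utf-8") as f:
        return {"first": first, "second": second, "output": f.read()}

if __name__ == "__main__":
    convert_new_lines(SRC, DST, STATE)
```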
LogWatch
Logwatch can be used to analyze Windows logs. Use the following scripts as a basis for your setup:
- /etc/log.d/conf/logfiles/windows.conf
- /etc/log.d/conf/services/windows.conf
- /etc/log.d/scripts/logfiles/windows/applydate
- /etc/log.d/scripts/logfiles/windows/removeheaders
- /etc/log.d/scripts/services/windows