How to collect Windows Event Logs with syslog-ng without installing an agent

With the release of syslog-ng Premium Edition 7.0.6, you can collect Windows event logs without installing any third party application on your Windows-based computer.

The benefits are obvious:

  • You don’t need to install any additional application (reducing administrative overhead and possible security risk).
  • You can manage the subscription from Windows Group Policy (permission, certificates, destination).

How does it work?

First of all, install syslog-ng Premium Edition 7.0.6 or newer on your Linux-based computer. In my case, I installed it on Ubuntu Xenial. The event logs will come from a server running Windows Server 2016.

syslog-ng collects the logs from Windows through its Windows Event Collector (WEC) tool, which ships with the syslog-ng installer. WEC uses the native Windows Event Forwarding protocol: the Windows hosts are configured with a subscription and push their events to WEC.

You only need to set up a few things on Windows:

  • Generate and install the certificates, because the communication uses HTTPS.
  • Configure the required permissions so that NETWORK SERVICE can access the installed certificate and read the event logs (by adding it to the Event Log Readers group).
  • Set up the forwarder (it is a single-line setting).

You can find the details in the syslog-ng PE Administrator’s Guide: https://syslog-ng.com/documents/html/syslog-ng-pe-latest-guides/en/syslog-ng-pe-wec-guide/html/index.html.

On the syslog-ng side:

  • Generate and install the certificates (the same way as on Windows).
  • Write the configuration file.
  • Enable WEC to run as a service.

After you have installed syslog-ng Premium Edition, you will find the WEC tool next to syslog-ng in /opt/syslog-ng/sbin (if you installed syslog-ng in the default path).

root@ubuntu-xenail-amd64:~# /opt/syslog-ng/sbin/wec  -v
Windows Event Collector for syslog-ng (WEC) v1.0.0

The configuration of my WEC is at the end of this blog post. It allows any computer that passes the certificate check to send event logs to this WEC, but collects only logon and logoff events from the Security log. This is a debug configuration, so don't forget to set the log level to info when you are ready for production.

Just replace the cert and key files with yours, then start WEC as a foreground process.

root@ubuntu-xenail-amd64:~# /opt/syslog-ng/sbin/wec -c /opt/syslog-ng/etc/wec.yaml
2018-01-04T15:09:59.152+0100    INFO    Event collector server started    {"port": 5986}
2018-01-04T15:09:59.154+0100    INFO    Trying to connect to unix datagram socket    {"unix-datagram": "/opt/syslog-ng/var/run/wec.sock"}
2018-01-04T15:09:59.155+0100    INFO    New CA cert    {"filename": "/opt/syslog-ng/etc/cadir/e3e00305-d873-4c94-80ff-c2ef9017f384.cacert", "blockIndex": 0, "RootCA": true, "_ca_thumbprint": "ACBD5EAB627D93AC6302C11C6108D30B91D494F3"}
2018-01-04T15:09:59.155+0100    INFO    Could not connect to unix datagram socket    {"unix-datagram": "/opt/syslog-ng/var/run/wec.sock", "error": "dial unixgram /opt/syslog-ng/var/run/wec.sock: connect: no such file or directory"}
2018-01-04T15:10:03.386+0100    DEBUG    Connection established    {"address": "10.140.1.11:58651"}

You can see that WEC is listening on port 5986 and tries to connect to a socket that does not exist yet (because I have not started syslog-ng yet).

There is another important entry: the connection from my Windows Server 2016 host is established (10.140.1.11 is its IP address).

How does the communication happen between WEC and syslog-ng?

  • When WEC receives the event logs from Windows, it writes them to the configured unix datagram socket in XML form.
  • syslog-ng reads this socket and parses the incoming XML log. After parsing, you can forward it, for example, to your SIEM via TCP+SSL.
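To make the two steps above concrete, here is an added example (not code from syslog-ng or from this post) that plays both roles in one process: it hands a constructed Windows Event XML document over a unix datagram socket, the way WEC passes events to syslog-ng, then flattens the XML into named fields and keeps only the 4624/4634 events the subscription query selects. The event content, host name and socket path are constructed for the example.

```python
import os
import socket
import tempfile
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample in the Windows Event XML schema (not a capture from the page's lab).
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>win2016.example.test</Computer>
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>S-1-5-18</Data>
    <Data Name='TargetUserName'>alice</Data>
  </EventData>
  <RenderingInfo Culture='en-US'>
    <Message>An account was successfully logged on.</Message>
    <Keywords><Keyword>Audit Success</Keyword></Keywords>
  </RenderingInfo>
</Event>"""
WANTED_EVENT_IDS = {4624, 4634}  # the logon/logoff pair the subscription query on this page selects

def parse_event(xml_text):
    """Flatten one Windows Event XML document into the fields a SIEM usually keys on."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "Channel": root.findtext("e:System/e:Channel", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "Message": root.findtext("e:RenderingInfo/e:Message", namespaces=NS),
        "Keywords": [k.text for k in root.findall("e:RenderingInfo/e:Keywords/e:Keyword", NS)],
    }
    for data in root.findall("e:EventData/e:Data", NS):  # EventData entries become named fields
        fields[data.get("Name")] = data.text
    return fields

def relay_over_datagram_socket(xml_text):
    """Pass one event over a unix datagram socket, as WEC does to syslog-ng, then parse it.
    The receiver (syslog-ng's role) binds first; a sender to a missing path gets ENOENT."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wec.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as receiver, \
             socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sender:
            receiver.bind(path)
            sender.sendto(xml_text.encode(), path)
            received = receiver.recv(65536).decode()
    fields = parse_event(received)
    return fields if fields["EventID"] in WANTED_EVENT_IDS else None
```

The bind-before-send ordering is the reason the WEC log above reports "no such file or directory" until syslog-ng has created the socket.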

Now start syslog-ng with the configuration shown at the end of this post. It overrides the default prefix of the windowsevent source and stores every field of the XML log in SDATA (this is useful if you want to forward the events, for example, to a syslog-ng Store Box).

/opt/syslog-ng/sbin/syslog-ng -Fe

In the WEC log, you will see the following changes:

2018-01-04T15:21:28.248+0100    INFO    Connected to unix datagram socket    {"unix-datagram": "/opt/syslog-ng/var/run/wec.sock"}
...
2018-01-04T15:21:28.778+0100    DEBUG    eventEndpoint    {"clientAddress": "10.140.1.11:59032", "subscriptionID": "B5D1AB74-BB40-50F0-916E-EF5431292608", "id": "1"}
2018-01-04T15:21:28.779+0100    DEBUG    actionHandler    {"messageID": "uuid:20DFA6E2-6EFA-412F-A74D-2E8F1A3EDAB8", "action": "http://schemas.dmtf.org/wbem/wsman/1/wsman/Events"}
2018-01-04T15:21:28.779+0100    DEBUG    events
2018-01-04T15:21:28.781+0100    DEBUG    Message written to unix-datagram    {"event": "<Event xmlns='

WEC could now connect to the datagram socket (because syslog-ng had already been started and was listening on it), Windows began to forward events to WEC, and WEC forwarded them to syslog-ng.

In the output file of syslog-ng, you will find the event:

<13>1 2018-01-04T15:27:09+01:00 ubuntu-xenail-amd64 - - - [Event.RenderingInfo.Keywords Keyword="Audit Success"][Event.RenderingInfo _Culture="en-US" Message="An account was successfully logged on.
Subject:
Security ID:            S-1-5-18
…

A Windows event can be quite big, so this is just a small part of the full event.

So now we have a Windows host that forwards its events to the WEC tool running on Linux next to syslog-ng, and WEC forwards the logs to syslog-ng, also running on Linux. We did not have to install any extra application on Windows.

Only one thing is left: enabling WEC to run as a service (because you don't want to start it manually):

systemctl enable syslog-ng-wec   # start it at boot
systemctl start syslog-ng-wec

For more details, please read the Windows Event Collector section of the Administrator’s Guide.

Example WEC tool config:

server: server
port: 5986
cadir: /opt/syslog-ng/etc/cadir
certfile: /opt/syslog-ng/etc/wec.crt
keyfile: /opt/syslog-ng/etc/wec.key

log:
  level: "debug" # set it to info when it is in production

eventdestination:
  unixdatagram: "/opt/syslog-ng/var/run/wec.sock"

subscriptions:
  - name: "pzolee_test_subscription"
    computers:
      - "*"
    contentformat: "RenderedText"
    heartbeats: 900.000
    connectionretry: 60.0
    batchtimeoutlimit: 900.000
    queries: |
      <QueryList>
        <Query Id="0">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4634)]]</Select>
        </Query>
      </QueryList>

Example syslog-ng configuration:

root@ubuntu-xenail-amd64:/opt/syslog-ng# cat /opt/syslog-ng/etc/syslog-ng.conf
@version: 7.0
@include "scl.conf"

source s_windowsevent_source {
    windowsevent(
        prefix(.SDATA)
        unix-domain-socket(/opt/syslog-ng/var/run/wec.sock)
    );
};

destination d_file {
    file("/var/testdb_working_dir/2a74bc1f-20e8-42d7-ad46-604250ac8ee4.txt" flags(syslog-protocol));
};

log {
    source(s_windowsevent_source);
    destination(d_file);
    flags(flow-control);
};
