Logging is quintessential in figuring out problematic behavior of your machine. Windows logs can sometimes be muddled and not straightforward which can lead to increased time for debugging or troubleshooting problems. EventLog steps up to spotlight for collecting, reviewing and optionally alerting on all data you receive from your Windows servers and workstations. In some cases, centralized location for log collecting is mandatory. ​
Installing syslog server and forwarder
Windows itself has somewhat rigid EventLog forwarder (here you can learn more on this topic: https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection, https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2), which does not support everything necessary for configuring exporting log messages.
Any syslog exporter can be used, but in this text we will cover Snare Open Source Agent. Snare is lightweight log collector with quite smooth configuration. It can be downloaded either from Snare Solutions website or some alternative one (https://www.snaresolutions.com/products/snare-agents/open-source-agents/ or for example https://www.heise.de/download/product/snare-57491/download/danke?id=57491-1). After downloading the file, the installation is simple. Allow Snare to take over EventLog configuration and use built-in account or your system specific account.
On the next page we have Remote Control Interface, which needs to be enabled for the Snare configuration. Password is highly recommended and Local access should only strengthen the security.
This step marks the completion of Snare installation. Snare configuration can now be accessed via browser by using the following link: http://localhost:6161 (from the same machine).
You will be greeted with a few clickable pages. First, let's configure log forwarding by clicking on Network Configuration on the left side:
Mandatory fields are: Destination Snare Server address, Destination port and Enable syslog header. As for the syslog facility and syslog priority, they are completely configurable and will be shown that way in EventLog collector. Next, move on to Objectives Configuration:
This is a default configuration, which will probably be sufficient. However, if you want to include every message Snare collected, configure it like this:
Last but not least, go to Apply the Latest Audit Configuration and click on Reload settings. After that, syslog messages should start flowing to your Evenlog collector.
To check whether Snare is really collecting messages go to Current Events:
If messages are present, Snare is configured as intended and functioning.
Snare has numerous configuration options inside Objective configuration, so you can tailor it according to your organization's needs.