
Raw Windows Events from a Centralized Log Manager

Created: 07 Jan 2013 • Updated: 09 Jan 2013 | 8 comments
This issue has been solved. See solution.

Here is my situation:

We have a Qradar log manager. All of our Windows domain controllers are sending events to it via a QRadar agent. QRadar is able to forward raw Windows event logs to our Symantec SSIM. My Symantec SSIM is receiving the logs, but the events are not normalized. Nothing is being correlated, just raw events that SSIM doesn't know what to do with.

Other than installing Snare for Windows Event Collector on every domain controller, how can I get these Windows events to my SSIM from my centralized log manager in a way that it knows what to do with them?


SK Ooi:

Do you have a sample of what the RAW logs from Qradar look like?

In general Qradar can forward logs, but the question becomes how Qradar sends logs to SSIM and did Qradar modify the logs?

Specifically for Windows collectors, SSIM uses a Windows Sensor to process those logs. If logs are coming in through other means then they will NOT be passed through the regular Windows Translator + SES Processor + Filtering/Aggregation.

Let's put up a sample RAW log and I can give you a definite answer.

SK

mathell:

I assume QRadar is using syslog to send the messages? How is QRadar formatting these events? You might try to see if you can format the events like Snare (QRadar would need to support this) and then use the Snare collector. If QRadar can't do it, you might be able to put rsyslog in the middle and convert the events into the Snare format that way. FWIW, don't expect them to be correlated all that well. SSIM does a pretty poor job of parsing Windows events.

VSK:

How is QRadar forwarding the raw Windows event logs to our Symantec SSIM? Is it using the universal/generic syslog?

-VSK

squarles:

I've got Qradar forwarding unmodified events from several domain controllers. As far as I know, Qradar is just relaying the raw event. This is what I get when I collect the raw event from my Universal Syslog Event Collector.

Description = Jan 08 11:52:24 domaincontroler1.tnbd.local AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=1.0.14    Source=Security    Computer=DOMAINCONTROLER1    User=SYSTEM    Domain=NT AUTHORITY    EventID=673    EventIDCode=673    EventType=8    EventCategory=9    RecordNumber=2512204049    TimeGenerated=1357667544    TimeWritten=1357667544    Message=Service Ticket Request: User Name: DELLPC$@TNBD.LOCAL User Domain: TNBD.LOCAL Service Name: DELLPC$ Service ID: TNB\MSJAKMOD56217$ Ticket Options: 0x40810000 Ticket Encryption Type: 0x17 Client Address: 10.4.169.151 Failure Code: - Logon GUID: {6f68f371-af48-f819-d713-6b917ee0fa9c} Transited Services: -

event_desc = Jan 08 11:52:24 domaincontroler1.tnbd.local AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=1.0.14    Source=Security    Computer=DOMAINCONTROLER1    User=SYSTEM    Domain=NT AUTHORITY    EventID=673    EventIDCode=673    EventType=8    EventCategory=9    RecordNumber=2512204049    TimeGenerated=1357667544    TimeWritten=1357667544    Message=Service Ticket Request: User Name: DELLPC$@TNBD.LOCAL User Domain: TNBD.LOCAL Service Name: DELLPC$ Service ID: TNB\DELLPC$ Ticket Options: 0x40810000 Ticket Encryption Type: 0x17 Client Address: 10.4.169.151 Failure Code: - Logon GUID: {6f68f371-af48-f819-d713-6b917ee0fa9c} Transited Services: -


mathell:

Those look like QRadar proprietary formatted. There really is no default plain text raw event on a Windows box, the event logs are in a proprietary binary format. I think you're either going to have to create a custom collector or convert into a format SSIM understands like Snare.
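
The conversion mathell describes, QRadar's key=value relay rewritten into Snare's tab-delimited layout so that SSIM's Windows Translator would recognise it, as an added example that is not code from this thread, from Symantec, IBM or Snare. The sample line is constructed from squarles's capture; the Snare column order, the SIDType and DataString filler values, and the Security-log category names for Windows Server 2003 are assumptions from the published Snare format and Windows documentation rather than anything stated in the thread.

```python
import re
import time

# Constructed sample: squarles's QRadar-relayed Security event, with the tab separators
# QRadar places between the AgentDevice=WindowsLog fields (the forum rendered them as spaces).
SAMPLE_EVENT = (
    "Jan 08 11:52:24 domaincontroler1.tnbd.local AgentDevice=WindowsLog\tAgentLogFile=Security\t"
    "PluginVersion=1.0.14\tSource=Security\tComputer=DOMAINCONTROLER1\tUser=SYSTEM\t"
    "Domain=NT AUTHORITY\tEventID=673\tEventIDCode=673\tEventType=8\tEventCategory=9\t"
    "RecordNumber=2512204049\tTimeGenerated=1357667544\tTimeWritten=1357667544\t"
    "Message=Service Ticket Request: User Name: DELLPC$@TNBD.LOCAL Client Address: 10.4.169.151"
)

# Windows EVENTLOG_* type codes as carried in QRadar's EventType field.
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Success Audit", 16: "Failure Audit"}
# Security-log category numbers on Windows Server 2003 (assumed mapping).
SECURITY_CATEGORIES = {1: "System", 2: "Logon/Logoff", 3: "Object Access",
                       4: "Privilege Use", 5: "Detailed Tracking",
                       6: "Policy Change", 7: "Account Management",
                       8: "Directory Service Access", 9: "Account Logon"}
# QRadar separates fields with tabs; a copy/paste often turns them into runs of spaces.
SEP = r"\t+| {2,}"

def parse_qradar_event(line):
    """Return the key=value fields of a QRadar AgentDevice=WindowsLog line as a dict."""
    head, marker, rest = line.partition(" AgentDevice=")
    if not marker:
        raise ValueError("not a QRadar WindowsLog event")
    # Message is the last field and contains spaces, so split it off before tokenising.
    parts = re.split(r"(?:%s)Message=" % SEP, rest, maxsplit=1)
    fields = {"syslog_host": head.split()[-1], "Message": parts[1] if len(parts) > 1 else ""}
    for token in re.split(SEP, "AgentDevice=" + parts[0]):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def to_snare(fields):
    """Re-emit the event in Snare's tab-delimited layout (order assumed); relay adds the syslog header."""
    # Snare's DateTime column; rendered in UTC here, the syslog header carries the host's local time.
    when = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(int(fields["TimeGenerated"])))
    has_user = bool(fields.get("User"))
    columns = [
        "MSWinEventLog", "1", fields["AgentLogFile"], fields["RecordNumber"], when,
        fields["EventID"], fields["Source"],
        fields["Domain"] + "\\" + fields["User"] if has_user else "N/A", "User" if has_user else "N/A",
        EVENT_TYPES.get(int(fields["EventType"]), "Unknown"), fields["Computer"],
        SECURITY_CATEGORIES.get(int(fields["EventCategory"]), fields["EventCategory"]),
        "None", fields["Message"], "0",
    ]
    return "\t".join(columns)
```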

squarles:

Thanks for the look at this for me!

We may end up just putting Snare agents on all the DCs. It would seem like the simplest solution. I'm just trying to give my IT people all the options.

These are Windows Server 2003 Domain Controllers, would an "off box" Windows event log collector work?

mathell:

Yes, the SSIM supports both Snare collection and Event Collector 4.3 for Microsoft Windows. "off-box" in the SSIM environment typically means not installed on the SSIM appliance, so you'll want to be careful with the terminology. I think what you mean is can it be installed so that you don't need an agent on each Windows host? I don't have experience with this collector myself, but I'm pretty sure it can.

SOLUTION