Thursday, 23 October 2008

Windows Syslog Agents Plus Splunk

I've been mulling strategies for putting Windows Event Logs into Splunk. Several options exist.


  1. Deploy Splunk in forwarding mode on the Windows system.

  2. Deploy a Syslog agent on the Windows system.

  3. Deploy OSSEC on the Windows system and send the OSSEC output to Splunk.

  4. Deploy Windows Log Parser to send events via Syslog on a periodic basis.

  5. Retrieve Windows Event Logs periodically using WMIC.

  6. Retrieve Windows Event Logs using another application, like LogLogic Lasso or DAD.


I'd done number 2 before using NTSyslog, so I decided to see what might be newer as far as deploying Syslog agents on Windows goes.

I installed DataGram SyslogAgent, a free Syslog agent for Windows, on a Windows XP VM.



It was very easy to set up. I pointed it toward a free Splunk instance running on my laptop and got results like the following.



I noticed some odd characters inserted in the log messages, but nothing too extraordinary.

Next I tried the other modern free Syslog agent for Windows, SNARE. Development seems very active. I configured it to point to my Splunk server.



Next I checked the Splunk server for results.



As you can see, the SNARE messages appear to be formatted a little better (i.e., no weird characters).

I was able to find logon messages recorded at different times by different Syslog agents. In the following screen capture, the top message is from SNARE and the bottom is from SyslogAgent.



I think if I decide to use a Syslog agent on Windows, I'll spend more time validating SNARE.
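The comparison above comes down to whether an agent's output parses cleanly once it reaches Splunk. As an added example, not code from the original post or from either agent's vendor, here is a small Python check one could run over lines received from an agent before trusting them for searches or correlation: it parses the RFC 3164 syslog header, flags non-printable characters of the kind noticed in the SyslogAgent output, splits a Snare-style tab-delimited payload into named fields, and picks out logon events (IDs 528 and 540 on Windows XP/2003, 4624 on Vista and later). The sample lines are constructed; the Snare field order is an assumption based on Snare's documented MSWinEventLog layout (verify it against your agent version), and the event ID heuristic used for the non-Snare line is likewise an assumption.

```python
import re

# Constructed sample lines (not captured from the setup in the post).
# Line 1 mimics a Snare-style tab-delimited Windows Security event.
# Line 2 mimics a generic agent message carrying stray control characters,
# the kind of "odd characters" worth catching before the data lands in Splunk.
SAMPLE_LINES = [
    "<13>Oct 23 10:15:02 WINXP MSWinEventLog\t1\tSecurity\t42\t"
    "Thu Oct 23 10:15:01 2008\t528\tSecurity\tadministrator\tUser\t"
    "Success Audit\tWINXP\tLogon/Logoff\t\t"
    "Successful Logon: User Name: administrator Domain: WINXP Logon Type: 2\t0",
    "<13>Oct 23 10:16:30 WINXP Security: 528: Successful Logon\x00\x1b "
    "User Name: administrator\x07 Domain: WINXP",
]

# Assumed Snare field order (after the syslog host), per Snare's documented layout.
SNARE_FIELDS = [
    "Marker", "Criticality", "LogName", "SnareCounter", "DateTime", "EventID",
    "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString", "Checksum",
]

# Windows logon event IDs: 528/540 on XP/2003 (interactive/network), 4624 on Vista+.
LOGON_EVENT_IDS = {528, 540, 4624}

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.S,
)


def parse_syslog(line):
    """Split a syslog line into PRI (facility/severity), timestamp, host and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "ts": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def find_control_chars(msg):
    """Return (offset, hex) for every non-printable character; TAB is allowed
    because Snare uses it as the field delimiter."""
    return [(i, "0x%02x" % ord(c)) for i, c in enumerate(msg)
            if not (c.isprintable() or c == "\t")]


def sanitize(msg):
    """Escape control characters as \\xNN so they stay visible and searchable."""
    return "".join(c if (c.isprintable() or c == "\t") else "\\x%02x" % ord(c)
                   for c in msg)


def parse_snare(msg):
    """Map a Snare tab-delimited payload onto SNARE_FIELDS; None if not Snare."""
    fields = msg.split("\t")
    if fields[0] != "MSWinEventLog":
        return None
    return dict(zip(SNARE_FIELDS, fields))


def extract_event_id(msg):
    """Event ID from a Snare payload, or (assumed heuristic) the number after
    the first 'Source:' token in a free-form agent message."""
    snare = parse_snare(msg)
    if snare is not None:
        text = snare.get("EventID", "")
    else:
        m = re.match(r"[^:]+: (\d+):", msg)
        text = m.group(1) if m else ""
    return int(text) if text.isdigit() else None


def summarize(line):
    """One record per line: who sent it, which event, is it a logon, is it clean."""
    rec = parse_syslog(line)
    event_id = extract_event_id(rec["msg"])
    return {
        "host": rec["host"],
        "facility": rec["facility"],
        "severity": rec["severity"],
        "agent": "snare" if parse_snare(rec["msg"]) else "other",
        "event_id": event_id,
        "logon": event_id in LOGON_EVENT_IDS,
        "control_chars": len(find_control_chars(rec["msg"])),
        "clean_msg": sanitize(rec["msg"]),
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        s = summarize(line)
        print("%-5s event=%s logon=%s ctrl=%d" %
              (s["agent"], s["event_id"], s["logon"], s["control_chars"]))
```

Run it against a capture from each agent (for example a few hundred lines saved from a syslog receiver) and any line with a non-zero control character count, or one whose event ID cannot be extracted, is the one to investigate before building searches on it.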
