BalaBit IT Security for Microsoft Windows Events

The Microsoft Windows Security Event Log DSM in JSA can accept Log Extended Event Format (LEEF) events from BalaBit's Syslog-ng Agent.

The BalaBit Syslog-ng Agent forwards the following Windows events to JSA by using syslog:

  • Windows security

  • Application

  • System

  • DNS

  • DHCP

  • Custom container event logs

Before you can receive events from BalaBit IT Security Syslog-ng Agents, you must install and configure the agent to forward events.

Before You Begin

Review the following configuration steps before you configure the BalaBit Syslog-ng Agent:

  1. Install the BalaBit Syslog-ng Agent on your Windows host. For more information, see your BalaBit Syslog-ng Agent documentation.

  2. Configure Syslog-ng Agent Events.

  3. Configure JSA as a destination for the Syslog-ng Agent.

  4. Restart the Syslog-ng Agent service.

  5. Optional. Configure the log source in JSA.

Configuring the Syslog-ng Agent Event Source

Before you can forward events to JSA, you must specify what Windows-based events the Syslog-ng Agent collects.

  1. From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

    The Syslog-ng Agent window is displayed.

  2. Expand the Syslog-ng Agent Settings pane, and select Eventlog Sources.
  3. Double-click Event Containers.

    The Event Containers Properties window is displayed.

  4. From the Event Containers pane, select the Enable radio button.
  5. Select a check box for each event type you want to collect:
    • Application - Select this check box if you want the device to monitor the Windows application event log.

    • Security - Select this check box if you want the device to monitor the Windows security event log.

    • System - Select this check box if you want the device to monitor the Windows system event log.

    Note

    BalaBit's Syslog-ng Agent supports other event types, such as DNS or DHCP events by using custom containers. For more information, see your BalaBit Syslog-ng Agent documentation.

  6. Click Apply, and then click OK.

    The event configuration for your BalaBit Syslog-ng Agent is complete. You are now ready to configure JSA as a destination for Syslog-ng Agent events.

Configuring a Syslog Destination

The Syslog-ng Agent allows you to configure multiple destinations for your Windows-based events.

To configure JSA as a destination, you must specify the IP address for JSA, and then configure a message template for the LEEF format.

  1. From the Start menu, select All Programs > Syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

    The Syslog-ng Agent window is displayed.

  2. Expand the Syslog-ng Agent Settings pane, and click Destinations.
  3. Double-click Add new server.

    The Server Property window is displayed.

  4. On the Server tab, click Set Primary Server.
  5. Configure the following parameters:
    • Server Name - Type the IP address of your JSA console or Event Collector.

    • Server Port - Type 514 as the TCP port number for events to be forwarded to JSA.

  6. Click the Messages tab.
  7. From the Protocol list, select Legacy BSD Syslog Protocol.
  8. In the Template field, define a custom template message for the protocol by typing:

    <${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}

    The information that is typed in this field is space delimited.

  9. From the Event Message Format pane, in the Message Template field, type or copy and paste the following text to define the format for the LEEF events:

    1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET} devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${EVENT_TYPE} sev=${EVENT_LEVEL} resource=${HOST} usrName=${EVENT_USERNAME} application=${EVENT_SOURCE} message=${EVENT_MSG}

    Note

    It is suggested that you do not change the text.

    Note

    The LEEF format uses a tab as the delimiter that separates event attributes from each other. However, the tab delimiter does not start until after the last pipe character, the one that follows ${EVENT_ID}. Each of the following attributes must be preceded by a tab character, not a space: devTime, devTimeFormat, cat, sev, resource, usrName, application, and message.

    You might need to use a text editor to copy and paste the LEEF message format into the Message Template field.

  10. Click OK.

    The destination configuration is complete. You are now ready to restart the Syslog-ng Agent service.
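The two templates above are easy to get wrong when they are pasted by hand: a space instead of a tab merges two attributes into one value, and a line break inside a macro turns ${R_MIN} into "$ {R_MIN}", which the agent will not expand. As an added example that is not part of the Juniper or BalaBit documentation, the following Python script checks a Message Template string for exactly those mistakes and then parses a sample event line, constructed here, in the shape the agent produces with the syslog template "<${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}". The sample host, user, event ID and timestamp are made up, and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Attributes that the procedure requires after the LEEF header.
REQUIRED_FIELDS = ("devTime", "devTimeFormat", "cat", "sev", "resource",
                   "usrName", "application", "message")

# The Message Template from the procedure, written with real tab characters
# (\t) between attributes, which is what the note about delimiters requires.
GOOD_TEMPLATE = (
    "1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|"
    "devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET}"
    "\tdevTimeFormat=yyyy-MM-dd'T'HH:mm:ssz\tcat=${EVENT_TYPE}\tsev=${EVENT_LEVEL}"
    "\tresource=${HOST}\tusrName=${EVENT_USERNAME}\tapplication=${EVENT_SOURCE}"
    "\tmessage=${EVENT_MSG}"
)

# Constructed copy-and-paste mistakes: whitespace inside a macro and a space
# instead of a tab before sev=.
BAD_TEMPLATE = GOOD_TEMPLATE.replace("${R_MIN}", "$ {R_MIN}").replace("\tsev=", " sev=")

# Constructed sample of one rendered event (host, user, ID and time are made up).
SAMPLE_EVENT = (
    "<13>Mar  4 10:15:22 WINHOST01 LEEF:1.0|Microsoft|Windows|2k8r2|4624|"
    "devTime=2024-03-04T10:15:22GMT+01:00\tdevTimeFormat=yyyy-MM-dd'T'HH:mm:ssz"
    "\tcat=Audit Success\tsev=0\tresource=WINHOST01\tusrName=alice"
    "\tapplication=Microsoft-Windows-Security-Auditing"
    "\tmessage=An account was successfully logged on. Logon Type: 2 | Logon ID: 0x3E7"
)

SYSLOG_LEEF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<bsddate>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) LEEF:(?P<leef>.*)$",
    re.DOTALL,
)
# devTime as rendered by the template: yyyy-MM-dd'T'HH:mm:ss followed by GMT+hh:mm.
DEVTIME_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})GMT([+-])(\d{2}):(\d{2})$")


def check_message_template(template):
    """Return a list of problems found in a Message Template string (empty list means OK)."""
    problems = []
    if re.search(r"\$\s+\{|\$\{\s", template):
        problems.append("macro contains whitespace, e.g. '$ {R_MIN}'; write ${R_MIN}")
    head, sep, attrs = template.partition("${EVENT_ID}|")
    if not sep or head.count("|") != 4:
        problems.append("header must read version|vendor|product|productVersion|${EVENT_ID}|")
        return problems
    seen = []
    for field in attrs.split("\t"):
        name, eq, value = field.partition("=")
        if not eq:
            problems.append(f"attribute {field!r} has no '='")
            continue
        seen.append(name)
        # A space instead of a tab makes the next attribute part of this value.
        for swallowed in re.findall(r"\s(\w+)=", value):
            problems.append(f"space instead of tab before {swallowed}=")
            seen.append(swallowed)
        if name == "devTime" and re.search(r"\s", value):
            problems.append("devTime value must contain no whitespace")
    for name in REQUIRED_FIELDS:
        if name not in seen:
            problems.append(f"required attribute {name}= is missing")
    return problems


def devtime_to_utc(devtime):
    """Convert a devTime string in the devTimeFormat yyyy-MM-dd'T'HH:mm:ssz to an aware UTC datetime."""
    m = DEVTIME_RE.match(devtime)
    if not m:
        raise ValueError(f"devTime {devtime!r} does not match devTimeFormat")
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    offset = timedelta(hours=int(m.group(8)), minutes=int(m.group(9)))
    if m.group(7) == "-":
        offset = -offset
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone(offset)).astimezone(timezone.utc)


def parse_leef_event(line):
    """Parse one line produced with the '<${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}' syslog template."""
    m = SYSLOG_LEEF_RE.match(line)
    if not m:
        raise ValueError("line does not match the syslog/LEEF template")
    pri = int(m.group("pri"))
    # Split on at most five pipes: the header has five fields and message= may itself contain '|'.
    parts = m.group("leef").split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header must have five pipe-delimited fields")
    version, vendor, product, product_version, event_id, attrs = parts
    attributes = {}
    for field in attrs.split("\t"):
        name, eq, value = field.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {field!r}")
        attributes[name] = value
    missing = [n for n in REQUIRED_FIELDS if n not in attributes]
    if missing:
        raise ValueError(f"missing attributes (spaces instead of tabs?): {missing}")
    return {
        "facility": pri // 8, "severity": pri % 8, "syslog_host": m.group("host"),
        "leef_version": version, "vendor": vendor, "product": product,
        "product_version": product_version, "event_id": event_id,
        "attributes": attributes, "event_time_utc": devtime_to_utc(attributes["devTime"]),
    }


if __name__ == "__main__":
    print("good template problems:", check_message_template(GOOD_TEMPLATE))
    print("bad template problems:", check_message_template(BAD_TEMPLATE))
    print(parse_leef_event(SAMPLE_EVENT))
```

Running the script reports no problems for the tab-delimited template, three for the broken one, and parses the sample line into the event ID, the attribute map and the event time converted to UTC. Pasting the Message Template value from the agent's configuration window into `check_message_template` before restarting the service is a quick way to confirm that the tabs survived the copy and paste the note warns about.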

Restarting the Syslog-ng Agent Service

Before the Syslog-ng Agent can forward LEEF formatted events, you must restart the Syslog-ng Agent service on the Windows host.

  1. From the Start menu, select Run.

    The Run window is displayed.

  2. Type the following text:

    services.msc

  3. Click OK.

    The Services window is displayed.

  4. In the Name column, right-click on Syslog-ng Agent for Windows, and select Restart.

    After the Syslog-ng Agent for Windows service restarts, the configuration is complete. Syslog events from the BalaBit Syslog-ng Agent are automatically discovered by JSA. The Windows events that are automatically discovered are displayed as Microsoft Windows Security Event Logs on the Log Activity tab.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from LEEF formatted messages.

These configuration steps are optional.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your BalaBit Syslog-ng Agent log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Microsoft Windows Security Event Log.
  9. Using the Protocol Configuration list, select Syslog.
  10. Configure one of the following parameters from the table:

    Table 1: Syslog Parameters

    Parameter              Description
    Log Source Identifier  Type the IP address or host name for the log source as an identifier for events from the BalaBit Syslog-ng Agent.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The configuration is complete.