BalaBit IT Security for Microsoft Windows Events

The Microsoft Windows Security Event Log DSM in JSA can accept Log Event Extended Format (LEEF) events from BalaBit's Syslog-ng Agent.

The BalaBit Syslog-ng Agent forwards the following Windows events to JSA by using syslog:

  • Windows security

  • Application

  • System

  • DNS

  • DHCP

  • Custom container event logs

Before you can receive events from BalaBit IT Security Syslog-ng Agents, you must install and configure the agent to forward events.

Before You Begin

Review the following configuration steps before you configure the BalaBit Syslog-ng Agent:

  1. Install the BalaBit Syslog-ng Agent on your Windows host. For more information, see your BalaBit Syslog-ng Agent documentation.

  2. Configure Syslog-ng Agent Events.

  3. Configure JSA as a destination for the Syslog-ng Agent.

  4. Restart the Syslog-ng Agent service.

  5. Optional. Configure the log source in JSA.

Configuring the Syslog-ng Agent Event Source

Before you can forward events to JSA, you must specify what Windows-based events the Syslog-ng Agent collects.

  1. From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

    The Syslog-ng Agent window is displayed.

  2. Expand the Syslog-ng Agent Settings pane, and select Eventlog Sources.

  3. Double-click Event Containers.

    The Event Containers Properties window is displayed.

  4. From the Event Containers pane, select the Enable radio button.

  5. Select a check box for each event type you want to collect:

    • Application - Select this check box if you want the device to monitor the Windows application event log.

    • Security - Select this check box if you want the device to monitor the Windows security event log.

    • System - Select this check box if you want the device to monitor the Windows system event log.

    Note:

    BalaBit's Syslog-ng Agent supports other event types, such as DNS or DHCP events, by using custom containers. For more information, see your BalaBit Syslog-ng Agent documentation.

  6. Click Apply, and then click OK.

    The event configuration for your BalaBit Syslog-ng Agent is complete. You are now ready to configure JSA as a destination for Syslog-ng Agent events.

Configuring a Syslog Destination

The Syslog-ng Agent allows you to configure multiple destinations for your Windows-based events.

To configure JSA as a destination, you must specify the IP address for JSA, and then configure a message template for the LEEF format.

  1. From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

    The Syslog-ng Agent window is displayed.

  2. Expand the Syslog-ng Agent Settings pane, and click Destinations.

  3. Double-click Add new server.

    The Server Property window is displayed.

  4. On the Server tab, click Set Primary Server.

  5. Configure the following parameters:

    • Server Name - Type the IP address of your JSA console or Event Collector.

    • Server Port - Type 514 as the TCP port number on which events are forwarded to JSA.

  6. Click the Messages tab.

  7. From the Protocol list, select Legacy BSD Syslog Protocol.

  8. In the Template field, define a custom template message for the protocol by typing:

    <${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}

    The information that is typed in this field is space delimited.

  9. From the Event Message Format pane, in the Message Template field, type or copy and paste the following text to define the format for the LEEF events:

    Note:

    It is suggested that you do not change the text.

    1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET} devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${EVENT_TYPE} sev=${EVENT_LEVEL} resource=${HOST} usrName=${EVENT_USERNAME} application=${EVENT_SOURCE} message=${EVENT_MSG}

    Note:

    The LEEF format uses a tab character as the delimiter between event attributes. The tab delimiting starts only after the last pipe character, which follows ${EVENT_ID}; the header fields before it are pipe-delimited. Each of the following attribute names must be preceded by a tab: devTime, devTimeFormat, cat, sev, resource, usrName, application, and message. The template above is shown with spaces for readability; when you paste it, replace each of those spaces with a tab.

    You might need to use a text editor to copy and paste the LEEF message format into the Message Template field.

  10. Click OK.

    The destination configuration is complete. You are now ready to restart the Syslog-ng Agent service.
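The following parser is an added example and is not part of the JSA or BalaBit documentation. It reads syslog lines shaped like the output of the two templates above (BSD syslog header, then a LEEF 1.0 pipe-delimited header, then tab-delimited attributes), and reports which of the eight required attributes did not parse. The two sample lines, the host name, user name, and event ID are constructed for illustration; the TZOFFSET format (+HHMM) is an assumption about what the agent emits.

```python
"""Parser and delimiter check for LEEF 1.0 lines produced by the templates above.

Added example, not code from JSA or BalaBit. Sample lines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like:
#   <${PRI}>${BSDDATE} ${HOST} LEEF:1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|<tab-delimited attributes>
SAMPLE_OK = (
    "<14>Mar 10 12:34:56 WINHOST01 LEEF:1.0|Microsoft|Windows|2k8r2|4624|"
    "devTime=2024-03-10T12:34:56GMT+0000\tdevTimeFormat=yyyy-MM-dd'T'HH:mm:ssz"
    "\tcat=Audit Success\tsev=0\tresource=WINHOST01\tusrName=jdoe"
    "\tapplication=Microsoft-Windows-Security-Auditing"
    "\tmessage=An account was successfully logged on."
)

# Same event, but attributes joined with spaces instead of tabs: the paste
# mistake the note above warns about. Only devTime parses; the rest is swallowed
# into its value.
SAMPLE_BAD = SAMPLE_OK.replace("\t", " ")

REQUIRED_ATTRS = ("devTime", "devTimeFormat", "cat", "sev",
                  "resource", "usrName", "application", "message")

# BSD syslog header from the first template: <PRI>BSDDATE HOST LEEF:<payload>
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) LEEF:(?P<leef>.*)$",
    re.DOTALL,
)


def parse_leef_line(line):
    """Return header fields plus a dict of attributes, or None if the line
    does not match the template shape."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    # Header is pipe-delimited: version|vendor|product|product version|event id|attributes.
    # maxsplit=5 keeps any '|' inside the free-text message attribute intact.
    parts = m.group("leef").split("|", 5)
    if len(parts) != 6 or parts[0] != "1.0":
        return None
    _version, vendor, product, product_version, event_id, attrs = parts
    attributes = {}
    for pair in attrs.split("\t"):          # tab is the LEEF attribute delimiter
        if "=" not in pair:
            continue
        key, _, value = pair.partition("=")  # split on the first '=' only
        attributes[key] = value
    pri = int(m.group("pri"))
    return {
        "pri": pri,
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attributes": attributes,
    }


def missing_attributes(parsed):
    """Required attribute names that did not parse as separate attributes."""
    return [a for a in REQUIRED_ATTRS if a not in parsed["attributes"]]


def parse_dev_time(parsed):
    """Parse devTime as the template formats it: yyyy-MM-dd'T'HH:mm:ss followed
    by GMT and an offset. The offset is assumed to be +HHMM or +HH:MM."""
    value = parsed["attributes"]["devTime"]
    m = re.fullmatch(
        r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})GMT([+-])(\d{2}):?(\d{2})", value)
    if not m:
        raise ValueError(f"unexpected devTime: {value!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    sign = 1 if m.group(2) == "+" else -1
    offset = sign * timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
    return naive.replace(tzinfo=timezone(offset))


if __name__ == "__main__":
    for label, line in (("tab-delimited", SAMPLE_OK), ("space-delimited", SAMPLE_BAD)):
        parsed = parse_leef_line(line)
        print(label, "event", parsed["event_id"], "from", parsed["host"],
              "missing:", missing_attributes(parsed) or "none")
```

Running the module shows the tab-delimited sample parsing cleanly and the space-delimited one losing every attribute after devTime, which is the symptom to look for on the JSA side when events arrive with empty usrName or message fields.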

Restarting the Syslog-ng Agent Service

Before the Syslog-ng Agent can forward LEEF formatted events, you must restart the Syslog-ng Agent service on the Windows host.

  1. From the Start menu, select Run.

    The Run window is displayed.

  2. Type the following text:

    services.msc

  3. Click OK.

    The Services window is displayed.

  4. In the Name column, right-click on Syslog-ng Agent for Windows, and select Restart.

    After the Syslog-ng Agent for Windows service restarts, the configuration is complete. Syslog events from the BalaBit Syslog-ng Agent are automatically discovered by JSA. The Windows events that are automatically discovered are displayed as Microsoft Windows Security Event Logs on the Log Activity tab.

Syslog Log Source Parameters for BalaBit IT Security for Microsoft Windows Events

If JSA does not automatically detect the log source, add a BalaBit IT Security for Microsoft Windows Events log source on the JSA Console by using the syslog protocol.

When you use the syslog protocol, you must set specific parameters.

The following table describes the parameters that require specific values to collect syslog events from BalaBit IT Security Syslog Agent:

Table 1: Syslog Parameters for the BalaBit IT Security for Microsoft Windows Events

Parameter               Value
----------------------  ------------------------------------------------------------
Log Source Name         Type a name for the log source.
Log Source Description  Type a description for the log source.
Log Source Type         Microsoft Windows Security Event Log
Protocol Configuration  Syslog
Log Source Identifier   Type the IP address or host name for the log source as an identifier for events from the BalaBit Syslog-ng Agent.