Documentation forThreat Monitor

Add additional Windows event logs

By default, Threat Monitor captures system, application, and security event logs. This procedure is for the non-standard event logs if you need to add an additional data source. To configure this section, please pull up the event logs on the target machine, select the Details tab, and then click the XML View button. Please note the channel value as you will need that later in this procedure.

Find the procedure for configuring the standard Windows system, application, and security event logs here.

  1. In Threat Monitor, navigate to Admin > Manage Collectors.
  2. In the sensors list, select a collector, and then click Edit.

  3. Click the OSSEC tab.
  4. Click the Remote Logs tab, and then click Add.

  5. From the Log Format drop-down list, select eventlog.
  6. Change Log Location to AD FS/Admin.

    Update the log location to the to the channel value referenced in the beginning of this procedure.

  7. From the Type drop-down list, select Host.
  8. From the next drop-down list, select the appropriate host, and then click Create.
  9. To push the changes out to the OSSEC agents, click Restart Required.

    If you have already configured Syslog to pull in Windows Event Logs, then skip the rest of the steps in this procedure as the WinEvtLog plugin will gather all additional Windows Event Logs.

  10. Click the Syslog tab.

  11. Click the Log Destinations tab, and then click Add.

  12. In the Destination Setup window, select Both File and Elastic SOC.

  13. Enter a unique name based on the data source (winevtlog).

    When entering a name, do not use spaces.

  14. Enter a file storage location on the collector, select the appropriate plugin (winevtlog), and then click Save.

    This is typically located in /var/log/<filename>.log. For example, /var/log/winevtlog.log. You must specify a log destination for each plugin.

  15. Click the Actions tab, and then click Add.

    The WinEvtLog filter is added by default.

  16. Add four rows, and then make the following selections from the Type and Value drop-down lists:
    • Source: ossec
    • Filter: WinEvtLog
    • Destination: winevtlog (Elastic SOC)
    • Destination: winevtlog (file)
  17. To save your settings, click Apply changes.
  18. Click the Data Sources tab.
  19. Click New Plugin.
  20. From the Active Plugin list, select winevtlog.
  21. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error Workers, and then click Save.

    Please note that this is necessary to create the queues to process your incoming logs.

  22. For each queue, click Play.
  23. Set Parser Workers to 5 and Storage Workers to 10.
  24. Click Save.