Documentation forThreat Monitor

Add Windows event logs

Follow this procedure to collect the standard Windows system, application, and security event logs through the OSSEC agent.

  1. In Threat Monitor, navigate to Admin > Manage Collectors.
  2. In the sensors list, select a collector, and then click Edit.

  3. Click the Syslog tab.

  4. Click the Log Destinations tab, and then click Add.

  5. In the Destination Setup window, select Both File and Elastic SOC.

  6. Enter a unique name based on the data source (winevtlog).

    When entering a name, do not use spaces.

    Delete the default log destination for winevtlog.

  7. Enter a file storage location on the collector, and then select the appropriate plugin.

    This is typically located in /var/log/<filename>.log. For example, /var/log/winevtlog.log. You must specify a log destination for each plugin.

    For collecting standard windows system, application, and security event logs, select the winevtlog (Windows Event Logs taken from Ossec) plugin.

  8. From the Process data for drop-down list, select your collector.
  9. Click the Actions tab, and then click Add.

    The winevtlog filter is added by default.

  10. Add four rows, and then make the following selections from the Type and Value drop-down lists:
    • Source: ossec
    • Filter: winevtlog
    • Destination: winevtlog (Elastic SOC)
    • Destination: winevtlog (file)
  11. To save your settings, click Apply changes.
  12. Click the Data Sources tab.
  13. Click New Plugin.
  14. From the Active Plugin list, select winevtlog.
  15. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error Workers, and then click Save.

    Please note that this is necessary to create the queues to process your incoming logs.

  16. For each queue, click Play.
  17. Set Parser Workers to 10, Storage Workers to 10, and then Error Workers to 5.
  18. Click Save.