Syslog is one of the most interoperable protocols currently in existence. It is supported by all UNIX platforms, and most network hardware vendors, and has been in operation since at least 1985 with no significant change to its basic specification.
Strangely, although Microsoft generally adopts popular standards and specifications such as TCP/IP, SNMP, HTTP, and XML, Microsoft support for the syslog protocol is conspicuously absent. While Microsoft has an elegant logging system for the Windows operating system, Windows event messages do not generally interoperate directly with standard SIEM strategies.
Two popular techniques currently exist to compensate for this omission by Microsoft. The first is agentless operation, in which the SIEM periodically polls the platform via WMI or RPC calls. However, this technique imposes a number of security risks and complications. In particular, it is difficult for real-time SIEM systems to guarantee timely detection of critical system events.
A second popular method of monitoring Windows event logs is to install a light-weight Windows Service. This “agent” process reads Microsoft event log information as it is logged, in real time, and converts these messages to standard syslog messages, which are sent to a syslog receiver.
The CorreLog Windows Agent and Windows Tool Set (WTS) instruments a Windows platform with syslog capability. This permits easy integration of the CorreLog Correlation Server with any Microsoft Windows platform.
The CorreLog system works with UNIX platforms, routers, and various application programs with no need to install an agent. To monitor Windows platforms, the user installs the CorreLog Windows Agent, which usually takes under one minute and does not require the platform to be rebooted. After installation, Windows event log messages immediately begin forwarding to the CorreLog Server program, permitting data aggregation and correlation of Windows event messages.
The CorreLog Agent comes with various services, programs and utilities installed via a standard Windows dialog on Windows workstation or server platforms:
- Syslog Message Service. This is a compact but powerful Windows service, which listens for new events in the event log, and then converts these events to Syslog messages. The process uses minimal CPU and memory, and runs as a normal Windows service on XP, Vista, and 200X servers.
- Logfile Monitor Service. This is a compact but powerful utility program (actually incorporated in the CorreLog Syslog Message Service above, but separately enabled), which allows arbitrary log files to be instrumented with match patterns. When specific match patterns are detected in streaming log files, Syslog messages of the appropriate severity and facility are sent to the Syslog server program.
- Remote Management Utility. This utility provides encryption services, and remote configuration capabilities that allow large numbers of managed devices to be remotely configured from a central management console. This greatly assists in the maintenance of agent parameters, encryption keys, or when performing group reconfigurations of correlation and filtering rules.
- Sendlog API. This is a simple API and command line utility that can be used by programs, or within batch files, that need to send Syslog messages to CorreLog or another Syslog server host. The command line utility is a completely stand-alone executable that relies on no other files or DLLs in the system, hence is easily adapted to specific applications.
The CorreLog Windows Agent is designed to be highly secure, non-intrusive, and easy to deploy. Although the agent program is very simple to get started with (and may require no configuration whatsoever by the user, other than specification of the syslog receiver destination address) the agent also contains numerous powerful features that leverage the benefits of installing this program on your Windows platforms. Specific features are as follows:
- Monitoring of All Event Logs. The CorreLog Windows Agent discovers your event logs and begins monitoring them. If you have specialized event logs (possibly related to Windows options or application software), data from these logs is automatically discovered and forwarded to CorreLog.
- Monitoring of Streaming Log Files. In addition to monitoring the standard Windows logs, you can configure the agent to monitor streaming log files by name, including log files with names derived from dates and times. This lets you instrument any log file, such as an application error log, with syslog capability.
- Source Filtering Of Events. To reduce network loads or enhance security, you can implement filtering within the agent. You can forward all messages that do not match your configured filters, or exclude all messages except those that match your configured filters. Multiple match patterns can be configured, consisting of keywords, phrases, or wildcards.
- Ability To Assign Facilities and Severities To Messages. The Windows Agent comes with pre-configured match patterns that automatically assign reasonable values for the facility and severity codes associated with syslog messages. Facilities and severities can be further refined using various strategies, such as having the agent automatically assign values based upon message content, or explicitly matching messages. You have complete control over message facility and severity codes, especially useful for correlating messages at the syslog receiver.
- Remote Configuration Utilities. The Windows Agent provides optional support for secure remote configuration of filters and other agent parameters. This assists with agent maintenance, permitting you to change parameters of the agent without having to log into the platform. Authentication is based upon encrypted passkey, source address, or external encryption module. Remote configuration of agents is directly supported via CorreLog Server screens, as well as a command line remote configuration utility.
- Data Encryption. For those sites requiring the encryption of messages, the Windows Agent supports encryption of forwarded messages using either an internal encryption method that works with the CorreLog server, or an external AES-256 encryption scheme. (The AES encryption is available only to USA customers, due to export restrictions on encryption technology.) This prevents third parties from eavesdropping on your management data.
- TCP/IP Data Tunnel. The Windows Tool Set includes an encrypting TCP tunneling service that works with the CorreLog Server. This optional program accepts syslog messages (from the Windows Agent or another source) and then encrypts and forwards these messages to CorreLog using secure TCP. The tunneling process comes with all versions of the agent, and assists you with routing messages through firewalls, further securing your data and preventing the loss of UDP messages which might otherwise occur.
- Syslog API. The Windows Tool Set includes a “sendlog.exe” API that allows you to send your own arbitrary messages to CorreLog or other syslog receivers. This allows you to construct your own monitor programs, such as via the Windows “Startup” facility or Windows Task Scheduler, useful for instrumenting home-grown programs or providing specialized management information to the CorreLog Server. The “sendlog.exe” program operates as a completely stand-alone executable, or can work with the encryption scheme of the main Windows Agent.
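The core job described above (read an event log record, apply include/exclude match patterns, assign a facility and severity, and emit a standard syslog line to a receiver) is shown below as an added Python example. It is not CorreLog's agent code; the event records, the host name, the log-to-facility and type-to-severity tables, and the content-based override rules are all constructed assumptions, and the `forward` helper's default transport is plain UDP to port 514 on localhost.

```python
"""Convert Windows-style event log records into RFC 3164 syslog lines,
applying include/exclude match patterns and assigning a facility and
severity to each message. Added illustration, not CorreLog's agent code;
the event records, host name, mapping tables and rules are constructed."""
import fnmatch
import socket
from datetime import datetime

# RFC 3164 numeric codes for the facilities and severities used here.
FACILITY = {"user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Hypothetical default mappings (the real agent ships its own match patterns).
LOG_TO_FACILITY = {"Security": "auth", "System": "daemon", "Application": "user"}
TYPE_TO_SEVERITY = {"Error": "err", "Warning": "warning", "Information": "info",
                    "Audit Success": "notice", "Audit Failure": "warning"}
# Content-based refinement: first matching wildcard pattern overrides the severity.
CONTENT_RULES = [("*faulting application*", "crit"),
                 ("*entered the stopped state*", "warning")]

# Constructed sample records in the shape an event log reader would hand back.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4625, "type": "Audit Failure",
     "time": datetime(2024, 3, 5, 9, 14, 2),
     "message": "An account failed to log on. Account Name: svc_backup Logon Type: 3"},
    {"log": "System", "id": 7036, "type": "Information",
     "time": datetime(2024, 3, 5, 9, 15, 40),
     "message": "The Print Spooler service entered the running state."},
    {"log": "Application", "id": 1000, "type": "Error",
     "time": datetime(2024, 3, 5, 9, 16, 11),
     "message": "Faulting application name: payroll.exe"},
]


def matches_any(text, patterns):
    """Case-insensitive match of keywords, phrases or * / ? wildcards."""
    return any(fnmatch.fnmatch(text.lower(), p.lower()) for p in patterns)


def should_forward(event, include=(), exclude=()):
    """With an include list, forward only matching events; otherwise forward
    everything except events matching the exclude list."""
    if include:
        return matches_any(event["message"], include)
    return not matches_any(event["message"], exclude)


def classify(event):
    """Facility from the originating log, severity from the event type,
    then refined by message content."""
    facility = LOG_TO_FACILITY.get(event["log"], "local0")
    severity = TYPE_TO_SEVERITY.get(event["type"], "notice")
    for pattern, override in CONTENT_RULES:
        if matches_any(event["message"], [pattern]):
            severity = override
            break
    return facility, severity


def to_syslog(event, hostname):
    """RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG, PRI = facility*8 + severity."""
    facility, severity = classify(event)
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    t = event["time"]
    stamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"   # RFC 3164 pads the day with a space
    tag = f"{event['log']}[{event['id']}]"
    return f"<{pri}>{stamp} {hostname} {tag}: {event['message']}"


def forward(events, hostname, include=(), exclude=(), sender=None,
            dest=("127.0.0.1", 514)):
    """Filter, convert and hand each line to `sender` (UDP datagram by default).
    Returns the lines actually forwarded so callers can audit what left the host."""
    if sender is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sender = lambda line: sock.sendto(line.encode("utf-8"), dest)
    sent = []
    for ev in events:
        if should_forward(ev, include, exclude):
            line = to_syslog(ev, hostname)
            sender(line)
            sent.append(line)
    return sent


if __name__ == "__main__":
    # Print instead of sending: drops the Print Spooler notice, forwards the rest.
    forward(SAMPLE_EVENTS, "WIN-HOST", exclude=["*Print Spooler*"], sender=print)
```

Two design points are worth noticing. The failed-logon record lands on facility `auth` with a non-default severity only because the type mapping and the content rules are evaluated in a fixed order, which is the same ordering question a receiver-side correlation rule depends on; and because UDP gives no delivery guarantee, `forward` returns the exact lines it emitted so a deployment can reconcile them against what the receiver logged.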
The CorreLog Windows Agent software runs on Windows Vista, XP, and 200X workstation or server platforms. The program does not require Java, or .NET, or a relational database, and requires minimal CPU, disk space, and memory. Installation is performed via a manual Windows dialog, or via standard Windows MSI. The tool set additionally provides utilities to allow users to craft custom installation procedures via command line utilities.
The CorreLog Agent software includes a ready-to-run configuration, and 50+ page CorreLog Agent User Reference Manual in Adobe PDF format.
The CorreLog Agent system is designed for extremely easy installation. A typical installation requires less than one minute, and does not require the host platform to be rebooted.
This software is available as a standard component of the CorreLog Server software, and is found in the “wintools” directory of the CorreLog root directory, after the CorreLog Server system is installed. It can also be downloaded from the “Home” screen of the CorreLog Server system.
Stand-alone versions of the program, without the CorreLog Server, are available for immediate download from this website.