Is it possible to forward Windows.ETW.FileCreation events to a remote syslog server?

[Daniel D'Angeli]

Hi,

i am trying to integrate Velociraptor with the Wazuh SIEM and my goal is to send the events generated by the Windows.ETW.FileCreation artifact to the Wazuh syslog server.

Is it possible?

Regards,

Daniel D.

[Mike Cohen]

Hi Daniel,

 syslog is not a particularly good format to forward logs because it is not structured. We do allow the regular server logs (which include the audit logs) to be forwarded via syslog but we dont have a syslog plugin so can not forward from VQL.  (Maybe we should add that?).

Usually people forward to elastic, json files or http (e.g. via REST API or some sort).

Thanks

Mike

 

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/velociraptor-discuss/e03ba3f5-336e-43ac-bef3-96758e59e24an%40googlegroups.com.