Configurations to collect logs from MS windows terminal services


chris

Jan 10, 2024, 3:32:30 AM1/10/24
to Wazuh | Mailing List
Hi Team,

Could you please help me to collect the logs from MS windows terminal services which can be decoded via the default decoder "TerminalServices-Gateway" of wazuh.

Please share both the client side and server side configurations to be enabled or modified.

Now we are getting logs via event channel  as below,

{"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","providerGuid":"{123-dhdyd-e646gd-25-340B4B24157F}","eventID":"1149","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x1000000000000000","systemTime":"2024-01-10T00:04:20.487511800Z","eventRecordID":"113072","processID":"1144","threadID":"71008","channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","computer":"sysX","severityValue":"INFORMATION","message":"\"Remote Desktop Services: User authentication succeeded:\r\n\r\nUser: USXERt\r\nDomain: DOMAINX\r\nSource Network Address: x.x.x.x\""},"eventXML":{"param1":"USXERt","param2":"DOMAINX","param3":"x.x.x.x"}}}


But we prefer to have the log format as below to decode via default decoder


2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(300): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", met resource authorization policy requirements and was therefore authorized to connect to resource "resourceName".

Thanks for the support in advance.


Regards,
Chris



Md. Nazmur Sakib

Jan 10, 2024, 4:25:41 AM1/10/24
to Wazuh | Mailing List

Hi Chris,


Log format eventchannel is used for Microsoft Windows event logs. It monitors every channel specified in the configuration file and shows every field included in it.

This can be used to monitor standard “Windows” event logs and "Application and Services" logs.

You will get the events in JSON format. 


The format you want to see your log in is syslog format.


For that you will need to convert and save your log in a log file.

https://nxlog.co/page/eventlog-to-syslog.html

And use Wazuh to read the file:

<localfile>
    <location>C:\Users\syslog\*</location>
    <log_format>syslog</log_format>
</localfile>


Then you will be able to get the value in the format you want.


Check this document to learn more about log collection:

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#log-format



I hope you find this information helpful.


Regards

Md. Nazmur Sakib
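To show the conversion step described above in code, here is an added Python example (not from the thread, and not part of Wazuh or NXLog) that turns the eventchannel JSON Chris posted into one line in the WinEvtLog layout of his desired format, so the result can be written to the file that the localfile block reads. The field order follows Chris's sample line; the "(no user)" and "no domain" placeholders and the helper names are assumptions, because the eventchannel JSON on this page carries no account fields (the Gateway sample line shows "NETWORK SERVICE: NT AUTHORITY" there).

```python
import json
import re
import sys
from datetime import datetime

# Constructed sample: the eventchannel record from the thread, with its
# placeholder GUID, host name and addresses kept exactly as posted.
SAMPLE_EVENTCHANNEL = (
    '{"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager",'
    '"providerGuid":"{123-dhdyd-e646gd-25-340B4B24157F}","eventID":"1149","version":"0","level":"4",'
    '"task":"0","opcode":"0","keywords":"0x1000000000000000","systemTime":"2024-01-10T00:04:20.487511800Z",'
    '"eventRecordID":"113072","processID":"1144","threadID":"71008",'
    '"channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","computer":"sysX",'
    '"severityValue":"INFORMATION","message":"\\"Remote Desktop Services: User authentication succeeded:'
    '\\r\\n\\r\\nUser: USXERt\\r\\nDomain: DOMAINX\\r\\nSource Network Address: x.x.x.x\\""},'
    '"eventXML":{"param1":"USXERt","param2":"DOMAINX","param3":"x.x.x.x"}}}'
)

# Layout of the target line, taken from Chris's sample:
# <timestamp> WinEvtLog: <channel>: <SEVERITY>(<eventID>): <provider>: <user>: <domain>: <computer>: <message>
WINEVTLOG_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<severity>[A-Z]+)\((?P<event_id>\d+)\): "
    r"(?P<provider>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>[^:]+): (?P<message>.*)$"
)


def winevt_timestamp(system_time: str) -> str:
    """Turn the ISO-8601 systemTime into the 'YYYY Mon DD HH:MM:SS' prefix.

    The channel emits nine fractional digits, which datetime.fromisoformat does
    not accept on older Python versions, so only the whole-second part is parsed.
    """
    m = re.match(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})", system_time)
    if not m:
        raise ValueError(f"unrecognised systemTime: {system_time!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").strftime("%Y %b %d %H:%M:%S")


def flatten_message(message: str) -> str:
    """Drop the quotes wrapped around the message and collapse the CRLF breaks,
    so the record stays a single syslog line (a line-oriented reader would
    otherwise split one event into several)."""
    text = message.strip().strip('"')
    return re.sub(r"\s*[\r\n]+\s*", " ", text).strip()


def eventchannel_to_winevtlog(raw_json: str, user: str = "(no user)", domain: str = "no domain") -> str:
    """Convert one eventchannel JSON record into one WinEvtLog-style line.

    `user` and `domain` are assumed defaults: the eventchannel record has no
    account fields, so a caller that knows the service account can pass it.
    """
    ev = json.loads(raw_json)["win"]["system"]
    return (
        f"{winevt_timestamp(ev['systemTime'])} WinEvtLog: {ev['channel']}: "
        f"{ev['severityValue']}({ev['eventID']}): {ev['providerName']}: "
        f"{user}: {domain}: {ev['computer']}: {flatten_message(ev['message'])}"
    )


def parse_winevtlog(line: str) -> dict:
    """Split a WinEvtLog-style line back into its fields, or raise if the line
    does not follow the expected layout (useful as a sanity check before the
    file is handed to the agent)."""
    m = WINEVTLOG_RE.match(line)
    if not m:
        raise ValueError(f"line does not match the WinEvtLog layout: {line!r}")
    return m.groupdict()


if __name__ == "__main__":
    # Filter mode: one eventchannel JSON record per stdin line, one WinEvtLog line per stdout line.
    source = sys.stdin if not sys.stdin.isatty() else [SAMPLE_EVENTCHANNEL]
    for record in source:
        record = record.strip()
        if record:
            print(eventchannel_to_winevtlog(record))
```

Run with no input to convert the embedded sample, or pipe a file of eventchannel records through it and point the localfile block at the output. Note that the channel and provider in the converted line are the ones the event actually came from (RemoteConnectionManager), so a decoder keyed on the Gateway channel will still only match events that the Gateway channel produced.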


chris

Jan 11, 2024, 3:17:40 AM1/11/24
to Wazuh | Mailing List
Hi Nazmur,

Thanks for your response.
Is it possible to collect logs in syslog format directly?

Md. Nazmur Sakib

Jan 11, 2024, 6:58:42 AM1/11/24
to Wazuh | Mailing List

Hi Chris,


For Windows event logs it is not possible, as the logs are not available in syslog format.


You can use Logstash on a Windows host with a Wazuh agent to receive syslog, log to a file, and send those logs to the environment.


Check this document.

https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#logstash-on-windows


You will need help from Winlogbeat to ship Windows event logs to Logstash.

Check this document.

https://www.elastic.co/beats/winlogbeat


I hope you find this information helpful.


Regards

Md. Nazmur Sakib
