  • We have a SCOM 2012 server.

  • We have SNARE agents for PCI compliance, but now we want to save money by gathering all events for all Windows servers using its native features.

  • We also have a centralized Linux server running SYSLOG that will aggregate the logs to our log retention appliance (this is all for PCI purposes)

Thus, my question:

Can a Windows server (SCOM 2012) forward the event logs to a Linux syslog server? I assume this would occur by following a standard flat file format or something similar.

Thanks

Raystafarian

2 Answers


You need to use a Syslog agent, as Windows doesn't provide one.

...the Windows OS doesn’t include a syslog agent that is capable of sending syslog data to a syslog server. Without a syslog agent, not only can’t the Windows OS send syslog messages to a syslog server but it also can’t send syslog messages from any applications running in the Windows OS (like a web server or database).

Source

Both that source page, and Googling for "Windows Syslog Agent" provide many different Syslog agents you can try.


You might try NXLog on the Linux server to receive the native WEF events from Windows and forward them to the syslog server, since NXLog has a community edition. I don't have the resources to try this at the moment. If NXLog is smart enough to turn the WEF events into text before forwarding to syslog then it might work, otherwise it could spray binary noise into syslog. Please report back if it works:

1. Configure WEF

[ https://adamtheautomator.com/windows-event-collector/ ]

  • Create a GPO via the Group Policy Management Console. Inside of the GPO, navigate to Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding → Configure target subscription manager.
  • Set the value for the target subscription manager to the WinRM endpoint on the collector. You will set the Server to be in the format:
    • Server=http://hostname:5985/wsman/SubscriptionManager/WEC,Refresh=60

2. Configure NXLog:

(The WEF config to send to NXLog was copied from here, but see my config at the bottom of this SE answer to do the actual forwarding)

Create and map an Active Directory domain user

For a WEC server on a Linux machine to be able to use Kerberos authentication, a corresponding user needs to be created in Active Directory and mapped to a Kerberos principal name.

On the domain controller, create a new user with its logon name matching the hostname of the WEC server.
Go to Administrative Tools > Active Directory Users and Computers > example.com > Users.

Right click and choose New > User.

    First name: linux-wec

    Full name: linux-wec

    User logon name: linux-wec

    Set a password for the user.

    Uncheck User must change password at next logon.

    Check Password never expires.

Right click on the new user, click Properties, and open the Account tab.

    Check This account supports Kerberos AES 128 bit encryption.

    Check This account supports Kerberos AES 256 bit encryption.

On the DNS server, create an A record for linux-wec.example.com.

Go to Administrative Tools > DNS > Forward Lookup Zones > example.com.

Right click and choose New Host (A or AAAA)….

Add a record with name linux-wec and IP address 192.168.0.3.

Check the Create associated pointer (PTR) record option.

Back on the domain controller, open a command prompt and execute these commands. Use the same <password> that was specified when the above user was created. These commands map the domain account to the Kerberos principal names and generate two keytab files containing the shared secret.

> ktpass /princ hosts/linux-wec.example.com@EXAMPLE.COM /pass <password> /mapuser EXAMPLE\linux-wec -pType KRB5_NT_PRINCIPAL /out hosts-nxlog.keytab /crypto AES256-SHA1

> ktpass /princ http/linux-wec.example.com@EXAMPLE.COM /pass <password> /mapuser EXAMPLE\linux-wec -pType KRB5_NT_PRINCIPAL /out http-nxlog.keytab /crypto AES256-SHA1

Copy the resulting hosts-nxlog.keytab and http-nxlog.keytab files to the WEC server.

Configure Kerberos on the WEC server

Now that the Active Directory user has been created and mapped to the principal name, the WEC server can be configured for Kerberos authentication.

Confirm that the Kerberos krb5 client and utility software are installed on the WEC server. The required package can be installed with yum install krb5-workstation or apt install krb5-user.

Edit the default Kerberos configuration file, usually located at /etc/krb5.conf.

In section [domain_realm] add:

.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

In section [realms] add:

EXAMPLE.COM = {
 kdc = example.com
 admin_server = example.com
}

Use ktutil to merge the two keytab files generated above.

ktutil
ktutil:  rkt /root/hosts-nxlog.keytab
ktutil:  rkt /root/http-nxlog.keytab
ktutil:  wkt /root/nxlog-result.keytab
ktutil:  q

Validate the merged keytab.

klist -e -k -t /root/nxlog-result.keytab

Keytab name: FILE:/root/nxlog-result.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

Either copy the keytab into place, or merge it if there are already keys in /etc/krb5.keytab.

To copy the keytab:

# cp /root/nxlog-result.keytab /etc/krb5.keytab

To merge the keytab and validate the result:

# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  rkt /root/nxlog-result.keytab
ktutil:  wkt /etc/krb5.keytab
ktutil:  q

# klist -e -k -t /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   <other entries>
   5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

Verify that the user account used by the NXLog service has sufficient privileges to open and read the /etc/krb5.keytab file. If not, Kerberos authentication will fail.

Test that the authentication with Active Directory is working successfully when using the keytab. Run the following command on the Linux WEC server. If the configuration is correct a ticket-granting ticket (TGT) will be created and cached. This command should be invoked with the same user that the NXLog service runs as. By default, it uses the nxlog user account.

kinit -kt /etc/krb5.keytab http/linux-wec.example.com@EXAMPLE.COM

Verify the ticket was obtained by running klist as the same user from the previous step:

klist

Ticket cache: KCM:0
Default principal: http/linux-wec.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
28/01/21 11:41:44    28/01/21 21:41:44    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/02/21 11:41:44

3. Use this NXLog config to proxy Windows to Syslog:

# Receive from native WEF:
<Input windows_events>
    Module              im_wseventing
    # The scheme and port here must match the SubscriptionManager URL pushed by the GPO
    # (the GPO step above uses http://hostname:5985/...; https needs the cert
    # directives below and a matching https:// URL on the Windows side).
    Address             https://linux-wec.example.com:5985/wsman
    ListenAddr          0.0.0.0
    Port                5985
    HTTPSCertFile       /path/to/server-cert.pem
    HTTPSCertKeyFile    /path/to/server-key.pem
    HTTPSCAFile         /path/to/ca-cert.pem
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Log connections for testing and troubleshooting
    LogConnections      TRUE
</Input>

Send it to a syslog server:

<Output udp>
    Module  om_udp
    Host    192.168.1.1:514
</Output>

(or, using the syntax prior to NXLog EE 5, where the port is defined in a separate directive:)

#<Output udp>
#    Module  om_udp
#    Host    192.168.1.1
#    Port    514
#</Output>

Route WEF to UDP

<Route uds_to_udp>
    # Path references the instance name from <Input windows_events>, not the module name
    Path    windows_events => udp
</Route>

KJ7LNW
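For the Kerberos keytab step in the answer above, the following added check (example code, not from the answer or from NXLog's documentation) parses the `klist -e -k -t` listing and confirms that both the hosts/ and http/ principals are present with an AES key, which is what the two ktpass /crypto AES256-SHA1 commands were meant to produce. It also does a rough ownership and mode check on the keytab, because the keytab is the shared secret and must be readable by the NXLog service user and nobody else. The principal names, the EXAMPLE.COM realm and the nxlog service user are the page's placeholders; the embedded listing is constructed to match the page's output.

```python
#!/usr/bin/env python3
"""Validate the merged Kerberos keytab for the Linux WEC/NXLog setup.

Added example for the keytab step above; not code from the answer or from
NXLog's documentation. Assumes the `klist -e -k -t` output format shown on the
page and the page's placeholder names (linux-wec.example.com, EXAMPLE.COM, the
'nxlog' service user).
"""
import os
import pwd
import re
import stat

# One klist entry: KVNO, date, time, principal, then the enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")

# The two SPNs produced by the ktpass commands above (page placeholders).
REQUIRED_PRINCIPALS = {
    "hosts/linux-wec.example.com@EXAMPLE.COM",
    "http/linux-wec.example.com@EXAMPLE.COM",
}
AES_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

# Constructed listing, mirroring the merged-keytab output shown on the page.
SAMPLE_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""


def parse_klist(listing: str) -> list:
    """Turn klist -e -k -t text into a list of {kvno, timestamp, principal, enctype}."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"kvno": int(m.group(1)), "timestamp": m.group(2),
                            "principal": m.group(3), "enctype": m.group(4)})
    return entries


def check_keytab(listing: str, required=REQUIRED_PRINCIPALS) -> list:
    """Return findings; an empty list means every required SPN has an AES key."""
    findings = []
    by_principal = {}
    for e in parse_klist(listing):
        by_principal.setdefault(e["principal"], []).append(e)
    for spn in sorted(required):
        entries = by_principal.get(spn, [])
        if not entries:
            findings.append(f"missing: {spn}")
        elif not any(e["enctype"] in AES_ENCTYPES for e in entries):
            findings.append(f"no AES key: {spn}")
    return findings


def check_keytab_file(path: str, service_user: str = "nxlog") -> list:
    """Rough ownership/mode check: the service user must read the keytab, others must not.

    Group membership is not resolved, so a group-readable keytab owned by
    another user is reported as a warning rather than a failure.
    """
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"keytab not found: {path}"]
    if st.st_mode & stat.S_IROTH:
        findings.append("keytab is world-readable (shared secret)")
    try:
        uid = pwd.getpwnam(service_user).pw_uid
    except KeyError:
        return findings + [f"service user '{service_user}' does not exist"]
    if st.st_uid == uid:
        if not st.st_mode & stat.S_IRUSR:
            findings.append(f"{service_user} owns {path} but lacks read permission")
    elif st.st_mode & stat.S_IRGRP:
        findings.append(f"warning: {path} relies on group read for {service_user}")
    else:
        findings.append(f"{service_user} cannot read {path}")
    return findings


if __name__ == "__main__":
    print("listing findings:", check_keytab(SAMPLE_LISTING) or "OK")
    print("file findings:", check_keytab_file("/etc/krb5.keytab") or "OK")
```

On a real WEC host, feed it the live output (`klist -e -k -t /etc/krb5.keytab`) instead of the constructed listing; a "missing:" finding for one of the two SPNs usually means the second ktpass keytab was never merged with ktutil.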
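For the final NXLog step in the answer above (the "could spray binary noise into syslog" concern), here is an added UDP syslog sink, example code that is not from the answer or from NXLog, which classifies each datagram the way a syslog receiver would see it: whether it carries an RFC 3164 `<PRI>` header, whether the body is clean UTF-8 text without control bytes, and whether it exceeds the 1024-byte RFC 3164 limit. The answer's config sends `$raw_event` through om_udp with no syslog header transform (no xm_syslog extension or `Exec to_syslog_bsd();`), so "no-pri-header" and "control-bytes" are the two flags to watch for on a first test; adding an xm_syslog extension and `Exec to_syslog_bsd();` in the input is the usual way to get proper syslog lines. The datagrams embedded for the offline run are constructed; the listening port and bind address are assumptions.

```python
#!/usr/bin/env python3
"""Tiny UDP syslog sink that reports whether forwarded events arrive as clean text.

Added example for the NXLog forwarding step above; not code from the answer or
from NXLog. It assumes plain UDP syslog (RFC 3164 style '<PRI>' header, text
body) and uses constructed datagrams for the offline run.

Usage on the syslog host, before pointing NXLog's om_udp at the real port:
    python3 syslog_sink_check.py 0.0.0.0 5514
"""
import re
import socket
import sys

PRI_RE = re.compile(rb"^<(\d{1,3})>")
MAX_RFC3164_LEN = 1024  # RFC 3164 section 4.1: packets must be 1024 bytes or less

# Control bytes other than TAB indicate raw/binary payloads reaching syslog.
CONTROL_BYTES = {c for c in range(0x20) if c != 0x09} | {0x7F}

# Constructed datagrams, labelled by what each illustrates.
SAMPLE_DATAGRAMS = [
    # well-formed BSD syslog line, the shape xm_syslog's to_syslog_bsd() produces
    b"<14>Jan 17 04:20:08 linux-wec Security: EventID=4624 An account was successfully logged on",
    # event text without a <PRI> header: the receiver has to guess facility/severity
    b"EventID=4625 An account failed to log on",
    # raw bytes leaking through: this is the 'binary noise' case
    b"<14>\x00\x01\x02\xff\xfeEventID=4624",
]


def parse_datagram(data: bytes) -> dict:
    """Classify one datagram. 'problems' is empty when the line is usable as-is."""
    problems = []
    pri = facility = severity = None
    body = data
    m = PRI_RE.match(data)
    if m:
        pri = int(m.group(1))
        if pri > 191:  # 23 facilities * 8 severities - 1
            problems.append("pri-out-of-range")
        else:
            facility, severity = divmod(pri, 8)
        body = data[m.end():]
    else:
        problems.append("no-pri-header")
    if any(b in CONTROL_BYTES for b in body):
        problems.append("control-bytes")
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("not-utf8")
        text = body.decode("utf-8", errors="replace")
    if len(data) > MAX_RFC3164_LEN:
        problems.append("oversized")
    return {"pri": pri, "facility": facility, "severity": severity,
            "text": text.rstrip("\r\n"), "problems": problems}


def summarize(datagrams) -> tuple:
    """Return (clean, bad, {problem: count}) over a batch of datagrams."""
    clean = bad = 0
    counts = {}
    for d in datagrams:
        problems = parse_datagram(d)["problems"]
        if problems:
            bad += 1
            for p in problems:
                counts[p] = counts.get(p, 0) + 1
        else:
            clean += 1
    return clean, bad, counts


def run_sink(bind_addr: str, port: int) -> None:
    """Listen for real datagrams and print one verdict line each (Ctrl-C to stop)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            r = parse_datagram(data)
            verdict = "OK " if not r["problems"] else "BAD"
            print(f"{verdict} {src} {','.join(r['problems']) or '-'} {r['text'][:80]!r}")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        run_sink(sys.argv[1], int(sys.argv[2]))
    else:
        print(summarize(SAMPLE_DATAGRAMS))
```

Run it on the syslog host on a spare port, temporarily point the om_udp Host at that port, and watch the verdict column: once every line reads OK, switch the Host back to the production receiver on 514.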