Windows Event Log
The OS agent uses the configuration (.conf) file to monitor events from the Windows Event Log. It continues to use the WINEVENTLOGS configuration (.conf) file option for this purpose. The agent monitors a comma-separated list of event logs, as shown in the following example:
WINEVENTLOGS=System,Security,Application
The OS agent also continues to support the WINEVENTLOGS=All setting. The All setting refers to the standard event logs that come with Windows versions earlier than 2008: Security, Application, System, Directory, Domain Name System (DNS), and File Replication Service (FRS). Note that it does not check every event log on the system, only these standard logs.
The UseNewEventLogAPI configuration file tag enables the new Windows Event Log API (Windows 2008 or later), which gives the agent access to any new logs added by Microsoft and to any Windows event logs created by other applications or by the user. The new logs are listed by the WINEVENTLOGS keyword.
In the following example, the UseNewEventLogAPI tag is set to y:
UseNewEventLogAPI=y
WINEVENTLOGS=Microsoft-Windows-Hyper-V-Worker-Admin
In this example, the Microsoft-Windows-Hyper-V/Admin log is monitored on a Windows system that has the Hyper-V role.
In the Windows Event Log, each event has the following fields in this order:
- Date in the following format: month, day, time, and year
- Event category as an integer
- Event level
- Windows security ID. Any spaces in the Windows security ID are replaced by an underscore if SpaceReplacement=TRUE in the configuration (.conf) file.
  Note: SpaceReplacement=TRUE is the default if you set UseNewEventLogAPI to y in the (.conf) file (which designates that you are using the new Event Log).
- Windows source. Any spaces in the Windows source are replaced by an underscore if SpaceReplacement=TRUE in the configuration (.conf) file.
- Windows event log keywords. Any spaces in the Windows event log keywords are replaced by an underscore if SpaceReplacement=TRUE in the configuration (.conf) file.
  Note: The keyword field described here is new to the Windows 2008 version of the Event Log. It did not exist in the previous Event Log, so its presence prevents you from reusing your old Event Log format statements directly. They must be modified to account for this additional field.
- Windows event identifier
- Message text
For example, when an administrative user logs on to a Windows 2008 system, an event is generated in the Security log indicating the privileges that are assigned to the new user session:
Mar 22 13:58:35 2011 1 Information N/A Microsoft-Windows-Security-Auditing Audit_Success 4672 Special privileges assigned to new logon. S-1-5-21-586564200-1406810015-1408784414-500 Account Name: Administrator Account Domain: MOLDOVA Logon ID: 0xc39cb8e Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
To match events from the Microsoft-Windows-Security-Auditing event source, you write a format statement as shown here:
REGEX BaseAuditEvent
^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) [0-9] (\S+) (\S+) Microsoft-Windows-Security-Auditing (\S+) ([0-9]+) (.*)
timestamp $1
severity $2
login $3
eventsource "Microsoft-Windows-Security-Auditing"
eventkeywords $4
eventid $5
msg $6
END
For the previous example event, the following values are assigned to the slots:
timestamp=Mar 22 13:58:35 2011
severity=Information
login=N/A
eventsource=Microsoft-Windows-Security-Auditing
eventid=4672
msg="Special privileges assigned to new logon. S-1-5-21-586564200-1406810015-1408784414-500 Account Name: Administrator Account Domain: MOLDOVA Logon ID: 0xc39cb8e Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege"
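The following Python script is an added example, not part of the original documentation or the agent's own code. It applies the BaseAuditEvent regular expression above to the sample 4672 event (constructed here as the single line the agent sees) and assigns the slots the same way the format statement does; it also shows the caveat about the keywords field by feeding in a constructed pre-2008-style line that lacks it, which the 2008-style pattern correctly refuses to match.

```python
import re
from typing import Optional

# The BaseAuditEvent regex from the format statement, written on one line.
BASE_AUDIT_EVENT = re.compile(
    r"^([A-Z][a-z]{2} [0-9]{1,2} [0-9]{1,2}:[0-9]{2}:[0-9]{2} [0-9]{4}) "
    r"[0-9] (\S+) (\S+) Microsoft-Windows-Security-Auditing (\S+) ([0-9]+) (.*)"
)

# Slot names in capture-group order ($1..$6); eventsource is assigned as a literal.
SLOTS = ("timestamp", "severity", "login", "eventkeywords", "eventid", "msg")


def parse_event(line: str) -> Optional[dict]:
    """Apply the format statement to one event line; return None when it does not match."""
    m = BASE_AUDIT_EVENT.match(line)
    if m is None:
        return None
    slots = dict(zip(SLOTS, m.groups()))
    slots["eventsource"] = "Microsoft-Windows-Security-Auditing"
    return slots


def privileges(slots: dict) -> list:
    """Split the 'Privileges:' tail of a 4672 message into its individual Se* names."""
    _, _, tail = slots["msg"].partition("Privileges:")
    return tail.split()


# Constructed sample: the page's 4672 event as one line (spaces in the keywords
# field already replaced by underscores, as SpaceReplacement=TRUE does).
SAMPLE_4672 = (
    "Mar 22 13:58:35 2011 1 Information N/A Microsoft-Windows-Security-Auditing "
    "Audit_Success 4672 Special privileges assigned to new logon. "
    "S-1-5-21-586564200-1406810015-1408784414-500 Account Name: Administrator "
    "Account Domain: MOLDOVA Logon ID: 0xc39cb8e Privileges: SeSecurityPrivilege "
    "SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege "
    "SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege"
)

# Constructed sample in the pre-2008 layout (no keywords field between source and
# event ID): the 2008-style pattern must not match it, which is the caveat above.
SAMPLE_OLD_LAYOUT = (
    "Mar 22 13:58:35 2011 1 Information N/A Microsoft-Windows-Security-Auditing "
    "4672 Special privileges assigned to new logon."
)

if __name__ == "__main__":
    for name, value in parse_event(SAMPLE_4672).items():
        print(f"{name}={value}")
    print("old layout matched:", parse_event(SAMPLE_OLD_LAYOUT) is not None)
```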
Because it is difficult to anticipate exactly what these events look like, a useful approach to writing your regular expressions is to capture the actual events in a file. Then, you can examine the file, choose the events that you want the agent to capture, and write regular expressions to match these events. To capture all events from your Windows Event Log, use the following steps:
- Create a format file that contains only one pattern that does not match anything, as shown in the following example:
  REGEX NoMatch
  This doesn't match anything
  END
- Add the following setting to the configuration (.conf) file:
UnmatchLog=C:/temp/evlog.unmatch
- Run the agent and capture some sample events.