Czanik@BalaBit

CzP about syslog-ng, music and everything

Patterns for Windows Server 2008

Thursday, July 28, 2011 @ 08:07 PM

Two weeks ago I promised some Windows patterns. They are now available for download from http://people.balabit.hu/czanik/patterndb-win2k8.xml. Obviously the database does not cover every single event from Win2k8, but many common events are included. They are not only recognized: some useful information is also extracted from them.

For example, one can easily see why the computer was shut down, including the initiating process, user and computer name, shutdown type and the comment that was given on shutdown:

<pattern>@ESTRING:user::@ System USER32: [Information] The process @ESTRING:processname: has initiated@ the @ESTRING:action: of computer@ @ESTRING:computername: on behalf of@ user @ESTRING:username: for the following@ reason: @ESTRING:reason:
@ Reason Code: @ESTRING:reasoncode:
@ Shutdown Type: @ESTRING:shutdowntype:
@ Comment: @ESTRING:comment: (EventID@</pattern>
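To show what the pattern above actually extracts, here is a small added example (not syslog-ng's own radix-tree matcher, and not part of the original post) that models only the @ESTRING:name:delimiter@ semantics: each ESTRING consumes text up to and including its delimiter, an empty delimiter consumes to the end of the message, and the pattern is anchored at the start of the message. It assumes the simplification that any text left after the last pattern element is ignored. The sample message is constructed to fit the layout the pattern expects (hostname, then the Windows Agent event text); it is not a real captured event, and its reason code is an illustrative value.

```python
"""Toy model of syslog-ng patterndb @ESTRING@ matching (added example, not syslog-ng code)."""
import re

# The pattern body quoted in the post, with its embedded newlines preserved.
SHUTDOWN_PATTERN = (
    "@ESTRING:user::@ System USER32: [Information] The process "
    "@ESTRING:processname: has initiated@ the @ESTRING:action: of computer@ "
    "@ESTRING:computername: on behalf of@ user "
    "@ESTRING:username: for the following@ reason: @ESTRING:reason:\n"
    "@ Reason Code: @ESTRING:reasoncode:\n"
    "@ Shutdown Type: @ESTRING:shutdowntype:\n"
    "@ Comment: @ESTRING:comment: (EventID@"
)

# Constructed sample message (hostname prefix, then the USER32 1074 event text).
# Not a real captured event; values are illustrative only.
SAMPLE_MESSAGE = (
    "WIN2K8-DC1: System USER32: [Information] The process "
    "C:\\Windows\\system32\\shutdown.exe (WIN2K8-DC1) has initiated the restart "
    "of computer WIN2K8-DC1 on behalf of user CORP\\admin for the following "
    "reason: Operating System: Service pack (Planned)\n"
    " Reason Code: 0x80030010\n"
    " Shutdown Type: restart\n"
    " Comment: Applying security updates (EventID 1074)"
)

# @ESTRING:name:delimiter@ ; the delimiter may be several characters or a newline.
_ESTRING = re.compile(r"@ESTRING:([\w.]+):([^@]*)@")


def tokenize(pattern):
    """Split a pattern into literal strings and ("ESTRING", name, delimiter) tuples."""
    tokens = []
    pos = 0
    for m in _ESTRING.finditer(pattern):
        if m.start() > pos:
            tokens.append(pattern[pos:m.start()])
        tokens.append(("ESTRING", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(pattern[pos:])
    return tokens


def match(pattern, message):
    """Return a dict of extracted name -> value, or None if the pattern does not match.

    Matching is anchored at the start of the message. Text remaining after the
    last pattern element (here " 1074)") is ignored; that is an assumption of
    this toy matcher, not a statement about syslog-ng's behaviour.
    """
    values = {}
    pos = 0
    for tok in tokenize(pattern):
        if isinstance(tok, str):
            # Literal text must appear verbatim at the current position.
            if not message.startswith(tok, pos):
                return None
            pos += len(tok)
            continue
        _, name, delim = tok
        if delim == "":
            end = len(message)  # empty delimiter: take everything to the end
            values[name] = message[pos:end]
            pos = end
        else:
            end = message.find(delim, pos)
            if end == -1:
                return None  # delimiter never appears: no match
            values[name] = message[pos:end]
            pos = end + len(delim)  # ESTRING consumes its delimiter
    return values


if __name__ == "__main__":
    for name, value in (match(SHUTDOWN_PATTERN, SAMPLE_MESSAGE) or {}).items():
        print(f"{name:13} = {value!r}")
```

The extracted `comment` is whatever text the person who issued the shutdown typed, so treat it as untrusted free text when it is forwarded to dashboards or alerting rules; a comment that itself contains the text " (EventID" would also end the field early, which is the usual caveat with delimiter-based parsers.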

Windows eventlog to syslog conversion is not yet standardized. The side effect of this is that every application sends the same events in a slightly different form. The current release is verified to work with the Windows Agent for syslog-ng, which is part of syslog-ng PE: http://www.balabit.com/network-security/syslog-ng/central-syslog-server/features/windows_eventlog. We are working on a converted version so that Snare users can also make use of these patterns.

Also, please note that these patterns work only with the English version of Windows 2k8, not with the localized versions. As system administrators in non-English-speaking countries also tend to use English on servers, this should not affect the majority of users.

If you have any comments, suggestions, patches, etc., please let us know either as a comment below or on the syslog-ng mailing list.

2 Responses to “Patterns for Windows Server 2008”

  1. CzP says:

    Thanks, fixed.
    CzP

  2. The XML URL throws 404.