Winevt-syslog forwards specific Windows events (currently logon-related events) as
syslog messages to a syslog server.
It is written in Go and uses a modified version of Liam Haworth's Windows events
package and RackSec's Srslog.
Winevt-syslog first opens a connection to the syslog server (UDP or TCP), subscribes to Windows events and hibernates. When a subscribed event arrives, it wakes up, processes the received event in a callback and sends it to the syslog server.
Currently, the following logon related events are intercepted:
- 4624 (Client) An account was successfully logged on.
- 4625 (Client) An account failed to log on.
- 4634 (Client) An account was logged off.
- 4647 (Client) User initiated logoff.
- 4648 (Client) A logon was attempted using explicit credentials.
- 4672 (Client) Special privileges assigned to new logon.
- 4768 (DC) A Kerberos authentication ticket (TGT) was requested.
- 4769 (DC) A Kerberos service ticket was requested.
- 4770 (DC) A Kerberos service ticket was renewed.
- 4771 (DC) Kerberos pre-authentication failed.
- 4776 (DC) The computer attempted to validate the credentials for an account.
- 4778 (Client) A session was reconnected to a Window Station.
- 4779 (Client) A session was disconnected from a Window Station.
- 4800 (Client) The workstation was locked.
- 4801 (Client) The workstation was unlocked.
To change this list, you have to change the query string in the program and recompile it.
```
$ go get -u
$ go mod tidy -v
$ go build
```
Before building, you can use go-winres to generate resources (icon, version information) to be included in the final .exe:

```
$ go install github.com/tc-hib/go-winres@latest
$ go-winres make
$ go build
```
EventLog icon copyright © Microsoft.
Winevt-syslog can be run from command line or as a service. Possible command line options for both are:
```
$ winevt-syslog.exe
Usage of winevt-syslog.exe:
  -host string
        Syslog host name (default "127.0.0.1")
  -proto string
        Syslog protocol [udp, tcp] (default "udp")
  -port string
        Syslog host port (default "514")
  -header string
        Syslog header [rfc1364, rfc5424, unix, default] (default "rfc3164")
  -format string
        Syslog format [leef, cef] (default "leef")
```

```
$ winevt-syslog.exe
2022/02/03 14:06:51.360360 Starting winevt-syslog v1.2.2
2022/02/03 14:06:51.360360 Connecting to syslog udp://127.0.0.1:514
2022/02/03 14:06:51.361900 Subscribing to windows events
```
To run winevt-syslog.exe as a service, you have to use an additional program,
Windows Service Wrapper, which is available at https://github.com/winsw/winsw .
Download the latest version of WinSW*.exe, rename it to winevt-service.exe and
copy it to this directory.
Winevt-service.exe needs the configuration file winevt-service.xml (a sample is already
supplied), where you specify the command line and other parameters for the Winevt Syslog
program/service.
The Winevt Syslog service needs to be installed first and then started:

```
$ winevt-service install
$ winevt-service start
```

Other commands: status, restart, stop, uninstall, ...
The Winevt Syslog service is currently configured (see winevt-service.xml) to
store output from winevt-syslog.exe in the local files winevt-service.out.log
and winevt-service.err.log, which are rotated if they grow too big.
Syslog servers expect syslog messages in the format:

```
<syslog_header><syslog_message>
```

The syslog header can be in one of the following formats:

- RFC1364

  ```
  <prio>timestamp hostname tag[pid]: message
  ```

  The timestamp looks like this: Mmm dd HH:MM:SS

  Example:

  ```
  <38>Jan 31 14:41:09 chihuahua winevt-syslog[17356]: CEF:0|...
  ```

- RFC5424

  ```
  <prio>1 timeRFC3339 hostname appname pid tag - message
  ```

  Time in RFC3339 (ISO 8601) format looks like this: YYYY-MM-DDTHH:MM:SS+HH:MM

  Example:

  ```
  <38>1 2022-01-31T14:41:09+01:00 chihuahua winevt-syslog.exe 17356 winevt-syslog - CEF:0|...
  ```

- Unix

  ```
  <prio>timestamp tag[pid]: message
  ```

  Example:

  ```
  <38>Jan 31 14:41:09 winevt-syslog[17356]: CEF:0|...
  ```

- Default

  ```
  <prio> timeRFC3339 hostname tag[pid]: message
  ```

  Example:

  ```
  <38> 2022-01-31T14:41:09+01:00 chihuahua winevt-syslog[17356]: CEF:0|...
  ```

The syslog message can be in one of the following formats:

- CEF

  ```
  CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension [msg=...]
  ```

  Version is always 0. The extension has the following format:

  ```
  key=value<tab>key=value<tab>key=value<tab>key=value...
  ```

  Example:

  ```
  CEF:0|Microsoft|Events|1.0|CL Logon|Logon using explicit credentials|2|Event=4648 SubjectUserSid=S-1-5-18 ...
  ```

- LEEF

  ```
  LEEF:Version|Vendor|Product|Version|EventID|Extension [msg=...]
  ```

  Version can be 1.0 or 2.0, but since the only difference is the delimiter character, we use only version 1.0, where the delimiter character is <tab>. The extension has the following format:

  ```
  key=value<tab>key=value<tab>key=value<tab>key=value...
  ```

  Example:

  ```
  LEEF:1.0|Microsoft|Events|1.0|CL Logon|Event=4648 SubjectUserSid=S-1-5-18 ...
  ```
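The header and message layouts above, as an added Go example that is not winevt-syslog's own code: it builds the tab-delimited extension, the CEF and LEEF messages and each of the four headers from a constructed Event type. The Event type, the PRI value 38 (facility auth = 4, severity info = 6) and the vendor/product/version fields Microsoft|Events|1.0 are assumptions taken from the examples above, not read from the tool's source.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is a constructed stand-in for a subscribed Windows security event (not the tool's own type).
type Event struct {
	ID, Severity int         // Windows event ID (e.g. 4648) and CEF severity 0..10
	Class, Name  string      // Device Event Class ID and event name
	Fields       [][2]string // event data as {key, value} pairs in emit order
}

// Prio is the syslog PRI value facility*8 + severity; auth(4)+info(6) gives the <38> in the examples above.
func Prio(facility, severity int) int { return facility*8 + severity }

// extension renders the tab-delimited key=value list shared by CEF and LEEF, Event=<id> first.
func extension(ev Event) string {
	parts := []string{fmt.Sprintf("Event=%d", ev.ID)}
	for _, f := range ev.Fields {
		parts = append(parts, f[0]+"="+f[1])
	}
	return strings.Join(parts, "\t")
}

// CEF builds CEF:0|Vendor|Product|Version|Class|Name|Severity|Extension (Version is always 0).
func CEF(ev Event) string {
	return fmt.Sprintf("CEF:0|Microsoft|Events|1.0|%s|%s|%d|%s", ev.Class, ev.Name, ev.Severity, extension(ev))
}

// LEEF builds LEEF:1.0|Vendor|Product|Version|EventID|Extension; version 1.0 means a tab delimiter.
func LEEF(ev Event) string {
	return fmt.Sprintf("LEEF:1.0|Microsoft|Events|1.0|%s|%s", ev.Class, extension(ev))
}

// Header renders one of the four header layouts; the caller appends the CEF or LEEF message.
func Header(kind string, prio int, ts time.Time, host, app, tag string, pid int) string {
	bsd, iso := ts.Format("Jan _2 15:04:05"), ts.Format(time.RFC3339) // Mmm dd HH:MM:SS and RFC3339
	switch kind {
	case "rfc3164":
		return fmt.Sprintf("<%d>%s %s %s[%d]: ", prio, bsd, host, tag, pid)
	case "rfc5424":
		return fmt.Sprintf("<%d>1 %s %s %s %d %s - ", prio, iso, host, app, pid, tag)
	case "unix":
		return fmt.Sprintf("<%d>%s %s[%d]: ", prio, bsd, tag, pid)
	}
	return fmt.Sprintf("<%d> %s %s %s[%d]: ", prio, iso, host, tag, pid) // the tool's "default" header
}
```

Header("rfc5424", Prio(4, 6), ts, host, "winevt-syslog.exe", "winevt-syslog", pid) + LEEF(ev) reproduces the RFC5424 example line above with a LEEF body.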
- Microsoft Event Schema (Microsoft)
- Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference (Microsoft)
- Windows 7 and Windows Server 2008 R2 Security Event Descriptions (Microsoft)
- Windows Event Log Analysis (Forward Defense)
- Common Event Format (CEF) Rev. 16 (ArcSight)
- Log Event Extended Format (LEEF) (IBM QRadar)