this post was submitted on 03 Jan 2024
6 points (87.5% liked)

cybersecurity

3155 readers
7 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
6
Windows Syslog Receiver (infosec.pub)
submitted 8 months ago by [email protected] to c/[email protected]
11 comments fedilink hide all child comments
 

Hey all, got a quick question!

I want to receive, parse and store syslogs from various devices on my home network on my windows box. I know, I know, its a bit backwards but I'd like to proceed with this sort of setup if possible (not against discussion, of course).

I've looked and looked for options but it seems like everything has been bare bones and basically just receives, or is locked behind premium. Surely there's some sort of solution out there, no? I'd be willing to implement something in Python if I need to but I'm considerably more hesitant when compared to using an open source soln.

Thanks for your time, looking forward to discussing/learning more!

all 12 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 8 months ago (1 children)

I would recommemd setting up greylog. It's pipelines are really mighty and not that hard to learn. You can run it in a VM.

If you really want to you can run filebeat on windows with a file output, so it will write everything in json format to a file. However you will still have to parse ot, make it searchable etc.

[–] [email protected] 1 points 8 months ago (1 children)

Yeah I’m familiar with filebeats and the ELK stack, set one of those up a long while ago to ingest Twitter from api before all that blew out a left kneecap haha.

I’ll check it out as well!

[–] [email protected] 2 points 8 months ago* (last edited 8 months ago) (1 children)

For the elk stack you can replace Logstash and Filebeat with Fluentbit and feed it directly to Elastic Search than use Kibana. I've found Logstash to be the resource hog and Fluentbit just runs a lot better imo.

Some docs:

https://docs.fluentbit.io/manual/pipeline/inputs/syslog

https://docs.fluentbit.io/manual/pipeline/outputs/elasticsearch

EDIT: All three of them can also be run in a docker or several depending on your needs and how you configure.

[–] [email protected] 2 points 8 months ago

Sweeet, thank you!

[–] [email protected] 2 points 8 months ago (1 children)

I don't know if an open source solution for windows, but I know of a really cool IDS solution that does syslog. It's going to be overkill, and there's a learning curve, but it's worth it if you're into this stuff.

Check out Security Onion 2.4

It's Linux, but the install is kindergarten easy. Just download ISO, pick standalone mode.

It has a web interface. The database is actually elastic search.

If you take the time to play with this thing, it will skill you up. It's a fully scalable IDS.

[–] [email protected] 2 points 8 months ago

Interesting! It rings a bell for sure, and I could really just access the web interface from the windows box as a work around for the soln implementation i'm targetting. Thank you!

[–] [email protected] 2 points 8 months ago* (last edited 8 months ago)

You might be better off using docker to run a Linux based logging system like rsyslogd or loki. Plenty of tutorials out there.

[–] [email protected] 1 points 8 months ago (1 children)

Just setup wazuh.

[–] [email protected] 1 points 7 months ago (1 children)

What’s that? How come you prefer that to other solutions? Sorry for the delayed response

[–] [email protected] 2 points 7 months ago

Its an open source SIEM with XDR and many rules for free. Its the son of ossec