Ingesting Windows logs into Chronicle

Anyone have a good experience ingesting Windows logs into Chronicle?
I’ve heard nxlogs , cribl, etc.
E.g. can Chronicle use cribl stream ? I see there’s “edge” and “stream” flavors of cribl?


This comment was originally sent by Tom Fridman
Hi @Chris_B
Not sure if you are talking about SIEM or SOAR.
Either way, both solutions require middleware to collect all the Windows logs. The ability to connect to all Windows machines in an environment and individually pull logs from each of them is unfortunately not available in either SOAR or SIEM.

SOAR is designed to pull alerts, not raw logs. Windows logs are usually forwarded to a SIEM (Middleware) that correlates the logs and generates correlation alerts. These alerts are then forwarded to SOAR.

On the SIEM side (specifically Chronicle) it is possible to use NXLog as the middleware that collects all the Windows logs and forwards them to the SIEM. It is documented here: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-windows-events

We use event collectors and NXLog.

We only ingest Domain Controller logs. Our endpoint information is from CrowdStrike.

We use Windows Event Forwarding in combination with NXLog. That goes to Logstash, where we split traffic (IIS, winevent, sysmon, SQL) from that stream to different Chronicle forwarders. It was quite the setup, but it allows for fine-grained routing options.
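The two replies above describe the same shape: NXLog as the collection middleware (the approach in the linked Chronicle guide) and per-source routing to separate Chronicle forwarders. The configuration below is an added example, not taken from the thread, the Chronicle documentation or NXLog's own docs. It runs on a Windows collector that already receives events through WEF subscriptions, reads the ForwardedEvents channel, and splits Sysmon from the classic channels so each stream reaches its own forwarder listener. The forwarder address, the two ports and the channel-match pattern are assumptions to replace with your own values.

```nxlog
# Added example: NXLog config on a WEF collector, routing forwarded Windows
# events to two Chronicle forwarder syslog listeners. Host and ports are
# assumed placeholders, not values from the thread.
define FORWARDER 10.0.0.5

<Extension _json>
    Module  xm_json
</Extension>

# WEF subscriptions deliver events into the ForwardedEvents channel on the
# collector; read that channel once and fan it out below.
<Input in_forwarded>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Assumption: $Channel still carries the originating channel name
# (e.g. "Security" or "Microsoft-Windows-Sysmon/Operational") after
# forwarding; verify on your collector before relying on the split.

# Security/System/Application and other non-Sysmon events -> listener 1.
<Output out_winevent>
    Module  om_tcp
    Host    %FORWARDER%
    Port    10514
    Exec    if $Channel =~ /^Microsoft-Windows-Sysmon/ drop();
    Exec    to_json();
</Output>

# Sysmon events -> listener 2, so the forwarder can tag them separately.
<Output out_sysmon>
    Module  om_tcp
    Host    %FORWARDER%
    Port    10515
    Exec    if $Channel !~ /^Microsoft-Windows-Sysmon/ drop();
    Exec    to_json();
</Output>

# One input feeding both outputs; each output keeps only its share.
<Route forwarded>
    Path    in_forwarded => out_winevent, out_sysmon
</Route>
```

On the Chronicle forwarder side this expects one syslog collector per port, each with its own data type (for example WINEVTLOG on 10514 and WINDOWS_SYSMON on 10515), which is what makes the routing worthwhile: the forwarder labels each stream correctly instead of one parser having to guess. Check the forwarder's ingestion stats after enabling a subscription, because an empty ForwardedEvents channel (a subscription that never bound) looks identical to a broken route from the NXLog side.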

Hello,

I am reopening this because I have some Windows servers (AD, DNS, DHCP) that need to send logs to the Chronicle Forwarder on-prem (Docker on a Windows VM), and NXLog is not an option for us.

We tried following this guide to set up subscriptions from the servers and a collector in the VM with the Forwarder, but we are still troubleshooting it.

More importantly, looking ahead, I fail to understand how to route the logs from the collector VM to the Forwarder itself (and then to Chronicle SIEM).

Can anyone share any thoughts/solutions on this?


Many thanks

Just curious why NXLog is not an option?

That's just the customer request. I kind of understand that's the best way to go by a long shot, so I will try to push it.

Still, it would be good to know if there is a different way, as a general knowledge.

thanks
