howto://Install and Configure Snare Agent for Windows

by Ed Fisher on 2010-01-15

in Infrastructure

The last time we discussed Splunk, we set up our server to accept syslog feeds. Now that we have that out of the way, it’s time to start sending some feeds to our Splunk server. Seeing as how Windows is probably the only system we have that doesn’t support syslog out of the box, this post will introduce you to Snare, an open source agent that can take Windows event logs and output them as a syslog feed. We’ll install it, configure it to use the syslog protocol to send data to Splunk, and let it configure the initial audit settings on our Windows boxes.

Before we begin, let me set some security goon /// err, professional’s mind at ease. We will NOT be changing the event logs in any way. They will still be stored in evt format on our Windows host. If you figured out my position in the last post, I like nice binary formats that support authentication. The plan here is that if Splunk calls something to our attention, we can look at the server itself and all our Windows skills will apply unchanged, and our event logs will be there. Relax, it’s cool. You’re going to love this.


To begin, we need to download the agent from the Intersect Alliance website. Pay attention when you do: Windows 2003 and XP want the Snare for Windows agent; Windows Vista, 7, and 2008 want the Snare for Windows Vista agent. The install is fairly straightforward for the first three Next clicks, then you get to a decision point.

Snare can configure your event log settings to match a profile you select during install, or it can leave well enough alone. If you have a domain GPO controlling auditing, or a company policy defining audit settings, click No and then Next. However, if you are just getting into this logging thing, click Yes, and then Next. That’s what we’re doing for this demo. Don’t worry, GPO settings should override local settings, so if things change from a company policy later, you won’t be stuck.


Here we have to decide how to control the configuration of Snare. If you want to access Snare’s configuration on a server remotely using a web browser, you can enable that here (à la http://fqdn:6161). Personally, I opt for the local access only option, since connecting over the network prompts for a password only. To access locally, you still have to have admin rights to the box.

Choices all made, click Install to finish the process. Once that is done, you can access the Snare configuration page from the shortcut on the Start Menu, or just open your browser to http://localhost:6161.

The webpage shows you the version installed, and that it is active.

We want to jump right into Network Configuration. This is where we’ll configure Snare to talk to our Splunk server. See the screenshot, with explanations below.

  • Override detected DNS Name with: you only need to configure this if you want the name in the syslog feed to be something other than the hostname that the box resolves to in DNS.
  • Destination Snare Server address: the FQDN of your Splunk server.
  • Destination Port: the port Splunk listens on for syslog. If you followed the previous post, this should be 514.
  • Perform a scan of ALL objectives, and display the maximum criticality: based on the settings in Objectives Configuration, this will report to you what Snare is going to audit.
  • Allow SNARE to automatically set audit configuration: as we discussed earlier, leaving this checked allows Snare to capture all the events it considers important. Review those in Objectives Configuration, adjust them as you see fit, or control auditing through a GPO.
  • Export Snare Log data to a file?: since we’re still writing event logs, checking this is redundant.
  • Enable active USB auditing?: with this checked, we should pick up any USB devices (like drives) connected to or removed from the system.
  • Enable SYSLOG Header: check this, so that the Snare feed includes a syslog header for Splunk to digest. This will contain the hostname and a timestamp.
  • SYSLOG Facility: defined in RFC3164; leave this at User unless you have a company policy defining a different facility.
  • SYSLOG Priority: also defined in RFC3164; leave this at Notice unless you have a company policy defining a different priority.
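The header and facility/priority settings above determine what each line on the wire looks like: RFC3164 encodes facility and priority together in the leading `<PRI>` value (facility × 8 + severity, so User.Notice is `<13>`), followed by a timestamp, the hostname, and Snare’s tab-delimited event record. The script below is an added example, not code from the original post or from Snare or Splunk; it is a small checker you can run against captured lines to confirm the agent is sending what you configured. The sample lines are constructed, and the tab-delimited field layout (criticality, log name, counter, event time, event ID, source) is assumed from Snare’s documented format, so verify the indices against your own agent’s output.

```python
import re

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG: the header Snare prepends when
# "Enable SYSLOG Header" is checked. The day may be space-padded ("Jan  5").
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


def decode_pri(pri: int):
    """Split an RFC 3164 PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri: user.notice -> 13."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_snare_line(line: str) -> dict:
    """Parse one Snare-over-syslog line into its header and key event fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no RFC 3164 header: is 'Enable SYSLOG Header' checked on the agent?")
    facility, severity = decode_pri(int(m.group("pri")))
    fields = m.group("msg").split("\t")
    if fields[0] != "MSWinEventLog":
        raise ValueError("payload does not look like a Snare Windows event record")
    # Assumed Snare field layout (check against your agent's output):
    # 0 tag, 1 criticality, 2 log name, 3 counter, 4 event time, 5 event ID, 6 source
    return {
        "facility": facility, "severity": severity,
        "timestamp": m.group("ts"), "host": m.group("host"),
        "criticality": int(fields[1]), "log": fields[2],
        "event_id": int(fields[5]) if len(fields) > 5 else None,
    }


def check_feed(lines, facility="user", severity="notice"):
    """Return (ok, detail) per line; ok only if the header parses and the PRI
    matches the facility/priority configured on the Snare agent."""
    results = []
    for line in lines:
        try:
            rec = parse_snare_line(line)
        except ValueError as exc:
            results.append((False, str(exc)))
            continue
        if (rec["facility"], rec["severity"]) != (facility, severity):
            results.append((False, f"unexpected PRI: {rec['facility']}.{rec['severity']}"))
        else:
            results.append((True, f"{rec['host']} {rec['log']} event {rec['event_id']}"))
    return results


# Constructed sample lines: a correct feed, a feed with the syslog header
# disabled, and a feed sent with facility local0 (PRI 16*8+5 = 133).
SAMPLE_LINES = [
    "<13>Jan 15 10:00:00 WINHOST1 MSWinEventLog\t1\tSecurity\t42\tFri Jan 15 10:00:00 2010"
    "\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWINHOST1"
    "\tLogon\t\tAn account was successfully logged on.\t0",
    "MSWinEventLog\t1\tSecurity\t43\tFri Jan 15 10:00:01 2010\t4624\tSecurity",
    "<133>Jan 15 10:00:02 WINHOST1 MSWinEventLog\t1\tSecurity\t44\tFri Jan 15 10:00:02 2010"
    "\t4634\tMicrosoft-Windows-Security-Auditing",
]

if __name__ == "__main__":
    for ok, detail in check_feed(SAMPLE_LINES):
        print("OK  " if ok else "FAIL", detail)
```

Feed it the lines from a packet capture or from a test file to spot the two common misconfigurations this post warns about: a missing header (the line starts with `MSWinEventLog` instead of `<13>`), and a facility or priority that does not match what your Splunk input expects.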

Configure your Snare agent as desired, and then click “Change Configuration.” There is one more step you must complete before you will see syslog messages going to Splunk.

Restarting the Snare service reads the new configuration in. If you are sniffing the wire, you should start to see syslog messages after you restart the service.

We are now full of win!

This should be enough to get you started. In an upcoming post, we’ll talk about the actual events that Snare collects by default, what they mean to you, and how to modify them.



felix 2010-04-01 at 11:27

Why would you convert everything to syslog when you can just use the Splunk light forwarder to forward the event logs and have them indexed nicely? Think PCI and HIPAA compliant log aggregation and event signing.


Ed Fisher 2010-04-01 at 11:37

Hi Felix,
You make a great point, thanks for the comment. If the footprint is the same or less on the server that would be much better, and something I will have to look into. Snare has been around a while, and the client orgs I’ve seen using it were already comfortable with syslog, so it seemed to be a natural progression, but the splunk> forwarder does make for a better solution and can grab a lot more from the server than just event logs. I guess we all know what I’ll be trying next!
Cheers,
Ed

