s.wieseler@tele

Windows Server logs via Evtsys to ArcSight syslog connector

Hello community,

After reading some posts about how to get Windows event logs to ArcSight syslog connector, I got the feeling that it could be parsed correctly.

At the moment the vendor is mostly recognized as "Unix" and the whole event is in the name field.

So at the moment I am trying to write a lot of flex connectors to get around the issue and to have at least some normalized events.

But does anybody here have experience with Evtsys (https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys) as the tool to get the Windows Event Log into our syslog smart connector?

Thanks in advance!

   Sebastian

4 Replies
Vini

Re: Windows Server logs via Evtsys to ArcSight syslog connector

I have never used this one but snare works very well and does the same job.

Dean Farrington

Re: Windows Server logs via Evtsys to ArcSight syslog connector

I used evtsys for a while a few years ago to capture data from one windows host and put it into our syslog repository. It worked acceptably, but we later switched to snare to have more configuration options. I can't remember if it parsed as Unix (since the data is syslog) or Windows. Snare parsed in a way that you definitely knew the source.

That host has been decommissioned, so I can't go back and look now to see which way the events were reporting.

HTH

Dean

rockeyliau

Re: Windows Server logs via Evtsys to ArcSight syslog connector

I am trying to use Evtsys, too.

Could you share the flex connector?

Rockey

s.wieseler@tele

Re: Windows Server logs via Evtsys to ArcSight syslog connector

Actually I only wrote flex connectors for a very few messages like "An account was successfully logged on" or "A logon was attempted using explicit credentials", but not for a whole bunch of Windows log messages. 😕

Which is quite disappointing, and I would really recommend using snare. If not, you will always end up having messages which are not correctly parsed and are then useless. 😕

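The thread's two problems are (a) the syslog connector tagging evtsys output as vendor "Unix" with the whole message in the name field, and (b) per-message FlexConnector parsers covering only a couple of event IDs, so everything else arrives unparsed and useless. The script below is an added example, not code from this thread, from evtsys, or from ArcSight. It does in Python what a regex-based syslog FlexConnector does: one outer regex pulls host, log name and event ID out of every line, dedicated per-event regexes extract fields for 4624 and 4648 (the two messages mentioned above), and a generic fallback still assigns vendor/product and the event name for any Windows event that has no dedicated parser, so it is never left as an opaque blob. The line layout `<PRI>Mon DD HH:MM:SS host Security: <EventID>: <message>` is an assumption about evtsys output, and the sample lines are constructed; check your own evtsys output and adjust `SYSLOG_RE` to match.

```python
"""Normalise Windows Security events forwarded over syslog, evtsys-style.

Added example; not code from the thread, evtsys or ArcSight.
ASSUMPTION: each line looks like
    <PRI>Mon DD HH:MM:SS host Security: <EventID>: <message text>
Adjust SYSLOG_RE if the real evtsys layout differs.
"""
import re
from dataclasses import dataclass, field

# Outer parser: applies to every line, like the first regex of a FlexConnector.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<log>\S+): "
    r"(?P<eid>\d+): "
    r"(?P<msg>.+)$"
)

LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}

# Per-event field extractors, the role the per-message FlexConnector regexes play.
# Only the two events mentioned in the thread get dedicated parsers here.
EVENT_PARSERS = {
    4624: re.compile(
        r"Logon Type:\s*(?P<logon_type>\d+).*?"
        r"New Logon:.*?Account Name:\s*(?P<account>\S+).*?"
        r"Account Domain:\s*(?P<domain>\S+).*?"
        r"Source Network Address:\s*(?P<src_ip>\S+)"),
    4648: re.compile(
        r"Account Whose Credentials Were Used:.*?"
        r"Account Name:\s*(?P<account>\S+).*?"
        r"Account Domain:\s*(?P<domain>\S+).*?"
        r"Target Server Name:\s*(?P<target>\S+)"),
}


@dataclass
class NormalizedEvent:
    device_vendor: str
    device_product: str
    device_host: str
    event_id: int
    name: str
    parsed: bool            # True only when a per-event parser matched
    fields: dict = field(default_factory=dict)
    raw: str = ""


def parse_line(line: str):
    """Return a NormalizedEvent, or None if the line is not evtsys-shaped at all."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    eid = int(m.group("eid"))
    msg = m.group("msg")
    # Generic fallback: vendor/product/host/ID and the first sentence as the
    # event name are always set, so unknown event IDs are still identifiable.
    name = msg.split(".", 1)[0].strip()
    ev = NormalizedEvent("Microsoft", "Windows " + m.group("log"),
                         m.group("host"), eid, name, False, {}, msg)
    parser = EVENT_PARSERS.get(eid)
    if parser:
        fm = parser.search(msg)
        if fm:
            ev.fields = fm.groupdict()
            if "logon_type" in ev.fields:
                ev.fields["logon_type_name"] = LOGON_TYPES.get(
                    ev.fields["logon_type"], "Other")
            ev.parsed = True
    return ev


def parse_lines(lines):
    """Parse a batch, dropping lines that are not Windows events at all."""
    return [ev for ev in (parse_line(ln) for ln in lines) if ev is not None]


def summarize(events):
    """How many events got field-level parsing vs. only the generic fallback."""
    parsed = sum(1 for e in events if e.parsed)
    return {"total": len(events), "parsed": parsed, "fallback": len(events) - parsed}


# Constructed sample lines (not real evtsys output); newlines in the Windows
# message text are assumed to have been flattened to spaces by the forwarder.
SAMPLE_LINES = [
    "<46>Mar  3 10:15:01 DC01 Security: 4624: An account was successfully logged on. "
    "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
    "Logon Type: 3 New Logon: Security ID: S-1-5-21-1-2-3-1001 Account Name: jdoe "
    "Account Domain: CORP Logon ID: 0x3e7 Network Information: Workstation Name: WS01 "
    "Source Network Address: 10.0.0.5 Source Port: 49152",
    "<46>Mar  3 10:15:02 DC01 Security: 4648: A logon was attempted using explicit credentials. "
    "Subject: Security ID: S-1-5-21-1-2-3-1001 Account Name: jdoe Account Domain: CORP "
    "Logon ID: 0x3e7 Account Whose Credentials Were Used: Account Name: svc_backup "
    "Account Domain: CORP Target Server: Target Server Name: FS01.corp.example",
    "<46>Mar  3 10:15:03 DC01 Security: 4672: Special privileges assigned to new logon. "
    "Subject: Security ID: S-1-5-21-1-2-3-1001 Account Name: jdoe Account Domain: CORP",
    "<46>Mar  3 10:15:04 DC01 sshd[123]: not a Windows event at all",
]

if __name__ == "__main__":
    events = parse_lines(SAMPLE_LINES)
    for ev in events:
        print(ev.event_id, ev.parsed, ev.name, ev.fields)
    print(summarize(events))
```

The `summarize` count is the check worth keeping in a real deployment: if the fallback share stays high, the per-event parser set is too small and you are back to the "message which is not correctly parsed" situation described above, only now with a correct vendor and event name attached.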