Best Windows syslog agent for Active Directory env?

Hi there

We have currently been running snare for years and just noticed it isn’t “translating” a tonne of AD-specific identifiers in EventLogs any more. I.e. if someone logs in/out of an AD account, we get a nice “english” syslog record stating that, but if someone changes (e.g.) AD group membership, we get things like this instead of the “english” statements you’d see if you viewed the event through EventLog:

Object: Object Server: DS Object Type: %{bf967a9c-0de6-11d0-a285-00aa003049e2} Object Name: %{d7cb26ca-1f06-4d…"

(I say “english” in quotes because I assume what is happening is there is some form of localization going on, so Microsoft records “39rijfkewd” as an identifier, and then there’s a mapping table of that id to each language string - like gettext does - better :wink: )

I have tested with a newer snare, with NXlog (community AND EE), and with a couple of others and none of them can merge the missing details into syslog. I’m beginning to wonder if this is working for anyone - has anyone out there got a working syslog “gateway service” for EventLogs that is able to merge plain text back into all their EventLog messages?

BTW I am looking for syslog - not GELF. We have centralized syslog and then feed the central server into graylog - I don’t want Windows bypassing syslog via GELF/etc - it would ruin all sorts of monitoring we do outside of graylog.
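The `%{GUID}` tokens in that record are raw directory GUIDs (schema class/attribute ids, extended-right ids, or an object's objectGUID) that the agent forwards without looking them up. As an added example that is not from the original post or any of the agents mentioned, the following PowerShell resolves those tokens against AD before the text leaves the box; it assumes the RSAT ActiveDirectory module, read access to the schema and configuration partitions, and the function names are mine.

```powershell
# Added example: expand %{GUID} placeholders in DS audit events (e.g. 5136) into names.
# Assumes the ActiveDirectory module is installed and the account can read the forest schema.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$schemaNC  = $rootDse.schemaNamingContext
$configNC  = $rootDse.configurationNamingContext
$guidCache = @{}   # GUID text -> resolved name, so repeated events do not hit LDAP again

function Resolve-DsGuid {
    param([Parameter(Mandatory)][string]$GuidText)
    if ($guidCache.ContainsKey($GuidText)) { return $guidCache[$GuidText] }
    $guid = [guid]$GuidText
    # schemaIDGUID is an octet string, so the LDAP filter needs \xx per byte of the GUID
    $escaped = ($guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $name = $null
    # 1. Schema class or attribute (the "Object Type" / attribute ids in 5136)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(schemaIDGUID=$escaped)" `
        -Properties lDAPDisplayName -ErrorAction SilentlyContinue
    if ($obj) { $name = $obj.lDAPDisplayName }
    # 2. Extended right / property set (rightsGuid is stored as a string, no escaping)
    if (-not $name) {
        $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
            -LDAPFilter "(rightsGuid=$GuidText)" -Properties displayName -ErrorAction SilentlyContinue
        if ($obj) { $name = $obj.displayName }
    }
    # 3. A directory object's objectGUID (the "Object Name" in the sample record)
    if (-not $name) {
        $obj = Get-ADObject -Identity $guid -ErrorAction SilentlyContinue
        if ($obj) { $name = $obj.DistinguishedName }
    }
    if (-not $name) { $name = $GuidText }   # unknown ids are left untouched, never guessed
    $guidCache[$GuidText] = $name
    return $name
}

function Expand-DsEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Replace every %{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} token with its resolved name
    [regex]::Replace($Message, '%\{([0-9a-fA-F-]{36})\}', { param($m) Resolve-DsGuid $m.Groups[1].Value })
}

# Render the last 20 directory-modification events with the GUIDs expanded
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 20 |
    ForEach-Object { Expand-DsEventMessage $_.Message }
```

Run it on the DC (or wherever the agent reads the Security log) as a pre-processing step before the text is handed to the syslog forwarder; `$_.Message` already has the locale message-table strings filled in, so only the GUID tokens remain to be resolved.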