Windows Logs
You can get the following Windows products’ logs into Logpoint:
Windows Server
Windows Vista
Windows DNS Server
Windows DHCP Server
Windows Server HyperV
Windows Server R2 HyperV
Log Ingestion
Before using Logpoint SIEM to analyze Windows logs and respond to Windows log events, you need to ingest the logs into Logpoint.
Windows can generate a potentially massive number of events, and not all of them are relevant for SIEM monitoring and analysis. Before you start, go to Log Collection and Event Channels to learn more.
To ingest logs, follow these high-level steps:
Configure DHCP and DNS servers
DHCP log records DHCP Server actions, detailing IP address assignments and configurations for client devices (assignment time, IP/MAC, lease duration). You can analyze DHCP logs through the LP_Windows DHCP dashboard.
DNS logs document queries and responses (query time, domain requested, client IP). You can analyze DNS logs through the LP_Windows DNS dashboard.
Forward logs
After enabling and receiving DHCP and DNS logs in the file path you designated, you must configure NXLog to forward logs to Logpoint.
Post-install tasks
Normalize the logs.
Check Normalized Keys-Value Pairs / Vendor Field Mapping.
Confirm your ingested logs using the example log files.
Set up your Use Cases, analytics, Search Templates and Alerts.
For Alerts to work, configure Sysmon.
Download and Install Integration
Go to the Marketplace
Find the Integration and download the .pak file.
Go to Settings >> System Settings from the navigation bar and click Applications.
Click Import.
Browse to the downloaded .pak file and click Upload.
After installing, you can find it under Settings >> System Settings >> Plugins.
Configuring DHCP server
Go to Start >> Server Manager and click Tools.
Click DHCP to open the DHCP management console.
Right click the DHCP server drop-down (your server is listed here).
If you don’t have a green check mark next to the IPv4 and IPv6 protocol name:
Right click the DHCP server and click Authorize.
Right click IPv4 and click Properties.
In General, select Enable DHCP audit logging.
To change the default path for logs: click Advanced, browse to your Audit log file path or enter the path (the file path is required for Logpoint Agent File Collection), then click OK.
Enable DHCP Admin and Operational Logging:
Note the Full Name of the event channel (required when configuring Logpoint Agent).
Open Event Viewer → Applications and Services Logs → Microsoft → Windows → DHCP-Server.
For DHCP Admin logs: right click Microsoft-Windows-DHCP Server Events/Admin → Properties → General → Enable logging → Apply → OK.
For DHCP Operational logs: right click Microsoft-Windows-DHCP Server Events/Operational → Properties → General → Enable logging → Apply → OK.
Configuring DNS server
Go to Start >> Server Manager and click Tools.
Click DNS.
Right click the DNS server name and click Properties.
In Debug Logging, select Log packets for debugging.
Enter your File path and name to save the logs (example: C:\logpoint), click Apply, then OK.
Important: The Log Path is required while configuring NXLog.
Enable DNS Audit Logging:
Open Event Viewer → Applications and Services Logs → Microsoft → Windows → DNS-Server → right click Audit → Properties → General → Enable logging → Apply → OK.
Note the Full Name of the event channel (required when configuring Logpoint Agent).
Ensure the File path provided in the NXLog Sample Configuration is the same you entered for DHCP and DNS Audit Logging.
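The DHCP audit log and the DNS debug log configured above are plain files that NXLog reads from the paths you entered. The following parser is an added example, not Logpoint or NXLog code; it shows what those two files contain before normalization, including the length-prefixed query name in the DNS debug log and the locale-dependent date format that the DNSCompiledNormalizer note later on this page refers to. The sample lines are constructed, and the DHCP column order is an assumption based on the standard DhcpSrvLog header.

```python
"""Added example (not Logpoint or NXLog code): parse the two file-based logs that the
DHCP and DNS servers write to the paths configured above, so you can check what the
collector will read. Sample lines are constructed; the DHCP column order is assumed
from the standard DhcpSrvLog header (ID, Date, Time, Description, IP, host, MAC)."""
import csv
import re
from datetime import datetime

# Syslog header a collector prepends when forwarding (compare the SNARE sample on this page).
SYSLOG_HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")

# One DNS debug-log packet line:
# date time thread context packet proto Snd/Rcv remote_ip xid Q/R [opcode] [flags] qtype qname
DNS_PACKET = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}(?: [AP]M)?)\s+(?P<thread>[0-9A-Fa-f]+)\s+"
    r"(?P<context>\S+)\s+(?P<packet>\S+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+"
    r"(?P<remote_ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>Q|R)\s+(?:(?P<opcode>[A-Z])\s+)?"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# The date field follows the server locale, which is why the page has you select the
# format in CNDP for DNSCompiledNormalizer: "05/06/2018" fits two formats, and the
# order of this tuple decides which one wins.
DATE_FORMATS = (
    "%d-%m-%Y %H:%M:%S",     # European with dashes, as in the page's DNS sample
    "%d/%m/%Y %H:%M:%S",     # European (CNDP "DD/MM/YYYY")
    "%Y/%m/%d %H:%M:%S",     # ISO (CNDP "YYYY/MM/DD")
    "%m/%d/%Y %I:%M:%S %p",  # US locale default
    "%m/%d/%y %H:%M:%S",     # two-digit year, as in the DHCP audit log
)

# Assumed column order of the DHCP audit log (DhcpSrvLog-*.log); extra columns are ignored.
DHCP_COLUMNS = ("id", "date", "time", "description", "ip_address", "host_name", "mac_address")

# Constructed samples: addresses, names and the packet pointer are placeholders.
DNS_SAMPLE = ("<13>Oct 17 10:37:46 XYZ 17-10-2018 10:37:19 1460 PACKET 000000AB12CD34EF UDP Rcv "
              "192.0.2.10 7cf7 Q [0001 D NOERROR] A (3)srv(2)u1(8)logpoint(5)local(0)")
DHCP_SAMPLE = "31,05/29/19,20:24:08,DNS Update Failed,192.0.2.10,WIN-EXAMPLE.logpoint.local,0050569A1B2C"


def parse_timestamp(date: str, time: str) -> datetime:
    """Try the configured formats in order; raise if none fits."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(f"{date} {time}", fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date/time: {date} {time}")


def decode_qname(encoded: str) -> str:
    """Turn the length-prefixed '(3)srv(8)logpoint(5)local(0)' form into 'srv.logpoint.local'.
    Labels are joined by position, so a redacted sample such as '(10)XYZ' still decodes."""
    labels = [label for count, label in re.findall(r"\((\d+)\)([^()]*)", encoded) if count != "0"]
    return ".".join(labels)


def parse_dns_debug_line(line: str) -> dict:
    """Parse one packet line from the DNS debug log, with or without a syslog header."""
    line = SYSLOG_HEADER.sub("", line.strip())
    match = DNS_PACKET.match(line)
    if not match:
        raise ValueError(f"not a DNS packet log line: {line!r}")
    f = match.groupdict()
    return {
        "log_ts": parse_timestamp(f["date"], f["time"]),
        "protocol": f["proto"].lower(),
        "direction": "received" if f["direction"] == "Rcv" else "sent",
        "remote_address": f["remote_ip"],
        "transaction_id": int(f["xid"], 16),
        "is_response": f["qr"] == "R",
        "rcode": (f["flags"].split() or ["?"])[-1],  # last flag token is the response code
        "query_type": f["qtype"],
        "query": decode_qname(f["qname"]),
    }


def parse_dhcp_audit_line(line: str) -> dict:
    """Parse one CSV record from the DHCP audit log into a flat dict with a real timestamp."""
    fields = next(csv.reader([line.strip()]))
    record = dict(zip(DHCP_COLUMNS, (value.strip() for value in fields)))
    record["event_id"] = int(record.pop("id"))
    record["log_ts"] = parse_timestamp(record.pop("date"), record.pop("time"))
    return record


if __name__ == "__main__":
    print(parse_dns_debug_line(DNS_SAMPLE))
    print(parse_dhcp_audit_line(DHCP_SAMPLE))
```

Run it against a few lines copied from the real files on your server; if `parse_timestamp` raises, the server's locale writes a date format not in `DATE_FORMATS`, which is exactly the case where the CNDP date-format setting matters for the normalizer.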
Use Log Source Template to ingest Windows Logs
You must create a log source using the log source template to receive the normalized Windows logs.
Use a Device to Ingest Windows Logs
To configure your log source through a device, there are 6 steps (high level):
Configure a Repo
Add a Normalization Policy
Configure a Processing Policy
Add Windows as a device
Add an Agent
Configure the Syslog Collector
Configuring a Repo for Windows
Go to Settings >> Configuration and click Repos.
Click Add.
Enter a Repo Name and select a Repo Path to store incoming logs.
Set a Retention Day to keep logs before automatic deletion.
In Availability, select Remote logpoint (creates a copy in Remote Logpoint). Set Available for (Day) for how long the copy is a high-availability repo.
You can add/remove multiple Repo Path and Retention Day entries.
Click Submit.
Normalize the Logs
Normalization Policies combine one or more Compiled Normalizers with Normalization Packages. It is recommended to create different normalization policies for similar normalizers.
Example: For an MS Windows 2008 server running MS-SQL 2005, create a normalization policy consisting of normalization packages for Windows 2008 and MS-SQL 2005.
You can choose more than one normalizer. Add the most commonly used normalizer at the top of the list so Logpoint does not iterate through unnecessary ones.
Compiled Normalizers (notes):
For almost all compiled normalizers, Logpoint interprets the date format.
DNSCompiledNormalizer supports ISO (YYYY/MM/DD) and European (DD/MM/YYYY) formats. Before using DNSCompiledNormalizer, install and configure CNDP to select the relevant date format: https://docs.logpoint.com/docs/cndp/en/latest/Installing%20CNDP.html#installing-cndp
List of compiled normalizers referenced:
ADFSNormalizer
DNSCompiledNormalizer
LPA_Windows
WindowsDHCPCompiledNormalizer
WindowsNPSCompiledNormalizer
WindowsSecurityAuditing
WindowsSysmonCompiledNormalizer
Normalization Packages referenced:
LP_DNS BIND
LP_Microsoft Antimalware
LP_Microsoft Direct Access
LP_Windows Firewall
The order of Windows normalizers and packages is important for log ingestion.
Adding Normalizers
Go to Settings >> Configuration and click Normalization Policies.
Click Add.
Enter a Policy Name.
Select the Compiled Normalizers and Normalization Packages applicable for Windows.
LPA_Windows is a generic compiled normalizer and must be selected last.
Click Submit.
Configure a Processing Policy
A processing policy combines normalization, enrichment and routing policies into a single policy that is then assigned to a device.
Go to Settings >> Configuration and click Processing Policies.
Click Add.
Enter a Policy Name.
Select the previously created Normalization Policy.
Select the Enrichment Policy.
Select the Routing Policy.
Click Submit.
Adding Windows as a Device in Logpoint
Go to Settings >> Configuration and click Devices.
Click Add.
Enter a device Name and the Windows server IP address(es).
Select the Device Groups and an appropriate Log Collection Policy for the logs.
Select a collector or a forwarder from the Distributed Collector drop-down (optional).
Select a Time Zone. The time zone of the device must be the same as that of its log source.
Configure Risk Values for Confidentiality, Integrity and Availability (used to calculate risk levels of alerts from the device).
Click Submit.
Install an Agent
If you are using a device to ingest Windows logs, install one of the following agents and add templates relevant to Windows event channels:
Configuring AgentX for Windows
DHCP and DNS servers record events in Windows Event Logs under event log channels like DHCP-Server and DNS-Server. You can find these channels in Event Viewer. Select the required channels in AgentX to define event logs to collect.
Go to Settings >> Configuration and click AgentX.
Configure a template (see Templates for how to add a template). Note the template name for later configuration.
File Collection, File Integrity Scanner and Windows Registry Scanner event channels are optional.
After saving the template:
Go to Settings >> Configuration >> Devices.
Click Add collectors/fetchers from Actions of the Windows Device.
Click AgentX.
Select utf_8 as Charset.
Select the previously created Processing Policy.
Select the recently created Template.
Click Submit.
Logpoint Agent Collector for Windows
Go to Settings >> System Settings and click Plugins.
Search for LogPoint Agent Powered by NxLog and click Manage.
Configure a template (see Templates for how to add a template). Note the template name for later configuration.
File Collection, File Integrity Scanner and Windows Registry Scanner are optional.
After saving the template:
Go to Settings >> Configuration >> Devices.
Click Add collectors/fetchers from Actions of the Windows device.
Click LogPoint Agent Powered by NxLog.
Select utf_8 as Charset.
Select the previously created Processing Policy.
Select the recently created Template.
Click Submit.
Configuring the Syslog Collector
Go to Settings >> Configuration >> Devices.
Click the Add icon from Actions of the previously added device.
Click Syslog Collector (you can select a different collector depending on requirements).
Select Syslog Parser as Parser.
Select the previously created Processing Policy.
Select the Charset.
In Proxy Server, select None.
Click Submit.
Normalized Keys-Value Pairs / Vendor Field Mapping
When normalizing Windows log messages, Logpoint normalizers identify essential patterns and create key-value pairs for each component. The key-value pairs for Windows depend on the Event ID. Each table below lists the raw Windows field name followed by the Logpoint key it is normalized to.
Microsoft-Windows-Security-Auditing
Event ID: 4608
Category → event_category
ProcessID → process_id
Severity → log_level
Hostname → host
Version → version
ThreadID → thread_id
Channel → channel
SourceModuleType → source_module_type
SourceName → event_source
EventType → event_type
SourceModuleName → source_module
ProviderGuid → guid
EventTime → log_ts
Task → event_task
OpcodeValue → opcode_value
Opcode → opcode
EventID → event_id
Keywords → keyword
SeverityValue → severity
Message → message
RecordNumber → record
EventReceivedTime → event_ts
Event ID: 4610
Category → event_category
ProcessID → process_id
Severity → log_level
Hostname → host
Version → version
ThreadID → thread_id
Channel → channel
SourceModuleType → source_module_type
SourceName → event_source
EventType → event_type
SourceModuleName → source_module
ProviderGuid → guid
EventTime → log_ts
Task → event_task
OpcodeValue → opcode_value
Opcode → opcode
EventID → event_id
AuthenticationPackageName → package
Keywords → keyword
SeverityValue → severity
Message → message
RecordNumber → record
EventReceivedTime → event_ts
Event ID: 4611
Category → event_category
ProcessID → process_id
Severity → log_level
Hostname → host
SubjectUserName → user
Version → version
ThreadID → thread_id
Channel → channel
SourceModuleType → source_module_type
SourceName → event_source
EventType → event_type
SourceModuleName → source_module
SubjectLogonId → logon_id
ProviderGuid → guid
EventTime → log_ts
Task → event_task
OpcodeValue → opcode_value
LogonProcessName → process
Opcode → opcode
SeverityValue → severity
EventID → event_id
SubjectDomainName → domain
Keywords → keyword
SubjectUserSid → user_id
Message → message
RecordNumber → record
EventReceivedTime → event_ts
Event ID: 4614
Category → event_category
ProcessID → process_id
Severity → log_level
Hostname → host
Version → version
ThreadID → thread_id
Channel → channel
SourceModuleType → source_module_type
SourceName → event_source
EventType → event_type
SourceModuleName → source_module
NotificationPackageName → package
ProviderGuid → guid
EventTime → log_ts
Task → event_task
OpcodeValue → opcode_value
Opcode → opcode
EventID → event_id
Keywords → keyword
SeverityValue → severity
Message → message
RecordNumber → record
EventReceivedTime → event_ts
ASP.NET
Event ID: 1309
Data → event_code
Data_1 → message
Data_2 → exception_ts
Data_3 → exception_utc_ts
Data_4 → event_uid
Data_5 → event_sequence
Data_6 → event_count
Data_7 → detail_code
Data_8 → application_domain
Data_9 → trust
Data_10 → application_virtual_path
Data_11 → path
Data_12 → workstation
Data_13 → process_id
Data_14 → process
Data_16 → exception_class
Data_17 → exception_message
Data_18 → url
Data_19 → request_path
Microsoft Windows
Event ID: 1008
param1 → service
param2 → file
binaryData → data
binaryDataSize → datasize
Expected Log Samples
To confirm what an ingested log looks like, compare it with the expected log samples below. A sample is given for each product.
Windows BITS (JSON sample)
<14>Jul 7 11:01:49 ABC.local Microsoft-Windows-Bits-Client[2044]: {"EventTime":"2021-07-07T11:01:49.883794+05:45","Hostname":"ABC.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,
Windows ADFS (JSON sample)
<14>Feb 21 09:10:37 ABC AD_FS_Auditing: {"EventTime":"2019-02-21 09:10:37","Hostname":"ABC","Keywords":-xxxxxxxxxxxxxxxxxxxx,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":410,"SourceName":"AD FS Auditing","Task":3,"RecordNumber":xxxxxxxx,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Security","Domain":"ABC","AccountName":"xxx-ADFS","UserID":"x-x-x-xx-xxxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx","AccountType":"User","Message":"Following request context headers present : \r\n\r\nActivity ID: 00000000-0000-0000-xx00-00800x0000xx \r\n\r\nX-MS-Client-Application: - \r\nX-MS-Client-User-Agent: - \r\nclient-request-id: - \r\nX-MS-Endpoint-Absolute-Path: /adfs/ls/idpInitiatedxxxxxx.aspx \r\nX-MS-Forwarded-Client-IP: - \r\nX-MS-Proxy: -","Opcode":"Info","EventData":"00000000-0000-0000-xx00-00800x0000xxX-MS-Client-Application-X-MS-Client-User-Agent-client-request-id-X-MS-Endpoint-Absolute-Path/adfs/ls/idpInitiatedxxxxxx.aspxX-MS-Forwarded-Client-IP-X-MS-Proxy-","EventReceivedTime":"2019-02-21 09:10:38","SourceModuleName":"wineventlog_in","SourceModuleType":"im_msvistalog"}
Windows DNS (SNARE sample)
<13>Oct 17 10:37:46 XYZ 17-10-2018 10:37:19 1460 PACKET 000000xxxxxxxxxx UDP Rcv xxx.xxx.x.x 7cf7 Q [0001 D NOERROR] A (10)XYZ(2)u1(2)logpoint(2)xx(0)
Windows DHCP (JSON sample)
<13>May 29 20:24:08 WIN-xxxxxxxxxxxx DHCPEvents: {"EventReceivedTime":"2019-05-29 20:24:08","SourceModuleName":"in_dhcp","SourceModuleType":"im_file","EventID":"31","Date":"05/29/19","Time":"20:24:08","Description":"DNS Update Failed","IPAddress":"xxx.xxx.xx.xx","ReportedHostname":"WIN-xxxxxxxxxxxx.logpoint.local","TransactionID":"0","QResult":"6","DnsRegError":"xxxx","EventTime":"2019-05-29 20:24:08","SourceName":"xxxxxxxxxx"}
Windows Security Auditing (JSON sample)
<11>Mar 16 09:36:01 logpoint.com Microsoft-Windows-Security-Auditing[4]: {"EventTime":"2018-03-16 09:36:01","Hostname":"logpoint.com","Keywords":-xxxxxxxxxxxxxxxxxxx,"EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":5038,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx}","Version":0,"Task":12290,"OpcodeValue":0,"RecordNumber":xxxxxxxxxxxxx,"ProcessID":4,"ThreadID":76,"Channel":"Security","Message":"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\r\n\r\nFile Name:\t\Device\HarddiskVolume1\Windows\System32\drivers\nsrbbb.sys\t","Category":"System Integrity","Opcode":"Info","param1":"\Device\HarddiskVolume1\Windows\System32\drivers\nsrbbb.sys","EventReceivedTime":"2018-03-16 09:36:02","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}
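The samples above are NXLog's syslog wrapper (PRI, timestamp, host, program and optional PID) around a JSON body, and the vendor field mapping tables earlier on this page describe how the JSON keys are renamed. The following is an added example, not Logpoint's normalizer code: it splits the wrapper from the JSON, applies the Security-Auditing mappings for Event IDs 4608/4610/4611/4614 from those tables, and runs a product-specific normalizer before a generic catch-all, which is the ordering rule given for LPA_Windows in the normalization policy section. The 4611 line is constructed (valid JSON, placeholder host, GUID and record number) because the page's Security Auditing sample is redacted and not parseable as JSON; the DHCP line is the page's own sample, used verbatim to show the fall-through to the generic normalizer. Unmapped fields keep their raw names, which is a choice of this example.

```python
"""Added example (not Logpoint's normalizer code): split NXLog's syslog wrapper from its
JSON payload, then rename raw Windows fields to Logpoint keys using the vendor field
mapping tables on this page. Product-specific normalizers run first and a generic
catch-all last, the same ordering rule the page gives for LPA_Windows."""
import json
import re
from typing import Optional, Tuple

SYSLOG_JSON = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<payload>\{.*\})$"
)

# Envelope fields every Security-Auditing event shares (the Event ID 4608 table).
COMMON_FIELDS = {
    "Category": "event_category", "ProcessID": "process_id", "Severity": "log_level",
    "Hostname": "host", "Version": "version", "ThreadID": "thread_id", "Channel": "channel",
    "SourceModuleType": "source_module_type", "SourceName": "event_source",
    "EventType": "event_type", "SourceModuleName": "source_module", "ProviderGuid": "guid",
    "EventTime": "log_ts", "Task": "event_task", "OpcodeValue": "opcode_value",
    "Opcode": "opcode", "EventID": "event_id", "Keywords": "keyword",
    "SeverityValue": "severity", "Message": "message", "RecordNumber": "record",
    "EventReceivedTime": "event_ts",
}
# Per-event additions from the 4610 / 4611 / 4614 tables.
SECURITY_EVENT_FIELDS = {
    4610: {"AuthenticationPackageName": "package"},
    4611: {"SubjectUserName": "user", "SubjectLogonId": "logon_id", "LogonProcessName": "process",
           "SubjectDomainName": "domain", "SubjectUserSid": "user_id"},
    4614: {"NotificationPackageName": "package"},
}

# Constructed 4611 sample: valid JSON with placeholder host, GUID and record number.
SAMPLE_4611 = (
    '<14>Mar 16 09:36:01 dc01.example.local Microsoft-Windows-Security-Auditing[4]: '
    '{"EventTime":"2018-03-16 09:36:01","Hostname":"dc01.example.local",'
    '"Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,'
    '"Severity":"INFO","EventID":4611,"SourceName":"Microsoft-Windows-Security-Auditing",'
    '"ProviderGuid":"{00000000-0000-0000-0000-000000000000}","Version":0,"Task":12288,'
    '"OpcodeValue":0,"RecordNumber":1001,"ProcessID":4,"ThreadID":76,"Channel":"Security",'
    '"Category":"Security System Extension","Opcode":"Info","SubjectUserSid":"S-1-5-18",'
    '"SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7",'
    '"LogonProcessName":"Winlogon","Message":"A trusted logon process has been registered '
    'with the Local Security Authority.","EventReceivedTime":"2018-03-16 09:36:02",'
    '"SourceModuleName":"in","SourceModuleType":"im_msvistalog"}'
)
# The page's own DHCP sample, verbatim: not a Security-Auditing source, so it falls through.
SAMPLE_DHCP = (
    '<13>May 29 20:24:08 WIN-xxxxxxxxxxxx DHCPEvents: {"EventReceivedTime":"2019-05-29 20:24:08",'
    '"SourceModuleName":"in_dhcp","SourceModuleType":"im_file","EventID":"31","Date":"05/29/19",'
    '"Time":"20:24:08","Description":"DNS Update Failed","IPAddress":"xxx.xxx.xx.xx",'
    '"ReportedHostname":"WIN-xxxxxxxxxxxx.logpoint.local","TransactionID":"0","QResult":"6",'
    '"DnsRegError":"xxxx","EventTime":"2019-05-29 20:24:08","SourceName":"xxxxxxxxxx"}'
)


def split_syslog_json(line: str) -> Tuple[dict, dict]:
    """Separate the syslog wrapper (PRI, timestamp, host, program[pid]) from the JSON body."""
    match = SYSLOG_JSON.match(line.strip())
    if not match:
        raise ValueError(f"not a syslog-wrapped JSON event: {line[:60]!r}")
    header = match.groupdict()
    payload = json.loads(header.pop("payload"))
    header["facility"], header["severity"] = divmod(int(header.pop("pri")), 8)
    return header, payload


def security_auditing(payload: dict) -> Optional[dict]:
    """Product-specific normalizer; returns None so the chain moves on when it does not apply."""
    if payload.get("SourceName") != "Microsoft-Windows-Security-Auditing":
        return None
    mapping = {**COMMON_FIELDS, **SECURITY_EVENT_FIELDS.get(int(payload.get("EventID", 0)), {})}
    return {mapping.get(key, key): value for key, value in payload.items()}


def generic_windows(payload: dict) -> dict:
    """Catch-all that only knows the envelope fields; stands in for LPA_Windows."""
    return {COMMON_FIELDS.get(key, key): value for key, value in payload.items()}


# Specific first, generic last: a generic normalizer placed earlier would claim every event.
NORMALIZER_CHAIN = (security_auditing, generic_windows)


def normalize(line: str, chain=NORMALIZER_CHAIN) -> dict:
    """Run the first normalizer that accepts the event; unmapped fields keep their raw names."""
    header, payload = split_syslog_json(line)
    for normalizer in chain:
        result = normalizer(payload)
        if result is not None:
            result.setdefault("host", header["host"])  # fall back to the syslog host
            result["normalizer"] = normalizer.__name__
            return result
    raise ValueError("no normalizer accepted the event")


if __name__ == "__main__":
    for sample in (SAMPLE_4611, SAMPLE_DHCP):
        record = normalize(sample)
        print(record["normalizer"], record.get("event_id"), record.get("user"))
```

Swapping the chain order (generic first) still produces a record for the 4611 event, but `SubjectUserName` is never renamed to `user`, so searches and alerts built on the normalized key silently miss it; that is the failure the page's ordering rule prevents.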
We do our best to ensure the content provided is complete, accurate and up to date. Logpoint makes no representations or warranties of any kind, express or implied about the documentation. We update it on a best-effort basis.