GhettoSIEM

An essential part of using a SIEM is getting the logs from all nodes. This is a simple feat when dealing with Unix or Cisco IOS, but for the dreaded Windows OS it becomes a slight challenge.

I am running a Windows 2003 Server with IIS 6.0 and Exchange Enterprise 2007, plus a Windows XP client. For both of these I need all of the event and service logs centralized.

My solution:

Windows Event Logs: NTSyslog2 (Eventlog to syslog forwarder)

Exchange Logs: I used the Exchange Management Shell to set all log types to ‘Expert’ level, which sends the detailed events to the Windows event logs, from where they are forwarded to the syslog server.

IIS Logs: After configuring IIS to store logs in W3SVC as a single non-rotated file, I wrote this simple script to tail the file and then forward each entry as a syslog event.
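The tail-and-forward step described above, as an added example rather than the author's script (which the page does not reproduce): it follows the W3C extended log, keeps track of the `#Fields` header so columns never misalign, and emits each entry as an RFC 3164 syslog line over UDP. The sample log lines, the hostname, the local4 facility and the collector address are all constructed assumptions.

```python
import socket
import time
from datetime import datetime

# Constructed sample of an IIS 6.0 W3C extended log; not taken from the post.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2009-03-01 00:00:01 10.0.0.5 GET /default.htm - 80 - 10.0.0.9 200
2009-03-01 00:00:02 10.0.0.5 GET /owa/ - 443 DOMAIN\\user 10.0.0.9 401
"""
PRI = 20 * 8 + 6  # facility local4, severity informational (an assumed choice)


def parse_w3c(lines, fields=None):
    """Yield a dict per entry keyed by the latest #Fields header (IIS rewrites it when options change)."""
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip half-written or malformed lines, never misalign
                yield dict(zip(fields, values))


def to_syslog(entry, hostname="iis-host", tag="iis"):
    """Format an entry as an RFC 3164 line: <PRI>Mmm dd HH:MM:SS host tag: k=v ..."""
    when = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    body = " ".join("%s=%s" % (k, v) for k, v in entry.items())
    return "<%d>%s %s %s: %s" % (PRI, stamp, hostname, tag, body)


def follow(fh, poll=1.0):
    """Yield lines as they are appended to fh, like `tail -f`; blocks forever."""
    while True:
        line = fh.readline()
        if line:
            yield line
        else:
            time.sleep(poll)


def tail_and_forward(path, server, port=514):
    """Learn the #Fields header already in effect, then UDP-forward only new entries."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    with open(path, "r") as fh:
        # One pass through the existing content to find the current header; fh ends at EOF.
        headers = [l.split()[1:] for l in iter(fh.readline, "") if l.startswith("#Fields:")]
        for entry in parse_w3c(follow(fh), headers[-1] if headers else None):
            sock.sendto(to_syslog(entry).encode("utf-8"), (server, port))
```

Run it as `tail_and_forward(r"C:\WINDOWS\system32\LogFiles\W3SVC1\ex.log", "10.0.0.1")` with your own log path and collector; the path shown is only an illustration of the layout, not taken from the page.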