Correlating Windows Events
Sample Windows Event Correlation
LogZilla can be used with Simple Event Correlator SEC to supplement Windows event log messages for use in reporting and alerting.
Example Problem
The event log service is critical to maintaining awareness of operations performed on or by the system of interest. It would be desirable to track event log startup after event log shutdown in order to verify that any time window in which event logging is turned off is minimal. This example will verify that the event log service is restarted after no more than 10 seconds since shutdown.
LogZilla will receive the following events from the Windows Syslog Agent:
Event message #1:
Event message #2:
Example Solution
This example will require a LogZilla Forwarder rule to output these messages to a file that SEC will be monitoring:
window_size: 1
fast_forward_first: true
forwarders:
- match:
value: The Event log service was (stopped|started).
op: "=~"
field: message
type: file
target: "/var/log/logzilla/sec/simple.log"
rules:
- match:
value: The Event log service was (stopped|started).
op: "=~"
field: message
rewrite:
message: $MESSAGE LZ_Originating_Host="$HOST" LZ_Operation="$1"
Now with this forwarder rule the appropriate event messages, with the added information about the originating host, will be written by LogZilla to the simple.log
file that SEC will monitor.
Then SEC should have a rule similar to the following:
#
# SEC rule for Windows event log shutdown / startup
#
type=PairWithWindow
ptype=RegExp
pattern=The Event log service was stopped. LZ_Originating_Host=\"([^"].)\"
desc=Event log service on $1 has been down for over 10 seconds.
action=pipe '%t: %s' /bin/mail [email protected]
ptype2=RegExp
pattern2=The Event log service was started. LZ_Originating_Host=\"([^"].)\"
desc2=Event log service on $1 successfully restarted within 10 seconds.
action2=logonly
window=10
SEC will be executed with parameters to monitor the file simple.log
(for example by specifying --input=/var/log/logzilla/sec/simple.log
). Then
when LogZilla writes the event log shutdown message to that file, SEC will see that new line in the file and an SEC operation will be created for that hostname. This operation will be watching for pattern2
to occur (in that same file) within the specified 10-second window.
If pattern2
is seen then the SEC operation performs action2
, which specifies to merely log the paired operation, and removes that SEC operation. However if it is not seen then action
(the first) will fire which will cause an email to be sent to [email protected], with a descriptive message indicating the reason for the alert.
So in general LogZilla should be configured with a forwarder rule that will write events of interest, potentially with supplemental information, to a log file that SEC monitors. SEC then can be configured in any desired manner (that it allows) to handle and process these events that are forwarded by LogZilla. Note that, as in the example, this handling is enhanced due to the additional information that can be provided by the LogZilla Windows Syslog Agent and LogZilla, such as originating host, event severity, user-defined additional fields, and so on.