Correlating Windows Events
Sample Windows Event Correlation
LogZilla can be used together with Simple Event Correlator (SEC) to supplement Windows event log messages for use in reporting and alerting.
The event log service is critical to maintaining awareness of operations performed on or by the system of interest: while it is stopped, nothing is recorded, whether the stop is routine maintenance or an attempt to evade logging. It is therefore worth tracking event log startup after event log shutdown, to verify that any window in which event logging is off is minimal. This example verifies that the event log service is restarted no more than 10 seconds after it was stopped, and raises an alert when it is not.
Event message #1 (Windows Event ID 6006): The Event log service was stopped.
Event message #2 (Windows Event ID 6005): The Event log service was started.
This example will require a LogZilla Forwarder rule to output these messages to a file that SEC will be monitoring:
window_size: 1
fast_forward_first: true
forwarders:
  - match:
      value: The Event log service was (stopped|started).
      op: "=~"
      field: message
    type: file
    target: "/var/log/logzilla/sec/simple.log"
rules:
  - match:
      value: The Event log service was (stopped|started).
      op: "=~"
      field: message
    rewrite:
      message: $MESSAGE LZ_Originating_Host="$HOST" LZ_Operation="$1"
With this forwarder rule in place, the matching event messages, with the originating host and the operation (stopped or started) appended as LZ_Originating_Host and LZ_Operation, are written by LogZilla to the simple.log file that SEC monitors.
Then SEC should have a rule similar to the following:
#
# SEC rule for Windows event log shutdown / startup
#
type=PairWithWindow
ptype=RegExp
pattern=The Event log service was stopped\. LZ_Originating_Host="([^"]*)"
desc=Event log service on $1 has been down for over 10 seconds.
action=pipe '%t: %s' /bin/mail [email protected]
ptype2=RegExp
# $1 in pattern2 is substituted with the host captured by pattern, so only the
# same host's startup message closes this operation; the parentheses keep it
# available as $1 for desc2.
pattern2=The Event log service was started\. LZ_Originating_Host="($1)"
desc2=Event log service on $1 successfully restarted within 10 seconds.
action2=logonly
window=10
SEC is started with parameters that make it monitor simple.log (for example by specifying that file as its input). When LogZilla writes the event log shutdown message to that file, SEC sees the new line and creates a PairWithWindow operation for that hostname; SEC keys operations on the desc string, which here includes the host, so each host has at most one operation open at a time. The operation then watches the same file for pattern2, the corresponding startup message from that host, within the 10-second window. If pattern2 is seen in time, the operation performs action2, which merely logs the pairing, and the operation is removed. If it is not seen, action (the first) fires when the window expires and sends an email to [email protected] with a descriptive message indicating the reason for the alert.
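To make the two stages concrete, the following is an added Python emulation, written for this page and not code from LogZilla or SEC, of the forwarder rewrite that produces the simple.log lines and of the PairWithWindow pairing run over those lines. The hostnames, timestamps and the unrelated uptime message are constructed sample data, and the rule that an event landing exactly on the 10-second boundary still counts as inside the window is an assumption of this emulation, not a statement about SEC's timer. It also exercises the case the prose does not spell out: a startup message from a different host must not close another host's operation.

```python
import re
from typing import Iterable, List, Tuple

# --- Stage 1: the LogZilla forwarder rewrite --------------------------------
# Events whose message matches the regex are rewritten to
#   '<message> LZ_Originating_Host="<host>" LZ_Operation="<stopped|started>"'
# and written to simple.log; everything else is not forwarded.
MATCH_RE = re.compile(r"The Event log service was (stopped|started)\.")


def forward(events: Iterable[Tuple[int, str, str]]) -> List[Tuple[int, str]]:
    """events: (timestamp_seconds, host, message) as LogZilla would see them.
    Returns the (timestamp, line) pairs that land in simple.log."""
    out = []
    for ts, host, message in events:
        m = MATCH_RE.search(message)
        if m:
            out.append((ts, f'{message} LZ_Originating_Host="{host}" LZ_Operation="{m.group(1)}"'))
    return out


# --- Stage 2: the SEC PairWithWindow rule ------------------------------------
WINDOW = 10  # seconds; the rule's window=10

# pattern / pattern2 of the SEC rule, applied to the rewritten lines.
STOPPED_RE = re.compile(r'The Event log service was stopped\. LZ_Originating_Host="([^"]*)"')
STARTED_RE = re.compile(r'The Event log service was started\. LZ_Originating_Host="([^"]*)"')


def correlate(lines: Iterable[Tuple[int, str]], end_ts: int, window: int = WINDOW) -> List[str]:
    """Emulates PairWithWindow: one open operation per host (SEC keys operations
    on desc, which carries the hostname). If that host's 'started' arrives within
    `window` seconds, action2 (logonly) fires; otherwise action (the mail alert)
    fires once the window has expired. Assumption: an event exactly at the
    boundary still counts as inside the window."""
    pending = {}  # host -> timestamp of the 'stopped' event that opened the operation
    results = []

    def expire(now: int) -> None:
        # Close every operation whose window has run out without a matching start.
        for host, t0 in sorted(pending.items(), key=lambda kv: kv[1]):
            if now - t0 > window:
                results.append(f"ALERT: Event log service on {host} has been down for over {window} seconds.")
                del pending[host]

    for ts, line in sorted(lines, key=lambda x: x[0]):
        expire(ts)
        m = STOPPED_RE.search(line)
        if m:
            # A second 'stopped' while an operation is open does not open another.
            pending.setdefault(m.group(1), ts)
            continue
        m = STARTED_RE.search(line)
        if m and m.group(1) in pending:
            # Only the same host's 'started' closes the operation (pattern2 pinned to $1).
            del pending[m.group(1)]
            results.append(f"LOG: Event log service on {m.group(1)} successfully restarted within {window} seconds.")
    expire(end_ts)
    return results


# Constructed sample input (not real captured data): (timestamp, host, message)
SAMPLE_EVENTS = [
    (0, "DC01", "The Event log service was stopped."),
    (3, "DC01", "The Event log service was started."),        # back in 3 s -> logonly
    (5, "FS02", "The Event log service was stopped."),
    (7, "WEB03", "The Event log service was started."),       # other host; must not close FS02
    (8, "FS02", "The system uptime is 86400 seconds."),        # unrelated; never forwarded
    (30, "DC01", "The Event log service was stopped."),
    (35, "DC01", "The Event log service was started."),       # logonly again
]


def run(events=SAMPLE_EVENTS, end_ts: int = 60) -> List[str]:
    return correlate(forward(events), end_ts)


if __name__ == "__main__":
    for result in run():
        print(result)
```

Running the block prints one LOG line for DC01, an ALERT for FS02 (whose only candidate "started" came from WEB03 and is rightly ignored), then a second LOG line for DC01. Swapping the `($1)` pin out of pattern2 in the real SEC rule would let the WEB03 startup close the FS02 operation, which is the failure mode the emulation guards against.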
In general, then, LogZilla is configured with a forwarder rule that writes events of interest, optionally with supplemental information, to a log file that SEC monitors. SEC can then be configured in any manner it allows to handle and process the events LogZilla forwards. As the example shows, this handling is strengthened by the additional information the LogZilla Windows Syslog Agent and LogZilla can supply, such as originating host, event severity and user-defined additional fields.