Skip to content

Correlating Windows Events

Sample Windows Event Correlation

LogZilla can be used with Simple Event Correlator SEC to supplement Windows event log messages for use in reporting and alerting.

Example Problem

The event log service is critical to maintaining awareness of operations performed on or by the system of interest. It would be desirable to track event log startup after event log shutdown in order to verify that any time window in which event logging is turned off is minimal. This example will verify that the event log service is restarted after no more than 10 seconds since shutdown.

LogZilla will receive the following events from the Windows Syslog Agent: LogZilla Windows Event Log events

Event message #1:

The Event log service was stopped.

Event message #2:

The Event log service was started.

Example Solution

This example will require a LogZilla Forwarder rule to output these messages to a file that SEC will be monitoring:

{
  "window_size": 1,
  "fast_forward_first": true,
  "forwarders": [
    {
      "match": {
        "value": "The Event log service was (stopped|started).",
        "op": "=~",
        "field": "message"
      },
      "type": "file",
      "target": "/var/log/logzilla/sec/simple.log",
      "rules": [
        {
         "match": {
           "value": "The Event log service was (stopped|started).",
           "op": "=~",
           "field": "message"
          },
          "rewrite": {
            "message": "$MESSAGE LZ_Originating_Host=\"$HOST\" LZ_Operation=\"$1\""
          }
        }
      ]
    }
  ]
}

Now with this forwarder rule the appropriate event messages, with the added information about the originating host, will be written by LogZilla to the simple.log file that SEC will monitor.

Then SEC should have a rule similar to the following:

#
# SEC rule for Windows event log shutdown / startup
#

type=PairWithWindow
ptype=RegExp
pattern=The Event log service was stopped. LZ_Originating_Host=\"([^"].)\"
desc=Event log service on $1 has been down for over 10 seconds.
action=pipe '%t: %s' /bin/mail opadmin@mail.company.com
ptype2=RegExp
pattern2=The Event log service was started. LZ_Originating_Host=\"([^"].)\"
desc2=Event log service on $1 successfully restarted within 10 seconds.
action2=logonly
window=10 

SEC will be executed with parameters to monitor the file simple.log (for example by specifying --input=/var/log/logzilla/sec/simple.log). Then when LogZilla writes the event log shutdown message to that file, SEC will see that new line in the file and an SEC operation will be created for that hostname. This operation will be watching for pattern2 to occur (in that same file) within the specified 10-second window.

If pattern2 is seen then the SEC operation performs action2, which specifies to merely log the paired operation, and removes that SEC operation. However if it is not seen then action (the first) will fire which will cause an email to be sent to opadmin@mail.company.com, with a descriptive message indicating the reason for the alert.

So in general LogZilla should be configured with a forwarder rule that will write events of interest, potentially with supplemental information, to a log file that SEC monitors. SEC then can be configured in any desired manner (that it allows) to handle and process these events that are forwarded by LogZilla. Note that, as in the example, this handling is enhanced due to the additional information that can be provided by the LogZilla Windows Syslog Agent and LogZilla, such as originating host, event severity, user-defined additional fields, and so on.