Ms Windows
LogZilla App Store application: Ms Windows
Overview
Microsoft Windows is a desktop and server operating system. Services and programs running on Windows write log events to the Windows Event Log, where they are kept at the system level and organized by event log (for example Application, Security or System) and by source program (provider).
The LogZilla Windows Syslog Agent is a Windows service developed by LogZilla Corp that reads Windows log events from the local system and forwards them to the LogZilla server for recording and processing. Agent version 2.0.0.0 or greater is required. The most recent version is available on the LogZilla "extras" GitHub repository.
App Function
The MS Windows app processes core Windows event fields but does not create user tags for all available data elements by default. While the LogZilla Windows Syslog Agent conveys all data elements associated with Windows events, the extensive variety of possible data elements makes it impractical to process all fields automatically.
Organizations may find value in the additional data elements for specific use cases. Custom user tags or rules can be created to process these additional data elements after the main app rules have run. Contact LogZilla support for assistance with custom processing requirements.
Vendor Documentation
Incoming Log Format
Windows events use a native event log format, but for LogZilla integration, the Windows Syslog Agent converts events into JSON format that contains the important data associated with each event. Examples of both formats are provided below.
Example Logs
Raw Log Message Text

Raw Data Elements

XML Data View

JSON Format
The following example shows the JSON message format that the Windows Syslog Agent produces and sends to the LogZilla server. This is the data format that the MS Windows app receives and processes:
```json
{
  "_source_type": "WindowsAgent",
  "_log_type": "eventlog",
  "host": "AMBxxxxx",
  "program": "Microsoft-Windows-Security-Auditing",
  "event_id": "5379",
  "event_log": "System",
  "severity": 5,
  "facility": 20,
  "message": "EventID=\"5379\" EventLog=\"System\"\r\nCredential Manager credentials were read.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tAMBxxxx$\r\n\tAccount Domain:\t\tAARONxxxx\r\n\tLogon ID:\t\t0x3E7\r\n\tRead Operation:\t\tEnumerate Credentials\r\n\r\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.",
  "SubjectUserSid": "S-1-5-18",
  "SubjectUserName": "AMBxxxx$",
  "SubjectDomainName": "AARONxxxx",
  "SubjectLogonId": "0x3e7",
  "TargetName": "WindowsLive:(cert):name=02lxtgtzzmbeitpx;serviceuri=*",
  "Type": "0",
  "CountOfCredentialsReturned": "0",
  "ReadOperation": "%%8100",
  "ReturnCode": "3221226021",
  "ProcessCreationTime": "2022-04-10T02:09:44.7934892Z",
  "ClientProcessId": "9744"
}
```
Certain fields (such as program, event_id, and severity) are always included in the JSON event data. Other fields (such as SubjectUserSid, TargetName, and ReadOperation) are specific data elements associated with this particular Windows event type (corresponding to the event ID). All data fields are available to LogZilla for processing and analysis.