
Windows Syslog Server Configuration
There are a lot of things that Microsoft does right; however, one that they have not yet seemed to master is an effective centralized logging solution. In this video we are going to cover centralized log management using the standard syslog protocol and the open source Snare log format. Snare is a piece of open source software by a company called Intersect Alliance. Intersect Alliance has an open source client for Microsoft Windows platforms and an open source server that allows the central collection of Windows event logs in your environment. Their installation process is very simple and can be accomplished in about 2 to 3 minutes per host.
Links to Software
- Snare / Intersect Alliance website: http://www.intersectalliance.com
- Snare Epilog Windows Client: download windows syslog client here
- Snare Backlog Syslog Server for Windows: download windows syslog server here
- Snare documentation page: download documentation in PDF format
There are two pieces of software that you will need to download in order to complete this. The first is the Snare Epilog Windows client; the download location is listed above. The second is the Snare Backlog syslog server for Windows; the link is also listed above.
First we will cover the Backlog server installation. The Backlog server installs like any other software; you can leave all of the options at their defaults. If you would like a step-by-step guide on how to install the server portion please refer to the video. Once the Backlog server is installed you will need to modify your Windows firewall to allow inbound connections. To get to this menu select Start, Administrative Tools, and then Windows Firewall with Advanced Security. When the Windows firewall interface comes up, right-click the Inbound Rules option and select New Rule. For the rule type select Port; on the next screen select UDP, and for the specific local ports option enter port 514. Under the "what action should be taken" section select Allow the connection, and under the "when does this rule apply" section we are using all of our available profiles. On the last screen give this rule a name that you feel is appropriate and select Finish.
There is one option that you will need to keep an eye out for in the client installation portion. As you go through the client installation, make sure that you select Yes when you get to the screen that asks: "Do you want Snare to take over control of your event log configuration?" If you do not select Yes at this option, any configuration options that are pushed down via Group Policy will override Snare's ability to manage your event logs. You have the option to create a local account to run the Snare service that will be installed, or you can run the Snare service using the Local System account. Lastly, when you get to the screen that is labeled "Remote Control Interface", I would recommend that you enable web access, that you do require a password, and that you limit access to local only. This will lock down access to the configuration options for your Snare client. Repeat this process on as many clients as you would like to enable logging on.
The next step that you will need to take on your clients is to create a new Microsoft Windows firewall rule to allow outgoing connections to UDP port 514. When the Windows Firewall with Advanced Security screen comes up, right-click the option that says Outbound Rules and select New Rule. Under the new rule type we will be selecting the Port option. When you're done, select the Next button and select the option that says UDP under "Does this rule apply to TCP or UDP?". In the text box that says "specific remote ports" make sure you enter port 514. UDP port 514 is the standard syslog port.
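The same two firewall rules from the server and client steps above can be created with PowerShell instead of the GUI, with a quick check that the Backlog server is really listening and a test syslog datagram sent from a client. This is an added example, not part of the original tutorial or Snare's own tooling; the rule names and the server address are assumptions, and the outbound rule is tightened to the Backlog server's address only rather than any remote host.

```powershell
# Added example (not from the original post): recreate the two firewall rules
# from the walkthrough with PowerShell, then verify and send a test message.
# Rule display names and the server address below are assumptions.

$SyslogServer = '192.0.2.10'   # placeholder: your Snare Backlog server address

# On the Backlog server: allow inbound UDP 514 on all profiles
New-NetFirewallRule -DisplayName 'Snare Backlog syslog (UDP 514 in)' `
    -Direction Inbound -Protocol UDP -LocalPort 514 -Action Allow -Profile Any

# On each Snare client: allow outbound UDP 514, but only to the syslog server
# (tighter than the GUI walkthrough, which allows any remote address)
New-NetFirewallRule -DisplayName 'Snare client syslog (UDP 514 out)' `
    -Direction Outbound -Protocol UDP -RemotePort 514 `
    -RemoteAddress $SyslogServer -Action Allow -Profile Any

# On the server: confirm something is actually bound to UDP 514 and which
# process owns it (should be the Backlog service)
Get-NetUDPEndpoint -LocalPort 514 |
    Select-Object LocalAddress, LocalPort, OwningProcess

# From a client: send one RFC 3164-style test line. PRI = facility*8 + severity;
# facility syslog (5) and severity notice (5) give <45>.
$client = New-Object System.Net.Sockets.UdpClient
$msg    = "<45>$(Get-Date -Format 'MMM dd HH:mm:ss') $env:COMPUTERNAME Snare firewall test"
$bytes  = [System.Text.Encoding]::ASCII.GetBytes($msg)
$client.Send($bytes, $bytes.Length, $SyslogServer, 514) | Out-Null
$client.Close()
```

If the test line shows up in the Backlog log directory, the firewall path and the listener are both working before you touch the Snare client's network configuration.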
Once your client is installed, open your web browser and go to localhost on port 6161. Log in if you set a username and password, and then go to the Network Configuration option. Under the option for destination Snare server address enter the address of your Snare Backlog server. Make sure you change your destination port to port 514, check the box labeled "Allow Snare to automatically set audit configuration", check the box labeled "Allow Snare to automatically set file audit configuration", check the box labeled "Export Snare log data to a file", and finally select the box labeled "Enable syslog header". For the syslog facility dropdown select the "syslog" option, and under syslog priority select "dynamic".
Once all of your software is installed you may want to configure where you will place your log files. If you want to change any of your configuration options you will have to right-click on the Backlog icon and select Run as administrator. From there, if you select the button with the gears icon on it, the software will present you with various formats to save your logs in and various logging location options. I personally like to save my logs in the format of date and server name. Also be aware that Snare does not manage its log file sizes, so you will want to be sure to place these log files on a disk with plenty of space. Now, as long as you followed all of these steps, you should have a fully functioning syslog environment for all of your Windows servers. If something is unclear, or if you are unable to follow along, please view the video, as each of these steps is displayed there.
Thank you for joining us in following along on our syslog tutorial for Windows Server. Please do follow us on Twitter and subscribe to us on YouTube. If you have any comments or feedback, please feel free to post them or send us feedback via the contact page.
I just want to let you know that I discovered this site today and while I don’t have time to really go through it I did check it out. I will have to say that I’m very impressed. Could you give me any info on other sites that you may have?
Thank you Mike for stopping by, I'm glad you're enjoying the site. I read a lot of good old-fashioned books, and I subscribe to a website and magazine called "Windows IT Pro"
http://www.windowsitpro.com/
I use Google Reader and try to pull in as many news feeds as I can to try to keep current with Windows news. Again, thanks for stopping by and leaving a comment.
Have a great day!
Steve
Well done, another great video. I have used this to configure snare in my operate environment. Any chance of a Linux tutorial on the same subject?
I could do a Linux tutorial, but I believe it's just a line in the rsyslog file. I have a whole additional site I'm doing some other videos on, http://www.overworkedadmin.com; I'll most likely end up doing a whole Linux series.