Knowledge Base Community Release Notes Request Demo

Windows Event Logs

Stream Windows Event Logs directly to Panther over HTTPS

PreviousTracebit Logs NextWiz Logs

Last updated 3 months ago

Was this helpful?

Windows Event Logs

Stream Windows Event Logs directly to Panther over HTTPS

Overview

Panther supports ingesting Windows Event Logs through an , after they are forwarded with

How to onboard Windows Event Logs to Panther

Step 1: Create a new Windows Event Logs source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Windows Event Logs,” then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's , beginning at Step 5.
- When setting the Auth method for the source, we recommend using .
- Payloads sent to this source are subject to the .

After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.

Step 2: Configure Fluent Bit in Windows

- You must use winevtlog. Other modules are deprecated and will not work.
- If you are using Windows Server 2012, Use_ANSI True may be required.
- If in Step 1 you chose JSON as your HTTP Source's Stream Type, in the OUTPUT section, provide Format a value of json_lines.
Start Fluent Bit, passing the path to your new config file.

Fluent Bit configuration file examples

Ingest System and Security Logs

Configure the following in your Fluent Bit configuration file:

[INPUT] variables:
- Channels: Set this to System,Security
[OUTPUT] variables:
- Host: Enter your Panther URL.
  - Example: logs.instance-name.runpanther.net
- URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/.
  - Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
- Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
- Name: Set to http.
- TLS: Set to ON.
- Port: Set to 443.

[SERVICE]
    Flush 5
    Daemon off
    Log_Level info

[INPUT]
    Name         winevtlog
    Channels     System,Security
    Interval_Sec 1
    DB           winevtlog.sqlite

[OUTPUT]
    Name         http
    Match        *
    Host         logs.instance-name.runpanther.net
    Port         443
    URI          /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    Header       x-sender-header {YOUR_SECRET_HERE}
    Format       json_lines
    TLS          On
    TLS.Verify   On

Ingest Sysmon Logs

- This process will create Windows Event Logs which Fluent Bit will ship to Panther.
Configure the following in your Fluent Bit configuration file:
- [INPUT] variables:
  - Channels: Set this to Microsoft-Windows-Sysmon/Operational
- [OUTPUT] variables:
  - Host: Enter your Panther URL.
    Example: logs.instance-name.runpanther.net
  - URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/.
    Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
  - Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
  - Name: Set to http.
  - TLS: Set to ON.
  - Port: Set to 443.

[SERVICE]
    Flush 5
    Daemon on
    Log_Level info

[INPUT]
    Name         winevtlog
    Channels     Microsoft-Windows-Sysmon/Operational
    Interval_Sec 1
    DB           winevtlog.sqlite

[OUTPUT]
    Name         http
    Match        *
    Host         logs.instance-name.runpanther.net
    Port         443
    URI          /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    Header       x-sender-header {YOUR_SECRET_HERE}
    Format       json_lines
    TLS          On
    TLS.Verify   On

Supported log types

Windows.EventLogs

schema: Windows.EventLogs
description: Windows Event Logs
referenceURL: https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-elements
fields:
  - name: ProcessID
    description: Identifies the process that generated the event.
    type: string
  - name: ThreadID
    description: Identifies the thread that generated the event.
    type: string
  - name: TimeCreated
    description: The time stamp that identifies when the event was logged.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S %z'
    isEventTime: true
  - name: EventID
    description: The identifier that the provider used to identify the event.
    type: string
  - name: ProviderName
    description: The name of the event provider that logged the event.
    type: string
  - name: ProviderGuid
    description: The globally unique identifier that uniquely identifies the provider.
    type: string
  - name: Qualifiers
    description: A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of EventID element contains the low-order 16 bits of the event identifier and the Qualifier attribute contains the high-order 16 bits of the event identifier.
    type: string
  - name: Version
    description: The version number of the event's definition.
    type: string
  - name: Level
    description: The severity level defined in the event.
    type: string
  - name: Task
    description: The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
    type: string
  - name: Opcode
    description: The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
    type: string
  - name: Keywords
    description: A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
    type: string
  - name: EventRecordID
    description: The record number assigned to the event when it was logged.
    type: string
  - name: ActivityID
    description: A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
    type: string
    indicators:
      - trace_id
  - name: RelatedActivityID
    description: A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifier.
    type: string
  - name: Channel
    description: The channel to which the event was logged.
    type: string
  - name: Computer
    description: The name of the computer on which the event occurred.
    type: string
    indicators:
      - username
  - name: UserID
    description: The security identifier (SID) of the user in string form.
    type: string
    indicators:
      - username
  - name: Message
    description: The rendered message string of the event.
    type: string
  - name: StringInserts
    description: A list of arbitrary event-specific data. Created by fluent-bit
    type: json
  - name: ExtraEventData
    description: Extra Key Value pair map that is extracted from the Message field. This is a field added by Panther to allow for easy structued querying/detection writing.
    type: json