# Windows Event Logs

## Overview

Panther supports ingesting Windows Event Logs through an [HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http), after they are forwarded with [Fluent Bit](https://docs.fluentbit.io/manual/).

## How to onboard Windows Event Logs to Panther

### Step 1: Create a new Windows Event Logs source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Windows Event Logs,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![On the new log source setup page, the Windows Event Logs tile has been selected, and a slide out panel is shown. In the Transport Mechanism dropdown field, HTTP is selected. To its right is a Start Setup button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-62f6ffbdf62d420d25b82de52f863643c8da0154%2FScreenshot%202023-07-19%20at%202.43.36%20PM.png?alt=media)
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * When setting the **Auth method** for the source, we recommend using [**Shared Secret**](https://docs.panther.com/data-transports/http#shared-secret).
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements).

After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.

### Step 2: Configure Fluent Bit in Windows

1. Follow the [Getting Started with Fluent Bit instructions](https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bit) to install Fluent Bit as a service.
2. Create a [Fluent Bit configuration file](https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file). See the [examples below](#fluent-bit-configuration-file-examples) for instructions on configuring System and Security log streaming or Sysmon log streaming.
   * You must use the `winevtlog` input plugin. Other Windows event log input modules are deprecated and will not work.
   * If you are using Windows Server 2012, `Use_ANSI True` may be required.
   * If in Step 1 you chose **JSON** as your HTTP Source's **Stream Type**, in the `OUTPUT` section, provide `Format` a value of `json_lines`.
3. Start Fluent Bit, passing the path to your new config file.
   * To run Fluent Bit as a Daemon every time the machine starts, follow the [Windows Service instructions](https://docs.fluentbit.io/manual/installation/windows#windows-service-support).

#### Fluent Bit configuration file examples

{% tabs %}
{% tab title="System and Security Logs" %}
**Ingest System and Security Logs**

Configure the following in your Fluent Bit configuration file:

* `[INPUT]` variables:
  * **Channels**: Set this to `System,Security`
* `[OUTPUT]` variables:
  * **Host**: Enter your Panther URL.
    * Example: `logs.instance-name.runpanther.net`
  * **URI**: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with `/http/`.
    * Example: `/http/cb015ee4-543c-4489-9f4b-testaa16d7a`
  * **Header**: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
  * **Name**: Set to `http`.
  * **TLS**: Set to `On`.
  * **Port**: Set to `443`.

```editorconfig
[SERVICE]
    Flush 5
    Daemon off
    Log_Level info

[INPUT]
    Name         winevtlog
    Channels     System,Security
    Interval_Sec 1
    DB           winevtlog.sqlite

[OUTPUT]
    Name         http
    Match        *
    Host         logs.instance-name.runpanther.net
    Port         443
    URI          /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    Header       x-sender-header {YOUR_SECRET_HERE}
    Format       json_lines
    TLS          On
    TLS.Verify   On
```

{% endtab %}

{% tab title="Sysmon Logs" %}
**Ingest Sysmon Logs**

1. Configure `sysmon.exe` following the [guide by SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config).
   * Sysmon writes its events to the `Microsoft-Windows-Sysmon/Operational` Windows Event Log channel, which Fluent Bit will ship to Panther.
2. Configure the following in your Fluent Bit configuration file:
   * `[INPUT]` variables:
     * **Channels**: Set this to `Microsoft-Windows-Sysmon/Operational`
   * `[OUTPUT]` variables:
     * **Host**: Enter your Panther URL.
       * Example: `logs.instance-name.runpanther.net`
     * **URI**: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with `/http/`.
       * Example: `/http/cb015ee4-543c-4489-9f4b-testaa16d7a`
     * **Header**: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
     * **Name**: Set to `http`.
     * **TLS**: Set to `On`.
     * **Port**: Set to `443`.

```editorconfig
[SERVICE]
    Flush 5
    Daemon on
    Log_Level info

[INPUT]
    Name         winevtlog
    Channels     Microsoft-Windows-Sysmon/Operational
    Interval_Sec 1
    DB           winevtlog.sqlite

[OUTPUT]
    Name         http
    Match        *
    Host         logs.instance-name.runpanther.net
    Port         443
    URI          /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    Header       x-sender-header {YOUR_SECRET_HERE}
    Format       json_lines
    TLS          On
    TLS.Verify   On
```

{% endtab %}
{% endtabs %}
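Before pointing the `[OUTPUT]` block at the real ingest URL, it is useful to confirm that Fluent Bit is sending the shared-secret header and `json_lines` payloads the HTTP source expects. The following is an added example, not Panther's or Fluent Bit's code: a local stand-in receiver that only mimics the two checks that matter for this setup (reject a request whose shared-secret header is missing or wrong, then parse the body as one JSON object per line). The header name `x-sender-header`, the ingest path and the secret value are the placeholders from the sample configuration above, and the sample events in the test are constructed.

```python
"""Local stand-in for a Panther HTTP source (added example, not Panther code).

Assumptions: the header name and ingest path are the placeholders from the
Fluent Bit sample config; the secret is a constructed value. Only two
behaviours are mimicked: shared-secret header check and json_lines parsing.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET_HEADER = "x-sender-header"                      # placeholder from the sample config
SHARED_SECRET = "replace-with-the-secret-from-the-panther-console"  # constructed
URI = "/http/cb015ee4-543c-4489-9f4b-testaa16d7a"      # placeholder from the sample config


def is_authorized(headers: dict, expected_secret: str = SHARED_SECRET) -> bool:
    """Constant-time comparison of the shared-secret header.
    HTTP header names are case-insensitive, so normalise before the lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def parse_json_lines(body: bytes) -> list:
    """Decode a json_lines body: one JSON object per line, blank lines ignored.
    A malformed line raises ValueError, so a wrong Fluent Bit `Format`
    (for example a JSON array instead of json_lines) is caught early."""
    events = []
    for lineno, raw in enumerate(body.decode("utf-8").splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} is not valid JSON: {exc}") from exc
        if not isinstance(event, dict):
            raise ValueError(f"line {lineno} is JSON but not an object")
        events.append(event)
    return events


def summarize(events: list) -> dict:
    """Count events per Channel, to confirm the [INPUT] Channels setting
    really produced System/Security or Sysmon records."""
    counts = {}
    for ev in events:
        channel = ev.get("Channel", "<missing>")
        counts[channel] = counts.get(channel, 0) + 1
    return counts


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != URI:
            self.send_error(404, "unknown ingest path")
            return
        if not is_authorized(dict(self.headers)):
            self.send_error(401, "bad or missing shared secret")
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            events = parse_json_lines(body)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        print(f"accepted {len(events)} events: {summarize(events)}")
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    # For this local check only, point the Fluent Bit [OUTPUT] at
    # Host 127.0.0.1, Port 8080 with TLS Off; the real source needs TLS On.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run the script, temporarily point the Fluent Bit `[OUTPUT]` block at it, and watch the per-channel counts it prints; a 401 means the `Header` line does not match what the console generated, and a 400 means `Format` is not `json_lines`.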

## Supported log types

### Windows.EventLogs

```yaml
schema: Windows.EventLogs
description: Windows Event Logs
referenceURL: https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-elements
fields:
  - name: ProcessID
    description: Identifies the process that generated the event.
    type: string
  - name: ThreadID
    description: Identifies the thread that generated the event.
    type: string
  - name: TimeCreated
    description: The time stamp that identifies when the event was logged.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S %z'
    isEventTime: true
  - name: EventID
    description: The identifier that the provider used to identify the event.
    type: string
  - name: ProviderName
    description: The name of the event provider that logged the event.
    type: string
  - name: ProviderGuid
    description: The globally unique identifier that uniquely identifies the provider.
    type: string
  - name: Qualifiers
    description: A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of the EventID element contains the low-order 16 bits of the event identifier and the Qualifiers attribute contains the high-order 16 bits of the event identifier.
    type: string
  - name: Version
    description: The version number of the event's definition.
    type: string
  - name: Level
    description: The severity level defined in the event.
    type: string
  - name: Task
    description: The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
    type: string
  - name: Opcode
    description: The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
    type: string
  - name: Keywords
    description: A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
    type: string
  - name: EventRecordID
    description: The record number assigned to the event when it was logged.
    type: string
  - name: ActivityID
    description: A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
    type: string
    indicators:
      - trace_id
  - name: RelatedActivityID
    description: A globally unique identifier that identifies the activity to which control was transferred. The related events would then have this identifier as their ActivityID identifier.
    type: string
  - name: Channel
    description: The channel to which the event was logged.
    type: string
  - name: Computer
    description: The name of the computer on which the event occurred.
    type: string
    indicators:
      - username
  - name: UserID
    description: The security identifier (SID) of the user in string form.
    type: string
    indicators:
      - username
  - name: Message
    description: The rendered message string of the event.
    type: string
  - name: StringInserts
    description: A list of arbitrary event-specific data. Populated by Fluent Bit.
    type: json
  - name: ExtraEventData
    description: Extra key-value pair map extracted from the Message field. This field is added by Panther to allow for easy structured querying and detection writing.
    type: json
```
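To show how the schema fields above are used once the events land in Panther, here is an added example of a Python detection rule; it is not part of the Panther documentation or Panther's built-in rule set. It alerts when the Security audit log is cleared. The assumptions are that EventID `1102` on the `Security` channel is the standard Windows "The audit log was cleared" event (a well-known value, not taken from this page), and that the sample record is constructed in the shape Fluent Bit's `winevtlog` input emits, with field names matching the schema. Note that the schema types `EventID` as a string, so comparisons are done on strings.

```python
"""Panther rule over Windows.EventLogs (added example, not Panther's own code).

Assumption: EventID 1102 on the Security channel is the well-known
Windows 'The audit log was cleared' event; the sample record is constructed.
"""

CLEARED_EVENT_ID = "1102"
SECURITY_CHANNEL = "Security"


def _event_id(event) -> str:
    # The schema declares EventID as a string; normalise so a rule test
    # that passes an int still matches.
    return str(event.get("EventID", ""))


def rule(event) -> bool:
    """Fire for a Security-log-cleared event, ignore everything else."""
    return (
        event.get("Channel") == SECURITY_CHANNEL
        and _event_id(event) == CLEARED_EVENT_ID
    )


def title(event) -> str:
    computer = event.get("Computer", "<unknown host>")
    actor = event.get("UserID", "<unknown SID>")
    return f"Windows Security log cleared on {computer} by {actor}"


def dedup(event) -> str:
    # One alert per host per dedup window, however many records arrive.
    return event.get("Computer", "<unknown host>")


def severity(event) -> str:
    return "HIGH"


# Constructed sample record, field names as in the Windows.EventLogs schema.
SAMPLE_CLEARED = {
    "ProviderName": "Microsoft-Windows-Eventlog",
    "EventID": "1102",
    "Channel": "Security",
    "Computer": "WS01.corp.example",
    "UserID": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "TimeCreated": "2023-07-19 14:43:36 +0000",
    "Message": "The audit log was cleared.",
    "StringInserts": [],
    "ExtraEventData": {},
}

# Constructed negative case: a failed logon on the same host.
SAMPLE_LOGON_FAILURE = dict(
    SAMPLE_CLEARED,
    EventID="4625",
    ProviderName="Microsoft-Windows-Security-Auditing",
    Message="An account failed to log on.",
)


if __name__ == "__main__":
    for sample in (SAMPLE_CLEARED, SAMPLE_LOGON_FAILURE):
        print(sample["EventID"], rule(sample), title(sample) if rule(sample) else "")
```

In a Panther rule test, `SAMPLE_CLEARED` should produce an alert titled with the host and the SID of the clearing account, and `SAMPLE_LOGON_FAILURE` should not; `dedup` keyed on `Computer` keeps a burst of clear events from one host to a single alert.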
