Windows Source (NG-SIEM)

Example
```yaml
sources:
  windows_events:
    type: wineventlog
    channels:
      - name: Application
      - name: Security
      - name: System
      - name: Windows PowerShell
      - name: ForwardedEvents
    sink: next-gen-siem-windows

  syslog_udp_1514:
    type: syslog
    mode: udp
    port: 1514
    maxEventSize: 2048
    sink: next-gen-siem-syslog-udp

sinks:
  next-gen-siem-windows:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    maxEventSize: 910000
    maxBatchSize: 12000000
    workers: 4

  next-gen-siem-syslog-udp:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    maxEventSize: 910000
    maxBatchSize: 12000000
    workers: 4
```
Introduction

This configuration provides a basic setup for collecting Windows event logs and syslog messages in a Windows-based environment using the Falcon LogScale Collector for NG-SIEM. It defines two sources:
- A wineventlog source for standard Windows logs (e.g. Application, Security, System).
- A syslog source for inbound syslog messages.

Each source sends its data to a dedicated HEC sink with its own token and ingest URL.

Step-by-Step
  1. Sources

     ```yaml
     sources:
       windows_events:
         type: wineventlog
         channels:
           - name: Application
           - name: Security
           - name: System
           - name: Windows PowerShell
           - name: ForwardedEvents
         sink: next-gen-siem-windows

       syslog_udp_1514:
         type: syslog
         mode: udp
         port: 1514
         maxEventSize: 2048
         sink: next-gen-siem-syslog-udp
     ```

     This fragment defines two input sources for NG-SIEM on Windows:
     - A windows_events source collecting logs from multiple standard Windows channels.
     - A syslog_udp_1514 source receiving messages over UDP on port 1514.

     Each source is routed to a matching sink for further processing.

  2. Sinks

     ```yaml
     sinks:
       next-gen-siem-windows:
         type: hec
         token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
         maxEventSize: 910000
         maxBatchSize: 12000000
         workers: 4

       next-gen-siem-syslog-udp:
         type: hec
         token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
         maxEventSize: 910000
         maxBatchSize: 12000000
         workers: 4
     ```

     This fragment defines two HEC-based sinks:
     - One for the Windows event log source.
     - One for the syslog UDP source.

     Each sink includes a token, an ingestion URL, and tuning parameters such as maximum event size, batch size and worker count.

  3. Event Result set.

Summary and Results

This configuration defines a minimal NG-SIEM setup for collecting structured logs from Windows hosts. It uses the wineventlog source to monitor critical Windows event channels and a syslog UDP listener to receive logs from external devices. Each source is paired with a matching hec sink that routes data to the CrowdStrike ingest endpoint, with support for batching, compression, and optional queuing.
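As an added example (not CrowdStrike's or the LogScale Collector's own code), the following Python script runs the checks a practitioner would want before rolling out a config like the one above: every source must point at a defined sink, the placeholder tokens and ingest URLs must have been replaced, and a source's maxEventSize must fit within its sink's limit. It assumes the YAML has already been parsed into a dict (for example with PyYAML's yaml.safe_load); the embedded sample is a constructed mirror of this page's example.

```python
import re

# Added example, not CrowdStrike's code. Takes the collector config already parsed into
# a dict, e.g. cfg = yaml.safe_load(open("config.yaml")) with PyYAML installed.
PLACEHOLDER = re.compile(r"X{8,}")  # redacted value left over from the docs


def check_collector_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means the config looks sane."""
    findings = []
    sources = cfg.get("sources") or {}
    sinks = cfg.get("sinks") or {}
    used = set()
    for name, src in sources.items():
        target = src.get("sink")
        used.add(target)
        if target not in sinks:
            findings.append(f"source {name}: sink '{target}' is not defined")
        elif src.get("maxEventSize", 0) > sinks[target].get("maxEventSize", 0):
            findings.append(f"source {name}: maxEventSize exceeds the sink's limit")
        if src.get("type") == "wineventlog" and not src.get("channels"):
            findings.append(f"source {name}: no channels listed")
        if src.get("type") == "syslog" and not 1 <= int(src.get("port", 0)) <= 65535:
            findings.append(f"source {name}: invalid port {src.get('port')}")
    for name, sink in sinks.items():
        if name not in used:
            findings.append(f"sink {name}: not referenced by any source")
        if sink.get("type") != "hec":
            continue
        token, url = str(sink.get("token", "")), str(sink.get("url", ""))
        if not token or PLACEHOLDER.search(token):
            findings.append(f"sink {name}: token is missing or still a placeholder")
        if not url.startswith("https://") or ".ingest." not in url:
            findings.append(f"sink {name}: url is not an https ingest endpoint")
        elif PLACEHOLDER.search(url):
            findings.append(f"sink {name}: url still contains a placeholder")
    return findings


# Constructed sample mirroring the example above (token and URL are the docs' placeholders).
_HEC = {"type": "hec", "token": "X" * 32, "maxEventSize": 910000,
        "url": "https://" + "X" * 32 + ".ingest.YY-Y.crowdstrike.com",
        "maxBatchSize": 12000000, "workers": 4}
SAMPLE_CFG = {
    "sources": {
        "windows_events": {"type": "wineventlog", "sink": "next-gen-siem-windows",
                           "channels": [{"name": c} for c in ("Application", "Security",
                                        "System", "Windows PowerShell", "ForwardedEvents")]},
        "syslog_udp_1514": {"type": "syslog", "mode": "udp", "port": 1514,
                            "maxEventSize": 2048, "sink": "next-gen-siem-syslog-udp"}},
    "sinks": {"next-gen-siem-windows": dict(_HEC), "next-gen-siem-syslog-udp": dict(_HEC)}}
```

Running check_collector_config(SAMPLE_CFG) on the page's example reports only the four unreplaced placeholders (one token and one URL per sink); a config that passes with an empty list is ready to deploy.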