Windows Multi-Source (NG-SIEM)

Example

```yaml
sources:
  windows_events:
    type: wineventlog
    channels:
      - name: Application
        excludeEventIDs: [903, 900]
      - name: Security
        onlyEventIDs: [4624, 4634, 4672]
      - name: System
      - name: Windows PowerShell
      - name: ForwardedEvents
    language: 1033
    includeXML: false
    sink: next-gen-siem-windows
  fileRead:
    type: file
    include:
      - c:\temp\flc_files\csv_sample2.csv
    exclude:
      - c:\temp\flc_files\ignore.txt
    excludeExtensions:
      - "gz"
      - "zip"
    multiLineBeginsWith: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    sink: next-gen-siem-fileread
  syslog_udp_1514:
    type: syslog
    mode: udp
    port: 1514
    sink: next-gen-siem-syslog-udp
    bind: "0.0.0.0"
    maxEventSize: 2048
  syslog_tcp_1515:
    type: syslog
    mode: tcp
    port: 1515
    sink: next-gen-siem-syslog-tcp
    bind: "0.0.0.0"
    maxEventSize: 900000
sinks:
  next-gen-siem-windows:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    proxy: none
    maxEventSize: 910000
    maxBatchSize: 12000000
    compression: gzip
    compressionLevel: 9
    workers: 4
    queue:
      type: disk
      fullAction: pause
      maxLimitInMB: 4096
  next-gen-siem-fileread:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    proxy: none
    maxEventSize: 910000
    maxBatchSize: 12000000
    compression: gzip
    compressionLevel: 9
    workers: 4
    queue:
      type: disk
      fullAction: pause
      maxLimitInMB: 4096
  next-gen-siem-syslog-udp:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    proxy: none
    maxEventSize: 910000
    maxBatchSize: 12000000
    compression: gzip
    compressionLevel: 9
    workers: 4
    queue:
      type: disk
      fullAction: pause
      maxLimitInMB: 4096
  next-gen-siem-syslog-tcp:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    proxy: none
    maxEventSize: 910000
    maxBatchSize: 12000000
    compression: gzip
    compressionLevel: 9
    workers: 4
    queue:
      type: disk
      fullAction: pause
      maxLimitInMB: 4096
```
Introduction

This configuration demonstrates how to collect and forward logs from multiple Windows-based sources into CrowdStrike NG-SIEM. It covers Windows Event Logs, local file ingestion, and Syslog messages received over both UDP and TCP. Each source is routed to a dedicated HEC sink, with optional disk queuing and gzip compression, to support reliable and scalable log ingestion.

Step-by-Step
  1. ```yaml
     sources:
       windows_events:
         type: wineventlog
         channels:
           - name: Application
             excludeEventIDs: [903, 900]
           - name: Security
             onlyEventIDs: [4624, 4634, 4672]
           - name: System
           - name: Windows PowerShell
           - name: ForwardedEvents
         language: 1033
         includeXML: false
         sink: next-gen-siem-windows
     ```

     This fragment collects Windows Event Logs from the Application, Security, System, Windows PowerShell and ForwardedEvents channels using the wineventlog source type. Per-channel filters narrow what is shipped: Application drops event IDs 903 and 900 (excludeEventIDs), and Security keeps only the logon, logoff and privileged-logon events 4624, 4634 and 4672 (onlyEventIDs). language: 1033 renders messages in US English, includeXML: false omits the raw event XML, and sink names the HEC sink the events are routed to.

  2. ```yaml
     fileRead:
       type: file
       include:
         - c:\temp\flc_files\csv_sample2.csv
       exclude:
         - c:\temp\flc_files\ignore.txt
       excludeExtensions:
         - "gz"
         - "zip"
       multiLineBeginsWith: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
       sink: next-gen-siem-fileread
     ```

     This fragment configures a file source that reads the local CSV file, with options to exclude specific files and extensions, and with multiline assembly: a line matching multiLineBeginsWith (here, one that starts with an IPv4-looking address) begins a new event, and following lines that do not match are appended to it.

  3. ```yaml
     syslog_udp_1514:
       type: syslog
       mode: udp
       port: 1514
       sink: next-gen-siem-syslog-udp
       bind: "0.0.0.0"
       maxEventSize: 2048
     ```

     This fragment configures the syslog_udp_1514 source to receive syslog over UDP on port 1514, including optional parameters such as the maximum event size (2048 bytes, enough for classic RFC 3164 messages) and the bind address. Binding to "0.0.0.0" accepts datagrams on every interface; since syslog over UDP carries no sender authentication, limit which hosts can reach the port with the host firewall.

  4. ```yaml
     syslog_tcp_1515:
       type: syslog
       mode: tcp
       port: 1515
       sink: next-gen-siem-syslog-tcp
       bind: "0.0.0.0"
       maxEventSize: 900000
     ```

     This fragment configures the syslog_tcp_1515 source to receive syslog over TCP on port 1515, with optional settings such as the maximum event size and the bind address. The much larger maxEventSize suits TCP, where a single message is not bounded by datagram size; the same firewall scoping applies as for the UDP listener.

  5. ```yaml
     sinks:
       next-gen-siem-windows:
         type: hec
         token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
         proxy: none
         maxEventSize: 910000
         maxBatchSize: 12000000
         compression: gzip
         compressionLevel: 9
         workers: 4
     ```

     This fragment defines the base sink for Windows logs with core settings like event size, batch size, and optional compression. token and url are placeholders for the NG-SIEM HEC ingest token and ingest URL, proxy: none sends directly, and workers sets how many parallel senders the sink uses.

  6. ```yaml
     queue:
       type: disk
       fullAction: pause
       maxLimitInMB: 4096
     ```

     This optional fragment configures a disk-based queue for the Windows sink. It sits under the sink definition (as queue: next to token and url) and buffers events during backpressure or disruptions; fullAction: pause stops intake rather than discarding events once the 4096 MB limit is reached.

  7. ```yaml
     next-gen-siem-fileread:
       type: hec
       token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
       proxy: none
       maxEventSize: 910000
       maxBatchSize: 12000000
       compression: gzip
       compressionLevel: 9
       workers: 4
     ```

     This fragment defines the main configuration for the FileRead sink used in NG-SIEM, the sink named by the fileRead source above. It includes essential attributes like the ingest URL, token, event size, batch limits, and worker count.

  8. ```yaml
     queue:
       type: disk
       fullAction: pause
       maxLimitInMB: 4096
     ```

     This fragment configures the queue for the FileRead sink, used to buffer log data during high ingestion load. As shown it is disk-backed; a queue of type: memory is lighter and suited to temporary queuing, but its contents do not survive a collector restart.

  9. ```yaml
     next-gen-siem-syslog-udp:
       type: hec
       token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
       proxy: none
       maxEventSize: 910000
       maxBatchSize: 12000000
       compression: gzip
       compressionLevel: 9
       workers: 4
     ```

     This fragment defines the core configuration for the UDP Syslog sink in NG-SIEM, including token, ingest URL, compression, event and batch size limits, and worker count.

  10. ```yaml
      queue:
        type: disk
        fullAction: pause
        maxLimitInMB: 4096
      ```

      This fragment sets up a disk-based queue for the UDP Syslog sink. Disk queues help buffer events during spikes or network issues but may be slower than in-memory queues.

  11. ```yaml
      next-gen-siem-syslog-tcp:
        type: hec
        token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
        proxy: none
        maxEventSize: 910000
        maxBatchSize: 12000000
        compression: gzip
        compressionLevel: 9
        workers: 4
      ```

      This fragment defines the base configuration for the TCP Syslog sink used in NG-SIEM. It includes the ingest token, URL, compression details, and resource limits.

  12. ```yaml
      queue:
        type: disk
        fullAction: pause
        maxLimitInMB: 4096
      ```

      This fragment configures the disk-based queue for the TCP Syslog sink. Disk queues help ensure reliability during network interruptions, though they may operate slower than memory queues.

  13. Event Result set.
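The multiLineBeginsWith rule from the file source in step 2, modelled in Python as an added example (not code from this page or from the collector): a line matching the pattern opens a new event and non-matching lines are appended to the current one, which is what the option's documented behaviour describes. The sample lines are constructed; the last one shows the caveat that a continuation line which itself starts with an IPv4 string is split off as an event of its own, so the boundary pattern should be as specific as the data allows. How the collector treats lines seen before the first boundary is this example's own choice, not something the page states.

```python
import re

# Boundary pattern from the fileRead source on this page: an event begins with
# something that looks like an IPv4 address at the start of the line.
MULTILINE_BEGINS_WITH = r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"

# Constructed sample input (not from the page): three records, two of which
# carry indented continuation lines, plus a stray line before the first record.
SAMPLE_LINES = [
    "stray header line before the first record",
    "10.0.0.5,2024-01-01T10:00:00Z,login,ok",
    "  user=alice",
    "  session=abc123",
    "192.168.1.20,2024-01-01T10:00:05Z,login,fail",
    "  reason=bad password",
    "8.8.8.8 was the resolver in use",  # meant as a continuation, but it matches the boundary
]


def group_events(lines, begins_with=MULTILINE_BEGINS_WITH):
    """Assemble raw lines into events the way a multiLineBeginsWith rule does.

    A line matching the pattern starts a new event; any other line is appended
    to the event currently being built. Lines seen before the first boundary
    are emitted as one event of their own (this example's choice for that case).
    """
    boundary = re.compile(begins_with)
    events, current = [], []
    for line in lines:
        if boundary.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for i, event in enumerate(group_events(SAMPLE_LINES), 1):
        print(f"event {i}: {event!r}")
```

Running it prints four events: the stray header, the two multi-line records, and the "8.8.8.8" line on its own. If your records can legitimately start with an address-like token in a continuation line, anchor the pattern on something more distinctive (a timestamp column, a fixed field count) rather than the bare IPv4 shape.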

Summary and Results

This example sets up a multi-source configuration for NG-SIEM on a Windows system. It ingests data from event logs, local files, and Syslog (UDP/TCP), routing each to its own HEC sink with optional queue handling and compression enabled to optimize performance and reliability.
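A configuration sanity check written for this page as an added example, not a tool from CrowdStrike or part of the collector: it walks a collector-style config held in a Python dict (so it runs without a YAML library) and reports the mistakes that are easiest to make when stitching fragments like the ones above together: a source whose sink is never defined, a source maxEventSize larger than its sink's, a sink maxEventSize above maxBatchSize, placeholder tokens left in place, listeners bound to every interface, and queue settings outside the values assumed here (type memory or disk, fullAction pause or deleteOldest; confirm both against the vendor reference for your version). The config dict is constructed to mirror the page's example, with the fileread sink deliberately omitted so that the check has something to report; hec_sink, validate and add_missing_sinks are names chosen for this example.

```python
import copy

# Queue values assumed valid for this example (check the vendor reference for your version).
QUEUE_TYPES = {"memory", "disk"}
QUEUE_FULL_ACTIONS = {"pause", "deleteOldest"}


def hec_sink():
    """One HEC sink in the shape used on this page; token and URL are placeholders."""
    return {
        "type": "hec",
        "token": "X" * 32,  # placeholder, not a real ingest token
        "url": "https://XXXX.ingest.YY-Y.crowdstrike.com",  # placeholder host
        "maxEventSize": 910000,
        "maxBatchSize": 12000000,
        "compression": "gzip",
        "workers": 4,
        "queue": {"type": "disk", "fullAction": "pause", "maxLimitInMB": 4096},
    }


# Constructed config mirroring the page's example; the fileread sink is left out
# on purpose so the checker has a dangling reference to report.
PAGE_CONFIG = {
    "sources": {
        "windows_events": {"type": "wineventlog", "sink": "next-gen-siem-windows"},
        "fileRead": {"type": "file", "sink": "next-gen-siem-fileread"},
        "syslog_udp_1514": {"type": "syslog", "mode": "udp", "port": 1514, "bind": "0.0.0.0",
                            "maxEventSize": 2048, "sink": "next-gen-siem-syslog-udp"},
        "syslog_tcp_1515": {"type": "syslog", "mode": "tcp", "port": 1515, "bind": "0.0.0.0",
                            "maxEventSize": 900000, "sink": "next-gen-siem-syslog-tcp"},
    },
    "sinks": {
        "next-gen-siem-windows": hec_sink(),
        "next-gen-siem-syslog-udp": hec_sink(),
        "next-gen-siem-syslog-tcp": hec_sink(),
    },
}


def validate(config):
    """Return (severity, message) findings for a collector-style config dict."""
    findings = []
    sources, sinks = config.get("sources", {}), config.get("sinks", {})

    for name, src in sources.items():
        target = src.get("sink")
        if target not in sinks:
            findings.append(("error", f"source {name} routes to undefined sink {target!r}"))
            continue
        if src.get("maxEventSize", 0) > sinks[target].get("maxEventSize", 0):
            findings.append(("error", f"source {name} maxEventSize exceeds that of sink {target}"))
        if src.get("type") == "syslog" and src.get("bind") == "0.0.0.0":
            findings.append(("warn", f"source {name} listens on every interface ({src.get('mode')} "
                                     f"{src.get('port')}); syslog has no sender authentication, "
                                     "so restrict reachability with the host firewall"))

    for name, sink in sinks.items():
        for key in ("type", "token", "url"):
            if key not in sink:
                findings.append(("error", f"sink {name} is missing {key}"))
        token = str(sink.get("token", ""))
        if token and set(token) <= {"X"}:
            findings.append(("warn", f"sink {name} still carries a placeholder token"))
        if not str(sink.get("url", "")).startswith("https://"):
            findings.append(("error", f"sink {name} url must use https"))
        if sink.get("maxEventSize", 0) > sink.get("maxBatchSize", 0):
            findings.append(("error", f"sink {name} maxEventSize exceeds maxBatchSize"))
        queue = sink.get("queue")
        if queue is not None:
            if queue.get("type") not in QUEUE_TYPES:
                findings.append(("error", f"sink {name} queue type {queue.get('type')!r} not recognised"))
            if queue.get("fullAction") not in QUEUE_FULL_ACTIONS:
                findings.append(("error", f"sink {name} queue fullAction {queue.get('fullAction')!r} not recognised"))
            if queue.get("type") == "disk" and queue.get("maxLimitInMB", 0) <= 0:
                findings.append(("error", f"sink {name} disk queue needs a positive maxLimitInMB"))
    return findings


def add_missing_sinks(config, template):
    """Return a copy of config in which every referenced-but-undefined sink is cloned from `template`."""
    fixed = copy.deepcopy(config)
    for src in fixed.get("sources", {}).values():
        if src.get("sink") not in fixed["sinks"]:
            fixed["sinks"][src["sink"]] = copy.deepcopy(fixed["sinks"][template])
    return fixed


if __name__ == "__main__":
    for severity, message in validate(PAGE_CONFIG):
        print(f"{severity:5} {message}")
```

Against the constructed config the check reports one error (fileRead routes to a sink that is never defined), two warnings for the syslog listeners bound to 0.0.0.0, and three warnings for placeholder tokens; add_missing_sinks clones an existing sink under the missing name and the error disappears. To run it on a real collector file, load the YAML with a parser of your choice and pass the resulting dict to validate.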