Windows Multi-Source (NG-SIEM)

Example

```yaml
sources:
  windows_events:
    type: wineventlog
    channels:
      - name: Application
        excludeEventIDs: [903, 900]
      - name: Security
        onlyEventIDs: [4624, 4634, 4672]
      - name: System
      - name: Windows PowerShell
      - name: ForwardedEvents
    language: 1033
    format: renderFieldsOnly
    sink: next-gen-siem-windows
  fileRead:
    type: file
    include:
      - c:\temp\flc_files\csv_sample2.csv
    exclude:
      - c:\temp\flc_files\ignore.txt
    excludeExtensions:
      - "gz"
      - "zip"
    multiLineBeginsWith: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    sink: next-gen-siem-fileread
  syslog_udp_1514:
    type: syslog
    mode: udp
    port: 1514
    sink: next-gen-siem-syslog-udp
    bind: "0.0.0.0"
    maxEventSize: 2048
  syslog_tcp_1515:
    type: syslog
    mode: tcp
    port: 1515
    sink: next-gen-siem-syslog-tcp
    bind: "0.0.0.0"
    maxEventSize: 900000
sinks:
  next-gen-siem-windows:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    proxy: none
    maxEventSize: 910000
    maxBatchSize: 12000000
    compression: gzip
    compressionLevel: 9
    workers: 4
    queue:
      type: disk
      fullAction: pause
      maxLimitInMB: 4096
  # Referenced by the fileRead source above; every sink a source names must be defined here.
  next-gen-siem-fileread:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    proxy: none
    maxEventSize: 910000
    maxBatchSize: 12000000
    compression: gzip
    compressionLevel: 9
    workers: 4
    queue:
      type: disk
      fullAction: pause
      maxLimitInMB: 4096
  next-gen-siem-syslog-udp:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    proxy: none
    maxEventSize: 910000
    maxBatchSize: 12000000
    compression: gzip
    compressionLevel: 9
    workers: 4
    queue:
      type: disk
      fullAction: pause
      maxLimitInMB: 4096
  next-gen-siem-syslog-tcp:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    proxy: none
    maxEventSize: 910000
    maxBatchSize: 12000000
    compression: gzip
    compressionLevel: 9
    workers: 4
    queue:
      type: disk
      fullAction: pause
      maxLimitInMB: 4096
```
Introduction

This configuration demonstrates how to collect and forward logs from multiple Windows-based sources into CrowdStrike NG-SIEM. It covers Windows Event Logs, local file ingestion, and Syslog messages received over both UDP and TCP. Each source is routed to a dedicated HEC sink, with optional disk queuing and compression to support reliable and scalable log ingestion.

Step-by-Step
  1. ```yaml
     sources:
       windows_events:
         type: wineventlog
         channels:
           - name: Application
             excludeEventIDs: [903, 900]
           - name: Security
             onlyEventIDs: [4624, 4634, 4672]
           - name: System
           - name: Windows PowerShell
           - name: ForwardedEvents
         language: 1033
         format: renderFieldsOnly
         sink: next-gen-siem-windows
     ```

     This fragment collects Windows Event Logs from the Application, Security, System, Windows PowerShell and ForwardedEvents channels using the wineventlog source type. excludeEventIDs drops the listed IDs from a channel, while onlyEventIDs keeps just the listed IDs (here the Security logon, logoff and special-privilege logon events 4624, 4634 and 4672); language 1033 renders messages in US English.

  2. ```yaml
     fileRead:
       type: file
       include:
         - c:\temp\flc_files\csv_sample2.csv
       exclude:
         - c:\temp\flc_files\ignore.txt
       excludeExtensions:
         - "gz"
         - "zip"
       multiLineBeginsWith: '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
       sink: next-gen-siem-fileread
     ```

     This fragment configures a file source that reads the local CSV file, excludes a named file and the gz and zip extensions, and uses multiLineBeginsWith so that a new event starts only on a line beginning with an IPv4-style dotted address; lines that do not match are appended to the preceding event. The sink it names, next-gen-siem-fileread, must be defined under sinks like the others.

  3. ```yaml
     syslog_udp_1514:
       type: syslog
       mode: udp
       port: 1514
       sink: next-gen-siem-syslog-udp
       bind: "0.0.0.0"
       maxEventSize: 2048
     ```

     This fragment configures a syslog_udp_1514 source that listens for syslog over UDP on port 1514. bind sets the listen address (0.0.0.0 here, meaning all interfaces) and maxEventSize caps the size of a single event.

  4. ```yaml
     syslog_tcp_1515:
       type: syslog
       mode: tcp
       port: 1515
       sink: next-gen-siem-syslog-tcp
       bind: "0.0.0.0"
       maxEventSize: 900000
     ```

     This fragment configures a syslog_tcp_1515 source that listens for syslog over TCP on port 1515, again binding to all interfaces, with a much larger maxEventSize since TCP is not bound by datagram size.

  5. ```yaml
     sinks:
       next-gen-siem-windows:
         type: hec
         token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
         proxy: none
         maxEventSize: 910000
         maxBatchSize: 12000000
         compression: gzip
         compressionLevel: 9
         workers: 4
     ```

     This fragment defines the HEC sink for Windows logs with the ingest URL and token (placeholders here), no proxy, event and batch size limits, gzip compression at level 9, and four workers.

  6. ```yaml
     queue:
       type: disk
       fullAction: pause
       maxLimitInMB: 4096
     ```

     This optional fragment, nested under the next-gen-siem-windows sink, configures a disk-backed queue of up to 4096 MB that buffers events during backpressure or disruptions; fullAction: pause stops reading from the source when the queue is full rather than discarding events.

  7. ```yaml
     next-gen-siem-syslog-udp:
       type: hec
       token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
       proxy: none
       maxEventSize: 910000
       maxBatchSize: 12000000
       compression: gzip
       compressionLevel: 9
       workers: 4
     ```

     This fragment defines the HEC sink for the UDP syslog source, with the same ingest URL, token, event size, batch limit, compression and worker count as the Windows sink.

  8. ```yaml
     queue:
       type: disk
       fullAction: pause
       maxLimitInMB: 4096
     ```

     This fragment sets a disk-based queue for the UDP syslog sink, buffering log data during high ingestion load.

  9. ```yaml
     next-gen-siem-syslog-tcp:
       type: hec
       token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
       proxy: none
       maxEventSize: 910000
       maxBatchSize: 12000000
       compression: gzip
       compressionLevel: 9
       workers: 4
     ```

     This fragment defines the HEC sink for the TCP syslog source, including token, ingest URL, compression, event and batch size limits, and worker count.

  10. ```yaml
      queue:
        type: disk
        fullAction: pause
        maxLimitInMB: 4096
      ```

      This fragment sets up a disk-based queue for the TCP syslog sink. Disk queues buffer events through spikes or network issues at the cost of being slower than in-memory queues.

  11. Event Result set.
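A pre-deployment lint for a collector config of this shape, added here as an example and not part of the original page or of the Falcon LogScale Collector itself: it checks that every source routes to a defined sink, that a source's maxEventSize does not exceed its sink's, that syslog listeners do not reuse a mode/port pair or bind to all interfaces, and that placeholder HEC tokens have been replaced. SAMPLE_CONFIG is a constructed subset of the page's YAML (only the keys the checks read) that deliberately leaves the next-gen-siem-fileread sink undefined so the first check fires; to lint a real file, load it with yaml.safe_load into the same dict shape.

```python
from typing import Dict, List

# Constructed subset of the page's YAML, shaped as yaml.safe_load would return it.
# The fileRead sink is deliberately left undefined to exercise the reference check.
SAMPLE_CONFIG: Dict = {
    "sources": {
        "windows_events": {"type": "wineventlog", "sink": "next-gen-siem-windows"},
        "fileRead": {"type": "file", "sink": "next-gen-siem-fileread"},
        "syslog_udp_1514": {"type": "syslog", "mode": "udp", "port": 1514, "bind": "0.0.0.0",
                            "maxEventSize": 2048, "sink": "next-gen-siem-syslog-udp"},
        "syslog_tcp_1515": {"type": "syslog", "mode": "tcp", "port": 1515, "bind": "0.0.0.0",
                            "maxEventSize": 900000, "sink": "next-gen-siem-syslog-tcp"},
    },
    "sinks": {
        "next-gen-siem-windows": {"type": "hec", "token": "X" * 32, "maxEventSize": 910000},
        "next-gen-siem-syslog-udp": {"type": "hec", "token": "X" * 32, "maxEventSize": 910000},
        "next-gen-siem-syslog-tcp": {"type": "hec", "token": "X" * 32, "maxEventSize": 910000},
    },
}


def lint_config(cfg: Dict) -> List[str]:
    """Return findings as 'error: ...' / 'warn: ...' strings; an empty list means clean."""
    findings: List[str] = []
    sources = cfg.get("sources") or {}
    sinks = cfg.get("sinks") or {}
    listeners: Dict[tuple, str] = {}  # (mode, port) -> source name, to catch collisions
    for name, src in sources.items():
        sink_name = src.get("sink")
        sink = sinks.get(sink_name)
        if sink is None:
            findings.append(f"error: source {name} routes to undefined sink '{sink_name}'")
            continue
        # The sink drops anything above its own cap, so the source cap must not be larger.
        if src.get("maxEventSize", 0) > sink.get("maxEventSize", float("inf")):
            findings.append(f"error: source {name} maxEventSize exceeds that of sink {sink_name}")
        if src.get("type") == "syslog":
            key = (src.get("mode"), src.get("port"))
            if key in listeners:
                findings.append(f"error: source {name} reuses {key[0]}/{key[1]} of {listeners[key]}")
            listeners[key] = name
            if src.get("bind") in ("0.0.0.0", "::"):
                findings.append(f"warn: source {name} listens on all interfaces; "
                                "bind to the collector's ingest address if only one is needed")
    for name, sink in sinks.items():
        token = str(sink.get("token") or "")
        if not token or set(token) <= {"X"}:
            findings.append(f"error: sink {name} HEC token is missing or still the placeholder")
    return findings
```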

Summary and Results

This example sets up a multi-source configuration for NG-SIEM on a Windows system. It ingests data from event logs, local files, and Syslog (UDP/TCP), routing each to its own sink, with optional disk queuing and compression enabled to improve reliability and throughput.