Windows Multi-Source

Example
```yaml
sources:
  windows_events:
    type: wineventlog
    channels:
      - name: Application
      - name: Security
      - name: System
      - name: "Windows PowerShell"
      - name: ForwardedEvents
      - name: Microsoft-Windows-Sysmon/Operational
    parser: SampleWindowsParser
    sink: flc_windows_eventlog
  file_read:
    type: file
    include:
      - c:\temp\flc_files\csv_sample2.csv
    exclude:
      - c:\temp\flc_files\ignore.txt
    parser: SampleFileParser
    sink: flc_windows_fileread
  syslog1:
    type: syslog
    mode: udp
    port: 514
    maxEventSize: 2048
    #receiveBufferSize: 131072
    sink: flc_windows_syslog1
  syslog2:
    type: syslog
    mode: tcp
    port: 514
    maxEventSize: 1048576
    receiveBufferSize: 1048577
    sink: flc_windows_syslog2
sinks:
  flc_windows_eventlog:
    type: humio
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    url: https://XXX.YYY.ZZZ
    proxy: none
    tls:
      insecure: true
    maxEventSize: 8388608
    maxBatchSize: 16777216
    compression: gzip
    # Compression levels (1-9, 9 is highest).
    compressionLevel: 9
    queue:
      type: disk
      fullAction: pause
      maxLimitInMB: 4096
    workers: 8
  # The remaining sinks are siblings of flc_windows_eventlog under sinks,
  # not children of it; keep them at the same indentation level.
  flc_windows_fileread:
    type: humio
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    url: https://XXX.YYY.ZZZ
    proxy: none
  flc_windows_syslog1:
    type: humio
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    url: https://XXX.YYY.ZZZ
    proxy: none
  flc_windows_syslog2:
    type: humio
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    url: https://XXX.YYY.ZZZ
    proxy: none
```
Introduction

This configuration enables log collection from multiple Windows-based sources using the Falcon LogScale Collector. It includes native support for Windows Event Logs, file-based input, and Syslog over UDP and TCP. The configuration allows customization through optional parameters and supports parsing and routing to dedicated sinks for centralized analysis.

Step-by-Step
  1. ```yaml
     sources:
       windows_events:
         type: wineventlog
         channels:
           - name: Application
           - name: Security
           - name: System
           - name: "Windows PowerShell"
           - name: ForwardedEvents
           - name: Microsoft-Windows-Sysmon/Operational
         parser: SampleWindowsParser
         sink: flc_windows_eventlog
     ```

     This fragment configures a windows_events source that collects events from the common Windows event channels (Application, Security, System, Windows PowerShell, ForwardedEvents and the Sysmon operational log), applies the SampleWindowsParser and routes the events to the flc_windows_eventlog sink.

  2. ```yaml
       file_read:
         type: file
         include:
           - c:\temp\flc_files\csv_sample2.csv
         exclude:
           - c:\temp\flc_files\ignore.txt
         parser: SampleFileParser
         sink: flc_windows_fileread
     ```

     This fragment configures a file_read source that collects a specific CSV file, with an optional exclude path, the SampleFileParser and a dedicated sink.

  3. ```yaml
       syslog1:
         type: syslog
         mode: udp
         port: 514
         maxEventSize: 2048
         #receiveBufferSize: 131072
         sink: flc_windows_syslog1
     ```

     This fragment sets up a syslog1 source listening for UDP on port 514 with a configurable maximum event size. receiveBufferSize is left commented out here, so the collector's default receive buffer applies.

  4. ```yaml
       syslog2:
         type: syslog
         mode: tcp
         port: 514
         maxEventSize: 1048576
         receiveBufferSize: 1048577
         sink: flc_windows_syslog2
     ```

     This fragment defines a syslog2 source in TCP mode with a larger maximum event size and a receive buffer sized just above it, for large event support.

  5. ```yaml
     sinks:
       flc_windows_eventlog:
         type: humio
         token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
         url: https://XXX.YYY.ZZZ
         proxy: none
     ```

     This fragment defines the base humio sink used by the Windows multi-source configuration: the sink type, ingest token, endpoint URL and proxy setting.

  6. ```yaml
         tls:
           insecure: true
         maxEventSize: 8388608
         maxBatchSize: 16777216
         compression: gzip
         # Compression levels (1-9, 9 is highest).
         compressionLevel: 9
     ```

     This fragment adds optional parameters to the humio sink: TLS options, maximum event and batch sizes, and gzip compression at level 9. These keys sit at the same level as the sink's type, token and url. Setting insecure: true skips verification of the ingest endpoint's TLS certificate, which suits lab testing against a self-signed endpoint; keep it at false for a production LogScale endpoint.

  7. ```yaml
         queue:
           type: disk
           fullAction: pause
           maxLimitInMB: 4096
         workers: 8
     ```

     This fragment defines a disk-based queue for the sink, capped at 4096 MB, with fullAction: pause as the flow-control behaviour when the queue is full, and 8 workers for large-scale ingestion. workers belongs to the sink, not to the queue block.

  8. ```yaml
       flc_windows_fileread:
         type: humio
         token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
         url: https://XXX.YYY.ZZZ
         proxy: none
     ```

     This fragment configures the humio sink for the file read source, including the ingest token, endpoint URL, and proxy settings.

  9. ```yaml
       flc_windows_syslog1:
         type: humio
         token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
         url: https://XXX.YYY.ZZZ
         proxy: none
     ```

     This fragment configures the humio sink for the syslog1 source in the Windows Multi-Source configuration. It specifies the ingest token, endpoint URL, and proxy settings.

  10. ```yaml
        flc_windows_syslog2:
          type: humio
          token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
          url: https://XXX.YYY.ZZZ
          proxy: none
      ```

      This fragment configures the humio sink for the syslog2 source in the Windows Multi-Source configuration. It specifies the ingest token, endpoint URL, and proxy settings.

  11. Event Result set.
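As an added example (not code from the LogScale Collector documentation or the product), the following Python script applies the structural checks a practitioner would want to run on a configuration like the one above before deploying it: every source routes to a sink that exists at the top level under sinks, no sink is orphaned, no two syslog listeners bind the same transport and port, a receive buffer is never smaller than the maximum event it must hold, and the tls.insecure and non-https settings on a sink are surfaced. It works on the configuration as the dictionary that yaml.safe_load() would return, so it needs no YAML library. Both configurations in it are constructed to mirror the page's example; the second deliberately reproduces the indentation slip in which the first sink's block swallows the other three sinks, and shows how that slip surfaces as "undefined sink" errors.

```python
"""Structural checks for a LogScale Collector multi-source configuration.

Added example: this is not code from the LogScale Collector documentation or
product. It works on the configuration as the plain dict that yaml.safe_load()
returns, so it needs no YAML library. Both configurations below are
constructed to mirror the page's example; BAD_CONFIG deliberately reproduces
the indentation slip in which the first sink's block swallows the other three.
"""
import copy

ENDPOINT = "https://XXX.YYY.ZZZ"  # placeholder endpoint, as on the page

GOOD_CONFIG = {
    "sources": {
        "windows_events": {"type": "wineventlog", "sink": "flc_windows_eventlog"},
        "file_read": {"type": "file", "sink": "flc_windows_fileread"},
        "syslog1": {"type": "syslog", "mode": "udp", "port": 514,
                    "maxEventSize": 2048, "sink": "flc_windows_syslog1"},
        "syslog2": {"type": "syslog", "mode": "tcp", "port": 514,
                    "maxEventSize": 1048576, "receiveBufferSize": 1048577,
                    "sink": "flc_windows_syslog2"},
    },
    "sinks": {
        "flc_windows_eventlog": {
            "type": "humio", "url": ENDPOINT, "tls": {"insecure": True},
            "queue": {"type": "disk", "fullAction": "pause", "maxLimitInMB": 4096},
        },
        "flc_windows_fileread": {"type": "humio", "url": ENDPOINT},
        "flc_windows_syslog1": {"type": "humio", "url": ENDPOINT},
        "flc_windows_syslog2": {"type": "humio", "url": ENDPOINT},
    },
}


def mis_nested(cfg):
    """Constructed variant: three sinks indented one level too deep, as in a
    YAML file where their keys line up with the first sink's fields."""
    bad = copy.deepcopy(cfg)
    first = bad["sinks"]["flc_windows_eventlog"]
    for name in ("flc_windows_fileread", "flc_windows_syslog1", "flc_windows_syslog2"):
        first[name] = bad["sinks"].pop(name)
    return bad


BAD_CONFIG = mis_nested(GOOD_CONFIG)

# Sink sub-mappings that legitimately carry their own 'type' key.
NESTED_OK = {"queue", "tls"}


def check_config(cfg):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    sources = cfg.get("sources") or {}
    sinks = cfg.get("sinks") or {}

    # 1. Every source must route to a sink defined at top level under 'sinks'.
    for name, src in sources.items():
        if src.get("sink") not in sinks:
            findings.append(("error", f"source {name!r} references undefined sink {src.get('sink')!r}"))

    # 2. A sink that no source routes to is usually a leftover or a mis-nesting.
    used = {src.get("sink") for src in sources.values()}
    for name in sinks:
        if name not in used:
            findings.append(("warning", f"sink {name!r} is defined but no source routes to it"))

    # 3. Syslog listeners: one binding per transport/port, and a receive buffer
    #    that can hold at least one maximum-size event.
    listeners = {}
    for name, src in sources.items():
        if src.get("type") != "syslog":
            continue
        key = (src.get("mode"), src.get("port"))
        if key in listeners:
            findings.append(("error", f"syslog sources {listeners[key]!r} and {name!r} both bind {key[0]}/{key[1]}"))
        listeners.setdefault(key, name)
        buf, max_event = src.get("receiveBufferSize"), src.get("maxEventSize", 0)
        if buf is not None and buf < max_event:
            findings.append(("warning", f"syslog source {name!r}: receiveBufferSize {buf} < maxEventSize {max_event}"))

    # 4. Sink transport hygiene and mis-nested sink blocks.
    for name, sink in sinks.items():
        if (sink.get("tls") or {}).get("insecure"):
            findings.append(("warning", f"sink {name!r}: tls.insecure=true disables certificate verification of the ingest endpoint"))
        if not str(sink.get("url", "")).startswith("https://"):
            findings.append(("warning", f"sink {name!r}: url {sink.get('url')!r} is not https"))
        for key, val in sink.items():
            if isinstance(val, dict) and "type" in val and key not in NESTED_OK:
                findings.append(("error", f"sink {name!r} contains a nested sink-like block {key!r}: check indentation"))
    return findings


def errors(findings):
    """Just the blocking findings."""
    return [f for f in findings if f[0] == "error"]


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("mis-nested", BAD_CONFIG)):
        print(f"== {label}: {len(errors(check_config(cfg)))} error(s)")
        for severity, message in check_config(cfg):
            print(f"  [{severity}] {message}")
```

Run against the correctly indented configuration the only finding is the warning about tls.insecure; against the mis-nested variant every source except windows_events reports an undefined sink, and the first sink is flagged for carrying three nested sink-like blocks, which is exactly what a YAML parser silently produces from the indentation slip.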

Summary and Results

This example demonstrates a multi-source configuration for Windows environments. It captures logs from Event Logs, CSV files, and Syslog inputs (UDP/TCP), with configurable parameters such as buffer sizes and parsers. Each source is routed to its respective sink to enable structured and efficient log analysis.