Hi, Brian Hymer with Quest here. Let's talk about collecting those custom applications and services logs with interest. Interest, if you don't know, is Quest's native event log collector. We can collect from a wide variety of hosts and applications. But today, I want to talk about custom logs, those custom applications that are running on Windows servers. Now, if you're not aware, interest is just one piece of our portfolio of Microsoft auditing and management solutions. These solutions can present their data in a single pane of glass using IT security search, which we provide for free for anyone owning the products that are listed here.
It's not in scope today, but I encourage you to take a look at this tool. It's a great solution for looking at your log data and auditing your environment. Just to keep things in perspective, our focus today is how to configure interest to collect those application and services logs that appear here, in event viewer. Interest can collect any of these logs in real time, allowing you to centralize, archive, and search through these logs from a single console. You may not know this, but event data in its raw form can be very hard to read.
Interest uses the same APIs that the windows event viewer does to translate that raw data into more readable forms and then stores both the raw and the result values in its repository. Some examples are shown here. For example, raw data of 2313, this is a nationalization code. So in English, it would show unknown username or bad password. But in French-- well, it would show that in French. I don't speak French. So I can't really tell you. Or you may have SIDS that are well-known SIDS or maybe even SIDS unique to your environment.
Interest will convert those and show you the actual account names so that you see those when you look at the data months or even years from now. In addition, Interest uses normalization into what we like to call the 6 W's, that's who, when, what, where, where from, and whom. Now, when it comes to logs that Interest doesn't know well or undefined logs, we normalize up to four of those W's, where-- that's a computer that even came from-- when-- that's the logged time stamp as we can see here-- who-- that's the user field. Sometimes a user field is not filled in, but we do translate that user from its SID to its actual user name. And what, and that would be the event source, as we see here.
So here's just an example of print services log. Somebody wanted to collect that. And in the Event Viewer, you can see those fields showing. Let's get into it. OK, let's see how easy it is to set up a custom application log to get collected by Interest. So here on my Windows 7 box, I have just recently installed Sysmon. And so if I bring up event viewer and I drill into application and service logs, and then Microsoft, then Windows, and I scroll down far enough, I'll find Sysmon on there it is. So here's the Sysmon operational log. And you can see that data is already appearing in here. All you need to do to set this up with trust is give the log name.
So we'll open up the properties. And we'll take this log name here and just copy it to our clipboard. There we go. And then we'll take that back to interest. So I'll get out of this window. And I'll come back to interest. We'll go into deployment manager. That's this icon here. We'll go to one of our collections. Let's say it's the all servers collection. I'm just going to highlight that, right click, and say edit collection. And then if I hit next twice, I get to a list of data sources. These are event logs defined to interest. So I want to add a new event log. And that's our Sysmon log. I'll just go ahead and paste this value in that I found. And I can put some nice description here.
And you don't really need to type a description if you don't want to. I'll click OK. And we can see now, if I look on the list here, Sysmon operational log is selected. And then I'll just click next and finish. And now, data from that Windows 7 box would get collected along with this the Sysmon data. And I just have to wait for results. Now, if I wanted to collect the historical data for Sysmon, I'd need to go into interest manager. Interest manager allows us to run gathering jobs. And gathering jobs can get that historical data.
So if I come up here and look in data sources-- and I'll probably need a refresh here-- I probably will already see that Sysmon operational long because I added it. I can then go add that log to a gathering policy. And maybe I'll just call it Sysmon. So I'll make a new policy. Counter Sysmon. I'll add that data source. There it is. I won't say to ignore events. I'm just going to get everything I can. I'm not going to do log backup or anything like that because I'm only going to run this job once. I'm not going to filter any events.
So there's my policy with my log inside of it. And I'll finish that. So here I can see gather Sysmon. And then I just need to run that in a task that goes against the site that those workstations are in. So let's see. First of all, I'll find a site. All workstations is probably a good site. Let's just enumerate that. My Windows 7 box popped up right away in all workstations I have defined here as an object. So that's good. I'll come down here, get past gathering, get into my tasks. I'm just going to do an ad hoc task. So I have this ad hoc gather that I've got several jobs in. Oh, good, I only have one.
So let's just modify this one. I'm going to use the ad hoc policy I just made, the gather Sysmon policy. So there it is. And I'm going to point towards all workstations. There we go. So there's that. I'm going to drop it into my default interest repository. So that all looks good. I'll commit my changes. And then I'll just right click on the job and run it.
And once that gathering job finishes, we'll have our Sysmon data. OK, it looks like the data is done being collected. And I can go down here to the gathering job. And I can see I actually collected 273 events into the repository. So now that data is collected, I can get back out of interest manager. But if I come in to my repository viewer, and just look for that log. Get out of some of the things I'm in here. Maybe we'll just say by Log. I'll use one of these custom searches that I made, and clear that, and say Sysmon. And we'll go.
And here's my events. And I'm able to see those. And I want you to notice, also, that we did pull information in our normalization, what, where, who, and when. And this allows us to pull information using these normalized fields from across all logs.
09:08
