Centralized SYSLOG and Windows Event Log

Configuring SYSLOG / Event Log on a Windows Device

Netmon’s complete Network Monitoring Solution can also be used as a centralized SYSLOG and Windows Event Log server, letting you look through the SYSLOG and Event Log information of many Servers, Workstations and other network devices in one place, without logging in to each device individually to see the same information.

Furthermore, Netmon can send email alerts whenever a text pattern you specify appears in a device’s event log. This is valuable if you know a certain issue recurs on a device and want to catch it the next time it happens, or if you simply want to be notified of problems on your network devices, including of course Windows Servers and workstations.

Windows does not speak SYSLOG natively; it records events in its own Windows Event Log. To import Windows Event Logs, an agent is installed on the Windows Server / Workstation in question; the agent reads the Event Log, converts each event into a SYSLOG message and forwards it to your Netmon.

Download Windows Event Log Agent

Start by going to netmon.com/support/ and download the “SNARE Event Log Agent for Windows”.

Run the SNARE for Windows executable and work through the setup wizard.

When presented with the Snare Auditing option shown below, keep the default Yes so that Snare takes control of your Event Log configuration. Snare will then manage the host’s audit settings according to the objectives you define later in this guide, so review those objectives carefully on any host that already has a deliberately hardened audit policy.

At the next screen keep the default Use System Account as shown below.

(Screenshot: download snare)

(Screenshot: Snare Auditing)

(Screenshot: Snare Account)
You can now configure Remote Control of the SNARE application. We recommend enabling Web Access, disabling password authentication and restricting the interface to local access only, as shown below. Disabling the password is only acceptable because the interface is then reachable solely from the host itself; if you ever need to reach it from another machine, set a password before relaxing the local-only restriction.

(Screenshot: Remote Control Interface)

You can now continue the installation by choosing the default options until the installation is complete.

After the installation has completed you can open the application from the Start menu by looking for Intersect Alliance and choosing Snare for Windows.

(Screenshot: snare for windows)

You can also access Snare by going to http://localhost:6161 in your web browser. Because local access only was selected above, this URL only works from the host itself.

Once you have access to the Snare web interface, navigate to the Network Configuration page.

Here you configure Snare to send event logs to your Netmon device by filling in the following fields:

Destination Snare Server address: the IP address or hostname of your Netmon
Destination Port: 514
Enable SYSLOG Header?:
SYSLOG Priority: DYNAMIC

The SYSLOG priority travels in the syslog header, so the DYNAMIC setting (which derives the syslog severity from each event’s criticality) only takes effect when the header is enabled. Note that standard syslog on port 514 is sent in the clear with no authentication of the sender, so keep the path between the agent and Netmon on a trusted management network and restrict inbound port 514 on Netmon to the hosts that are supposed to be sending.

(Screenshot: Snare Network Configuration)

After making the changes click Change Configuration, then click Apply the Latest Audit Configuration on the left side of your screen; the changes do not take effect until you have done both.

Next you will choose Objective Configuration on the left side of you screen and apply the following changes:

Identify the high level events: Any event(s)
Identify the event types to be captured: Error, Warning & Critical
Identify the event logs: Application & System
Select the Alert Level: Critical

(Screenshot: Snare filtering)

As before, click Change Configuration and then Apply the Latest Audit Configuration on the left side of your screen to complete the changes.

That completes the Snare configuration; next, create the Netmon device that will capture the syslog events.

After signing in to your Netmon device, navigate to the Devices page and choose New Device. Fill in the fields and make sure the Enable Syslog option is checked. The Severity you select is a minimum: Netmon keeps events at or above that level and discards the rest.

Notice: this lets you filter the imported event logs by minimum severity. If you don’t care about any “Info” event logs you can ignore them and import only “Warning” and above, for example.

Now, when viewing the newly created device, choose the Event Log tab in the device dashboard to see the syslog events that Netmon is capturing.

(Screenshot: syslog in netmon)

With Netmon you will be able to quickly browse through many Servers’, Workstations’ and other devices’ event logs all in one centralized platform.

(Screenshot: add device syslog)

(Screenshot: syslog event log)
Lastly, now that Netmon is capturing these event logs, you can also create alerts based on events and text patterns by choosing the Manage Alerts button under the Event Logs tab. Keep each pattern specific to the message text you actually want to catch; a broad pattern on a busy log will alert constantly.

(Screenshot: add syslog alerts)
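To make the minimum-severity filter and the text-pattern alerts concrete, here is an added Python example (not Netmon’s or Snare’s code) that parses syslog lines carrying a <PRI> header, keeps only events at or above a chosen severity, and fires alerts when a pattern matches the message text. The Windows-event-type-to-severity mapping, the tab-separated payload layout and the sample lines are all constructed for the illustration and are not Snare’s actual record format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog severity names in numeric order (0 = emergency ... 7 = debug).
# A lower number is MORE severe, so "warning and above" means severity <= 4.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed mapping from Windows event types to syslog severities. It stands in
# for what the agent's DYNAMIC priority setting does; it is not Snare's table.
WINDOWS_TYPE_TO_SEVERITY = {"Critical": 2, "Error": 3, "Warning": 4, "Information": 6}

USER_FACILITY = 1  # syslog facility "user-level messages"


def encode_syslog(hostname: str, event_type: str, event_id: int,
                  source: str, message: str, facility: int = USER_FACILITY) -> str:
    """Build a BSD-style syslog line with a <PRI> header (PRI = facility*8 + severity).
    The tab-separated payload is a constructed stand-in for an agent record."""
    pri = facility * 8 + WINDOWS_TYPE_TO_SEVERITY[event_type]
    payload = "\t".join(["MSWinEventLog", event_type, str(event_id), source, message])
    return f"<{pri}>{hostname} {payload}"


@dataclass
class Event:
    facility: int
    severity: int
    hostname: str
    event_type: str
    event_id: int
    source: str
    message: str


# <PRI>, a hostname token, a space, then the payload.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<host>\S+) (?P<payload>.*)$")


def parse_syslog(line: str) -> Optional[Event]:
    """Parse one received line; return None for anything malformed so a bad
    message can neither crash the collector nor be mistaken for an event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 23 * 8 + 7:  # facilities run 0-23, severities 0-7, so PRI <= 191
        return None
    fields = m.group("payload").split("\t")
    if len(fields) < 5 or fields[0] != "MSWinEventLog" or not fields[2].isdigit():
        return None
    return Event(pri // 8, pri % 8, m.group("host"), fields[1], int(fields[2]),
                 fields[3], "\t".join(fields[4:]))


def passes_severity(event: Event, min_severity: str) -> bool:
    """True if the event is at least as severe as min_severity (e.g. "warning")."""
    return event.severity <= SEVERITIES.index(min_severity)


# Text-pattern alert rules of the kind a Manage Alerts screen lets you define.
ALERT_RULES = [
    ("service-crash", re.compile(r"terminated unexpectedly", re.I)),
    ("unclean-reboot", re.compile(r"rebooted without cleanly shutting down", re.I)),
]


def process(lines, min_severity="warning", rules=ALERT_RULES):
    """Apply the severity filter, then the pattern rules, to received lines.
    Returns (kept events, fired alerts as (rule, host, event id) tuples)."""
    kept, alerts = [], []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or not passes_severity(ev, min_severity):
            continue
        kept.append(ev)
        for name, pattern in rules:
            if pattern.search(ev.message):
                alerts.append((name, ev.hostname, ev.event_id))
    return kept, alerts


# Constructed sample traffic: four agent-style lines plus two malformed ones.
SAMPLE_LINES = [
    encode_syslog("SRV01", "Error", 7034, "Service Control Manager",
                  "The Print Spooler service terminated unexpectedly."),
    encode_syslog("SRV01", "Information", 7036, "Service Control Manager",
                  "The Print Spooler service entered the running state."),
    encode_syslog("WS17", "Warning", 1014, "DNS Client Events",
                  "Name resolution for the name wpad timed out."),
    encode_syslog("SRV02", "Critical", 41, "Kernel-Power",
                  "The system has rebooted without cleanly shutting down first."),
    "<999>SRV03 MSWinEventLog\tError\t1\tX\tpriority out of range",
    "no header at all",
]

if __name__ == "__main__":
    kept, alerts = process(SAMPLE_LINES, "warning")
    for ev in kept:
        print(f"{SEVERITIES[ev.severity]:8} {ev.hostname:6} {ev.event_id:5} {ev.message}")
    for rule, host, event_id in alerts:
        print(f"ALERT {rule} on {host} (event {event_id})")
```

With the minimum set to "warning" the Information event is dropped, the two malformed lines are ignored, and the two alert rules fire on the Error and Critical events; raising the minimum to "err" also drops the Warning. The same inverted numbering (lower is more severe) is what a collector’s severity threshold operates on, which is why a threshold is a maximum on the numeric value rather than a minimum.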

There are many more uses, configurations and examples of what can be done with Netmon’s Network Monitoring Solution. Please don’t hesitate to contact us should you have any questions.

You can also go to our demo where you can navigate through a live and working instance of netmon from our HQ, and finally, we can even do a phone and web session where we give you a full demo of the product.