Ceramicskate0 edited this page Dec 24, 2018 · 25 revisions

Welcome to the Simple-Windows-Event-Log-Forwarder (SWELF) wiki!

Summary:

"Having the too many logs issue?!" This might help. You tell SWELF the log source and/or the event ID and/or the keywords and/or the number of characters in the log and/or the length of the command line and/or the length of the log itself, and the SWELF app sends just those logs from a Windows machine to your SIEM. Output can be syslog format, raw event log XML, or a mixture: the EventData XML wrapped in a syslog message. To get started learning about SWELF click HERE.

INDEX:

Now in early release.

SWELF is designed to be simple enough for almost anyone to use as Windows event log forwarding software. The software first searches your logs for what you want, then forwards or copies just those logs (if you told it to). SWELF is currently early release software. The warning for you here is that bugs may crash SWELF, features may not work as desired, or in some cases SWELF may cause issues on the machine on which it is run (but it's unlikely). However, this also means I'm taking feature requests (even if you don't code). I would like any feedback during the early release phase on anything that pops up for you.

This app is primarily a log forwarder, with the ability to search for and forward just the logs you want, or at least as close to that as you want. This means that you can tell your log forwarding agent (SWELF) exactly which logs to forward and it won't forward the rest. This helps with the familiar "too many logs", "we can't send those logs, it's too much noise", or "the SIEM can't handle all the logs" objections from SIEM owners and IT departments.

For example, you want PowerShell logs (don't lie to yourself, every security person does, or at least you'd better). You know what you want the log to contain, what it should look like, how long it is, or some keyword; SWELF will then forward just those logs, in order, to your network location over syslog (514/udp).
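To make the filtering idea above concrete, here is an added illustration (not SWELF's own code, and not its configuration format): a small Python forwarder core that parses events in the Windows event XML layout, keeps only those that match a rule (source, event ID, keywords, minimum log length, minimum command-line length), and wraps each match in a syslog line. The two sample events, the Rule field names, and the priority value are constructed for this example.

```python
"""
Added illustration, not SWELF's code: select event log entries by source,
event ID, keyword or length and emit each match as a syslog line.
Rule field names and the sample events are constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Two constructed events: a Sysmon process creation with a long, encoded
# PowerShell command line, and a routine Service Control Manager event.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7036</EventID>
    <Channel>System</Channel><Computer>WS01</Computer></System>
  <EventData><Data Name="param1">Windows Update</Data><Data Name="param2">running</Data></EventData>
</Event>""",
]


@dataclass
class Rule:
    """One forwarding rule (hypothetical field names). Every set field must
    match (AND); unset fields are ignored; keywords match if any one is found."""
    source: Optional[str] = None
    event_id: Optional[int] = None
    keywords: List[str] = field(default_factory=list)
    min_log_chars: int = 0
    min_commandline_chars: int = 0


def parse_event(xml_text: str) -> Dict:
    """Pull the System fields and the named EventData values out of one event."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "source": sysnode.find("e:Provider", NS).get("Name"),
        "event_id": int(sysnode.findtext("e:EventID", namespaces=NS)),
        "channel": sysnode.findtext("e:Channel", namespaces=NS),
        "computer": sysnode.findtext("e:Computer", namespaces=NS),
        "data": data,
        "raw": xml_text,
    }


def matches(rule: Rule, ev: Dict) -> bool:
    """True when the parsed event satisfies every criterion the rule sets."""
    if rule.source is not None and ev["source"] != rule.source:
        return False
    if rule.event_id is not None and ev["event_id"] != rule.event_id:
        return False
    if rule.keywords and not any(k.lower() in ev["raw"].lower() for k in rule.keywords):
        return False
    if len(ev["raw"]) < rule.min_log_chars:
        return False
    if len(ev["data"].get("CommandLine", "")) < rule.min_commandline_chars:
        return False
    return True


def to_syslog(ev: Dict, ts: datetime) -> str:
    """RFC 3164 style line: <PRI>TIMESTAMP HOST TAG[id]: key="value" ..."""
    pri = 1 * 8 + 6  # facility user (1) * 8 + severity informational (6) = 14
    body = " ".join(f'{k}="{v}"' for k, v in ev["data"].items())
    return (f"<{pri}>{ts.strftime('%b %d %H:%M:%S')} {ev['computer']} "
            f"{ev['source']}[{ev['event_id']}]: {body}")


def select_and_format(xml_events: List[str], rules: List[Rule],
                      ts: Optional[datetime] = None) -> List[str]:
    """Return a syslog line for every event that matches at least one rule."""
    ts = ts or datetime.now(timezone.utc)
    out = []
    for x in xml_events:
        ev = parse_event(x)
        if any(matches(r, ev) for r in rules):
            out.append(to_syslog(ev, ts))
    return out


if __name__ == "__main__":
    rules = [Rule(source="Microsoft-Windows-Sysmon", event_id=1, min_commandline_chars=40),
             Rule(keywords=["-enc", "bypass"])]
    for line in select_and_format(SAMPLE_EVENTS, rules):
        print(line)  # only the Sysmon event is forwarded; the SCM event is dropped
```

Rules are ORed with each other and their fields ANDed, which is the usual shape for "forward just these" filters; a real forwarder would then hand each returned line to a UDP socket aimed at the collector on port 514.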

Why SWELF?

The goal here is that, ideally, between this app, Sysmon (or another way to monitor the command line and network connections on the endpoint and generate SHA-256 hashes for whatever runs), properly configured PowerShell logging (script block logging), your other favourite log sources configured to get everything you want or need, a SIEM or log collector (SIEM recommended) to sort through what you do forward, and a little review of your log data, you could in theory make a leap forward in finding the footprints that a lot of security solutions just can't seem to find (fileless activity).

Open an issue and we will chat it out. (BE A NICE HUMAN) Also please copy and paste the agent's error log into the issue. Shy? Hit me up on Twitter.

Contribution or Recommendations:

Open an issue and TAG it; the more detail the better. Shy? Hit me up on Twitter. If you can code it, open a pull request.

KnowledgeBase:

KnowledgeBase

SWELF Design

swelf design

