1. Information
2. Installation
Note: the installer will ask for the following additional installations:
- Microsoft Visual C++ 2010 x86 Redistributable
- Microsoft Visual C++ 2013 Redistributable (x86)

- Run the Kiwi_Syslog_Server_9.8.1.Freeware.setup.exe file with administrative privileges.
- Click I Agree.
- Choose Install Kiwi Syslog Server as a Service.
- Click Next.
- Choose The LocalSystem Account.
- Click Next.
- Check Shortcuts apply to all users.
- Check Add Start menu shortcut.
- Uncheck Add Desktop shortcut.
- Check Add QuickLaunch shortcut.
- Uncheck Start-up shortcut.
- Click Next.
- Destination Folder: C:\Program Files (x86)\Syslogd
- Click Install.
- Uncheck Run Kiwi Syslog Server 9.8.1.
- Click Finish.
3. Configuration
- Start Kiwi Syslog Server Console.
- Select File > Setup.
- Expand Rules.
- Right-click Default and select Rename rule.
- Type the first rule name Firewall log.
- Expand Firewall log.
- Right-click Filters and select Add filter.
- Type Local0 for the New Filter.
- Select Local0.
- Select Priority for the Field and Filter Type.
- Select Local0.
- Click the Enable button.
- Click Apply.
- Optional: Right-click Actions and select Add action.
- Type Display for the New Action.
- Select Display.
- Select Display for the Action.
- Select Display 00 (Default) for the Display number.
- Click Apply.

- Optional: Right-click Actions and select Add action.
- Type Log to file for the New Action.
- Select Log to file.
- Select Log to file for the Action.
- Type C:\Program Files (x86)\Syslogd\Logs\Firewall log\Firewall-log-%DateISO.txt for the Path and file name of log file.
- Select Kiwi format ISO yyyy-mm-dd (Tab delimited) for the Log file format.
- Click Apply.

- Right-click Rules and select Add rule.
- Type Web Filter log for the New Rule.
- Expand Web Filter log.
- Right-click Filters and select Add filter.
- Type Local1 for the New Filter.
- Select Local1.
- Select Priority for the Field and Filter Type.
- Select Local1.
- Click the Enable button.
- Click Apply.
- Optional: Right-click Actions and select Add action.
- Type Display for the New Action.
- Select Display.
- Select Display for the Action.
- Select Display 01 for the Display number.
- Click Apply.

- Optional: Right-click Actions and select Add action.
- Type Log to file for the New Action.
- Select Log to file.
- Select Log to file for the Action.
- Type C:\Program Files (x86)\Syslogd\Logs\Web Filter log\Web-Filter-log-%DateISO.txt for the Path and file name of log file.
- Select Kiwi format ISO yyyy-mm-dd (Tab delimited) for the Log file format.
- Click Apply.

- Expand and select Inputs.
- Add 10.10.1.170 under Receive messages from below IP addresses.
- Click Apply.
- Select UDP.
- Check Listen for UDP syslog messages.
- Type 514 in the UDP Port (1 - 65535) field.
- Select System for the Data encoding.
- Click Apply.
- Click OK.
- Close Kiwi Syslog Server Console.
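The two rules above route on the syslog facility (Local0 for the firewall, Local1 for the web filter), and the Inputs page only accepts UDP datagrams from 10.10.1.170. The following PowerShell script is an added example, not part of the original page and not a Kiwi Syslog Server tool: it builds RFC 3164 messages carrying the facility each rule expects (PRI = facility * 8 + severity, so an informational local0 message starts with <134> and a local1 message with <142>), sends one of each to the server on UDP 514, and then checks that the Log to file actions wrote today's files under the paths configured above. The server address in $KiwiServer is an assumed value. The sender has to run on a host that is on the Inputs allow list (10.10.1.170 in this setup), otherwise Kiwi silently discards the datagrams, and the file check only works where the Logs folder is reachable, for example when the script runs on the Kiwi host itself with its own address added to the list for the test. Because UDP syslog carries no authentication and source addresses are trivially forged, the allow list is a convenience filter rather than a security boundary; restrict who can reach 514/udp at the network level as well.

```powershell
# Added example (not from the original page): send test syslog messages that should
# match the "Firewall log" (local0) and "Web Filter log" (local1) rules configured above.
$KiwiServer = '10.10.1.10'   # assumption: address of the Kiwi Syslog Server host
$KiwiPort   = 514            # matches the UDP port set under Inputs > UDP

# Syslog facility codes (RFC 3164): local0 = 16, local1 = 17
$Facility = @{ local0 = 16; local1 = 17 }

function Send-TestSyslog {
    param(
        [Parameter(Mandatory)][int]$FacilityCode,
        [int]$Severity = 6,                       # 6 = informational
        [Parameter(Mandatory)][string]$Tag,
        [Parameter(Mandatory)][string]$Message
    )
    # PRI = facility * 8 + severity; Kiwi's "Priority" filter matches on the facility part,
    # which is why local0 lands in one rule and local1 in the other.
    $Pri = ($FacilityCode * 8) + $Severity
    $Timestamp = (Get-Date).ToString('MMM dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
    $Line = "<$Pri>$Timestamp $env:COMPUTERNAME ${Tag}: $Message"
    $Bytes = [Text.Encoding]::ASCII.GetBytes($Line)
    $Udp = New-Object System.Net.Sockets.UdpClient
    try {
        [void]$Udp.Send($Bytes, $Bytes.Length, $KiwiServer, $KiwiPort)
    } finally {
        $Udp.Close()
    }
    return $Line   # echo what was sent so it can be compared with the Kiwi display
}

# One constructed message per rule
Send-TestSyslog -FacilityCode $Facility.local0 -Tag 'fwtest' -Message 'constructed firewall test event'
Send-TestSyslog -FacilityCode $Facility.local1 -Tag 'wftest' -Message 'constructed web filter test event'

# Verify the "Log to file" actions: %DateISO in the configured path expands to yyyy-MM-dd
$Today = (Get-Date).ToString('yyyy-MM-dd')
$Expected = @(
    "C:\Program Files (x86)\Syslogd\Logs\Firewall log\Firewall-log-$Today.txt",
    "C:\Program Files (x86)\Syslogd\Logs\Web Filter log\Web-Filter-log-$Today.txt"
)
Start-Sleep -Seconds 2   # give the service a moment to flush the file
foreach ($Path in $Expected) {
    if (Test-Path -LiteralPath $Path) {
        Write-Host "OK   $Path"
        Get-Content -LiteralPath $Path -Tail 1   # last line should be the test message just sent
    } else {
        Write-Warning "Missing $Path (sender not on the Inputs allow list, rule filter wrong, or service not running?)"
    }
}
```

If the Display action is enabled, the two messages should also appear on Display 00 and Display 01 respectively; a message that shows up under the wrong display means the facility filter, not the action, needs attention.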
4. Linux Logs
5. Windows Logs
Enter the following commands at a PowerShell Command Prompt.

Get-WinEvent -ListLog * | Where-Object { $_.LogName -match "CrowdStrike|Falcon" }
$Events = Get-WinEvent -LogName "CrowdStrike-Falcon Sensor-CSFalconService/Operational"
$Events | Where-Object { $_.Message -notmatch "exiting|starting" }

   ProviderName: CrowdStrike-Falcon Sensor-CSFalconService

TimeCreated          Id LevelDisplayName Message
-----------          -- ---------------- -------
2024-07-18 15:38:51   8 Information      Functions of your USB device are restricted by your organization's policy.
2024-07-18 14:54:07   8 Information      Functions of your USB device are restricted by your organization's policy.
2024-03-15 14:19:34   8 Information      Functions of your USB device are restricted by your organization's policy.
2024-03-15 14:12:39   8 Information      Functions of your USB device are restricted by your organization's policy.
2024-03-15 14:09:23   8 Information      Functions of your USB device are restricted by your organization's policy.
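The three commands above locate the Falcon sensor log, read it, and drop the service start/stop noise. As an added example (not from the original page and not a CrowdStrike tool), the following PowerShell wraps that into a function with a time window, using -FilterHashtable so the event log service does the date filtering instead of piping every record through Where-Object, and then summarizes what is left by event Id and level and gives a per-day count of the Id 8 USB-restriction notices seen in the output above. The log name is the one from the page; the 180-day window and the noise pattern are parameters you can change.

```powershell
# Added example (not from the original page): query the Falcon sensor operational log
# with a time window and summarize the results.
$LogName = 'CrowdStrike-Falcon Sensor-CSFalconService/Operational'   # log name from the page

function Get-FalconSensorEvents {
    param(
        [int]$Days = 30,
        [string]$NoisePattern = 'exiting|starting'   # same service start/stop noise the page excludes
    )
    # Confirm the log exists before querying, as the page's first command does
    $Log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    if (-not $Log) {
        Write-Warning "Log '$LogName' not found; is the Falcon sensor installed on this host?"
        return
    }
    # FilterHashtable is evaluated by the event log service, so the date cut-off is cheap
    $Filter = @{ LogName = $LogName; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -notmatch $NoisePattern }
}

$Events = Get-FalconSensorEvents -Days 180

# Count events per Id and level; Id 8 in the page's output is the USB restriction notice
$Events | Group-Object Id, LevelDisplayName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Daily histogram of USB-restriction notices (Id 8) to spot clusters of repeated attempts
$Events | Where-Object Id -eq 8 |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Select-Object Name, Count |
    Sort-Object Name |
    Format-Table -AutoSize
```

A burst of Id 8 notices on one day, as in the 2024-03-15 rows above, is worth correlating with who was logged on at the time and with the firewall and web filter logs that Kiwi is collecting, since the event itself only records that the policy blocked the device, not which device or which user.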