In order to send these logs to Devo, you need an additional tool that converts the Windows events to syslog format. One of the most popular is Snare Agent for Windows from InterSect Alliance, available in open source and enterprise versions. Snare reads the Windows event logs and forwards them to a remote syslog server. To tag the logs, you can use one of these options:
- In-house Relay - recommended if you have a high volume of events to send (e.g. >10 machines). In this case, configure the Snare agent to send the logs to the In-house Relay IP on port 13002 (udp/tcp). This port is enabled by default on the In-house Relay and tags every event coming through it as box.win.
- ProxyServerContainer Agent - this is a Devo agent that can be installed on a Windows machine; it tags the logs received on a local port and securely sends them to Devo. In this case, configure Snare to send the logs to localhost on the port configured in ProxyServerContainer. Make sure that the port you set in ProxyServerContainer is the same one you configured in Snare, and that it is configured to tag the events as box.win.
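Before pointing Snare at the relay or the ProxyServerContainer port, it is useful to confirm that the syslog lines arriving on that port are well formed and carry the Windows event fields you expect to see under box.win. The script below is an added example, not code from Devo, Snare or this page: it parses a syslog line in the tab-separated Snare format and, when run directly, listens on UDP port 13002 (the In-house Relay default named above) and prints what it receives. The field order in `SNARE_FIELDS` is the Snare layout as I understand it and the sample line is constructed; both are assumptions, not values taken from the page.

```python
import re
import socket
from typing import Optional

# Assumed Snare field order after the "MSWinEventLog" marker (tab-separated).
# Verify against the Snare version you deploy; this is not from the page.
SNARE_FIELDS = [
    "criticality", "event_log", "counter", "datetime", "event_id",
    "source_name", "user", "sid_type", "log_type", "computer",
    "category", "data", "expanded", "checksum",
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_snare_syslog(line: str) -> Optional[dict]:
    """Parse one syslog line produced by Snare for Windows.

    Returns a dict with the syslog facility/severity, the host from the
    header and the Snare fields, or None when the line is not a Snare event
    (wrong PRI header or missing MSWinEventLog marker).
    """
    m = _PRI_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # facility 0-23, severity 0-7
        return None
    rest = m.group(2)
    marker = rest.find("MSWinEventLog")
    if marker < 0:
        return None
    header = rest[:marker].split()     # "Mon DD HH:MM:SS HOST"
    host = header[3] if len(header) >= 4 else ""
    fields = rest[marker:].split("\t")
    event = {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": host,
        "marker": fields[0],
    }
    # Zip tolerates short lines; missing trailing fields become absent keys.
    event.update(zip(SNARE_FIELDS, fields[1:]))
    return event


def is_relay_candidate(event: dict) -> bool:
    """True when the event carries the minimum the box.win tag needs:
    a numeric event id, a computer name and a security/system/application log."""
    return (event.get("event_id", "").isdigit()
            and bool(event.get("computer"))
            and event.get("event_log", "") in ("Security", "System", "Application"))


def listen_udp(port: int = 13002, count: int = 1) -> list:
    """Bind the relay port and collect `count` datagrams (manual check only)."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        while len(events) < count:
            data, addr = s.recvfrom(65535)
            ev = parse_snare_syslog(data.decode("utf-8", "replace"))
            print(addr[0], "->", ev if ev else "not a Snare event")
            events.append(ev)
    return events


# Constructed sample line (not real telemetry): a successful logon, event 4624.
SAMPLE = ("<13>Jan 15 10:23:45 WINHOST01 MSWinEventLog\t1\tSecurity\t1234\t"
          "Mon Jan 15 10:23:45 2024\t4624\tMicrosoft-Windows-Security-Auditing\t"
          "N/A\tN/A\tSuccess Audit\tWINHOST01\tLogon\t\t"
          "An account was successfully logged on.\t55")

if __name__ == "__main__":
    print(parse_snare_syslog(SAMPLE))
    listen_udp()   # blocks until one datagram arrives on 13002
```

Run it on the relay host (or on the Windows machine with ProxyServerContainer, adjusting `port`) only while the real listener is stopped, since two processes cannot bind the same UDP port; a line that parses to `None` means the sender is not delivering Snare-format events and will not be tagged as box.win correctly.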