Closed ion-storm closed 5 years ago
Hey @ion-storm
This issue is resolved now in v0.5. I have added the Windows event log as a supported output format for SilkETW. If "-ot" is set to "eventlog" then all trace events will be written to "Applications and Services Logs\SilkETW-Log". With these changes you should be able to pull in the logs using Winlogbeat.
There are some minor things to take note of. The log has four event ID types and associated JSON data:
(1) Event ID = 0 -> Collector start
{
"Collector": "Start",
"Data": {
"Type": "User",
"Provider": "Microsoft-Windows-DotNETRuntime",
"Keywords": "0x2038",
"FilterOption": "None",
"FilterValue": "",
"YaraPath": "",
"YaraOption": "None"
}
}
(2) Event ID = 1 -> Collector terminated by user
{
"Collector": "Stop",
"Error": false
}
(3) Event ID = 2 -> Collector terminated by error
{
"Collector": "Stop",
"Error": true,
"ErrorCode": 3
}
(4) Event ID = 3 -> Event recorded. This is just the raw JSON for the event that was recorded by the collector.
Please note that SilkETW is primarily a research tool in its current state. I think what you really want is SilkService to deploy a headless ETW collector using a config file. This is in the works but not yet ready!
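The four record types above are the whole contract a downstream consumer has to handle, and the interesting part for a defender is the collector lifecycle: an Event ID 2 stop, or a Start that is never followed by a Stop, means the host's .NET telemetry has a hole. The following is an added example, not code from SilkETW or its author: a parser that walks records in log order (assumed to arrive as Winlogbeat's `winlog.event_id` and `message` fields), validates the lifecycle bodies against the shapes listed above, groups the Event ID 3 records into collector sessions, and reports the sessions that did not end cleanly. The Event ID 3 payloads in the sample are constructed and their field names are illustrative only; the real per-event JSON layout is whatever the collector writes.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Event IDs of the SilkETW-Log channel, as listed in the comment above.
EVENT_COLLECTOR_START = 0
EVENT_COLLECTOR_STOP_USER = 1
EVENT_COLLECTOR_STOP_ERROR = 2
EVENT_RECORDED = 3


@dataclass
class CollectorSession:
    """One collector run: the Start record's Data block, the trace events it
    wrote, and how (or whether) it stopped."""
    config: dict
    events: list = field(default_factory=list)
    outcome: str = "open"            # "open", "user" or "error"
    error_code: Optional[int] = None


def parse_silk_log(records: Iterable[tuple[int, str]]) -> list[CollectorSession]:
    """records: (event_id, message_json) pairs in log order (assumed to come
    from Winlogbeat's winlog.event_id and message fields). Lifecycle records
    are checked against the bodies documented above; a malformed one raises."""
    sessions: list[CollectorSession] = []
    current: Optional[CollectorSession] = None

    for event_id, message in records:
        body = json.loads(message)

        if event_id == EVENT_COLLECTOR_START:
            if body.get("Collector") != "Start" or "Data" not in body:
                raise ValueError(f"event 0 without Start/Data block: {body}")
            # A Start while a session is still open means the previous run
            # never logged a Stop (crash, reboot); it stays "open" below.
            current = CollectorSession(config=body["Data"])
            sessions.append(current)

        elif event_id in (EVENT_COLLECTOR_STOP_USER, EVENT_COLLECTOR_STOP_ERROR):
            expected_error = event_id == EVENT_COLLECTOR_STOP_ERROR
            if body.get("Collector") != "Stop" or body.get("Error") is not expected_error:
                raise ValueError(f"event {event_id} with inconsistent body: {body}")
            if current is None:
                raise ValueError("Stop record without an open collector session")
            if expected_error:
                current.outcome = "error"
                current.error_code = int(body["ErrorCode"])
            else:
                current.outcome = "user"
            current = None

        elif event_id == EVENT_RECORDED:
            if current is None:
                raise ValueError("trace event outside of a collector session")
            current.events.append(body)  # raw event JSON, kept as-is

        else:
            raise ValueError(f"unknown SilkETW event id {event_id}")

    return sessions


def visibility_gaps(sessions: list[CollectorSession]) -> list[CollectorSession]:
    """Sessions that did not end with a user stop: terminated by error, or
    still open at the end of the log. Either is a telemetry gap worth alerting on."""
    return [s for s in sessions if s.outcome != "user"]


def rejects(records: list[tuple[int, str]]) -> bool:
    """True if the parser refuses the given records as malformed."""
    try:
        parse_silk_log(records)
    except ValueError:
        return True
    return False


# Constructed sample log: three collector runs. The Event ID 3 bodies are
# illustrative placeholders, not SilkETW's real per-event schema.
START_DATA = {"Type": "User", "Provider": "Microsoft-Windows-DotNETRuntime",
              "Keywords": "0x2038", "FilterOption": "None", "FilterValue": "",
              "YaraPath": "", "YaraOption": "None"}
SAMPLE_RECORDS = [
    (0, json.dumps({"Collector": "Start", "Data": START_DATA})),
    (3, json.dumps({"EventName": "AssemblyLoad", "PID": 4242})),
    (3, json.dumps({"EventName": "MethodJittingStarted", "PID": 4242})),
    (1, json.dumps({"Collector": "Stop", "Error": False})),
    (0, json.dumps({"Collector": "Start", "Data": START_DATA})),
    (3, json.dumps({"EventName": "AssemblyLoad", "PID": 5150})),
    (2, json.dumps({"Collector": "Stop", "Error": True, "ErrorCode": 3})),
    (0, json.dumps({"Collector": "Start", "Data": START_DATA})),
    (3, json.dumps({"EventName": "AssemblyLoad", "PID": 6001})),
    # no Stop record: the host was rebooted mid-collection
]


if __name__ == "__main__":
    for s in parse_silk_log(SAMPLE_RECORDS):
        print(s.config["Provider"], len(s.events), "events, outcome:", s.outcome, s.error_code)
```

Pointing `visibility_gaps` at the sessions of one host gives you the two cases that matter operationally: an Event ID 2 stop with its `ErrorCode`, and a collector that started but never stopped. Both deserve an alert independent of whatever the collected .NET events themselves say.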
@fuzzysecurity let me know about silkservice, anxious to try it, if it's unreleased I can keep it private ;). I need more visibility asap.
Very nice tool, already using a built version of this. I would love to see an additional output for Syslog/GELF output for SIEMs like Graylog or other logging platforms.