palantir / windows-event-forwarding

A repository for using windows event forwarding for incident detection and response

DUMMY_EVENT & DUMMY_TEMPLATE in custom channels #22

Closed postbluecz closed 6 years ago

postbluecz commented 6 years ago

Hi, can you please explain why you've created DUMMY_EVENT and DUMMY_TEMPLATE in custom channels? I just can't figure out whether it is important or not.

Thank you

Tom

happy-jo commented 6 years ago

@postbluecz, it is important to have the dummy event and template. In order for the Event channel to operate properly, it needs to understand how it will receive data, and these templates are the implementation of that understanding. Without them the channels would not function correctly. (And will not even save, if I remember correctly.)

Keep in mind that the Event Channels are a way of keeping your data separated and organized within the Event Log system. When dealing with complex organizations, this comes in handy when analysing your data in something like Splunk. In Splunk, every EventChannel shows up as a "Source", and that's searchable and a tsidx (stupid fast searching for tstats).
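To make the relationship concrete, here is a minimal event manifest that declares one custom channel together with the dummy event and template the channel needs. This is an added illustration, not the file from the palantir/windows-event-forwarding repository: the provider name `WEC-Example`, the all-zero GUID, the channel name `WEC-Example-Authentication`, the event value `10000`, and the DLL paths are placeholders you would replace with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example manifest (not the project's CustomEventChannels.man).
     Provider name, GUID, channel name, event id and DLL paths are placeholders. -->
<instrumentationManifest
    xmlns="http://schemas.microsoft.com/win/2004/08/events"
    xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd">
  <instrumentation>
    <events>
      <!-- One provider can own many channels; the resource/message DLL is produced
           when the manifest is compiled (mc.exe -> rc.exe -> csc.exe). -->
      <provider name="WEC-Example"
                guid="{00000000-0000-0000-0000-000000000000}"
                symbol="WEC_Example"
                resourceFileName="C:\Windows\System32\CustomEventChannels.dll"
                messageFileName="C:\Windows\System32\CustomEventChannels.dll">

        <!-- The dummy event ties the provider to a template. The channel itself never
             receives this event; forwarded events arrive via the subscription. -->
        <events>
          <event symbol="DUMMY_EVENT"
                 value="10000"
                 version="0"
                 template="DUMMY_TEMPLATE"
                 message="$(string.WEC-Example.event.10000.message)"/>
        </events>

        <!-- Each channel becomes a separate log under Event Viewer and a separate
             "Source" for a SIEM collector. Raise maxSize if it is used as a cache. -->
        <channels>
          <channel name="WEC-Example-Authentication"
                   chid="WEC-Example-Authentication"
                   symbol="WEC_Example_Authentication"
                   type="Admin"
                   enabled="true">
            <logging>
              <maxSize>1073741824</maxSize>
              <retention>false</retention>
            </logging>
          </channel>
        </channels>

        <!-- The dummy template declares the data layout the event carries. -->
        <templates>
          <template tid="DUMMY_TEMPLATE">
            <data name="Prop_UnicodeString" inType="win:UnicodeString" outType="xs:string"/>
            <data name="Prop_UInt32" inType="win:UInt32" outType="xs:unsignedInt"/>
          </template>
        </templates>
      </provider>
    </events>
  </instrumentation>

  <localization>
    <resources culture="en-US">
      <stringTable>
        <string id="level.Informational" value="Information"/>
        <string id="channel.Application" value="Application"/>
        <string id="WEC-Example.event.10000.message" value="Placeholder: %1 %2"/>
      </stringTable>
    </resources>
  </localization>
</instrumentationManifest>
```

After editing the manifest, the usual path is to compile it with `mc.exe -css Namespace manifest.man`, build the resource with `rc.exe manifest.rc`, produce the DLL with `csc.exe /win32res:manifest.res /unsafe /target:library /out:CustomEventChannels.dll manifest.cs`, copy the DLL to the path named in `resourceFileName`/`messageFileName`, and register it with `wevtutil im manifest.man`. Listing the channel afterwards with `wevtutil gl WEC-Example-Authentication` is a quick check that the channel exists and has the `maxSize` you intended before pointing a subscription at it.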

postbluecz commented 6 years ago

Thanks for the explanation @happy-jo!

But to be honest, I did it without dummy events and templates and it all works fine. I think it does add some defaults in compiling, if the manifest does not provide one. I was just wondering whether they have some special purpose that eluded me.

I use the custom channels almost exclusively as a "cache" on forwarders until they go to SIEM, but even for that, the level of granular control they provide is invaluable.