
Collect Logs for the PCI Compliance for Windows Legacy App

Collect Windows event logs as a data source for the PCI Compliance for Windows App.

This page provides instructions for configuring log collection for the PCI Compliance for Windows Legacy App.

Log Types

The PCI Compliance for Windows Legacy App uses Windows Security Event and System Event logs. It does not work with third-party logs.

Configure a Collector and a Source

To configure a collector and source, do the following:
  1. Configure an Installed Windows collector through the user interface or from the command line.
  2. Configure either a local or remote Windows Event Log source. To configure a Windows Event Log source, set the following:
    • Event Format. Select Collect using legacy format.

      Collect using legacy format. Events retain their default text format from Windows.

For more information on local or remote Windows Event Log Source configuration, refer to Local Windows Event Log Source and Remote Windows Event Log Source.

Sample Log Message

instance of Win32_NTLogEvent
{
    Category = 13571;
    CategoryString = "MPSSVC Rule-Level Policy Change";
    ComputerName = "aphrodite.sumolab.org";
    EventCode = 4957;
    EventIdentifier = 4957;
    EventType = 5;
    InsertionStrings = {"CoreNet-IPHTTPS-In", "Core Networking - IPHTTPS (TCP-In)", "Local Port"};
    Logfile = "Security";
    Message = "Windows Firewall did not apply the following rule:

    Rule Information:
    ID: CoreNet-IPHTTPS-In
    Name: Core Networking - IPHTTPS (TCP-In)

    Error Information:
    Reason: Local Port resolved to an empty set.";
    RecordNumber = 1441653878;
    SourceName = "Microsoft-Windows-Security-Auditing";
    TimeGenerated = "20130411232352.140400-000";
    TimeWritten = "20130411232352.140400-000";
    Type = "Audit Failure";
};

Query Sample

Recent Policy Changes

_sourceCategory=OS/Windows/Events "Policy Change"
| parse regex "CategoryString = \"(?<category>[^\"]+?)\";[\s\S]+?Logfile = \"Security\""
| count by category
| where category matches "*Policy Change*"
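As an added example (not part of the Sumo Logic page or product), the following Python mirrors the Recent Policy Changes query offline: it parses legacy-format Win32_NTLogEvent text like the sample above with the same CategoryString/Logfile pattern the parse regex operator uses, then keeps Security-log events whose category contains "Policy Change" and counts them per category. The sample events are constructed from the page's sample plus a constructed non-policy Logon event, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample events: the legacy-format (Win32_NTLogEvent) block from this page,
# slightly shortened, plus a non-policy event to show the filter excluding it.
SAMPLE_EVENT = '''instance of Win32_NTLogEvent
{
    Category = 13571;
    CategoryString = "MPSSVC Rule-Level Policy Change";
    ComputerName = "aphrodite.sumolab.org";
    EventCode = 4957;
    InsertionStrings = {"CoreNet-IPHTTPS-In", "Core Networking - IPHTTPS (TCP-In)", "Local Port"};
    Logfile = "Security";
    Message = "Windows Firewall did not apply the following rule:

    Rule Information:
    ID: CoreNet-IPHTTPS-In";
    SourceName = "Microsoft-Windows-Security-Auditing";
    Type = "Audit Failure";
};'''
OTHER_EVENT = '''instance of Win32_NTLogEvent
{
    CategoryString = "Logon";
    EventCode = 4624;
    Logfile = "Security";
};'''

# Same pattern as the page's parse regex operator (Python named-group syntax).
CATEGORY_RE = re.compile(r'CategoryString = "(?P<category>[^"]+?)";[\s\S]+?Logfile = "Security"')
# One "Key = value;" field per match: a quoted string (may span lines) or an integer.
FIELD_RE = re.compile(r'^\s*(\w+) = ("(?:[^"\\]|\\.)*"|\d+);', re.MULTILINE)

def parse_legacy_event(text):
    """Return the event's scalar fields as a dict; quoted values are unquoted, numbers become ints."""
    fields = {}
    for key, raw in FIELD_RE.findall(text):
        fields[key] = raw[1:-1] if raw.startswith('"') else int(raw)
    return fields

def policy_change_categories(events):
    """Mirror the page's query: keep Security-log events whose category contains
    'Policy Change' and count them per category."""
    counts = Counter()
    for text in events:
        m = CATEGORY_RE.search(text)
        if m and "Policy Change" in m.group("category"):
            counts[m.group("category")] += 1
    return dict(counts)
```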