Collect Logs for the PCI Compliance for Windows Legacy App
Collect Windows event logs as a data source for the PCI Compliance for Windows App.
This page provides instructions for configuring log collection for the PCI Compliance for Windows Legacy App.
Log Types
The PCI Compliance for Windows Legacy App uses the Windows Security and System event logs. It does not work with third-party logs.
Configure a Collector and a Source
To configure a collector and source, do the following:
- Configure an Installed Windows collector through the user interface or from the command line.
- Configure either a local or remote Windows Event Log source. When you configure the Windows Event Log source, set the following:
- Event Format. Select Collect using legacy format.
Collect using legacy format. Events retain their default text format from Windows. The app's queries parse this text format (see the sample log message below), so do not select another format for this source.
For more information on local or remote Windows Event Log Source configuration, refer to Local Windows Event Log Source and Remote Windows Event Log Source.
Sample Log Message
instance of Win32_NTLogEvent { Category = 13571; CategoryString = "MPSSVC Rule-Level Policy Change"; ComputerName = "aphrodite.sumolab.org"; EventCode = 4957; EventIdentifier = 4957; EventType = 5; InsertionStrings = {"CoreNet-IPHTTPS-In", "Core Networking - IPHTTPS (TCP-In)", "Local Port"}; Logfile = "Security"; Message = "Windows Firewall did not apply the following rule: Rule Information: ID: CoreNet-IPHTTPS-In Name: Core Networking - IPHTTPS (TCP-In) Error Information: Reason: Local Port resolved to an empty set."; RecordNumber = 1441653878; SourceName = "Microsoft-Windows-Security-Auditing"; TimeGenerated = "20130411232352.140400-000"; TimeWritten = "20130411232352.140400-000"; Type = "Audit Failure"; };
Query Sample
Recent Policy Changes
_sourceCategory=OS/Windows/Events "Policy Change" | parse regex "CategoryString = \"(?<category>[^\"]+?)\";[\s\S]+?Logfile = \"Security\"" | count by category | where category matches "*Policy Change*"
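The sample message above is the legacy Win32_NTLogEvent text format, and the Recent Policy Changes query pulls CategoryString out of it with a regex. The following Python script is added here as an example; it is not part of the page or of the Sumo Logic app. It parses that text format into fields, converts the WMI CIM_DATETIME timestamps, and then reproduces the query's logic offline: the "Policy Change" keyword filter, the page's parse regex (with Sumo's (?<name>) group syntax written as Python's (?P<name>)), count by category, and the "*Policy Change*" glob match. The first sample event is the page's message; the other three events, the helper names, and the case-insensitive keyword filter are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed sample input. The first event is the page's sample message; the other
# three are made-up events in the same legacy (Win32_NTLogEvent) text format.
SAMPLE_EVENTS = [
    'instance of Win32_NTLogEvent { Category = 13571; CategoryString = "MPSSVC Rule-Level Policy Change"; '
    'ComputerName = "aphrodite.sumolab.org"; EventCode = 4957; EventIdentifier = 4957; EventType = 5; '
    'InsertionStrings = {"CoreNet-IPHTTPS-In", "Core Networking - IPHTTPS (TCP-In)", "Local Port"}; '
    'Logfile = "Security"; Message = "Windows Firewall did not apply the following rule: Rule Information: '
    'ID: CoreNet-IPHTTPS-In Name: Core Networking - IPHTTPS (TCP-In) Error Information: Reason: Local Port '
    'resolved to an empty set."; RecordNumber = 1441653878; SourceName = "Microsoft-Windows-Security-Auditing"; '
    'TimeGenerated = "20130411232352.140400-000"; TimeWritten = "20130411232352.140400-000"; Type = "Audit Failure"; };',
    # constructed: a second firewall rule failure in the same category
    'instance of Win32_NTLogEvent { Category = 13571; CategoryString = "MPSSVC Rule-Level Policy Change"; '
    'ComputerName = "aphrodite.sumolab.org"; EventCode = 4957; EventIdentifier = 4957; EventType = 5; '
    'InsertionStrings = {"CoreNet-ICMP6-DU-In", "Core Networking - Destination Unreachable (ICMPv6-In)", "Local Port"}; '
    'Logfile = "Security"; Message = "Windows Firewall did not apply the following rule: Rule Information: '
    'ID: CoreNet-ICMP6-DU-In Name: Core Networking - Destination Unreachable (ICMPv6-In) Error Information: '
    'Reason: Local Port resolved to an empty set."; RecordNumber = 1441653879; '
    'SourceName = "Microsoft-Windows-Security-Auditing"; TimeGenerated = "20130411232352.140500-000"; '
    'TimeWritten = "20130411232352.140500-000"; Type = "Audit Failure"; };',
    # constructed: an audit policy change, a different Policy Change category
    'instance of Win32_NTLogEvent { Category = 13568; CategoryString = "Audit Policy Change"; '
    'ComputerName = "aphrodite.sumolab.org"; EventCode = 4719; EventIdentifier = 4719; EventType = 4; '
    'InsertionStrings = {"SYSTEM", "APHRODITE$", "SUMOLAB", "0x3e7"}; Logfile = "Security"; '
    'Message = "System audit policy was changed."; RecordNumber = 1441653880; '
    'SourceName = "Microsoft-Windows-Security-Auditing"; TimeGenerated = "20130411232400.000000-000"; '
    'TimeWritten = "20130411232400.000000-000"; Type = "Audit Success"; };',
    # constructed: a logon event, which the query must not count
    'instance of Win32_NTLogEvent { Category = 12544; CategoryString = "Logon"; ComputerName = "aphrodite.sumolab.org"; '
    'EventCode = 4624; EventIdentifier = 4624; EventType = 4; InsertionStrings = {"S-1-5-18", "SYSTEM", "NT AUTHORITY"}; '
    'Logfile = "Security"; Message = "An account was successfully logged on."; RecordNumber = 1441653881; '
    'SourceName = "Microsoft-Windows-Security-Auditing"; TimeGenerated = "20130411232401.000000-000"; '
    'TimeWritten = "20130411232401.000000-000"; Type = "Audit Success"; };',
]

# One "Key = value;" field of the legacy format: a quoted string, a brace-delimited
# set of quoted strings (InsertionStrings), or a bare number.
FIELD_RE = re.compile(
    r'(?P<key>\w+) = '
    r'(?:"(?P<str>(?:[^"\\]|\\.)*)"'
    r'|\{(?P<set>[^}]*)\}'
    r'|(?P<raw>[^;]+))'
    r';'
)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# The page's parse regex, with the named group in Python syntax (assumption: the query
# is reproduced literally; only the group syntax differs).
CATEGORY_RE = re.compile(r'CategoryString = "(?P<category>[^"]+?)";[\s\S]+?Logfile = "Security"')


def parse_legacy_event(raw: str) -> dict:
    """Parse one legacy-format event into a dict of its fields."""
    event = {}
    for m in FIELD_RE.finditer(raw):
        key = m.group("key")
        if m.group("str") is not None:
            event[key] = m.group("str")
        elif m.group("set") is not None:
            event[key] = QUOTED_RE.findall(m.group("set"))
        else:
            value = m.group("raw").strip()
            event[key] = int(value) if value.lstrip("-").isdigit() else value
    return event


def parse_cim_datetime(value: str) -> datetime:
    """Convert a WMI CIM_DATETIME string (yyyymmddHHMMSS.ffffff followed by a UTC
    offset in minutes, as in TimeGenerated above) to a timezone-aware datetime."""
    stamp, offset_minutes = value[:21], int(value[21:])
    return datetime.strptime(stamp, "%Y%m%d%H%M%S.%f").replace(
        tzinfo=timezone(timedelta(minutes=offset_minutes))
    )


def recent_policy_changes(events: list[str]) -> dict[str, int]:
    """Offline equivalent of the Recent Policy Changes query: keyword filter, the
    page's parse regex, count by category, and the *Policy Change* glob."""
    counts: Counter = Counter()
    for raw in events:
        # _sourceCategory=... "Policy Change": keyword search over the whole message
        # (assumption: treated here as a case-insensitive substring match).
        if "policy change" not in raw.lower():
            continue
        # parse regex ...: events whose CategoryString precedes Logfile = "Security".
        m = CATEGORY_RE.search(raw)
        if m is None:
            continue
        counts[m.group("category")] += 1  # count by category
    # where category matches "*Policy Change*": Sumo's glob wildcard, as fnmatch here.
    return {c: n for c, n in counts.items() if fnmatchcase(c, "*Policy Change*")}


if __name__ == "__main__":
    for category, n in recent_policy_changes(SAMPLE_EVENTS).items():
        print(f"{n:>3}  {category}")
    first = parse_legacy_event(SAMPLE_EVENTS[0])
    print(first["EventCode"], first["Type"], parse_cim_datetime(first["TimeGenerated"]).isoformat())
```

Two points worth noting when reading the query against this script. The parse regex only yields a category when Logfile = "Security" appears somewhere after CategoryString, which the legacy format's field order guarantees, so System log events never reach the count even if their text contains "Policy Change". And the TimeGenerated/TimeWritten values are WMI CIM_DATETIME strings whose trailing digits are a UTC offset in minutes, not a time zone name; the helper above converts them so event times can be compared across hosts.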