From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Frank Wayne <firstname.lastname@example.org>
Cc: WireGuard mailing list <email@example.com>
Subject: Re: Windows Log Output to Event Viewer or Text File
Date: Thu, 14 Oct 2021 15:56:48 -0600 [thread overview]
Message-ID: <CAHmME9q9VB7eEsZCFUqo8XG7qj1pe2RwgLezJEHueF4_AjmA4A@mail.gmail.com> (raw)
On Thu, Oct 14, 2021 at 3:45 PM Frank Wayne
> The service approach is interesting, too. It would be simpler to ingest.
I started writing this, and got something basically working, but got a
bit tripped up in annoying lifetime issues of registering an event log
"source" in the registry, and the boggling configurability there. I'm
kind of shying away from it after an initial stab...
To answer the more concrete questions about a tail approach:
> Will every host have WireGuard installed? Forever?
This is a tougie, I guess in the same way that scooping up
non-streamed file-based logs are: at some point you have to do a sweep
to see if there are new files to grab, or in this case, if wireguard
has been installed. So on one hand, "polling" is pretty gnarly, but on
the other hand, you do that anyway for file-based logs I imagine.
There are probably other SCM-based or MSI-event based ways of doing
this without polling that are more complicated.
Does Splunk have any condition logic like, "do this collection routine
if file F exists; otherwise wait to do it until it exists"? If that
kind of thing is built in, then you're done. If not I agree this is an
> Is wireguard.exe in the PATH? For the user that Splunk runs under?
Yes. It's added to the system PATH.
> Should the script check the registry for the executable's location if it's not in the path?
No. The installer always sets PATH.
> Does that user have permissions to the WireGuard program directory?
Hmm. Here indeed is where the granular decoupled permission system of
Event Log comes in handy, I suppose. But in theory you should be able
to do the same for wireguard's log:
"%PROGRAMFILES%\wireguard\data\log.bin" is just a file path like any
other, and you can adjust its permissions accordingly. By default its
parent directory is O:SYG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA), but
you could set a more particular ACL for log.bin itself.
> Can we run that script on endpoints without checking each team's security policy regarding in-house software running executables outside of its scope?
I imagine probably so in the sense that wireguard.exe is already
executed several times in a few different funny roles, so things might
already be sufficiently permissive. Have you seen any wireguard.exe
policies being passed around places? If you've got a link, I'd be
curious to see what people are doing.
next prev parent reply other threads:[~2021-10-14 21:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-08 20:50 Windows Log Output to Event Viewer or Text File Frank Wayne
2021-10-08 22:01 ` Jason A. Donenfeld
2021-10-12 21:39 ` Frank Wayne
2021-10-12 21:40 ` Jason A. Donenfeld
2021-10-13 13:29 ` Frank Wayne
2021-10-13 18:16 ` Jason A. Donenfeld
2021-10-14 17:41 ` Frank Wayne
2021-10-14 18:40 ` StarBrilliant
2021-10-14 19:40 ` Frank Wayne
2021-10-14 19:52 ` Jason A. Donenfeld
2021-10-14 20:02 ` Jason A. Donenfeld
2021-10-14 21:45 ` Frank Wayne
2021-10-14 21:56 ` Jason A. Donenfeld [this message]
2021-10-15 13:25 ` Frank Wayne
2021-10-26 10:05 ` Jason A. Donenfeld
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).