enVision Microsoft Windows Collector Configuration Guide

Date post: 27-Oct-2014
Upload: chriswithall
Copyright © 2012 EMC Corporation. All Rights Reserved.

Microsoft Windows
Last Modified: Sunday, April 29, 2012

Event Source (Device) Product Information

Vendor: Microsoft
Event Source (Device): Windows
Supported Versions:
- NT, 2000, XP, 2003, Vista Business, Ultimate, and Enterprise - using SNARE or the legacy agentless collector
- Server 2008 - Agentless, using SNARE, or using File Reader Service
- Windows Server 2008 Enterprise with Hyper-V, Server 2008 R2 Standard, Enterprise, and Datacenter - Agentless or using SNARE
- Web Server 2008 R2 - Agentless or using SNARE
- 7 Professional, Ultimate, and Enterprise - Agentless

Note: To support Exchange Auditing logs in Microsoft Exchange 2007 SP2 or later, you need to install the EBF: ENV-36943. For details, contact RSA enVision Customer Support.

RSA Product Information

Supported Version: RSA enVision 4.0 and 4.1
Event Source (Device) Type:
- Agentless = winevent_nic, 30
- Using third-party collection agent - Adiscon EventReporter = winevent_er, 15
- Using third-party collection agent - InterSect-Alliance BackLog = winevent, 14
- Using third-party collection agent - InterSect Alliance SNARE = winevent_snare, 20
Collection method:
- agentless = Windows Event Logs
- using third-party agent = syslog
Event Source (Device) Class.Subclass: Host.Windows
Content 2.0 Table: Windows

This document contains the following information for the Microsoft Windows event source:
- Configuration Instructions
- Release Notes for Content 2.0
- Release Notes for Standard Content

RSA Event Source Configuration Guide

Microsoft Windows Configuration Instructions

You must complete the following tasks to set up Microsoft Windows to send events to the RSA enVision platform:

I. Set up the remote and target systems
II. Set up Windows file or folder auditing
III. Set up collection


Setting Up the Remote and Target Systems

To set up the remote and target systems, you must do the following:

1. Set Up Event Logs
2. Set Up Windows Auditing

Set Up Event Logs

Note: To ensure that logs are continuously forwarded to the RSA enVision platform, you must set the log setting so that the log files do not reach maximum size.

To set up event logs:
1. Click Start > Settings > Control Panel > Administrative Tools > Event Viewer.
2. Right-click System, and select Properties.
3. Select Overwrite events as needed.
4. Click Apply, and click OK.
5. Repeat steps 2 to 4 for Application and Security logs.

Set Up Windows Auditing

Important: To set up auditing for your specific needs, consult your IT department and the OS documentation.

There are several options for auditing Windows. The following example from Microsoft describes how to enable local Windows security auditing.

To set up auditing:
1. Log on to Windows with an account that has administrative credentials.
2. Click Start > Settings > Control Panel > Administrative Tools.
3. Double-click Local Security Policy to start the Local Security Settings MMC snap-in.
4. Double-click Local Policies to expand the folder, and double-click Audit Policy.
5. In the right pane, double-click the policy that you want to enable or disable.
6. Select Success (audited security access attempt that succeeds), Fail (audited security access attempt that fails), or both for logging on and logging off.
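
The two procedures above ("Set Up Event Logs" and "Set Up Windows Auditing") can also be applied and verified from a script, which helps when many event sources must be checked. The following is an added example, not part of the RSA guide. It assumes an elevated Windows PowerShell 2.0 to 5.1 session, an English-language system (auditpol category names are localized), and Windows Vista / Server 2008 or later for auditpol.exe.

```powershell
# Added example, not from the RSA guide.
# Stop early when the session is not elevated: the Security log and the audit
# policy cannot be read or changed otherwise.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) session.'
}

# --- Set Up Event Logs: "Overwrite events as needed" on all three logs ---
$logs = 'System', 'Application', 'Security'
foreach ($name in $logs) {
    Limit-EventLog -LogName $name -OverflowAction OverwriteAsNeeded
}

# Read the settings back. A Group Policy setting can override the local value,
# so verify instead of trusting that the change was kept.
$report = Get-EventLog -List |
    Where-Object { $logs -contains $_.Log } |
    Select-Object Log, OverflowAction, MaximumKilobytes
$report | Format-Table -AutoSize

$stuck = @($report | Where-Object { $_.OverflowAction -ne 'OverwriteAsNeeded' })
if ($stuck.Count -gt 0) {
    $names = ($stuck | ForEach-Object { $_.Log }) -join ', '
    Write-Warning "Not set to overwrite as needed: $names"
}

# --- Set Up Windows Auditing: Success and Failure for logon and logoff ---
& auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) {
    throw "auditpol /set failed with exit code $LASTEXITCODE"
}

# /r prints the effective policy as CSV; list any subcategory that is still
# not audited for both outcomes.
$policy = & auditpol.exe /get /category:"Logon/Logoff" /r |
    Where-Object { $_ } |
    ConvertFrom-Csv
$policy | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

$gaps = @($policy | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
if ($gaps.Count -gt 0) {
    Write-Warning ("Subcategories not audited for Success and Failure: " +
        (($gaps | ForEach-Object { $_.Subcategory }) -join ', '))
}
```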


Setting Up Windows File or Folder Auditing

Set up auditing to detect and record security-related events, such as when a user attempts to access a confidential file or folder. When you audit an object, an entry is written to the Windows Security log whenever the object is accessed in the specified way. You determine which objects to audit, whose actions to audit, and exactly which types of actions to audit. After you set up auditing, you can track users who access specified objects and analyze security breaches. The audit trail can show who performed the actions and who tried to perform actions that are not permitted.

Because the Security log is limited in size, select the fields and folders to audit carefully. Also consider the amount of disk space that you are willing to allocate to the Security log. You define the maximum size in the Windows Event Viewer.

Important: For Active Directory 2008 auditing, see the Microsoft Technet article, AD DS Auditing Step-by-Step Guide. Go to http://technet.microsoft.com/en-us/library/cc731607%28WS.10%29.aspx.

To set up file or folder auditing:
1. Open Windows Explorer, and locate the file or folder that you want to audit.
2. Right-click the file or folder, and select Properties.
3. On the Security tab, click Advanced, and click the Auditing tab.
4. Do one of the following:
   - To set up auditing for a new group or user, click Add. In the Name field, enter the name of the user that you want to audit, and click OK.
   - To view or change auditing for an existing group or user, click the group or user, and click View/Edit.
   - To remove auditing for an existing group or user, click the group or user, and click Remove. Go to step 6.
5. If you are adding or editing a group or user, do the following:
   a. In the Access list box, for each type of access that you want to audit, select Successful, Failed, or both.
   b. To prevent files and subfolders in the tree from inheriting these audit entries, select Apply these auditing entries.
   c. Click OK.
6. Click OK.

Note: If the checkboxes in the Access list box in the Auditing Entry dialog box are unavailable, or if the Remove button is unavailable in the Access Control Settings dialog box, auditing has been inherited from the parent folder.
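
The same audit entry can be written and inspected from PowerShell, which also shows which entries are inherited (the case described in the Note above). This is an added example, not part of the RSA guide; the folder path and the audited identity are hypothetical. It assumes an elevated session, an English-language system, and auditpol.exe (Windows Vista / Server 2008 or later).

```powershell
# Added example, not from the RSA guide. Run elevated: reading or writing a
# SACL requires the "Manage auditing and security log" user right.
$path     = 'C:\Confidential'   # hypothetical folder to audit
$identity = 'Everyone'          # hypothetical group or user whose access is audited

# Access types to audit, and whether to record successes, failures, or both.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Inheritance: apply the entry to this folder, its subfolders and its files.
# Use 'None' for $inherit to audit only the folder itself.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $propagate, $flags)

# -Audit loads the SACL together with the rest of the security descriptor.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the SACL back, explicit and inherited entries alike. IsInherited = True
# marks an entry that comes from a parent folder and must be changed there.
(Get-Acl -Path $path -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags,
                  InheritanceFlags, IsInherited |
    Format-Table -AutoSize

# A SACL entry only produces Security log events when object access auditing
# for the file system is enabled in the audit policy, so check that as well.
& auditpol.exe /get /subcategory:"File System"
```

If the last command reports "No Auditing", the audit entries are stored on the folder but no events reach the Security log, and therefore none reach the collector.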


Setting Up Collection

You can set up either of two methods of collection for Windows logs:
- Set Up Agentless Collection
- Set Up Third-Party Collection Services

Note: If you cannot collect messages from a Windows Server 2003 or 2008 event source, set up the Remote Registry Service account to run as the LocalSystem, not LocalService.

Important: You must have administrator privileges to read the event logs and retrieve the Application and System messages. You can get security messages without administrator privileges if you set Manage auditing and security log policy for the user.


Setting Up Agentless Collection

For agentless collection of Windows messages, you have the following choices:
- The Windows Eventing Collector (requires separate installation of a new enVision collector)
- The Legacy Agentless Collector (does not require any additional downloads or configuration)

Windows Eventing Collector

Beginning with the August 2010 Event Source Update, there is a new agentless collector available, the Windows Eventing Collector. For details, see RSA enVision Windows Eventing Collector Service Deployment Overview Guide and the Microsoft Windows Eventing 6.0 Web Services AP Configuration Guide and Release Notes.

Prerequisites

You must be running RSA enVision 4.0 Service Pack 3 or newer. Additionally, ensure that you updated the enVision platform by installing the following (available for download from SecurCare Online):
- v4.0SP3_WindowsEventing_SharedMemory.exe
- RSA_enVision_Windows_Eventing_Collector_Service.exe
- The June 2010 or later Event Source Update

Disable the Legacy Collector

If you are using the Windows Eventing Collector, RSA recommends that you disable the legacy Windows agentless collector. Otherwise, event collection is duplicated, and RSA enVision stores duplicate message data in its database.

Note: If your environment contains both Windows Server 2008 and earlier Windows servers, make sure you only disable the legacy collector for your Windows Server 2008 servers. The Windows Eventing Collector Service cannot collect from servers earlier than Windows Server 2008.

To disable the legacy agentless Windows collector:
1. On the enVision platform, click Overview > System Configuration.
2. Click Services > Device Services > Windows Service > Manage Windows Service.
3. Select the Windows Agentless Collector Service for each event source for which you are using the Windows Eventing Collector Service.
4. Click Delete.

Enable Collection on the Hyper-V and Terminal Services Gateway Channels

Follow these instructions only if you want to collect events from the Hyper-V or Terminal Services (TS) Gateway channels.


To collect from the Hyper-V or TS Gateway channels:
1. Add or update the alias for the event source as follows:
   a. Open a new command shell, and change directories to the E:\nic\enVision version\node_name\collection-services\winevent directory.
   b. Run one of the following commands:
      - To add a new alias, type:
        wineventconfig.exe -a
      - To edit an existing alias, type:
        wineventconfig.exe -e
   c. Follow the prompts to provide your information. For details, see the enVision Online Help.
   d. Enter the list of channels to which you want to subscribe. Use a comma as the delimiter between channel names.
      Note: You must enter the names as written in the list below. If you misspell any channel name, events from that channel are not collected.
2. To test your configuration, type:
   wineventconfig.exe -t

Channel List for Hyper-V and TS Gateway

The following channels are available for Hyper-V events:
- Channel Microsoft-Windows-Hyper-V-Config-Admin
- Channel Microsoft-Windows-Hyper-V-Config-Operational
- Channel Microsoft-Windows-Hyper-V-Hypervisor-Admin
- Channel Microsoft-Windows-Hyper-V-Hypervisor-Operational
- Channel Microsoft-Windows-Hyper-V-VMMS-Admin
- Channel Microsoft-Windows-Hyper-V-Worker-Admin
- Channel Microsoft-Windows-Hyper-V-Image-Management-Service-Admin
- Channel Microsoft-Windows-Hyper-V-Image-Management-Service-Operational
- Channel Microsoft-Windows-Hyper-V-SynthStor-Admin
- Channel Microsoft-Windows-Hyper-V-Integration-Admin
- Channel Microsoft-Windows-Hyper-V-SynthNic-Admin

The following channels are available for TS Gateway events:
- Channel Microsoft-Windows-TerminalServices-Gateway/Admin
- Channel Microsoft-Windows-TerminalServices-Gateway/Operational

Legacy Collector

The NIC Windows Service retrieves Windows logs from remote systems without installing any third-party software. This method is known as agentless Windows collection.

If you use agentless collection, the Remote Registry Service must be running on the remote server. This service allows a remote station to access the event logs.

If you use a third-party collection application or an agent, you do not need to configure the NIC Windows Service.


Setting Up Third-Party Collection Services

The RSA enVision platform supports Windows logs collected by InterSect Alliance SNARE BackLog, InterSect Alliance SNARE for Windows, and Adiscon EventReporter and DNS Server. You can set up collection by any of the following:
- InterSect Alliance SNARE BackLog
- InterSect Alliance SNARE
- Adiscon EventReporter and DNS Server

Note: If you install the SNARE agent on a Windows Vista or Server 2008 system, you must use SNARE for Windows Vista version 1.1.1.

Set Up InterSect Alliance SNARE BackLog

To set up InterSect Alliance SNARE BackLog:
1. Set the Target Host to the hostname of the RSA enVision appliance collecting the events.
2. Set the Syslog Category to Syslog - Debug.
3. Set the Delimiter to Comma.

Note: If you set these incorrectly, you can run configurator.exe, located in the installation directory (the default installation directory is C:\Program Files\Backlog).

Set Up InterSect Alliance SNARE

The RSA enVision platform supports SNARE for Windows 4.0.0.2 and earlier, and SNARE for Windows Vista 1.1.1.

Note: DNS server logs are not supported by SNARE for Windows Vista 1.1.1 on Windows Server 2008.

To set up InterSect Alliance SNARE:
1. Set the Destination Snare Server Address to the IP address of the RSA enVision appliance collecting the events.
2. Set the Destination Port to 514.
3. If you use SNARE for Windows 4.0.0.2 and later, ensure that the following options are selected:
   Note: If you use an earlier version of SNARE for Windows, skip this step.
   - Allow SNARE to automatically set audit configuration.
   - Allow SNARE to automatically set file audit configuration.
4. Set the Syslog facility to Syslog.
5. Set the Syslog Priority to Debug.
6. Ensure that Enable Syslog Header is selected.
7. Copy the SNAREdelimiter.reg file from the \etc\devices\winevent_snare directory on the enVision appliance to the machine on which you installed SNARE.
8. To update the SNARE registry with the proper delimiter setting, right-click the SNAREdelimiter.reg file, and select Merge. When prompted to continue, click Yes.
9. On the Windows Start menu, click Settings > Control Panel > Administrative Tools > Services.
10. Restart the SNARE service.

To install and set up InterSect Alliance SNARE on Windows Server 2008 Server Core:
1. Click My Computer > Tools > Map Network Drive, and follow these steps to map a drive:
   a. From the Drive drop-down list, select the drive which you want to map.
   b. In the Folder field, enter the IP address of the drive to be mapped.
      For example, if the IP address of the core server machine is 1.1.1.1 and the drive to be mapped is C:, enter \\1.1.1.1\c$ in the Folder field.
   c. Select Reconnect at logon.
   d. Select Connect using a different user name option, and enter the logon credentials for the Server Core machine.
2. Create a new directory on Server Core, such as C:\files.
3. Copy the SNARE installation file (downloaded from http://www.intersectalliance.com/projects/SnareWindows/index.html#Download to the local machine) and the .reg file (from the \etc\devices\winevent_snare directory on the enVision appliance) to the directory that you created in step 2.
4. Follow these steps to install SNARE on the Server Core installation:
   a. Open a command shell, and change directories to the directory that you created in step 2.
   b. To install SNARE, type:
      C:\files\SnareSetupVista-1.1.1-MultiArch.exe
      Note: When installing the SNARE agent on a Server 2008 Server Core installation, you must set the Remote Control Interface setting to YES – with password. If this option is not selected, the SNARE agent can only be configured through the registry.
   c. To update the SNARE registry with the proper delimiter setting, type:
      C:\files\SNAREdelimiter.reg
      When prompted to continue, click Yes.
5. To configure the settings through the Internet, connect to the interface through a web browser.
   For example, if the IP address of the Server Core host is 1.1.1.1, go to http://1.1.1.1:6161/
   Note: If a firewall prevents the connection, to make a rule that allows connection to the web interface, you can run the command:
   netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
6. To configure the settings, follow steps 1 to 6 of the preceding SNARE setup procedure.
7. Follow these steps to restart the service:
   a. To stop the service, at the command prompt, type:
      sc stop snare
   b. To start the service, type:
      sc start snare
   c. To verify that the SNARE service is running, type:
      sc query snare
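
The firewall command in the Note under step 5 sets the default inbound policy to allow on every profile, which exposes every listening port on the Server Core host and not only the SNARE interface on port 6161. The following added example (not part of the RSA guide) shows that setting beside a rule limited to the SNARE port and one management address. The address 192.0.2.10 is a placeholder from the documentation range and the rule name is hypothetical.

```powershell
# Added example, not from the RSA guide. Run in an elevated shell on the
# Server Core host. The netsh lines themselves are the same in cmd.exe.

# Weak setting (the command from the Note in step 5): the default policy
# becomes "allow inbound" on the domain, private and public profiles.
#   netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound

# Corrected setting, part 1: keep (or restore) the Windows default policy,
# which blocks unsolicited inbound connections.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Corrected setting, part 2: allow only TCP 6161 (the SNARE remote control
# interface from step 5), and only from one management workstation.
# 192.0.2.10 is a placeholder; SNARE-RemoteControl-6161 is a hypothetical name.
netsh advfirewall firewall add rule name=SNARE-RemoteControl-6161 dir=in action=allow protocol=TCP localport=6161 remoteip=192.0.2.10

# Verify the resulting default policy and the new rule.
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall firewall show rule name=SNARE-RemoteControl-6161

# Once SNARE is configured, the rule can be removed again:
#   netsh advfirewall firewall delete rule name=SNARE-RemoteControl-6161
```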

Setting Up Adiscon EventReporter and DNS Server

The RSA enVision platform supports EventReporter 8.1.

Note: By default, DNS server logging is not selected.

Note: The Default EventLog Monitor Service is compatible only with Windows Server 2008 Enterprise Edition. The service is not compatible with Windows Server 2008 Standard Edition and is therefore not supported by the enVision platform.

You must complete the following tasks to set up Adiscon EventReporter and DNS Server:

I. Set up EventReporter
II. (Optional) Set up Hyper-V
III. Set up DNS server logging

Set Up Adiscon EventReporter

To set up Adiscon EventReporter:
1. From the Windows Start menu, click Programs > EventReporter > EventReporterConfiguration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
   a. Click Default EventLog Monitor > Advanced Options.
   b. Select Use Legacy Format.
   c. Select only Add Facilitystring, Add Username, and Add Logtype.
   d. Click Save.
3. Follow these steps to configure syslog forwarding:
   a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog > Actions.
   b. Select Forward Syslog.
   c. In the Syslog Server field, enter the IP address of the RSA enVision appliance collecting the events.
   d. Clear Add Syslog Source when forwarding to other Syslog servers.
   e. Leave all other options at the default settings.
4. Restart the EventReporter service.

Set Up Hyper-V

This procedure is optional. Follow these steps only if you are configuring Hyper-V.

To configure Hyper-V:

Note: EventReporter 11.1 is required to configure Hyper-V support.

1. From the Windows Start menu, click Programs > EventReporter > EventReporterConfiguration.
2. To create a rule set, follow these steps:
   a. In the left-hand panel, right-click Rule Sets, and select Add Rule Set.
   b. Name the rule set, and click Next.
   c. Select Forward Syslog, and accept all other defaults to add the rule set.
   d. Select your rule set from RuleSets, and click Forward Syslog > Actions > Forward Syslog.
   e. Accept all defaults, and complete the fields as follows:
      - Syslog Server: The IP address of your RSA enVision appliance
      - Message format: [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"
      Note: If you cut and paste the message format string, ensure that the string does not contain any line or paragraph breaks.
3. To configure a service to use the rule set, follow these steps:
   a. Right-click Configured Services, and click Add Service > Event Log Monitor V2.
   b. Accept all defaults, and click Next.
   c. Click Finish.
   d. Click the new service.
   e. By default, all items are selected. Clear all items except those that start with the string Microsoft-Windows-Hyper-V.
      Note: The Hyper-V items are under New EventLog - Serviced Channels > Microsoft > Windows.
   f. In the Rule Set to Use field, select your rule set.
   g. Click Save.
4. Restart the EventReporter service.

Set Up DNS Server Logging

To set up DNS server logging:
1. From the Windows Start menu, click All Programs > EventReporter > EventReporter Configuration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
   a. Click Default EventLog Monitor > Advanced Options.
   b. Select Use Legacy Format.
   c. Select only Add Facilitystring, Add Username, and Add Logtype.
   d. Click OK.
3. Follow these steps to configure syslog forwarding:
   a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog > Actions.
   b. Select Forward Syslog.
   c. In the Syslog Server field, enter the IP address of the RSA enVision appliance collecting the events.
   d. Clear Add Syslog Source when forwarding to other Syslog servers.
   e. Leave all other options at the default settings.
4. Restart the EventReporter service.


Set Up the NIC File Reader Service

Important: You must select and enable debug logging options on the DNS server. For more information, see the Microsoft Windows 2008 DNS Server documentation located at http://technet.microsoft.com/en-us/library/cc759581(WS.10).aspx.

To add Microsoft Windows 2008 through the NIC File Reader Service:
1. Log on to the RSA enVision platform with administrative credentials.
2. Select Overview > System Configuration > Services > Device Services > Manage File Reader Service.
3. Click Add.
4. Complete the fields as follows.

   Field              Action
   IP address         Enter the IP address of the Microsoft Windows DNS server.
   File reader type   Select WINDNS.

5. Ensure that Start File Reader Service on Apply is selected.
6. Click Apply.
7. To restart the NIC Service Manager, follow these steps:
   a. On your enVision appliance, click Start > Administrative Tools > Services.
   b. From the list, click NIC Service Manager.
   c. Click Restart the service.


Content 2.0 Release Notes

Microsoft Windows Release Notes (20120429-082422)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20120328-170659)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20120305-123706)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20120201-163743)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20120105-082058)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20111205-083318)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20111031-165949)

What's New in This Release
RSA has added support for SNARE for Windows 4.0.0.2.

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20111004-165427)

What's New in This Release
When you upgrade to Content 2.0, the following report names map as follows:

Note: Although old reports are not compatible with Content 2.0, RSA has not removed the old report names from the GUI.

   Old Report Name                                   Content 2.0 Report Name
   Computer Account Changes - Windows Server 2003    Computer Account Changes
   User Group Account Changes - Windows Server 2003  User Group Account Changes
   Trusted Domain Changes - Windows Server 2003      Trusted Domain Changes
   User Rights Changes - Windows Server 2003         User Rights Changes
   Computers Added/Removed from Domain               Computer Account Added/Removed
   Applications by Users - Windows Server 2003       Applications by Users

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20110817-133744)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20110623-133824)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20110526-152046)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Standard Content Release Notes

Microsoft Windows Release Notes (20120201-163743)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

