Copyright © 2012 EMC Corporation. All Rights Reserved.
Microsoft Windows
Last Modified: Sunday, April 29, 2012
Event Source (Device) Product Information
Vendor: Microsoft
Event Source (Device): Windows
Supported Versions:
- NT, 2000, XP, 2003, Vista Business, Ultimate, and Enterprise - using SNARE or the legacy agentless collector
- Server 2008 - Agentless, using SNARE, or using File Reader Service
- Windows Server 2008 Enterprise with Hyper-V, Server 2008 R2 Standard, Enterprise, and Datacenter - Agentless or using SNARE
- Web Server 2008 R2 - Agentless or using SNARE
- 7 Professional, Ultimate, and Enterprise - Agentless
Note: To support Exchange Auditing logs in Microsoft Exchange 2007 SP2 or later, you need to install the EBF: ENV-36943. For details, contact RSA enVision Customer Support.
RSA Product Information
Supported Version: RSA enVision 4.0 and 4.1
Event Source (Device) Type:
- Agentless = winevent_nic, 30
- Using third-party collection agent - Adiscon EventReporter = winevent_er, 15
- Using third-party collection agent - InterSect Alliance BackLog = winevent, 14
- Using third-party collection agent - InterSect Alliance SNARE = winevent_snare, 20
Collection method:
- agentless = Windows Event Logs
- using third-party agent = syslog
Event Source (Device) Class.Subclass: Host.Windows
Content 2.0 Table: Windows
This document contains the following information for the Microsoft Windows event source:
- Configuration Instructions
- Release Notes for Content 2.0
- Release Notes for Standard Content
RSA Event Source Configuration Guide
RSA Event Source
Microsoft Windows Configuration Instructions
You must complete the following tasks to set up Microsoft Windows to send events to the RSA enVision
platform:
I. Set up the remote and target systems
II. Set up Windows file or folder auditing
III. Set up collection
Setting Up the Remote and Target Systems
To set up the remote and target systems, you must do the following:
1. Set Up Event Logs
2. Set Up Windows Auditing
Set Up Event Logs
Note: To ensure that logs are continuously forwarded to the RSA enVision platform, you must set the log
setting so that the log files do not reach maximum size.
To set up event logs:
1. Click Start > Settings > Control Panel > Administrative Tools > Event Viewer.
2. Right-click System, and select Properties.
3. Select Overwrite events as needed.
4. Click Apply, and click OK.
5. Repeat steps 2 to 4 for Application and Security logs.
Set Up Windows Auditing
Important: To set up auditing for your specific needs, consult your IT department and the OS
documentation.
There are several options for auditing Windows. The following example from Microsoft describes how to
enable local Windows security auditing.
To set up auditing:
1. Log on to Windows with an account that has administrative credentials.
2. Click Start > Settings > Control Panel > Administrative Tools.
3. Double-click Local Security Policy to start the Local Security Settings MMC snap-in.
4. Double-click Local Policies to expand the folder, and double-click Audit Policy.
5. In the right pane, double-click the policy that you want to enable or disable.
6. Select Success (audited security access attempt that succeeds), Fail (audited security access
attempt that fails), or both for logging on and logging off.
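Both procedures above (log retention and the logon/logoff audit policy) can also be applied and verified from the command line. The following is an added example, not part of the RSA guide; it assumes an elevated Windows PowerShell session on the monitored host, and the 64 MB maximum log size is an assumed value.

```powershell
# Added example (not from the RSA guide). Assumes an elevated Windows PowerShell
# session on the monitored host; the 64 MB log size is an assumed value.

# Set Up Event Logs: "Overwrite events as needed" on the three logs enVision reads,
# so forwarding does not stop when a log reaches its maximum size.
foreach ($log in 'System', 'Application', 'Security') {
    Limit-EventLog -LogName $log -OverflowAction OverwriteAsNeeded -MaximumSize 64MB
}

# Set Up Windows Auditing: command-line equivalent of enabling Success and Failure
# for logon/logoff in the Local Security Policy snap-in.
auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable

# Check the result rather than assuming the commands applied silently.
Get-EventLog -List |
    Where-Object { 'System', 'Application', 'Security' -contains $_.Log } |
    Select-Object Log, MaximumKilobytes, OverflowAction
auditpol.exe /get /category:"Logon/Logoff"
```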
Setting Up Windows File or Folder Auditing
Set up auditing to detect and record security-related events, such as when a user attempts to access a
confidential file or folder. When you audit an object, an entry is written to the Windows Security log
whenever the object is accessed in the specified way. You determine which objects to audit, whose
actions to audit, and exactly which types of actions to audit. After you set up auditing, you can track users
who access specified objects and analyze security breaches. The audit trail can show who performed the
actions and who tried to perform actions that are not permitted.
Because the Security log is limited in size, select the fields and folders to audit carefully. Also consider
the amount of disk space that you are willing to allocate to the Security log. You define the maximum size
in the Windows Event Viewer.
Important: For Active Directory 2008 auditing, see the Microsoft Technet article, AD DS Auditing
Step-by-Step Guide. Go to http://technet.microsoft.com/en-us/library/cc731607%28WS.10%29.aspx.
To set up file or folder auditing:
1. Open Windows Explorer, and locate the file or folder that you want to audit.
2. Right-click the file or folder, and select Properties.
3. On the Security tab, click Advanced, and click the Auditing tab.
4. Do one of the following:
- To set up auditing for a new group or user, click Add. In the Name field, enter the name of
the user that you want to audit, and click OK.
- To view or change auditing for an existing group or user, click the group or user, and click
View/Edit.
- To remove auditing for an existing group or user, click the group or user, and click Remove.
Go to step 6.
5. If you are adding or editing a group or user, do the following:
a. In the Access list box, for each type of access that you want to audit, select Successful,
Failed, or both.
b. To prevent files and subfolders in the tree from inheriting these audit entries, select Apply
these auditing entries.
c. Click OK.
6. Click OK.
Note: If the checkboxes in the Access list box in the Auditing Entry dialog box are unavailable, or if the
Remove button is unavailable in the Access Control Settings dialog box, auditing has been inherited from
the parent folder.
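The same audit entry (SACL) can be written from PowerShell, which also makes the inheritance behaviour in the note above visible. This is an added example, not from the RSA guide; it assumes an elevated Windows PowerShell session, and the folder path and audited account are placeholders.

```powershell
# Added example (not from the RSA guide). Assumes an elevated Windows PowerShell
# session; $folder and $account are placeholders to replace.
$folder  = 'C:\Confidential'       # placeholder: folder to audit
$account = 'DOMAIN\finance-users'  # placeholder: group or user whose access is audited

# Audit successful and failed read, write and delete attempts. ContainerInherit and
# ObjectInherit make the entry apply to subfolders and files as well; use
# PropagationFlags 'NoPropagateInherit' instead of None to stop it one level down.
$rights  = [System.Security.AccessControl.FileSystemRights] 'ReadData, WriteData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propag  = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($account, $rights, $inherit, $propag, $flags)

# -Audit is required to read the SACL; writing it back needs the "Manage auditing and
# security log" right (SeSecurityPrivilege), which administrators hold by default.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read the audit entries back. IsInherited = True marks entries that came from the
# parent folder and cannot be edited or removed on this object (the greyed-out case).
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# To remove the entry again: $acl.RemoveAuditRule($rule); Set-Acl -Path $folder -AclObject $acl
```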
Setting Up Collection
You can set up either of two methods of collection for Windows logs:
- Set Up Agentless Collection
- Set Up Third-Party Collection Services
Note: If you cannot collect messages from a Windows Server 2003 or 2008 event source, set up the
Remote Registry Service account to run as the LocalSystem, not LocalService.
Important: You must have administrator privileges to read the event logs and retrieve the Application
and System messages. You can get security messages without administrator privileges if you set Manage
auditing and security log policy for the user.
Setting Up Agentless Collection
For agentless collection of Windows messages, you have the following choices:
- The Windows Eventing Collector (requires separate installation of a new enVision collector)
- The Legacy Agentless Collector (does not require any additional downloads or configuration)
Windows Eventing Collector
Beginning with the August 2010 Event Source Update, there is a new agentless collector available, the
Windows Eventing Collector. For details, see RSA enVision Windows Eventing Collector Service
Deployment Overview Guide and the Microsoft Windows Eventing 6.0 Web Services API Configuration
Guide and Release Notes.
Prerequisites
You must be running RSA enVision 4.0 Service Pack 3 or newer. Additionally, ensure that you updated
the enVision platform by installing the following (available for download from SecurCare Online):
- v4.0SP3_WindowsEventing_SharedMemory.exe
- RSA_enVision_Windows_Eventing_Collector_Service.exe
- The June 2010 or later Event Source Update
Disable the Legacy Collector
If you are using the Windows Eventing Collector, RSA recommends that you disable the legacy Windows
agentless collector. Otherwise, event collection is duplicated, and RSA enVision stores duplicate
message data in its database.
Note: If your environment contains both Windows Server 2008 and earlier Windows servers, make sure
you only disable the legacy collector for your Windows Server 2008 servers. The Windows Eventing
Collector Service cannot collect from servers earlier than Windows Server 2008.
To disable the legacy agentless Windows collector:
1. On the enVision platform, click Overview > System Configuration.
2. Click Services > Device Services > Windows Service > Manage Windows Service.
3. Select the Windows Agentless Collector Service for each event source for which you are using the
Windows Eventing Collector Service.
4. Click Delete.
Enable Collection on the Hyper-V and Terminal Services Gateway Channels
Follow these instructions only if you want to collect events from the Hyper-V or Terminal Services
(TS) Gateway channels.
To collect from the Hyper-V or TS Gateway channels:
1. Add or update the alias for the event source as follows:
a. Open a new command shell, and change directories to the E:\nic\enVision version\node_
name\collection-services\winevent directory.
b. Run one of the following commands:
- To add a new alias, type:
wineventconfig.exe -a
- To edit an existing alias, type:
wineventconfig.exe -e
c. Follow the prompts to provide your information. For details, see the enVision Online Help.
d. Enter the list of channels to which you want to subscribe. Use a comma as the delimiter
between channel names.
Note: You must enter the names as written in the list below. If you misspell any channel name,
events from that channel are not collected.
2. To test your configuration, type:
wineventconfig.exe -t
Channel List for Hyper-V and TS Gateway
The following channels are available for Hyper-V events:
- Channel Microsoft-Windows-Hyper-V-Config-Admin
- Channel Microsoft-Windows-Hyper-V-Config-Operational
- Channel Microsoft-Windows-Hyper-V-Hypervisor-Admin
- Channel Microsoft-Windows-Hyper-V-Hypervisor-Operational
- Channel Microsoft-Windows-Hyper-V-VMMS-Admin
- Channel Microsoft-Windows-Hyper-V-Worker-Admin
- Channel Microsoft-Windows-Hyper-V-Image-Management-Service-Admin
- Channel Microsoft-Windows-Hyper-V-Image-Management-Service-Operational
- Channel Microsoft-Windows-Hyper-V-SynthStor-Admin
- Channel Microsoft-Windows-Hyper-V-Integration-Admin
- Channel Microsoft-Windows-Hyper-V-SynthNic-Admin
The following channels are available for TS Gateway events:
- Channel Microsoft-Windows-TerminalServices-Gateway/Admin
- Channel Microsoft-Windows-TerminalServices-Gateway/Operational
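Because a misspelled channel name is silently not collected, it is worth checking the comma-delimited list against the channels actually registered on the host before entering it in wineventconfig.exe. The following is an added example, not part of the RSA guide or of wineventconfig.exe; it assumes Get-WinEvent (Windows Server 2008 or later) and the hypothetical function name Test-ChannelList.

```powershell
# Added example (not from the RSA guide). Assumes Get-WinEvent is available and the
# caller can enumerate logs on the target host.
function Test-ChannelList {
    param(
        [Parameter(Mandatory = $true)] [string] $ChannelList,   # comma-delimited, as typed into wineventconfig.exe
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Channels registered on the host; logs that cannot be read are skipped, not fatal.
    $known = @(Get-WinEvent -ListLog '*' -ComputerName $ComputerName -ErrorAction SilentlyContinue |
               ForEach-Object { $_.LogName })
    if ($known.Count -eq 0) { throw "No channels could be listed on $ComputerName" }

    foreach ($entry in $ChannelList -split ',') {
        $name = $entry.Trim()
        if ($name -eq '') { continue }
        # The collector needs the exact name, so require a case-sensitive match.
        $exact = $known -ceq $name
        # Near-misses (same name ignoring case, hyphens and slashes) point at the typo.
        $key  = $name -replace '[-/ ]', ''
        $near = $known | Where-Object { ($_ -replace '[-/ ]', '') -eq $key -and $_ -cne $name }
        [pscustomobject]@{
            Channel    = $name
            Exists     = [bool]$exact
            DidYouMean = ($near -join '; ')
        }
    }
}

# Constructed input: two correct channels from the list above and one misspelled one.
Test-ChannelList -ChannelList 'Microsoft-Windows-Hyper-V-VMMS-Admin, Microsoft-Windows-TerminalServices-Gateway/Admin, Microsoft-Windows-HyperV-VMMS-Admin' |
    Format-Table -AutoSize
```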
Legacy Collector
The NIC Windows Service retrieves Windows logs from remote systems without installing any third-party
software. This method is known as agentless Windows collection.
If you use agentless collection, the Remote Registry Service must be running on the remote server. This
service allows a remote station to access the event logs.
If you use a third-party collection application or an agent, you do not need to configure the NIC Windows
Service.
Setting Up Third-Party Collection Services
The RSA enVision platform supports Windows logs collected by InterSect Alliance SNARE BackLog,
InterSect Alliance SNARE for Windows, and Adiscon EventReporter and DNS Server. You can set up
collection by any of the following:
- InterSect Alliance SNARE BackLog
- InterSect Alliance SNARE
- Adiscon EventReporter and DNS Server
Note: If you install the SNARE agent on a Windows Vista or Server 2008 system, you must use SNARE
for Windows Vista version 1.1.1.
Set Up InterSect Alliance SNARE BackLog
To set up InterSect Alliance SNARE BackLog:
1. Set the Target Host to the hostname of the RSA enVision appliance collecting the events.
2. Set the Syslog Category to Syslog - Debug.
3. Set the Delimiter to Comma.
Note: If you set these incorrectly, you can run configurator.exe, located in the installation
directory (the default installation directory is C:\Program Files\Backlog).
Set Up InterSect Alliance SNARE
The RSA enVision platform supports SNARE for Windows 4.0.0.2 and earlier, and SNARE for Windows
Vista 1.1.1.
Note: DNS server logs are not supported by SNARE for Windows Vista 1.1.1 on Windows Server 2008.
To set up InterSect Alliance SNARE:
1. Set the Destination Snare Server Address to the IP address of the RSA enVision appliance
collecting the events.
2. Set the Destination Port to 514.
3. If you use SNARE for Windows 4.0.0.2 and later, ensure that the following options are selected:
Note: If you use an earlier version of SNARE for Windows, skip this step.
- Allow SNARE to automatically set audit configuration.
- Allow SNARE to automatically set file audit configuration.
4. Set the Syslog facility to Syslog.
5. Set the Syslog Priority to Debug.
6. Ensure that Enable Syslog Header is selected.
7. Copy the SNAREdelimiter.reg file from the \etc\devices\winevent_snare directory on the
enVision appliance to the machine on which you installed SNARE.
8. To update the SNARE registry with the proper delimiter setting, right-click the
SNAREdelimiter.reg file, and select Merge. When prompted to continue, click Yes.
9. On the Windows Start menu, click Settings > Control Panel > Administrative Tools >
Services.
10. Restart the SNARE service.
To install and set up InterSect Alliance SNARE on Windows Server 2008 Server Core:
1. Click My Computer > Tools > Map Network Drive, and follow these steps to map a drive:
a. From the Drive drop-down list, select the drive which you want to map.
b. In the Folder field, enter the IP address of the drive to be mapped.
For example, if the IP address of the core server machine is 1.1.1.1 and the drive to be
mapped is C:, enter \\1.1.1.1\c$ in the Folder field.
c. Select Reconnect at logon.
d. Select Connect using a different user name option, and enter the logon credentials for the
Server Core machine.
2. Create a new directory on Server Core, such as C:\files.
3. Copy the SNARE installation file (downloaded from
http://www.intersectalliance.com/projects/SnareWindows/index.html#Download to the local
machine) and the .reg file (from the \etc\devices\winevent_snare directory on the enVision
appliance) to the directory that you created in step 2.
4. Follow these steps to install SNARE on the Server Core installation:
a. Open a command shell, and change directories to the directory that you created in step 2.
b. To install SNARE, type:
C:\files\SnareSetupVista-1.1.1-MultiArch.exe
Note: When installing the SNARE agent on a Server 2008 Server Core installation, you
must set the Remote Control Interface setting to YES – with password. If this option is
not selected, the SNARE agent can only be configured through the registry.
c. To update the SNARE registry with the proper delimiter setting, type:
C:\files\SNAREdelimiter.reg
When prompted to continue, click Yes.
5. To configure the settings through the Internet, connect to the interface through a web browser.
For example if the IP address of the Server Core host is 1.1.1.1, go to http://1.1.1.1:6161/
Note: If a firewall prevents the connection, you can allow it with the following command, which sets
the default policy of all firewall profiles to allow inbound and outbound connections (it does not create
a rule limited to the web interface port):
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
6. To configure the settings, follow steps 1 to 6 of the preceding SNARE setup procedure.
7. Follow these steps to restart the service:
a. To stop the service, at the command prompt, type:
sc stop snare
b. To start the service, type:
sc start snare
c. To verify that the SNARE service is running, type:
sc query snare
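The netsh command in the note above switches the default inbound policy of every profile. The following added example (not from the RSA guide or from InterSect Alliance) opens only the SNARE remote-control port, then restarts the service and confirms it is running and listening. It assumes an elevated PowerShell session on the Server Core host, the default port 6161 from step 5, and that the Domain profile is the one in use.

```powershell
# Added example (not from the RSA guide). Assumes an elevated PowerShell session on
# the Server Core host and the default SNARE remote-control port 6161.
$port = 6161

# Scoped alternative to "set allprofiles firewallpolicy allowinbound": a single rule
# for inbound TCP to the SNARE port, limited to the Domain profile.
netsh advfirewall firewall add rule name=SNARE-remote-control dir=in action=allow protocol=TCP localport=$port profile=domain

# Restart the service and check its state instead of assuming the start succeeded.
sc.exe stop snare  | Out-Null
Start-Sleep -Seconds 3
sc.exe start snare | Out-Null
Start-Sleep -Seconds 3
$state = (sc.exe query snare | Select-String 'STATE').ToString().Trim()
if ($state -notmatch 'RUNNING') { throw "SNARE service is not running: $state" }

# Confirm the agent is actually listening on the port the rule opens.
netstat -ano | Select-String ":$port\s"
```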
Setting Up Adiscon EventReporter and DNS Server
The RSA enVision platform supports EventReporter 8.1.
Note: By default, DNS server logging is not selected.
Note: The Default EventLog Monitor Service is compatible only with Windows Server 2008 Enterprise
Edition. The service is not compatible with Windows Server 2008 Standard Edition and is therefore not
supported by the enVision platform.
You must complete the following tasks to set up Adiscon EventReporter and DNS Server:
I. Set up EventReporter
II. (Optional) Set up Hyper-V
III. Set up DNS server logging
Set Up Adiscon EventReporter
To set up Adiscon EventReporter:
1. From the Windows Start menu, click Programs > EventReporter > EventReporter Configuration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
a. Click Default EventLog Monitor > Advanced Options.
b. Select Use Legacy Format.
c. Select only Add Facilitystring, Add Username, and Add Logtype.
d. Click Save.
3. Follow these steps to configure syslog forwarding:
a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog >
Actions.
b. Select Forward Syslog.
c. In the Syslog Server field, enter the IP address of the RSA enVision appliance collecting
the events.
d. Clear Add Syslog Source when forwarding to other Syslog servers.
e. Leave all other options at the default settings.
4. Restart the EventReporter service.
Set Up Hyper-V
This procedure is optional. Follow these steps only if you are configuring Hyper-V.
To configure Hyper-V:
Note: EventReporter 11.1 is required to configure Hyper-V support.
1. From the Windows Start menu, click Programs > EventReporter > EventReporter Configuration.
2. To create a rule set, follow these steps:
a. In the left-hand panel, right-click Rule Sets, and select Add Rule Set.
b. Name the rule set, and click Next.
c. Select Forward Syslog, and accept all other defaults to add the rule set.
d. Select your rule set from RuleSets, and click Forward Syslog > Actions > Forward
Syslog.
e. Accept all defaults, and complete the fields as follows:
- Syslog Server: The IP address of your RSA enVision appliance
- Message format: [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"
Note: If you cut and paste the message format string, ensure that the string does not contain any
line or paragraph breaks.
3. To configure a service to use the rule set, follow these steps:
a. Right-click Configured Services, and click Add Service > Event Log Monitor V2.
b. Accept all defaults, and click Next.
c. Click Finish.
d. Click the new service.
e. By default, all items are selected. Clear all items except those that start with the string
Microsoft-Windows-Hyper-V.
Note: The Hyper-V items are under New EventLog - Serviced Channels > Microsoft
> Windows.
f. In the Rule Set to Use field, select your rule set.
g. Click Save.
4. Restart the EventReporter service.
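To see what the message format configured in step 2e produces, and why a line break pasted into it breaks collection, the following added example (not from the RSA guide or from Adiscon) parses forwarded lines back into their fields. The sample lines, event IDs and the function name ConvertFrom-EventReporterLine are constructed for this example.

```powershell
# Added example (not from the RSA guide). Parses the EventReporter message format
#   [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"
# into fields; sample lines and event IDs below are constructed, not real captures.
function ConvertFrom-EventReporterLine {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Line)
    process {
        # %timegenerated% itself contains colons, so it is matched lazily up to the
        # first ": "; %sourceproc% is matched lazily up to " (id) - ".
        $pattern = '^\[(?<level>[^\]]+)\] (?<time>.+?): (?<user>[^/]*)/(?<source>[^/]*)/(?<sourceproc>.*?) \((?<id>\d+)\) - "(?<msg>.*)"$'
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Parsed     = $true
                Level      = $Matches['level']
                Time       = $Matches['time']
                User       = $Matches['user']
                Source     = $Matches['source']
                SourceProc = $Matches['sourceproc']
                EventId    = [int]$Matches['id']
                Message    = $Matches['msg']
            }
        } else {
            # A format string pasted with a line break yields lines like the third sample:
            # report them rather than dropping them silently.
            [pscustomobject]@{ Parsed = $false; Raw = $Line }
        }
    }
}

# Constructed sample input: two well-formed lines and one cut short by a line break.
$sample = @(
    '[INF] 2012-04-29 08:24:22: NT AUTHORITY\SYSTEM/Microsoft-Windows-Hyper-V-VMMS/VMMS (13002) - "Virtual machine TestVM was started."',
    '[ERR] 2012-04-29 08:30:05: -/Microsoft-Windows-Hyper-V-Worker/Worker (18590) - "TestVM has encountered a fatal error."',
    '[WRN] 2012-04-29 08:31:10: -/Microsoft-Windows-Hyper-V-VMMS/VMMS'
)
$sample | ConvertFrom-EventReporterLine | Format-Table -AutoSize
```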
Set Up DNS Server Logging
To set up DNS server logging:1. From the Windows Start menu, click All Programs > EventReporter > EventReporter
Configuration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
a. Click Default EventLog Monitor > Advanced Options.
b. Select Use Legacy Format.
c. Select only Add Facilitystring, Add Username, and Add Logtype.
d. Click OK.
3. Follow these steps to configure syslog forwarding:
a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog >
Actions.
b. Select Forward Syslog.
c. In the Syslog Server field, enter the IP address of the RSA enVision appliance collecting
the events.
d. Clear Add Syslog Source when forwarding to other Syslog servers.
e. Leave all other options at the default settings.
4. Restart the EventReporter service.
Set Up the NIC File Reader Service
Important: You must select and enable debug logging options on the DNS server. For more information,
see the Microsoft Windows 2008 DNS Server documentation located at
http://technet.microsoft.com/en-us/library/cc759581(WS.10).aspx.
To add Microsoft Windows 2008 through the NIC File Reader Service:
1. Log on to the RSA enVision platform with administrative credentials.
2. Select Overview > System Configuration > Services > Device Services > Manage File Reader
Service.
3. Click Add.
4. Complete the fields as follows.
Field | Action
IP address | Enter the IP address of the Microsoft Windows DNS server.
File reader type | Select WINDNS.
5. Ensure that Start File Reader Service on Apply is selected.
6. Click Apply.
7. To restart the NIC Service Manager, follow these steps:
a. On your enVision appliance, click Start > Administrative Tools > Services.
b. From the list, click NIC Service Manager.
c. Click Restart the service.
Content 2.0 Release Notes
Microsoft Windows Release Notes (20120429-082422)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20120328-170659)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20120305-123706)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20120201-163743)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20120105-082058)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20111205-083318)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20111031-165949)
What's New in This Release
RSA has added support for SNARE for Windows 4.0.0.2.
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20111004-165427)
What's New in This Release
When you upgrade to Content 2.0, the following report names map as follows:
Note: Although old reports are not compatible with Content 2.0, RSA has not removed the old report
names from the GUI.
Old Report Name | Content 2.0 Report Name
Computer Account Changes - Windows Server 2003 | Computer Account Changes
User Group Account Changes - Windows Server 2003 | User Group Account Changes
Trusted Domain Changes - Windows Server 2003 | Trusted Domain Changes
User Rights Changes - Windows Server 2003 | User Rights Changes
Computers Added/Removed from Domain | Computer Account Added/Removed
Applications by Users - Windows Server 2003 | Applications by Users
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20110817-133744)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20110623-133824)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20110526-152046)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Standard Content Release Notes
Microsoft Windows Release Notes (20120201-163743)
New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.