000026824 - Understanding WinRM Windows log collection in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000026824
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector
Issue
Understanding WinRM Windows log collection in RSA Security Analytics.
How do I perform WinRM Windows collection in Security Analytics?
How does log collection of WinRM Windows logs work in SA?
Resolution
  • WinRM can send data in GMT/UTC time.
  • If the event time stamp sent by WinRM ends in "Z", as in <TimeCreated SystemTime="2012-08-10T14:56:38.000000000Z"/> (this can also be checked in Event Viewer: open Application, System or Security, double-click any event, go to the Details tab of the dialog that opens, select the "XML" radio button and look at TimeCreated), then the event is stored on the system in UTC time, and that is what is sent across.
  • The UTC time zone is sometimes denoted by the letter Z, a reference to the equivalent nautical time zone (GMT), which has been denoted by a Z since about 1950. The letter also refers to the "zone description" of zero hours, which has been used since 1920 (see time zone history). Since the NATO phonetic alphabet word for Z is "Zulu", UTC is sometimes known as Zulu time. This is especially true in aviation, where Zulu is the universal standard.[23] This ensures all pilots, regardless of location, are using the same 24-hour clock, thus avoiding confusion when flying between time zones.[24] See the list of military time zones for letters used in addition to Z for time zones other than Greenwich.
  • WinRM does not manipulate the time either. To simplify, WinRM is an agent which reads the stored events and sends them across, without manipulation, to SA/enVision.
How is the time determined?
The time depends on the way an event is stored by the system or the event source, not on WinRM.

Example
An example of an event in XML format, as stored on the system/event source, is shown below:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-PrintService' Guid='{747EF6FD-E535-4D16-B510-42C90F6873A1}'/>
        <EventID>800</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>43</Task>
        <Opcode>1</Opcode>
        <Keywords>0x4004000000000000</Keywords>
        <TimeCreated SystemTime='2014-01-28T14:53:41.154411700Z'/>
        <EventRecordID>34724172</EventRecordID>
        <Correlation/>
        <Execution ProcessID='6432' ThreadID='4992'/>
        <Channel>Microsoft-Windows-PrintService/Operational</Channel>
        <Computer>server1.abc.def.ghk</Computer>
        <Security UserID='S-1-5-21-1605315502-1971273683-2142917321-8548458'/>
    </System>
    <UserData>
        <JobDiag xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events' xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'>
            <JobId>19</JobId>
        </JobDiag>
    </UserData>
    <RenderingInfo Culture='en-US'>
        <Message>Spooling job 19.</Message>
        <Level>Information</Level>
        <Task>Print job diagnostics</Task>
        <Opcode>Start</Opcode>
        <Channel>Operational</Channel>
        <Provider>Microsoft-Windows-PrintService</Provider>
        <Keywords>
            <Keyword>WDI Diag</Keyword>
        </Keywords>
    </RenderingInfo>
</Event>

  • WinRM would pick this up and send it across without changing anything. If you look closely at the TimeCreated line, the time has the letter "Z" at the end, meaning GMT/UTC time, and that is what is sent across.
  • Whereas in agentless collection, the Time Generated value is of interest: it is an offset, the number of ticks since 00:00:00 on 1 January 1970. This offset is converted into a readable time, and that readable time is the local time of the collector.
Notes
For Windows 2008, regardless of enVision or SA, WinRM should be the preferred collection mechanism. As you can see, the rn number in agentless collection is wrong: agentless shows "-171558848", which is not correct. From SA, rn is "4123408448", which when converted to int results in the value above. So it may be a flaw with the API (as Microsoft stopped supporting the API call mechanism after 2003).
Legacy Article ID: a64915
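A worked example, added here and not part of the RSA article or of the Security Analytics product code, that ties together the two points above: it parses the System/TimeCreated stamp of a WinRM event and honours the trailing "Z" as UTC, shows how the same instant looks when an agentless-style offset since 1970 is rendered in the collector's local zone, and shows how a 32-bit record number such as 4123408448 comes out as -171558848 once it is read back through a signed int. The sample event is a trimmed copy of the PrintService event shown earlier; the assumptions (labelled in the code) are that the agentless offset is in seconds, that the collector sits at UTC-5, and that the function names are mine.

```python
"""Inspect a WinRM-collected Windows event's time stamp and record number.

Added example, not from the RSA article. Assumptions: the agentless offset is
seconds since 1970-01-01 00:00:00 UTC, and the collector's local zone is UTC-5.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: a trimmed copy of the PrintService event from the article.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-PrintService'/>
    <EventID>800</EventID>
    <TimeCreated SystemTime='2014-01-28T14:53:41.154411700Z'/>
    <EventRecordID>34724172</EventRecordID>
    <Channel>Microsoft-Windows-PrintService/Operational</Channel>
    <Computer>server1.abc.def.ghk</Computer>
  </System>
</Event>"""


def parse_system_time(stamp: str) -> datetime:
    """Turn a SystemTime attribute into a timezone-aware UTC datetime.

    Windows writes 100-nanosecond precision (7 fractional digits); Python's
    datetime carries microseconds, so the fraction is truncated to 6 digits.
    A trailing 'Z' means UTC. A stamp without 'Z' is ambiguous (it might be
    local time), so it is rejected rather than silently treated as UTC.
    """
    if not stamp.endswith("Z"):
        raise ValueError(f"SystemTime is not UTC-qualified (no 'Z'): {stamp}")
    body = stamp[:-1]
    if "." in body:
        main, frac = body.split(".", 1)
        body = f"{main}.{frac[:6]}"
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def event_time_utc(event_xml: str) -> datetime:
    """Extract System/TimeCreated from an event and parse it as UTC."""
    root = ET.fromstring(event_xml)
    node = root.find(f"{EVENT_NS}System/{EVENT_NS}TimeCreated")
    if node is None:
        raise ValueError("event has no System/TimeCreated element")
    return parse_system_time(node.attrib["SystemTime"])


def event_record_id(event_xml: str) -> int:
    """Extract System/EventRecordID as an integer."""
    root = ET.fromstring(event_xml)
    node = root.find(f"{EVENT_NS}System/{EVENT_NS}EventRecordID")
    if node is None or node.text is None:
        raise ValueError("event has no System/EventRecordID element")
    return int(node.text)


def epoch_seconds(when: datetime) -> int:
    """Whole seconds since 1970-01-01 00:00:00 UTC for an aware datetime."""
    return int(when.timestamp())


def agentless_local_time(offset_seconds: int, collector_utc_offset_hours: float) -> datetime:
    """Render an agentless-style offset since 1970 in the collector's local zone.

    The collector's zone is passed in (assumption: UTC-5 in the usage below) so
    the result does not depend on the machine running this script.
    """
    tz = timezone(timedelta(hours=collector_utc_offset_hours))
    return datetime.fromtimestamp(offset_seconds, tz)


def to_signed32(value: int) -> int:
    """Reinterpret an unsigned 32-bit value the way a signed 32-bit int reads it."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def to_unsigned32(value: int) -> int:
    """Recover the unsigned 32-bit value from a signed 32-bit reading."""
    return value & 0xFFFFFFFF


if __name__ == "__main__":
    created = event_time_utc(SAMPLE_EVENT)
    print("TimeCreated (UTC):      ", created.isoformat())
    print("Seconds since 1970:     ", epoch_seconds(created))
    print("Collector local (UTC-5):", agentless_local_time(epoch_seconds(created), -5).isoformat())
    print("EventRecordID:          ", event_record_id(SAMPLE_EVENT))
    # The rn pair from the Notes: SA reports 4123408448, agentless reports -171558848.
    print("4123408448 as signed int:", to_signed32(4123408448))
    print("-171558848 as unsigned:  ", to_unsigned32(-171558848))
```

Run as a script it prints the UTC stamp, the same instant as an offset since 1970 and as UTC-5 local time, and the two readings of the rn value; the point of `parse_system_time` rejecting a stamp without "Z" is that a silent fallback would hide exactly the ambiguity the article is about.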
