Windows Collection: Step 1. Configure Event Sources in SA

Document created by RSA Information Design and Development on Jul 23, 2016. Last modified by RSA Information Design and Development on Sep 14, 2016.
Version 4

This topic tells you how to configure Windows event sources for the Log Collector.

After completing this procedure, you will have:

  • Configured a Windows event source.
  • Modified a Windows event source.
  • Determined the channel name and added it to a Windows event source.


Procedures

Configure a Windows Event Source  

Add Windows Event Source

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click AdvcdExpandBtn.PNG under Actions and select View > Config.
  4. In the Event Sources tab, select Windows/Config from the drop-down menu.
    The Event Categories panel is displayed with the Windows event sources that are configured, if any.

Configure Event Source (Alias)

  1. Click Icon-Add.png in the Event Categories panel toolbar.
    The Add Event Source dialog is displayed.
  2. Specify values for the parameters and click OK.
    AddWinES.PNG
    The newly added Windows event source is displayed in the Event Categories panel.

Add Event Source Host

  1. Select the new event source (alias) in the Event Categories panel.
    The Hosts panel is activated.
  2. Click Icon-Add.png in the Hosts panel toolbar.
    The Add Source dialog is displayed.
  3. Specify values for the Host parameters.
    AddWinHst.png
  4. Click Test Connection.
    The result of the test is displayed in the dialog box. If the test is unsuccessful, edit the device or service information and retry.

Note: Log Collector takes approximately 60 seconds to return the test results. If the test exceeds that time limit, it times out and Security Analytics displays an error message.

  5. If the test is successful, click OK. The newly added host is displayed in the Hosts panel.

Modify a Windows Event Source

To modify a Windows event source:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click AdvcdExpandBtn.PNG under Actions and select View > Config.
  4. In the Event Sources tab, select Windows/Config from the drop-down menu.
  5. Modify the source parameters:
    1. In the Event Categories panel, select a source and click icon-edit.png.
      The Edit Source dialog is displayed.
    2. Modify the source parameters that require changes and click OK.
      EditWinES.PNG
      Security Analytics applies the parameter changes to the selected source.
  6. Modify the event source host:
    1. In the Hosts panel, select a host and click icon-edit.png.
      The Edit Source dialog is displayed.
    2. Modify the host parameters that require changes and click OK.
      EditWinHst.png
      Security Analytics applies the parameter changes to the selected host.

Determine the Channel Name and Add It to a Windows Event Source

To find an unknown channel name and add it to a Windows event source:

  1. On the Windows event source, select the channel that you want.
  2. Click the Details tab and locate the Channel field; its value is the channel name (for example, Microsoft-Windows-WinRM/Operational).
    Determine_Channel1.PNG
  3. Edit the event source in Security Analytics, add the channel to the Channel parameter, and click OK. For example:
    DetermineChannel2.PNG
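As an added example that is not part of the RSA guide, the same channel name can be read on the Windows event source itself with PowerShell instead of clicking through the Event Viewer Details tab. It assumes Windows PowerShell 3.0 or later and read access to the event logs; the function names Find-EventChannel and Get-EventChannelName are this example's own, not Security Analytics or Windows cmdlets.

```powershell
# Added example (not part of the RSA guide): list candidate channels on the
# Windows event source and confirm the exact channel string to enter in the
# Channel parameter of the Security Analytics Windows event source.
# Assumes Windows PowerShell 3.0 or later and read access to the logs.

function Find-EventChannel {
    param(
        # Substring to look for in channel names, e.g. 'WinRM' (wildcards added below)
        [Parameter(Mandatory)] [string] $Pattern
    )
    # Get-WinEvent -ListLog returns one configuration object per channel.
    # IsEnabled shows whether the channel is logging at all; RecordCount shows
    # whether it currently holds any events worth collecting.
    Get-WinEvent -ListLog "*$Pattern*" -ErrorAction SilentlyContinue |
        Select-Object LogName, IsEnabled, LogMode, RecordCount |
        Sort-Object LogName
}

function Get-EventChannelName {
    param(
        # Full channel name as shown in the Event Viewer Details tab,
        # e.g. 'Microsoft-Windows-WinRM/Operational'
        [Parameter(Mandatory)] [string] $LogName
    )
    # Read the newest event from the channel and pull the <Channel> element
    # out of its XML. This is the same value the Details tab shows and the
    # exact string to paste into the Channel parameter in Security Analytics.
    # Get-WinEvent throws if the channel is empty, so an empty channel is
    # reported rather than silently returning nothing.
    $event = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction Stop
    $xml = [xml] $event.ToXml()
    $xml.Event.System.Channel
}

# Usage on the Windows event source:
Find-EventChannel -Pattern 'WinRM'
Get-EventChannelName -LogName 'Microsoft-Windows-WinRM/Operational'
```

Run Find-EventChannel first to see which channels exist and whether they are enabled; a disabled or empty channel will pass Test Connection but never deliver events. Then use Get-EventChannelName to copy the channel string exactly, since the Channel parameter must match the name the event source reports, including the Provider/Operational form.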
