Log Collection Legacy Windows: References - Legacy Windows and NetApp Collection Configuration Parameters

Document created by RSA Information Design and Development on Jul 29, 2016, Version 1
 

The Windows Legacy/Windows and Windows Legacy/NetApp options on the Log Collector service Config view > Event Sources tab display the parameters that you specify to configure Windows Legacy event sources.

To access the Legacy Windows and NetApp Collection Configuration Parameters:

  1. In the Security Analytics menu, select Administration >Services.
  2. In the Services grid, select a Log Collector service.
  3. In the Actions column, open the Actions menu and select View > Config, then click the Event Sources tab.
  4. In the Event Sources tab, select one of the following options from the drop-down menu:
  • WindowsLegacy/Windows
  • WindowsLegacy/NetApp


Features

The Event Sources tab for Windows Legacy/Windows and Windows Legacy/NetApp has two panels: Event Categories and Sources.

Event Categories Panel

The Event Categories panel lists existing Windows Legacy event source aliases. Use this section to add or delete Windows Legacy event source aliases.

The Windows domain, referred to as the alias, is the configuration parameter that the Log Collector uses to group event sources. Most often an alias corresponds to a single domain, because the credentials (user name and password) and the event log name are domain-wide. Occasionally you need to define multiple alias entries for the same domain, for example when different groups of event sources in that domain need different settings.

Toolbar

The following table describes the toolbar options.

Option: Add
Description: Displays the Add Source dialog, in which you add an alias and login credentials for a new Windows Legacy domain.

Option: Delete
Description: Deletes the Windows Legacy domain that you selected.

Option: Edit
Description: Displays the Edit Source dialog, in which you edit the alias and login credentials for the selected Windows Legacy domain. When multiple aliases are selected, opens the Bulk Edit Source dialog, in which you can edit the alias and login credentials for the selected Windows Legacy domains. Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.

Option: Import
Description: Opens the Bulk Add Option dialog, in which you can import domain parameters in bulk from a comma-separated values (CSV) file. The Bulk Add Option dialog offers two options; refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use them.

Option: Export
Description: Creates a .csv file that contains the parameters for the domain. Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.

Add Source

In this dialog, you define the alias and the login credentials for the domain of a new event source. Fields marked with * are required.

Basic

Alias *: The Windows domain, referred to as the alias, is the configuration parameter that the Log Collector uses to group event sources. These groups (for example, domain2, domain3, and domain4) categorize the event sources you have configured.

User Name *: Event source user name (the account the Log Collector uses to read the event log on hosts in this domain).

Password *: Event source password. The password is encrypted internally and is displayed in its encrypted form.

Advanced

Use Remote Registry Initialization: Select this checkbox to use Remote Registry initialization. Remote Registry initialization verifies the existence of the event log and retrieves the operating system name through remote registry access rather than through Windows Management Instrumentation (WMI). The collection account therefore needs remote registry access to each event source (the Remote Registry service must be reachable on the Windows host) instead of WMI access for this step.

Note: If you upgrade to Security Analytics 10.5 from an earlier release, this checkbox is not checked for event sources that you set up prior to 10.5, because event sources configured prior to 10.5 use WMI.

Cancel: Closes the dialog without adding the Windows Legacy event source.

OK: Adds the current parameter values as a new event source.

Sources Panel

The Sources panel displays a list of existing Windows Legacy event sources. Use this section to add or delete Windows Legacy event sources (that is, the Windows event source address and its associated communication parameters).

Toolbar

The following table describes the toolbar options.

Option: Add
Description: Displays the Add Source dialog, in which you define the parameters for a source in the domain that you selected in the Event Categories panel.

Option: Delete
Description: Deletes the event source that you selected.

Option: Edit
Description: Displays the Edit Source dialog, in which you edit the parameters for the selected Windows Legacy event source. When multiple event sources are selected, opens the Bulk Edit Source dialog, in which you can edit the parameter values for the selected event sources. Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.

Option: Import
Description: Opens the Bulk Add Option dialog, in which you can import event sources in bulk from a comma-separated values (CSV) file. The Bulk Add Option dialog offers two options; refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use them.

Option: Export
Description: Creates a .csv file that contains the parameters for the selected event sources. Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.

Add Source Dialog

In this dialog, you define the parameters for a new Windows Legacy event source. Fields marked with * are required.

Basic

Name *: The name of the event source. Valid value is a name matching [_a-zA-Z][_a-zA-Z0-9]*, that is, a leading letter or underscore followed by letters, digits, or underscores. You can also use a dash "-" as part of the name.

Event Source Address *: Address of the event source. Valid value is an IPv4 address, an IPv6 address, or a hostname including a fully qualified domain name. Security Analytics defaults to 127.0.0.1. Log Collector converts the hostname to lower-case letters to prevent duplicate entries.

Event Log Name: The name of the event log (channel) from which to collect event data (for example, System, Application, or Security). The following are examples of these channels:
  • System ‐ applications that run under system service accounts (installed system services), drivers, or a component or application that has events that relate to the health of the system.
  • Application ‐ all user-level applications. This channel is unsecured and is open to any application. If an application has extensive information, you should define an application-specific channel for it.
  • Security ‐ the Windows Audit Log (event log), used exclusively by the Windows Local Security Authority.

Enabled: Select this checkbox to collect from this event source. If you do not check this checkbox, the Log Collector does not collect events from this event source.

Event Directory Path: Directory path of the NetApp .evt files. This must be a UNC path. The NetApp appliance generates event data and saves it in .evt files in a shared directory on the appliance. In each polling cycle, Log Collector browses the configured NetApp share for the .evt files identified by the Event Directory Path and Event File Prefix parameters. Log Collector:
  • sorts files that match the event-file-prefix.YYMMDDhhmmss.evt format in ascending order.
  • uses the timestamp of the last file processed to determine which files still need processing. If Log Collector finds a partially processed file, it skips the events already processed.

Event File Prefix: Prefix of the .evt files (for example, adtlog.) saved in the Event Directory Path.

Advanced

Event Buffer Size: Maximum size of the data the Log Collector pulls from the event source for each request. Valid value is a number in the 0 to 511 Kilobyte range. You specify this value in Kilobytes.

Event Too Large Result: Tells Log Collector what to do if an event is too large for the event buffer.

Maximum Event Data: Maximum size of event data to include in the output. Valid value is a number in the 0 to 511 Kilobyte range. You specify this value in Kilobytes or Megabytes:
  • 1 Kilobyte to 100 Megabytes
  • 0 = do not include event data in the output.

Max Events Per Cycle: The maximum number of events collected per polling cycle.

Polling Interval: Interval, in seconds, between polls. The default value is 180. For example, if you specify 180, the collector schedules a poll of the event source every 180 seconds. If the previous polling cycle is still underway, the collector waits for that cycle to finish. If you are polling a large number of event sources, a poll may start later than 180 seconds after the previous one because the collection threads are busy.

Debug: Enables or disables debug logging for the event source. Valid values are:
  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode ‐ adds thread information and source context information to the messages.
This parameter is designed to debug and monitor isolated event source collection issues. If you change this value, the change takes effect immediately (no restart required). Limit the number of event sources for which you use Verbose debugging to minimize the performance impact.

Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source that you need to investigate. Enabling debugging adversely affects the performance of the Log Collector.

Cancel: Closes the dialog without adding the Windows Legacy event source.

OK: Adds the current parameter values as a new event source.
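The NetApp file-selection behaviour described under Event Directory Path, Event File Prefix and Max Events Per Cycle, as an added illustration. This is not RSA code and does not show how the Log Collector is implemented internally; it assumes that the checkpoint is a (timestamp of the last file touched, events already read from it) pair, that the prefix is taken literally including its trailing dot as in the page's "adtlog." example, and it uses a constructed in-memory stand-in for the share instead of a real UNC path.

```python
import re

# Constructed sample data (not taken from the page): file name -> event records,
# standing in for the .evt files on the NetApp share. The prefix "adtlog." is the
# page's own example; the timestamps and event payloads are made up.
EVENT_FILE_PREFIX = "adtlog."
SAMPLE_SHARE = {
    "adtlog.160729113000.evt": ["ev1", "ev2"],
    "adtlog.160729120000.evt": ["ev3", "ev4", "ev5"],
    "adtlog.160729123000.evt": ["ev6"],
    "adtlog.160729120000.evt.tmp": ["ignored"],   # wrong suffix
    "other.160729120000.evt": ["ignored"],         # wrong prefix
    "adtlog.notatimestamp.evt": ["ignored"],       # no YYMMDDhhmmss stamp
}


def matching_files(names, prefix):
    """Return the names matching <prefix>YYMMDDhhmmss.evt in ascending timestamp order."""
    pattern = re.compile(r"^" + re.escape(prefix) + r"(\d{12})\.evt$")
    stamped = []
    for name in names:
        match = pattern.match(name)
        if match:
            stamped.append((match.group(1), name))
    # Fixed-width YYMMDDhhmmss strings sort chronologically (within one century),
    # so the stamp can be compared as text without date parsing.
    stamped.sort()
    return [name for _, name in stamped]


def timestamp_of(name, prefix):
    """Extract the YYMMDDhhmmss stamp from a name that matching_files() accepted."""
    return name[len(prefix):len(prefix) + 12]


def collect_cycle(share, prefix, checkpoint, max_events):
    """One polling cycle over the share; returns (events, new_checkpoint).

    checkpoint is None on the first cycle, otherwise (timestamp of the last file
    touched, number of events already read from it). Files older than the
    checkpoint are skipped, the checkpoint file is resumed after the events already
    read, and later files are read from the start. Reaching max_events stops
    mid-file and the checkpoint records the position, so the next cycle skips the
    events that were already processed.
    """
    last_ts, done = checkpoint if checkpoint else (None, 0)
    events = []
    for name in matching_files(share, prefix):
        ts = timestamp_of(name, prefix)
        if last_ts is not None and ts < last_ts:
            continue                         # fully processed in an earlier cycle
        start = done if ts == last_ts else 0  # partially processed file: resume
        records = share[name]
        for index in range(start, len(records)):
            if len(events) >= max_events:
                return events, (ts, index)   # stop here; resume at index next cycle
            events.append(records[index])
        last_ts, done = ts, len(records)
    return events, (last_ts, done)


def drain(share, prefix, max_events):
    """Run cycles until one returns nothing; return the per-cycle batches."""
    batches, checkpoint = [], None
    while True:
        events, checkpoint = collect_cycle(share, prefix, checkpoint, max_events)
        if not events:
            return batches
        batches.append(events)


if __name__ == "__main__":
    for batch in drain(SAMPLE_SHARE, EVENT_FILE_PREFIX, max_events=4):
        print(batch)
```

With Max Events Per Cycle set to 4, the first cycle stops two events into the second file and the second cycle resumes there, which is the "partially processed file" case the page describes. Files that do not match the prefix and stamp pattern, such as a temporary or differently named file on the same share, are never read.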