Log Collection Windows: Step 1: Configure Windows Event Sources in Security Analytics

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1
 

After completing this procedure, you will have:

  • Configured a Windows event source.
  • Modified a Windows event source.
  • Determined the channel name and added it to a Windows event source.


Configure a Windows Event Source

Add Windows Event Source

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the actions icon under Actions and select View > Config.
  4. In the Event Sources tab, select Windows/Config from the drop-down menu.
    The Event Categories panel is displayed with the Windows event sources that are already configured, if any.

Configure Event Source (Alias)

  1. Click the add icon in the Event Categories panel toolbar.
    The Add Event Source dialog is displayed.
  2. Specify values for the parameters and click OK.
    The newly added Windows event source is displayed in the Event Categories panel.

Add Event Source Host

  1. Select the new event source (alias) in the Event Categories panel.
    The Hosts panel is activated.
  2. Click the add icon in the Hosts panel toolbar.
    The Add Source dialog is displayed.
  3. Specify values for the Host parameters.
  4. Click Test Connection.
    The result of the test is displayed in the dialog box. If the test is unsuccessful, correct the device or service information and retry.

Note: Log Collector takes approximately 60 seconds to return the test results. If that time limit is exceeded, the test times out and Security Analytics displays an error message.

  5. If the test is successful, click OK. The newly added host is displayed in the Hosts panel.

Modify a Windows Event Source

To modify a Windows event source:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the actions icon under Actions and select View > Config.
  4. In the Event Sources tab, select Windows/Config from the drop-down menu.
  5. Modify the source parameters:
    1. In the Event Categories panel, select a source and click the edit icon.
      The Edit Source dialog is displayed.
    2. Modify the source parameters that require changes and click OK.
      Security Analytics applies the parameter changes to the selected source.
  6. Modify the event source host:
    1. In the Hosts panel, select a host and click the edit icon.
      The Edit Source dialog is displayed.
    2. Modify the host parameters that require changes and click OK.
      Security Analytics applies the parameter changes to the selected host.

Determine the Channel Name and Add It to a Windows Event Source

To find an unknown channel name and add it to a Windows event source:

  1. On the Windows event source, open the log you want to collect and select an event from it.
  2. Click the Details tab and find the Channel field. Its value is the channel name (for example, Microsoft-Windows-WinRM/Operational).
  3. Edit the event source in Security Analytics, add the channel name to the Channel parameter, and click OK.
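The Details tab shows the channel name for one event at a time. The following PowerShell script, added here as an example and not part of the RSA documentation, does the same job for a whole list of channels on the Windows event source: it resolves each requested name to the canonical channel name (the same string the Channel field displays), confirms the channel exists and is enabled, shows whether it has recorded any events, and optionally enables a disabled channel with wevtutil. The channel names in the parameter list are illustrative assumptions chosen for the example; run it in an elevated PowerShell session on the Windows host.

```powershell
# Added example (not from the RSA documentation): resolve and verify Windows
# event channel names before entering them in the Channel parameter of a
# Security Analytics Windows event source.
# Assumptions: elevated PowerShell on the event source host; the channel
# names below are illustrative and not taken from the documentation page.
param(
    [string[]]$Channels = @(
        'Security',
        'Microsoft-Windows-WinRM/Operational',
        'Microsoft-Windows-PowerShell/Operational'
    ),
    # Enable any requested channel that exists but is switched off.
    [switch]$EnableIfDisabled
)

# Every channel registered on this host. LogName is the canonical channel
# name, identical to the Channel field on the Details tab in Event Viewer.
$allLogs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue

# Resolve a partial or display-style name (e.g. 'WinRM') to candidate
# canonical channel names. Returns an exact match first if there is one.
function Resolve-ChannelName {
    param([Parameter(Mandatory)][string]$Name)
    $exact = $allLogs | Where-Object { $_.LogName -eq $Name }
    if ($exact) { return $exact.LogName }
    return $allLogs |
        Where-Object { $_.LogName -like "*$Name*" } |
        Select-Object -ExpandProperty LogName
}

# Read the Channel element from an event's XML, which is exactly what the
# Details tab shows; used to confirm LogName and Channel agree.
function Get-ChannelFromEvent {
    param([Parameter(Mandatory)][string]$LogName)
    $evt = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { return $null }
    return ([xml]$evt.ToXml()).Event.System.Channel
}

foreach ($c in $Channels) {
    $log = $allLogs | Where-Object { $_.LogName -eq $c }
    if (-not $log) {
        $candidates = (Resolve-ChannelName -Name $c) -join ', '
        Write-Warning "Channel '$c' not found on this host. Candidates: $candidates"
        continue
    }

    # A valid but disabled channel records nothing, so the collector would
    # receive nothing even though the Channel parameter is correct.
    if (-not $log.IsEnabled -and $EnableIfDisabled) {
        & wevtutil.exe sl $log.LogName /e:true
        $log = Get-WinEvent -ListLog $log.LogName
    }

    [pscustomobject]@{
        Channel        = $log.LogName
        ChannelInEvent = Get-ChannelFromEvent -LogName $log.LogName
        IsEnabled      = $log.IsEnabled
        RecordCount    = $log.RecordCount
    }
}
```

A warning for a channel means the string you were about to enter in the Channel parameter does not exist on that host; use the listed candidates to pick the canonical name. The ChannelInEvent column is read from the event XML and should always equal Channel; if IsEnabled is False or RecordCount is 0, the collector will not see any events for that channel until it is enabled and starts logging.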

Parameters

Windows Event Source Configuration Parameters

Windows Kerberos Configuration Parameters

