Windows Collection: The Basics

Document created by RSA Information Design and Development on Nov 22, 2016. Last modified by RSA Information Design and Development on May 4, 2017.
Version 10

This guide tells you how to configure the Windows collection protocol, which collects events from Windows machines that support the Microsoft Windows Eventing 6.0 model. Windows Eventing 6.0 is an event logging and tracing framework included in the operating system beginning with Microsoft Windows Vista and Windows Server 2008.

How Windows Collection Works

The Log Collector service collects events from Microsoft Windows event sources.

Deployment Scenario

The following figure illustrates how you deploy the Windows Collection Protocol in Security Analytics.



Configure Windows Collection Protocol in Security Analytics

You configure the Log Collector to use Windows collection for an event source in the Event Sources tab of the Log Collector parameter view. The following procedure explains the basic workflow for configuring an event source for Windows Collection in Security Analytics. Please refer to:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Collection service.
  3. Click the Actions menu and select View > Config.
    The Log Collection configuration parameter tabs are displayed.
  4. Click the Event Sources tab.
  5. Select Windows as the collection protocol and select Config.
  6. Click the Add icon and define a Windows alias (Add Source).
  7. Select the alias and click the Add icon.
  8. Define a Windows host.
  9. Click Test Connection to validate the connection with the Windows event source.

Configure Event Sources to Use Windows Collection Protocol

You need to configure each event source that uses the Windows Collection protocol to communicate with Security Analytics (see Step 2. Configure Windows Event Sources to Send Events to Security Analytics).
