Windows Legacy Collection: Configure Remote Registry Access

Document created by RSA Information Design and Development on Mar 23, 2017. Last modified by RSA Information Design and Development on May 4, 2017.
Version 4

This topic describes how to enable the Remote Registry Access method for collecting data from event sources.

The Windows Legacy Collector performs an initial verification of the event source before collecting data. By default, the Windows Legacy Collector uses the Windows Management Instrumentation (WMI) method to perform this initial verification. If you enable the Remote Registry Access method, the Windows Legacy Collector performs a remote registry query to verify the event source.

Note: Customers who have upgraded from RSA enVision can select the Remote Registry Access method to use the existing domain collection user without having to enable WMI permission.

Procedure

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Windows Legacy Log Collector service.
  3. In the toolbar, select View > Config > Event Sources.
  4. In the Event Sources tab, select Windows Legacy/Windows from the drop-down menu.
  5. Configure the alias:
    1. Click the Add icon in the Event Categories panel toolbar.
      The Add Source dialog is displayed.
    2. Make sure that the Use Remote Registry Initialization checkbox is checked (it is checked by default) and click OK.

Result

The Remote Registry Access method is enabled.
