Windows Event Source Configuration Parameters

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Jul 28, 2017. Version 2.
This topic tells you how to configure Windows event sources for the Log Collector.

The Windows/Config option on the Log Collector service Config View > Event Sources tab displays the parameters that you specify to configure Windows event sources.

To access the Windows Event Source configuration parameters:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. In the Actions column, select the Actions menu > View > Config.
  4. In the Event Sources tab, select Windows/Config from the drop-down menus.


Note: To encrypt communication between Security Analytics Windows Collection and the Windows event source, use Kerberos authentication with the HTTPS transport mode in WinRM.

Features

The Windows/Config view of the Event Sources tab has two panels: Event Categories and Hosts.

Event Categories Panel

The Event Categories panel provides a list of existing Windows event source aliases. Use this section to add or delete Windows event source aliases.

The Windows domain, referred to as the alias, is the configuration parameter that the Log Collector uses to group event sources. Most often, an alias defines a single domain, because credentials (that is, username and password) and channels are domain-wide. Occasionally, you need to define multiple alias entries for the same domain if you need to customize the settings for different groups of event sources.

Toolbar

The toolbar provides the following options.

Add icon: Displays the Add Event Source dialog in which you define the parameters for a new Windows event source.
Delete icon: Deletes the Windows event source aliases that you selected.
Edit icon: Displays the Edit Event Source dialog in which you edit the parameters for the selected Windows event source. When multiple event sources are selected, opens the Bulk Edit Source dialog in which you can edit the parameter values for the selected event sources. Refer to "Import, Export, and Edit Event Sources in Bulk" in the Log Collection Configuration Guide for detailed steps on how to use this function.
Import Source icon: Opens the Bulk Add Option dialog in which you can import event source host parameters in bulk from a comma-separated values (CSV) file. Refer to "Import, Export, and Edit Event Sources in Bulk" in the Log Collection Configuration Guide for detailed steps on how to use this function.
Export Source icon: Creates a .csv file that contains the parameters for the selected hosts. Refer to "Import, Export, and Edit Event Sources in Bulk" in the Log Collection Configuration Guide for detailed steps on how to use this function.
Test Connection icon: Validates the configuration parameters for the selected hosts. Refer to the Log Collection Configuration Guide for detailed steps on how to test event source connections in bulk.

Add Event Source Dialog

In this dialog, you define the parameters for a new Windows event source.

Basic

Alias*: The Windows domain, referred to as the alias, is the configuration parameter that the Log Collector uses to group event sources. These event source type groups (for example, domain2, domain3, and domain4) categorize the event sources you have configured.
Authorization Method*: The authentication method. Valid values are:
  • Basic (default)
  • Negotiate - Negotiates authentication between Kerberos and NTLM (Microsoft Windows NT LAN Manager). For security reasons, Security Analytics supports Kerberos exclusively.
Channel: A comma-separated list of channels from which Security Analytics collects events. The default value is System, Application, Security. Refer to "Determine the Channel Name on the Windows Event Source" in Step 1. Configure Windows Event Sources in Security Analytics to find the appropriate channel names to use for this parameter.
You can use parentheses to include and exclude event IDs. An exclude filter must have a ^ between the channel name and the parenthesized event IDs. Separate event IDs with a |. For example, Application^(211|300), System(1010|1012) excludes the 211 and 300 Application events and includes the 1010 and 1012 System events.
A channel is a named stream of events that transports them from an event publisher to an event log file. There are many predefined Windows channels, for example:
  • System - applications that run under system service accounts (installed system services), drivers, or a component or application whose events relate to the health of the system.
  • Application - all user-level applications. This channel is unsecured and is open to any application. If an application has extensive information, you should define an application-specific channel for it.
  • Security - the Windows Audit Log (event log) used exclusively for the Windows Local Security Authority.
Refer to http://msdn.microsoft.com/en-us/subscriptions/aa385225(v=vs.85).aspx for additional information on Windows channels.
User Name*: Event source username. For Negotiate authentication, this must be the Kerberos principal name in the name@kerberosdomain format, for example logcollector@LAB30.LOCAL.
Password*: Event source password. The password is encrypted internally and is displayed in its encrypted form.
Read All Events: Select this checkbox to read all historical event data from a channel. Valid values are:
  • Checked - Log Collector collects all historical event data from the specified channel.
  • Unchecked (default) - Log Collector does not collect historical event data from the specified channel.

Advanced

Max Duration Poll: The maximum duration of a polling cycle (how long the cycle lasts), in seconds.
Max Events Per Cycle: The maximum number of events collected per polling cycle.
Polling Interval: The interval, in seconds, between polls. The default value is 180.
For example, if you specify 180, the collector schedules a poll of the event source every 180 seconds. If the previous polling cycle is still underway, the collector waits for that cycle to finish. If you are polling a large number of event sources, it may take longer than 180 seconds for a poll to start because the threads are busy.
Render Events: Select this checkbox to request rendered events from the event source.
  • Checked (default) - Log Collector requests rendered events from the event source.
  • Unchecked - Log Collector does not request rendered events from the event source.
Cancel: Closes the dialog without adding the Windows event source.
OK: Adds the current parameter values as a new event source.

Hosts Panel

The Hosts panel displays a list of existing Windows event source hosts. Use this section to add or delete Windows event source hosts (that is, the Windows event source address and its associated communication parameters).

Toolbar

The toolbar provides the following options.

Add icon: Displays the Add Host dialog in which you define the parameters for a host for the event source that you select in the Event Categories panel.
Delete icon: Deletes the event source host that you selected.
Edit icon: Displays the Edit Host dialog in which you edit the parameters for the selected Windows event source host. When multiple hosts are selected, opens the Bulk Edit Source dialog in which you can edit the parameter values for the selected hosts. Refer to "Import, Export, and Edit Event Sources in Bulk" in the Log Collection Configuration Guide for detailed steps on how to use this function.
Import Source icon: Opens the Bulk Add Option dialog in which you can import event sources in bulk from a comma-separated values (CSV) file. The Bulk Add Option dialog has the following two options. Refer to "Import, Export, and Edit Event Sources in Bulk" in the Log Collection Configuration Guide for detailed steps on how to use this function.
Export Source icon: Creates a .csv file that contains the parameters for the selected event sources. Refer to "Import, Export, and Edit Event Sources in Bulk" in the Log Collection Configuration Guide for detailed steps on how to use this function.
Test Connection icon: Validates the Event Source Address for the selected hosts.

Add Host Dialog

The Add Host dialog has the following features.

Basic

Event Source Address*: Address of the event source. Valid values are an IPv4 address, an IPv6 address, or a hostname, including a fully qualified domain name. Log Collector converts the hostname to lower-case letters to prevent duplicate entries.
Port: Port number. A valid port number is any number within the 1 through 65535 range.
  • WinRM 2.0 (Vista and later) uses ports 5985 for http and 5986 for https as the default ports.
  • WinRM 1.1 (Windows 2003) uses ports 80 for http and 443 for https as the default ports.
Transport Mode: The transport mode. Valid transport modes are:
  • http (default) - non-secure connection
  • https - secure connection
Enabled: Select this checkbox to collect from this event source. If you do not check this checkbox, the Log Collector does not collect events from this event source.
Certificate Name: Name of the certificate to use when the transport mode is https. If set, the certificate must exist in the certificate trust store. You add certificates to the trust store in the Certificates panel of the Settings tab.

Advanced

Debug: Enables or disables debug logging for the event source.
Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and you need to investigate it. Enabling debugging adversely affects the performance of the Log Collector.
Valid values are:
  • Off (default) - disabled
  • On - enabled
  • Verbose - enabled in verbose mode; adds thread information and source context information to the messages.
This parameter is designed to debug and monitor isolated event source collection issues. If you change this value, the change takes effect immediately (no restart required). Limit the number of event sources for which you use Verbose debugging to minimize the performance impact.
Validate Server: Select this check box to validate the Subject in the server certificate. The Subject of the server certificate must match the event source address.
Render Locale: Specify the locale in which the events are rendered. If you do not specify a value, the event source uses its default locale; in most cases the default locale is en-US. The event source ignores an unsupported locale, and the subscription fails if the locale is invalid.
Windows Type: (Optional setting) Indicates whether the event source you configured and are collecting from is a domain controller. Security Analytics uses this parameter to determine whether to send the information to the Identity Event Processor (IDEP). If you do not specify this parameter, all the data is sent to the IDEP. Valid values are:
  • not set - send all data to the IDEP
  • Non-Domain Controller - the event source you configured and are collecting from is not a domain controller.
  • Domain Controller - the event source you configured and are collecting from is a domain controller.
Resolve SIDs: Resolve System Identification Codes (SIDs). Select this check box to resolve the account SIDs in relevant attributes of the collected events into account names. This check box is selected by default.
SID Enumeration Interval: The interval, in seconds, at which each event source enumerates account SIDs. Valid values are in the 0 - 86400 range. The default value is 14400.
SID Enumeration Timeout: The time, in seconds, allowed for SID enumeration operations. Valid values are in the 10 - 600 range. The default value is 60.
Override Channels: Overrides the alias's Channel parameter (set in the Add Event Source dialog) for all the hosts defined for a Windows alias (event source). If you leave this parameter blank, Security Analytics uses the alias's Channel parameter.
The value uses the same syntax as the Channel parameter: a comma-separated list of channels from which Security Analytics collects events, with the default System, Application, Security. Refer to "Determine the Channel Name on the Windows Event Source" in Step 1. Configure Windows Event Sources in Security Analytics to find the appropriate channel names to use for this parameter.
You can use parentheses to include and exclude event IDs. An exclude filter must have a ^ between the channel name and the parenthesized event IDs. Separate event IDs with a |. For example, Application^(211|300), System(1010|1012) excludes the 211 and 300 Application events and includes the 1010 and 1012 System events. See the Channel parameter above for descriptions of the predefined System, Application, and Security channels.
Test Connection: Validates the connection to the Event Source Address.
Cancel: Closes the dialog without adding the Windows event source.
OK: Saves the current parameter values as a new event source.
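As an added example (not part of the RSA documentation or product), the following Python parser applies the channel filter syntax used by the Channel and Override Channels parameters, so you can check what a given specification would collect before saving it. The filter string is a constructed sample; parse_channel_spec and is_collected are names assumed for this illustration.

```python
import re

# Constructed sample in the Log Collector channel syntax described on this page:
# "Channel(ids)" collects only the listed event IDs, "Channel^(ids)" collects
# everything except the listed IDs, and a bare channel name collects all events.
EXAMPLE_SPEC = "Application^(211|300), System(1010|1012), Security"

# One entry: channel name, optional ^ exclude marker, optional (id|id|...) list.
_ENTRY = re.compile(r"^\s*([A-Za-z0-9_./ -]+?)\s*(\^)?(?:\((\d+(?:\|\d+)*)\))?\s*$")


def parse_channel_spec(spec):
    """Parse a comma-separated channel list into {channel: (mode, ids)}.

    mode is "all" (no filter), "include" or "exclude"; ids is a frozenset of
    event IDs. A malformed entry raises ValueError so that a typo is caught
    instead of silently changing what the collector gathers from a channel.
    """
    result = {}
    for raw in spec.split(","):
        if not raw.strip():
            continue  # tolerate a trailing comma
        match = _ENTRY.match(raw)
        if not match:
            raise ValueError(f"malformed channel entry: {raw!r}")
        name, caret, ids = match.groups()
        if caret and ids is None:
            raise ValueError(f"exclude marker without event IDs: {raw!r}")
        if ids is None:
            result[name] = ("all", frozenset())
        else:
            mode = "exclude" if caret else "include"
            result[name] = (mode, frozenset(int(x) for x in ids.split("|")))
    return result


def is_collected(parsed, channel, event_id):
    """Return True if an event from `channel` with `event_id` passes the filter."""
    if channel not in parsed:
        return False  # channels not listed are not collected at all
    mode, ids = parsed[channel]
    if mode == "include":
        return event_id in ids
    if mode == "exclude":
        return event_id not in ids
    return True
```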