Log Collection: Configure Windows Event Sources

Document created by RSA Information Design and Development on Sep 11, 2017Last modified by RSA Information Design and Development on Sep 12, 2018
Version 12

This topic tells you how to configure the Windows collection protocol.

In RSA NetWitness Platform, you need to configure the Kerberos Realm, and then add the Windows Event Source type.

To configure the Kerberos Realm for Windows collection:

  1. Go to ADMIN > Services.
  2. Select a Log Collection service.
  3. Under Actions, select actions menu > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

    The Event Sources tab is displayed.

  5. Select Windows/Kerberos Realm from the drop-down menu.
  6. In the Kerberos Realm Configuration panel toolbar, click the add icon to add a new realm.

    The Add Kerberos Domain dialog is displayed.

  7. Fill in the parameters, using the guidelines below.

    Kerberos Realm Name: Enter the realm name in all caps, for example DSNETWORKING.COM. The Mappings parameter is filled in automatically with variations on the realm name.

    KDC Host Name: Enter the host name of the Domain Controller that acts as the KDC. Do not use a fully qualified name here: just the short host name of the DC.

    Note: Make sure that the Log Collector is configured as a DNS client of the corporate DNS server. Otherwise the Log Collector cannot resolve the short KDC host name and will not find the Kerberos realm.

    Admin Server: (Optional) The name of the Kerberos Administration Server in FQDN format.

    Mappings: Filled in automatically after you enter the realm name; it maps the domain name (and its subdomains) to the realm.

  8. Click Save to add the Kerberos domain.

To add a Windows Event Source:

  1. Go to ADMIN > Services.
  2. Select a Log Collection service.
  3. Under Actions, select actions menu > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

  5. In the Log Collector Event Sources tab, select Windows/Config from the drop-down menu.

    The Event Categories panel displays the Windows event sources that are configured, if any.

Next, continue from the current screen to add a Windows Event Category and type.

To configure the Windows Event Type:

  1. Select Windows/Config from the drop-down menu.

  2. In the Event Categories panel toolbar, click the add icon to add a source.

    The Add Source dialog is displayed.

  3. Fill in the parameters, using the guidelines below.

    Alias: Enter a descriptive name.

    Authorization Method: Choose Negotiate. Negotiate (SPNEGO) authenticates with Kerberos against the realm you configured above.

    Channel: For most event sources that use Windows collection, you want to collect from the Security, System, and Application channels. Note that reading the Security channel remotely requires an account with read access to it (for a non-administrator account, membership of the Event Log Readers group is the usual grant).

    User Name: Enter the account name for the Windows user account that you set up earlier for communicating with NetWitness. You must enter the full account name, which includes the realm in upper case exactly as configured in the Kerberos Realm Name, for example rsalog@DSNETWORKING.COM.

    Password: Enter the correct password for the user account.

    Max Events Per Cycle: (Optional) RSA recommends that you set this value to 0, which collects everything.

    Polling Interval: (Optional) For most users, a value of 60 should work well.

  4. Click OK to add the source.

    The newly added Windows event source is displayed in the Event Categories panel.

  5. Select the new event source in the Event Categories panel.

    The Hosts panel is activated.

  6. Click add icon in the Hosts panel toolbar.
  7. Fill in the parameters, using the guidelines below.

    Event Source Address: Enter the IP address for the Windows host.

    Port: Accept the default value, 5985. This is the default port of the WinRM HTTP listener; a WinRM HTTPS listener uses 5986.

    Transport Mode: Enter http. The transport mode must match the listener on the port you entered (http for 5985, https only if the host has a 5986 HTTPS listener).

    Enabled: Ensure the box is checked.

  8. Click Test Connection.

    Note: You should be able to successfully test the connection, even if the Windows service is not running.
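The following script is an added example, not RSA's code, that pre-checks the values from both procedures above (the Kerberos realm and the Windows event source) from the Log Collector's shell before you type them into the Event Sources tab. It enforces the guidelines in this topic (realm in upper case, KDC as a short host name, user as account@REALM with a matching realm, port paired with the right transport), renders the automatic mappings as the equivalent MIT krb5.conf stanza (an assumption about their form, not product output), and offers an optional live probe of DNS, the KDC and the WinRM listener. The sample values are constructed from the examples in the text; `live_probe` assumes bash, `getent`, `timeout`, `kinit` and a curl built with GSS-API.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a NetWitness Windows collection setup (added example).

# Kerberos Realm Name must be all upper case, e.g. DSNETWORKING.COM.
check_realm() {
  local realm=$1
  [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# KDC Host Name must be the short DC host name: no dots (FQDN or IPv4), no IPv6.
check_kdc_host() {
  case $1 in
    ''|*.*|*:*) return 1 ;;
    *) return 0 ;;
  esac
}

# User Name must be account@REALM; the realm part is case-sensitive and must
# match the configured realm exactly.
check_user() {
  local user=$1 realm=$2
  case $user in
    *@"$realm") [ -n "${user%@*}" ] ;;
    *) return 1 ;;
  esac
}

# Port and Transport Mode must match the WinRM listener: 5985/http or 5986/https.
check_port_transport() {
  case "$1/$2" in
    5985/http|5986/https) return 0 ;;
    *) return 1 ;;
  esac
}

# The Mappings the Log Collector derives from the realm name, rendered as the
# equivalent krb5.conf [realms] and [domain_realm] stanzas (assumed form).
render_mappings() {
  local realm=$1 kdc=$2 domain
  domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  printf '[realms]\n  %s = {\n    kdc = %s\n  }\n' "$realm" "$kdc"
  printf '[domain_realm]\n  .%s = %s\n  %s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# Runs every static check; returns 0 only when all of them pass.
preflight() {
  local realm=$1 kdc=$2 user=$3 port=$4 transport=$5 rc=0
  check_realm "$realm"        || { echo "realm must be upper case: $realm"; rc=1; }
  check_kdc_host "$kdc"       || { echo "KDC host must be a short host name: $kdc"; rc=1; }
  check_user "$user" "$realm" || { echo "user must be account@$realm: $user"; rc=1; }
  check_port_transport "$port" "$transport" \
                              || { echo "port/transport mismatch: $port/$transport"; rc=1; }
  return $rc
}

# Optional live probe (network access required; not called by default):
# resolves the KDC (needs the collector to be a DNS client of the corporate
# DNS), checks Kerberos on tcp/88, obtains a ticket for the account, then
# touches the WinRM endpoint. Any HTTP status code back from /wsman shows the
# listener answers on that port; a connection failure means it does not.
live_probe() {
  local kdc=$1 user=$2 host=$3 port=$4 transport=$5
  getent hosts "$kdc" >/dev/null || { echo "cannot resolve KDC $kdc"; return 1; }
  timeout 5 bash -c "exec 3<>/dev/tcp/$kdc/88" || { echo "no KDC on $kdc:88"; return 1; }
  kinit "$user" || { echo "kinit failed for $user"; return 1; }
  curl -s -o /dev/null -w 'WinRM %{http_code}\n' --negotiate -u : \
       "$transport://$host:$port/wsman" || { echo "no WinRM listener on $host:$port"; return 1; }
}

# Constructed sample values, taken from the examples in this topic.
preflight DSNETWORKING.COM dc01 rsalog@DSNETWORKING.COM 5985 http \
  && render_mappings DSNETWORKING.COM dc01
```

Run it on the Log Collector with the values you intend to enter; fix anything `preflight` reports, then call `live_probe dc01 rsalog@DSNETWORKING.COM <windows-host-ip> 5985 http` to confirm the path end to end before clicking Test Connection.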

For more information on any of the previous steps, see the following Help topics in the NetWitness Platform User Guide:
