Configure Windows Event Sources

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Oct 12, 2017.
Version 7

This topic tells you how to configure the Windows collection protocol.

Configure a Windows Event Source

In RSA NetWitness Suite, you need to configure the Kerberos Realm, and then add the Windows Event Source type.

To configure the Kerberos Realm for Windows collection:

  1. Go to ADMIN > Services.
  2. Select a Log Collection service.
  3. In the Actions column, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

    The Event Sources tab is displayed.

  5. Select Windows/Kerberos Realm from the drop-down menu.
  6. In the Kerberos Realm Configuration panel toolbar, click + to add a new realm.

    The Add Kerberos Domain dialog is displayed.

  7. Fill in the parameters, using the guidelines below.

                           
    ParameterDetails

    Kerberos Realm Name

    Enter the realm name in uppercase, for example DSNETWORKING.COM. Kerberos realm names are case-sensitive and are by convention the DNS domain name in uppercase. The Mappings parameter is filled in automatically with variations on the realm name.

    KDC Host Name

    Enter the host name of a Domain Controller for the realm. Do not use a fully qualified name here: just the host name of the DC.

    Note: Make sure that the Log Collector is configured as a DNS client of the corporate DNS server. Otherwise it cannot resolve the KDC host name and will not be able to reach the Kerberos realm.

    Admin Server

    (Optional) The name of the Kerberos Administration Server, in FQDN format.

  8. Click Save to add the Kerberos domain.

To add a Windows Event Source:

  1. Go to ADMIN > Services.
  2. Select a Log Collection service.
  3. In the Actions column, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.
  5. In the Log Collector Event Sources tab, select Windows/Config from the drop-down menu.

    The Event Categories panel displays the Windows event sources that are configured, if any.

Next, continue from the current screen to add a Windows Event Category and type.

To configure the Windows Event Type:

  1. Select Windows/Config from the drop-down menu.

  2. In the Event Categories panel toolbar, click + to add a source.

    The Add Source dialog is displayed.

  3. Fill in the parameters, using the guidelines below.

                                           
    ParameterDetails

    Alias

    Enter a descriptive name.

    Authorization Method

    Choose Negotiate. Negotiate (SPNEGO) authenticates with Kerberos against the realm configured above whenever the collector can obtain a ticket, and falls back to NTLM otherwise.

    Channel

    For most event sources that use Windows collection, you want to collect from the Security, System, and Application channels.

    User Name

    Enter the account name for the Windows user account that you set up earlier for communicating with NetWitness. Note that you need to enter the full account name, which includes the domain. For example, rsalog@DSNETWORKING.COM.

    Password

    Enter the correct password for the user account.

    Max Events Per Cycle

    (Optional) RSA recommends that you set this value to 0, which collects everything.

    Polling Interval

    (Optional) For most users, a value of 60 should work well.

  4. Click OK to add the source.

    The newly added Windows event source is displayed in the Event Categories panel.

  5. Select the new event source in the Event Categories panel.

    The Hosts panel is activated.

  6. Click + in the Hosts panel toolbar to add a host.
  7. Fill in the parameters, using the guidelines below.

                               
    ParameterDetails

    Event Source Address

    Enter the IP address for the Windows host.

    Port

    Accept the default value, 5985. This is the WinRM HTTP listener port on the Windows host (5986 is the HTTPS listener).

    Transport Mode

    Enter http. Because the source authenticates with Negotiate, WinRM encrypts the SOAP message body with the Kerberos (or NTLM) session key even on the http transport, so event data is not sent in cleartext over port 5985.

    Enabled

    Ensure the box is checked.

  8. Click Test Connection.

    Note: You should be able to successfully test the connection, even if the Windows service is not running.
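
Before clicking Test Connection, it is worth confirming that the Windows host actually satisfies what the two procedures above assume: that the realm and KDC host name resolve in DNS, that a WinRM HTTP listener is up on port 5985 with Negotiate enabled, that the collector account can read the Security, System and Application channels without being an administrator, and that the host's Kerberos SPN is registered. The script below is an added example, not part of the RSA page or of NetWitness; it runs as an administrator on the Windows host being added. The realm DSNETWORKING.COM and the account rsalog are the page's own example values; the KDC host name dc01, the NetBIOS form DSNETWORKING\rsalog of the collector account and the script name Test-NwWindowsSource.ps1 are assumptions.

```powershell
# Test-NwWindowsSource.ps1 (assumed name). Added pre-flight check for a Windows host
# before it is added as a NetWitness Windows event source. Not RSA's code.
# Run in an elevated PowerShell session on the Windows host (member server; on a
# domain controller replace the Get-LocalGroupMember calls with Get-ADGroupMember).
[CmdletBinding()]
param(
    [string]$Realm            = 'DSNETWORKING.COM',     # Kerberos Realm Name from the page
    [string]$KdcHostName      = 'dc01',                 # assumed value of KDC Host Name
    [string]$CollectorAccount = 'DSNETWORKING\rsalog',  # assumed NetBIOS form of rsalog@DSNETWORKING.COM
    [string[]]$Channels       = @('Security', 'System', 'Application'),
    [int]$Port                = 5985                    # default WinRM HTTP listener
)

$results = [ordered]@{}

# 1. DNS: the Log Collector locates the realm through the corporate DNS, so the realm's
#    Kerberos SRV records and the bare KDC host name must both resolve.
$srv = Resolve-DnsName -Name "_kerberos._tcp.$Realm" -Type SRV -ErrorAction SilentlyContinue
$results['Realm Kerberos SRV records resolve'] = [bool]$srv
$results["KDC host name $KdcHostName resolves"] = [bool](Resolve-DnsName -Name $KdcHostName -ErrorAction SilentlyContinue)

# 2. WinRM: an HTTP listener on the expected port, Negotiate enabled for the service, and
#    AllowUnencrypted left at its default of false. With Negotiate the SOAP body is
#    encrypted at the message layer even though the collector's Transport Mode is http.
$listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Port      = [int]($props | Where-Object Name -eq 'Port').Value
    }
}
$results["WinRM HTTP listener on $Port"] = [bool]($listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Port -eq $Port })
$results['Negotiate auth enabled']       = (Get-Item WSMan:\localhost\Service\Auth\Negotiate).Value -eq 'true'
$results['AllowUnencrypted is false']    = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'false'

# 3. Kerberos SPN: WinRM is addressed as HTTP/<fqdn>, which falls back to the computer's
#    HOST/<fqdn> SPN, so at least one of them must be registered on the computer account.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$spns = setspn -L $env:COMPUTERNAME 2>&1
$results["HTTP/ or HOST/ SPN for $fqdn"] = [bool]($spns | Where-Object { $_ -match "^\s*(HTTP|HOST)/$([regex]::Escape($fqdn))" })

# 4. Least privilege: the collector account only needs to read event logs. Membership in
#    the built-in Event Log Readers group grants read access to Security as well as to
#    System and Application; the account should not be a local administrator.
#    (Membership through nested domain groups is not expanded here.)
$readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
$admins  = Get-LocalGroupMember -Group 'Administrators'    -ErrorAction SilentlyContinue
$results["$CollectorAccount in Event Log Readers"] = [bool]($readers | Where-Object Name -eq $CollectorAccount)
$results["$CollectorAccount not an Administrator"] = -not ($admins | Where-Object Name -eq $CollectorAccount)

# 5. Channels: every channel named in the source definition must exist and be enabled.
foreach ($c in $Channels) {
    $log = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
    $results["Channel $c present and enabled"] = [bool]($log -and $log.IsEnabled)
}

# 6. The unauthenticated WS-Management Identify request is the kind of probe that can
#    succeed before any authenticated event collection takes place.
$results['WS-Management Identify answers'] = [bool](Test-WSMan -ComputerName $fqdn -Port $Port -ErrorAction SilentlyContinue)

# Print one line per check; anything marked CHECK should be fixed before Test Connection.
$results.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it with the real values, for example `.\Test-NwWindowsSource.ps1 -KdcHostName dc01 -CollectorAccount 'DSNETWORKING\rsalog'`. A failure on the DNS checks points at the Kerberos Realm procedure (the collector's DNS client settings or the KDC Host Name), a failure on the listener, SPN, group or channel checks points at the Windows host, and only the last check corresponds to what a connection test can observe on its own.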

For more information on any of the previous steps, see the following Help topics in the NetWitness Suite User Guide:
