How can we integrate a Windows system with RSA Security Analytics agentless?
Do we need to run the "winrm" command on the Windows system?
Thanks in advance.
Microsoft Windows Eventing Collection
Will this guide help to collect the Windows logs by the agentless method?
Kindly confirm.
Hi deepnashu,
for HTTP collection just follow these steps:
..:: Windows side::..
1) Create user which will be used to access eventlog
2) RUN "winrm configsddl wmi"
(in 2008 R2+ without "wmi")
3) add user and set "Read" permission for him
4) RUN "wmimgmt"
WMI Control -> Properties -> Security -> CIMV2 -> Security
add user -> check "Enable Account", "Remote Enable"
5) RUN "winrm quickconfig"
6) RUN "winrm set winrm/config/service/auth @{Basic="true"}"
7) RUN "winrm set winrm/config/service @{AllowUnencrypted="true"}"
8) RUN "wevtutil gl security"
-> Copy the SDDL string and add "(A;;0x1;;;S-1-5-20)" to the end of it.
9) RUN "wevtutil sl security /ca:YOUR_SSDL(A;;0x1;;;S-1-5-20)"
example: wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
Optionally
RUN "winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS_OF_SA"}"
RUN "netsh firewall add portopening TCP 5985 "WinRM-Port 5985""
..:: SA ::..
1) Devices -> Collector -> Explore -> logcollection -> windows -> eventsources right click -> Properties -> Add
alias=NAME username=WIN_USER password=PASS read_all_events=true
2) Devices -> Collector -> Explore -> logcollection -> windows -> eventsources -> ALIAS right click -> Properties -> Add
eventsource_address=IP_OF_WIN port_number=5985 transport_mode=http
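The Windows-side steps above, as an added PowerShell example that is not the poster's script or any RSA tool: it keeps the thread's settings (Basic auth, AllowUnencrypted, the S-1-5-20 ACE on the Security log), uses the built-in Event Log Readers group and the WinRM RootSDDL to give the account access instead of the interactive "winrm configsddl" dialog, leaves step 4 (WMI Control GUI) manual, and ends with a check of the resulting settings. $User and $CollectorIp are placeholder values, and the account is assumed to be a local user as the thread describes.

```powershell
# Added example (not the thread's attached script). Run in an elevated
# PowerShell on the event source; $User and $CollectorIp are placeholders.
param(
    [string]$User        = 'sa_logreader',  # placeholder collector account
    [string]$CollectorIp = '192.0.2.10'     # placeholder SA collector address
)
$ErrorActionPreference = 'Stop'

# 1) Local account; the password is prompted so it never lives in the script
if (-not (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$User'")) {
    net user $User (Read-Host "Password for $User") /add | Out-Null
}
# Event Log Readers (S-1-5-32-573, already present in the Security log SDDL)
# gives the account read access to the log without making it an administrator
if (-not ((net localgroup 'Event Log Readers') -contains $User)) {
    net localgroup 'Event Log Readers' $User /add | Out-Null
}

# 5) Listener and default firewall exception
winrm quickconfig -q | Out-Null

# 2/3) Grant the account Read (GR) on the WinRM root, the non-GUI form of "winrm configsddl"
$sid  = (New-Object Security.Principal.NTAccount($User)).Translate([Security.Principal.SecurityIdentifier]).Value
$root = (winrm get winrm/config/service | Select-String 'RootSDDL').Line -replace '^\s*RootSDDL\s*=\s*', ''
if ($root -notlike "*$sid*") {
    $ace = "(A;;GR;;;$sid)"
    # insert into the DACL, before the SACL ("S:") if one is present
    $new = if ($root.Contains('S:')) { $root.Insert($root.IndexOf('S:'), $ace) } else { $root + $ace }
    winrm set winrm/config/service "@{RootSDDL=`"$new`"}" | Out-Null
}

# 6/7) Basic auth over plain HTTP, as transport_mode=http on the SA side needs;
# credentials then travel base64-encoded in the clear, so the firewall rule below
# limits 5985 to the collector address only
winrm set winrm/config/service/auth '@{Basic="true"}'      | Out-Null
winrm set winrm/config/service '@{AllowUnencrypted="true"}' | Out-Null

# 8/9) Let NETWORK SERVICE (S-1-5-20, the WinRM service account) read the Security log
$ca = (wevtutil gl security | Select-String '^channelAccess:').Line -replace '^channelAccess:\s*', ''
if ($ca -notlike '*S-1-5-20*') { wevtutil sl security "/ca:$ca(A;;0x1;;;S-1-5-20)" }

# Optional: inbound 5985 only from the SA collector, not from any host
netsh advfirewall firewall add rule name=WinRM-from-SA dir=in action=allow protocol=TCP localport=5985 remoteip=$CollectorIp | Out-Null

# Check: Basic and AllowUnencrypted should read true, RootSDDL should contain $sid,
# and channelAccess should end with the S-1-5-20 ACE
winrm get winrm/config/service
wevtutil gl security | Select-String 'channelAccess'
```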
Thanks for sharing this a lot.
Are the steps the same for agentless integration with Windows Server 2003, as we also have Windows Server 2003 to integrate with SA?
Kindly confirm this also, and if yes then please share all the steps for the same.
Legacy Windows is different. You need to install the legacy collector executable on a domain Windows machine (or VM). As part of the installation you input the domain credentials. When the legacy collector is installed you can add this device within managed monitored devices in the SA UI and also connect via rest API to the device.
Once that is done you need to add the event sources which should be self explanatory. All configuration steps for the 2k3 devices again can be obtained within SCOL. Collection is by WMI using NetBIOS (port 139 and 445 off the top of my head).
Hope this helps.
Thanks for clarifying this! I found no docs of legacy collector description - only how to install it
What do I need to set it up properly?
1) Installed it on 2008 R2 system, added to SA
2) Added local collector and event source (windows 2003) in SA
3) Changed lockbox password
4) Deployed "Windows Events (NIC)" log device content on it
5) Restarted the service (btw it doesn't come up automatically; you should do this manually via Services in Windows)
Nevertheless the service in the device view shows in SA as:
Appliance Service Information ( Device not available)
Logs give me:
An error occurred creating an AMQP channel: : connection closed unexpectedly
Unable to start AMQP Log Receiver: : connection closed unexpectedly
What else should I do for the service to come up? Has anyone encountered such issues?
Device not available is ok because there is no appliance service on the legacy log collector.
Did you open the firewall for port 5671?
Thanks.
Just thought I would share this. We had issues with WinRM and a PS guy gave me this script to run instead of typing it manually.
Hi!
It's a script from SCOL (hidden in enVision event sources) - I don't know why it is not mentioned in the SA docs; doing that by hand is painful.
I'll attach the same script in VBS from SCOL. It sets up WinRM for http/https automatically.
There is also a script for 2003 that automates log reading privilege setup for non-admin user. Ping me if anyone needs it.
Tested all of that with Envision, in SA only 2008 collection through local user basic auth works for me right now.
Regarding Legacy collector (WMI - 2003)
Still fighting the same errors with AMQP channel, port 5671 is open on legacy collector and local collector.
Regarding Decoder win collector (WinRM - 2008)
Collection service supports NTLM (basic) auth for local accounts but only Kerberos for Domain accounts.
(this is new in 10.3 I guess) Does anyone know how to use basic auth with domain accounts because it is enabled in domain? (Will try to setup Kerberos, but this will take time)
Sample error:
Unable to subscribe for events with Windows event source 1.1.1.1: 401/Unauthorized.
Possible causes:
- Event source using basic authentication with Domain account (user@DOMAIN.LOCAL). Domain accounts do not work with basic authentication.
Hi N1k, thanks for sharing this useful information, but kindly also share the script for Windows 2003 as well.
And we have overcome the problem of Windows Server 2003 log collection, and it's been working fine now.
Regards,
Deepanshu.
Hi,
How have you solved the 2003 collection? You had the same errors? Please describe your steps. (my steps are in post 6)
Is the user that was specified during the legacy collector install a local admin on the event sources?
Regarding 2003 non-admin user. The script is in the attachment.
1. Create a user
2. Modify a script (line 14: compname = "" and end of line 16: User Name='' ) and launch it under admin.
3. What it does is described here - How to set event log security locally or by using Group Policy in Windows Server 2003
Thank RSA for that script.
Hi N1k, thanks for sharing the script; yes, we successfully integrated our Windows Server 2003 by the agentless method by installing the Windows legacy software.
To integrate your Windows Server 2003, you need to install the Windows legacy collector .exe file on any Windows Server 2008 machine in the network; the user you created for event source integration must be able to log in on the Windows Server 2003 machine and also on the Windows Server 2008 machine, and they also need to be in the same AD.
When you are going to install the legacy collector, it asks you for a username and password; there you need to enter the username and password you created for your Windows log collection.
If you require the steps for the installation of the Windows legacy collector, I have a guide.
Regards,
Deepanshu Sood.
Well, I managed to conquer 2003 legacy collection. Maybe my practice will be of some help (because the legacy collector has one poor doc):
1. Install and run it under the same domain user which has log read privilege and is a local admin on 2008 machine where it is being installed
2. Set timezone to the same as on log collector (UTC)
3. Open ports and disable some antivirus/hips features (mine was not blocking the port or response but the service after it responded - so in telnet it was ok)
4. Connect to SA, deploy live content to it: Windows Events (NIC) Log Collector Configuration
Are your problems solved while implementing the Windows legacy device?
Let me know if I can be of any help.
Thanks Mudit for asking, but it's been resolved now and working fine now.
Have a good day.
Regards,
Deepanshu Sood.
Does anybody have an idea for using the legacy collector in a non-domain environment?
deepanshu- don't forget to mark your question as Answered please
Well, I used the 2008 collector with a local user authenticating on the local machine, not the domain, and collected logs just ok (but it was part of a domain; I think if it wasn't, WinRM wouldn't work at all, but 2003 is using WMI).
David,
I think, like other windows collection in envision/sa, you can use the local account for the service (I use it like that with envision and it works). But that would require a 2008 machine for every non-domain 2003 server which would be ugly. The legacy collector needs to be more flexible - to be able to connect to multiple domains and non-domain from a single 2008 host. Just dreamin'
Guys,
I set up a Kerberos realm (in the web GUI) then used it in the 2008 event source. Mind that it should be in uppercase when specified in the username (username@KERBEROSREALM) and you should use the FQDN, not the IP, for the event source. Here are some useful links (10.3 and 10.2SP2 config is the same):
Configure Kerberos Authentication - RSA Security Analytics Documentation
Windows Kerberos Configuration Parameters - RSA Security Analytics Documentation
So I managed 2008 collection with local (ntlm) and domain (kerberos) accounts.
Now back to 2003 legacy collector
PS. Didn't manage to keep up with the changes. First there was no Kerberos, then Kerberos was set up via SSH, now it is forced and is set up through the web GUI.
I would recommend taking a look on RSA SecurCare Online. There are device configuration guides on there for customers:
https://knowledge.rsasecurity.com/scolcms/set.aspx?id=9838