Hi All,
Due to a regulatory requirement, I need to integrate some Windows devices in RSA SA. Even though I'm new to RSA, please help and provide what all prerequisites I need to have done. RSA SA version is 10.4.
Eagerly waiting for valuable reverts.
Regards
Pranav Sankar
Pranav -
There are usually three major methods I see people collecting Windows Logs:
Agent based - Windows Snare/Nxlog/etc
Remote Pull - WinRM
Other - WEF with Subscription Servers
For example with Windows Snare you'd have the collectors in SA accept syslog and enable the Syslog Collection method, then enable the windows_snare parser on the upstream log decoder.
For example with WinRM, we have global GPOs deployed for all systems in specific OUs in Active Directory; these GPOs set up the WinRM listener on the servers, what methods are supported, accounts that have access, etc.
In this case example dependencies -
WEF = Windows Event Forwarding and Microsoft Subscription Servers. I don't know much about this method yet as my org is PoC testing it.
There is a ton of documentation on utilizing either Snare for log forwarding or WinRM for log collection. From there the SA docs should show you how to set up Windows Log collection (WinRM) vs Windows Snare (Syslog).
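As an added example (not part of the reply above, and not RSA's or Microsoft's own code), here is a PowerShell check you can run on a server that is supposed to be collectable over WinRM, to confirm the state the GPOs are meant to produce before pointing the SA log collector at it: the WinRM service, a listener, the enabled authentication methods, and event log read access for the collection account. It assumes PowerShell 5.1 or later with the WSMan: drive, and that the collector uses a non-admin account placed in the local "Event Log Readers" group (a common practice; confirm the exact requirement against the SA docs for your version). The account name `DOMAIN\svc-sa-collector` and the function name are placeholders.

```powershell
# Added example: local prerequisite check for agentless Windows log
# collection over WinRM. Run in an elevated PowerShell session on the
# host to be collected. Assumptions: PowerShell 5.1+, WSMan: drive,
# collector account is a member of "Event Log Readers" (common practice,
# verify against your SA documentation). $CollectorAccount is a placeholder.

function Test-WinRmCollectionPrereqs {
    param(
        [string]$CollectorAccount = 'DOMAIN\svc-sa-collector'   # placeholder
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. WinRM service must be running and start automatically.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings.Add('WinRM service is not running')
    }
    if ($svc -and $svc.StartType -ne 'Automatic') {
        $findings.Add('WinRM service start type is not Automatic')
    }

    # 2. At least one listener (the GPO normally creates HTTP or HTTPS).
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    if ($listeners.Count -eq 0) {
        $findings.Add('No WinRM listener configured')
    } else {
        foreach ($l in $listeners) {
            $props     = Get-ChildItem -Path $l.PSPath
            $transport = ($props | Where-Object Name -eq 'Transport').Value
            $address   = ($props | Where-Object Name -eq 'Address').Value
            Write-Host "Listener: $transport on $address"
        }
    }

    # 3. Authentication: Kerberos or Negotiate is expected for domain
    #    collection. Basic auth together with AllowUnencrypted=true is
    #    flagged because credentials would cross the wire unprotected.
    $auth        = Get-ChildItem -Path WSMan:\localhost\Service\Auth
    $basic       = ($auth | Where-Object Name -eq 'Basic').Value
    $kerberos    = ($auth | Where-Object Name -eq 'Kerberos').Value
    $negotiate   = ($auth | Where-Object Name -eq 'Negotiate').Value
    $unencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
    if ($kerberos -ne 'true' -and $negotiate -ne 'true') {
        $findings.Add('Neither Kerberos nor Negotiate authentication is enabled')
    }
    if ($basic -eq 'true' -and $unencrypted -eq 'true') {
        $findings.Add('Basic auth with AllowUnencrypted=true is enabled')
    }

    # 4. The collection account needs read access to the event logs.
    try {
        $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction Stop
        if (-not ($members.Name -contains $CollectorAccount)) {
            $findings.Add("$CollectorAccount is not a member of Event Log Readers")
        }
    } catch {
        $findings.Add("Could not enumerate Event Log Readers: $($_.Exception.Message)")
    }

    # 5. Round trip: does the local WS-Management endpoint answer at all?
    try { Test-WSMan -ErrorAction Stop | Out-Null }
    catch { $findings.Add("Test-WSMan failed: $($_.Exception.Message)") }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ready        = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: run on each server the GPO targets; Ready=$true with no Findings
# means the host is in the expected state for WinRM collection.
Test-WinRmCollectionPrereqs -CollectorAccount 'DOMAIN\svc-sa-collector' | Format-List
```

The object it returns is easy to collect across an OU with `Invoke-Command` once WinRM itself is reachable, so the same script doubles as a quick audit that the GPO actually landed everywhere, and the authentication findings are the ones worth reviewing before any collection account is handed out.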