Hi All,
Due to a regulatory requirement,i need to integrate some windows devices in RSA SA.Even though im new to RSA, please help and provide what all per-requisite i need to be done.RSA SA version is 10.4.
Eagerly waiting for valuable reverts.
Regards
Pranav Sankar
I assume you mean Windows Logs? Did you look at sadocs.emc.com?
ya i go through that but i could find any per-requisite for integrating windows devices in SA 10.4
Hi Pranav,
what do you mean by pre-requisite ?
you can check the link below for different windows versions that RSA Security Analytics support and the different ways for integrations
https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/03_Supported_Event_Sources#W
Hi Rachid ,
Thanks for the update.
When i check the above link it shows various types of event source that supported by RSA SA.But for "Microsoft Windows using Eventing Collection" i could see how to configure the Windows Event Sources.Whether this is the way we will integrate windows devices in RSA SA?
Rachid, pre-requisite is nothing but before integrating devices we need to follow some basic instructions like whether the devices is pinging,port listening,EV access etc.Since when i worked in Arcsight, integration with windows devices i have gone through all such pre-requisite.So kindly confirm before integrating window device in RSA SA does we require any such pre-requisite?
I hope this could clear for you. Awaiting for your revert.
Regards
Pranav Sankar
Hi Rachid ,
Waiting for your update.
Regards
Pranav
Pranav -
There are usually three major methods I see people collecting Windows Logs:
Agent based - Windows Snare/Nxlog/etc
Remote Pull - WinRM
Other - WEF with Subscription Servers
For example with Windows Snare you'd have the collectors in SA accept syslog and enable the Syslog Collection method, then enable the windows_snare parser on the upstream log decoder.
For example with WinRM, we have global GPO's deployed for all systems in specific OU's in Active Directory, these GPO's setup the WinRM listener on the servers, what methods are supported, accounts that have access, etc.
In this case example dependencies -
WEF = Windows Event Forwarding and Microsoft Subscription Servers. I don't know much about this method yet as my org is PoC testing it.
There are tons of documentation on utilizing either Snare for log forwarding or WinRM for log collection. From there SA Docs should show you how to setup Windows Log collection (WinRM) vs Windows Snare (Syslog).
Much appreciated Kevin.This clears my doubt about windows device integration pre-requisite and configuration.
Once again thank you .
Below is a course link about WinRM and other things found during my search. All good references, may not pertain to the specific version inquiry but may lead others to good resources.
https://community.rsa.com/docs/DOC-54577 WinRM configuration and T/S
Test and Troubleshoot Microsoft WinRM Guide
https://community.rsa.com/message/772329#comments
last but not least the attachment.
Pranav -
There are usually three major methods I see people collecting Windows Logs:
Agent based - Windows Snare/Nxlog/etc
Remote Pull - WinRM
Other - WEF with Subscription Servers
For example with Windows Snare you'd have the collectors in SA accept syslog and enable the Syslog Collection method, then enable the windows_snare parser on the upstream log decoder.
For example with WinRM, we have global GPO's deployed for all systems in specific OU's in Active Directory, these GPO's setup the WinRM listener on the servers, what methods are supported, accounts that have access, etc.
In this case example dependencies -
WEF = Windows Event Forwarding and Microsoft Subscription Servers. I don't know much about this method yet as my org is PoC testing it.
There are tons of documentation on utilizing either Snare for log forwarding or WinRM for log collection. From there SA Docs should show you how to setup Windows Log collection (WinRM) vs Windows Snare (Syslog).