Any support or planned support for NXLOG for Windows collection? Lots of customers don't want to use Snare.
Is using WinRM as a collection method an alternative?
I would have thought it was easier to set up, as it can be controlled via domain policy and also scripted for deployment in large environments.
For WinRM, how do you fail over to another VLC automatically? The customer wanted to use nxlog (same as Snare) to send in syslog format, so a load balancer can be used to fail over.
Or what about the built-in Windows collection method (using WinRM), Windows Event Collection (WEC/WEF), which works as push or pull, and then collecting from one central Windows server with WinRM to RSA NW?
Have you found anything out about RSA leveraging reverse DNS lookups for WEF? If users leverage a subscription server, how are the endpoints/relays identified?
event.computer contains the true client.
device.ip contains the subscription server IP address.
No word on the reverse lookup function.
From my experience, I prefer syslog to WinRM or other send methods.
Well, you can try with this nxlog.conf:

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
</Input>

<Output out>
    Module om_tcp
    Host #IP_SIEM#
    Port 514
    Exec to_syslog_snare(); $raw_event = replace($raw_event, "\t", ',');
</Output>

<Route 1>
    Path in => out
</Route>
Also update your win snare parser from Live.
Your Windows system language must be English (US); it does not work for other languages. If you know about a win snare parser for the Spanish version, please let me know.
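To see what the config above hands to the SIEM, and why the poster says it only works on English Windows, here is an added example (not from the thread or from NXLog) that parses one Snare-over-syslog line with the tabs already replaced by commas and flags the locale-dependent EventLogType field. The Snare field order and the English token set are assumptions taken from the classic Snare agent layout; the sample lines are constructed.

```python
import re
from typing import Dict, List

# Snare fields that follow the "MSWinEventLog" marker, in the classic Snare
# agent order (assumption). Everything after "category" is kept as "data".
SNARE_FIELDS = ["criticality", "event_log", "counter", "date_time", "event_id",
                "source_name", "user_name", "sid_type", "event_log_type",
                "computer_name", "category", "data"]

# English values a parser built for English (US) Windows expects in the
# EventLogType field; a localized Windows emits translated strings here.
ENGLISH_EVENT_LOG_TYPES = {"Success Audit", "Failure Audit", "Information",
                           "Warning", "Error"}

# Syslog header produced by xm_syslog: <PRI>, BSD timestamp, hostname.
HEADER_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) MSWinEventLog(.*)$", re.S)


def parse_snare(line: str, delimiter: str = ",") -> Dict[str, str]:
    """Split one Snare-over-syslog line into named fields.

    delimiter is "," for the nxlog.conf above (tabs replaced) or "\\t" for
    stock Snare output. maxsplit keeps delimiters inside the message intact.
    """
    m = HEADER_RE.match(line)
    if not m or not m.group(4).startswith(delimiter):
        raise ValueError("not a Snare-format syslog line")
    pri = int(m.group(1))
    parts = m.group(4)[len(delimiter):].split(delimiter, len(SNARE_FIELDS) - 1)
    if len(parts) != len(SNARE_FIELDS):
        raise ValueError(f"expected {len(SNARE_FIELDS)} Snare fields, got {len(parts)}")
    rec = dict(zip(SNARE_FIELDS, parts))
    rec.update(facility=str(pri // 8), severity=str(pri % 8),
               timestamp=m.group(2), host=m.group(3))
    return rec


def locale_warnings(rec: Dict[str, str]) -> List[str]:
    """Flag values a parser written for English (US) Windows will not match."""
    warnings = []
    if rec["event_log_type"] not in ENGLISH_EVENT_LOG_TYPES:
        warnings.append(f"localized EventLogType {rec['event_log_type']!r}")
    return warnings


# Constructed sample lines (not captured from a real host); the Spanish one
# mimics what a localized Windows would emit in the EventLogType field.
SAMPLE_EN = ("<14>Mar  3 10:15:02 WKS01 MSWinEventLog,1,Security,42,Tue Mar 03 10:15:02 2020,"
             "4624,Microsoft-Windows-Security-Auditing,jdoe,User,Success Audit,WKS01,Logon,"
             "An account was successfully logged on. Logon Type: 2, Process Name: winlogon.exe")
SAMPLE_ES = SAMPLE_EN.replace("Success Audit", "Auditoría correcta")

if __name__ == "__main__":
    for line in (SAMPLE_EN, SAMPLE_ES):
        rec = parse_snare(line)
        print(rec["host"], rec["event_id"], rec["user_name"], locale_warnings(rec) or "ok")
```

Note that the comma in the constructed message body survives only because the parser splits a fixed number of times; a parser that splits on every comma would misalign the fields, which is a reason to keep the tab delimiter if the receiving parser accepts it.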