Hello All,
Do we have any kind of setting in WinRM service to run and send the logs on DEBUG, INFORMATION, CRITICAL, ALL.
So if we want only the logs which are CRITICAL in Windows machine and the machine is configured through WinRM with Security Analytics.
Then how we will be able to recieve those logs in SA.
Any setting in WinRM that we can change or set according to our requirement.
Kindly suggest someone on this, I am waiting for your response.
Thanks to all.
Hello Patrick,
Is their any way on the windows that we can do it.
Or any way which can be possible if we only want to collect specific types of logs by WinRM Service
Kindly suggest.
I'm pretty sure it isn't possible using WinRM. If you did however want to use a third party agent (such as SNARE) then I believe this allows you to filter what is forwarded to SA/ any other SIEM.
Obviously this introduces additional challenges around installing an agent
You can get a trial licence - have a play with that and let me know how you get on.
Our main challenge is to do this without any third party agent.
Because in future if the agent crash down then this will again create a problem for us.
And the most important thing this that why I want this service because in my windows machine I have enabled that if any file or folder created in the machine, the log is created and also i can check the same related logs in the event viewer, but if i tries to find and view the log in SA. I am not able to find the log related to this.
Then how I can check in the SA,that if any file or folder created on the windows machine, i can get a list of the logs which is been created or the modifications has been done.
Hope you can understand this, that what I am trying to explain to you.
Thank you.
Hi,
I see one way of doing it - just leave events that you need in parser and delete all the other. It's ugly, but you will get only events that you need - others will go to other event source of type "unknown" and the same ip. You can clean this "unknown un-needed info" afterwards.
Also there could be a way of doing it through registry or through user rights, but I cannot find it, maybe it's not that granular.
Would be smarter to just make an app rule to delete the logs as they come in by message ID. Deleting the parsers might cause issues in the long run if they want them turned back on.
Thanks for advice, totally forgot that app rules can not only alert but manage data processing
It's a windows limitation that you cannot granularly select which types of events you want to receive.
Hope this helps.