WMI syslog management of Windows AD Server
V 1.1.2 0 01-01-03-024 Update: 2016/5/2

Foreword

This document describes how to use WMI to manage the syslog of a Windows AD Server and feed it into N-Reporter.

Contents:

1. Configuration Windows AD Server
  1-1 Configuration Windows 2003 AD Server
    1-1-1 Add new WMI remote user
    1-1-2 Windows 2003 AD Server Audit Configuration
    1-1-3 Windows 2003 AD Server Firewall configuration
  1-2 Windows 2008 AD Server Configuration
    1-2-1 Add new WMI Remote login Domain User
    1-2-2 Windows 2008 AD Server Audit Configuration
  1-3 Windows 2012 AD Server Configuration
    1-3-1 Add new WMI Remote login Domain User
    1-3-2 Windows 2012 AD Server Audit Configuration
2. Deploy Windows AD Server WMI Device
  2-1 Add Windows AD Server WMI device
  2-2 Setting NTP Server

1. Configuration Windows AD Server

1-1 Configuration Windows 2003 AD Server

1-1-1 Add new WMI remote user

Log on to the Windows AD server as administrator.
Click [Start / All Programs / Administrative Tools / Active Directory Users and Computers].
Click the forest root domain, which is win2k3eng.local in this example.
Right-click [Users], then left-click [New / User].
Type "npartner" as the Last name and "npartner" as the User logon name, then click [Next].
Fill in the password, then select [Password never expires]. Left-click [Next / Finish].
Left-click [Users]. Right-click the WMI remote logon user npartner, then left-click [Add to a group].
Left-click [Advanced / Find Now / Domain Admins / OK] to add the WMI remote user npartner to the Domain Admins group.
Left-click [OK].

1-1-2 Windows 2003 AD Server Audit Configuration

Refer to Chapter 2 [Windows 2003 AD Server Audit configuration] of the document "Windows AD audit to syslog" to set up the audit policy of the Default Domain Controller.

1-1-3 Windows 2003 AD Server Firewall configuration

Left-click [Start / All Programs / Accessories / Command Prompt].
Type gpedit.msc to open the [Group Policy Object Editor] and set up the [Local Computer Policy].
Double-click [Computer Configuration / Administrative Templates / Network / Network Connections / Windows Firewall / Standard Profile].
Double-click [Windows Firewall: Allow remote administration exception].
Select [Enabled]. Left-click [OK].

Remark1: Please allow the DCOM port TCP 135 on the firewall.

1-2 Windows 2008 AD Server Configuration

1-2-1 Add new WMI Remote login Domain User

Log on to the Windows AD server as domain administrator.
Left-click [Start / All Programs / Administrative Tools / Active Directory Users and Computers].
Left-click the forest root domain, which is npartnerwin2k8.local in this example.
Right-click [Users], then left-click [New / User].
Type "npartner" as the Last name and "npartner" as the User logon name, then left-click [Next].
Fill in the password, then select [Password never expires]. Left-click [Next / Finish].
Left-click [Users]. Right-click the WMI remote user npartner, then left-click [Add to a group].
Left-click [Advanced / Find Now / Domain Admins / OK] to add the WMI remote user npartner to the Domain Admins group.
Left-click [OK].

1-2-2 Windows 2008 AD Server Audit Configuration

Refer to Chapter 3 [Windows 2008 AD Server Audit configuration] of the document "Windows AD audit to syslog" to set up the audit policy of the Default Domain Controller.

Remark2: Please allow the DCOM port TCP 135 on the firewall.

1-3 Windows 2012 AD Server Configuration

1-3-1 Add new WMI Remote login Domain User

Log on to the Windows AD server as domain administrator.
Left-click [Start / All Programs / Administrative Tools / Active Directory Users and Computers].
Left-click the forest root domain, which is NPWin2012r2cht.local in this example.
Right-click [Users], then left-click [New / User].
Type npartner in the Last Name field and npartner in the User Logon Name field, then left-click [Next].
Fill in the password, then select [Password never expires]. Left-click [Next / Finish].
Left-click [Users]. Right-click the WMI remote user npartner, then left-click [Add to a group].
Left-click [Advanced / Find Now / Domain Admins / OK] to add the WMI remote user npartner to the Domain Admins group.
Left-click [OK].

1-3-2 Windows 2012 AD Server Audit Configuration

Refer to Chapter 4 [Windows 2012 AD Server Audit configuration] of the document "Windows AD audit to syslog" to set up the audit policy of the Default Domain Controller.

Remark3: Please allow the DCOM port TCP 135 on the firewall.
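
The account steps of 1-3-1 and the TCP 135 requirement of Remark3, scripted in PowerShell and followed by a check that the new account can read the Security log over WMI. This is an added example, not part of the original N-Partner document. The DC host name dc01 and the use of Win32_NTLogEvent as the test query are assumptions (the document does not state which WMI class N-Reporter reads), and Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example, not from the original document. Run from a domain-joined
# admin host with the ActiveDirectory (RSAT) module, as a domain administrator.
Import-Module ActiveDirectory

$Domain = 'NPWin2012r2cht.local'   # forest root domain from the document
$User   = 'npartner'               # WMI remote user from the document
$Dc     = "dc01.$Domain"           # hypothetical DC host name (assumption)

# 1-3-1: create the user with "Password never expires", if it does not exist.
$Password = Read-Host -AsSecureString "Password for $User"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$User'")) {
    New-ADUser -Name $User -Surname $User -SamAccountName $User `
        -UserPrincipalName "$User@$Domain" -AccountPassword $Password `
        -PasswordNeverExpires $true -Enabled $true
}

# 1-3-1: add the user to Domain Admins, if it is not already a member.
$members = Get-ADGroupMember -Identity 'Domain Admins' |
    Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $User) {
    Add-ADGroupMember -Identity 'Domain Admins' -Members $User
}

# Record the resulting account state (privileged, non-expiring password)
# so it can be kept with the change record and reviewed later.
Get-ADUser -Identity $User -Properties PasswordNeverExpires, MemberOf |
    Format-List SamAccountName, Enabled, PasswordNeverExpires, MemberOf

# Remark3: the DCOM endpoint mapper (TCP 135) must be reachable.
$rpc = Test-NetConnection -ComputerName $Dc -Port 135
if (-not $rpc.TcpTestSucceeded) { throw "TCP 135 to $Dc is blocked" }

# Remote WMI read of the Security log with the new account.
# Win32_NTLogEvent is an assumed test query; -EnableAllPrivileges is needed
# because reading the Security log requires the security privilege.
$cred  = New-Object System.Management.Automation.PSCredential("$User@$Domain", $Password)
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-10))
Get-WmiObject -Class Win32_NTLogEvent -ComputerName $Dc -Credential $cred `
    -EnableAllPrivileges -Filter "Logfile='Security' AND TimeGenerated >= '$since'" |
    Select-Object -First 5 TimeGenerated, EventCode, SourceName
```

The WMI query must be run from a host other than the domain controller itself, because WMI rejects explicit credentials for local connections.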

2. Deploy Windows AD Server WMI Device

2-1 Add Windows AD Server WMI device

Open the N-Reporter user portal in a browser at the URL http://$n-reporter_ip, for example http://192.168.2.56.
Type in the N-Reporter Admin Name/Password; the default username and password are admin/admin.
Click [Login] to log on to N-Reporter Web.
Click [Device / Syslog Device].
Left-click [+] to open [New or Edit Syslog Device].
Select the Domain that the WMI device belongs to. In the example, it is Root.
Type in the device name and the IP address of the WMI device.
Select [Windows 2008/2012 AD(WMI)] as the data type and choose the language code [UTF8].
Type in the remote login username and password of the WMI device, and select [Enable] to start receiving logs from the WMI device.
Finally, choose the folder and click [OK].

Remark4: Choose [BIG5] for Windows 2003 Traditional Chinese Version. Choose [GB2312] for Windows 2003 Simple Chinese Version. Choose [UTF8] for Windows 2003 English Version. For Windows 2008/2012, please use [UTF8].

2-2 Setting NTP Server

Left-click [System / Network / System Time].
Left-click [Use NTP]. Type in the NTP server IP or host name, for example "time.stdtime.gov.tw". Left-click [Save Setting].
You can also type in "tw.pool.ntp.org" or an internal NTP server IP. If you type in a host name, please set the DNS server in Net Parameter.

Remark: If the system times of the WMI device and N-Reporter are inconsistent, WMI query data will be lost. After you add the WMI device, set the NTP server and synchronize the system time every day.

N-Partner:
TEL: +886-4-23752865
FAX: +886-4-23757458

TAC Support:
Email: support@npartnertech.com
Skype: support@npartnertech.com

Sales Support:
Email: sales@npartnertech.com