Using Windows Event Forwarding with the Windows Unified Connector

Similar documents

Centralizing Windows Events with Event Forwarding

Q&A. DEMO Version

Centralized Auditing in Windows Derek Melber

June 20, Copyright 2012 by World Class CAD, LLC. All Rights Reserved.

How to Install and Setup IIS Server

Kaseya 2. User Guide. Version 7.0. English

Best practices and use cases for consistent, enterprise-wide SIEM security policy management

Configuring and Administering Windows 7

Configuring an ArcSight Smart- Connector to collect events from Kaspersky Admin Kit 8.0

Course 50322B: Configuring and Administering Windows 7

ITA Mail Archive Setup Guide

Como configurar o IIS Server para ACTi NVR Enterprise

MAPILab Reports for Hardware and Software Inventory Installation Guide. Document version 1.0

Designing a Windows Server 2008 Applications Infrastructure

Course 6437A: Designing a Windows Server 2008 Applications Infrastructure

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 11 Managing and Monitoring a Windows Server 2008 Network

Information Assurance Directorate

Sage Grant Management System Requirements

Also on the Performance tab, you will find a button labeled Resource Monitor. You can invoke Resource Monitor for additional analysis of the system.

Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS

This is Remote Desktop to remote into the terminal server. This is QuickBooks running inside the remote desktop window

Course 6291A: Updating Your Technology Knowledge of Microsoft Windows XP to Windows 7 Beta

5nine Virtual Firewall 2.1 for Microsoft Hyper-V

Paragon Protect & Restore

(Exam ): Configuring

TeamViewer 9 Manual ITbrain

Recommended operating systems and software for end user services. Operating systems and software not supported for end user services

OBSERVEIT DEPLOYMENT SIZING GUIDE

70-685: Enterprise Desktop Support Technician

SQL EXPRESS INSTALLATION...

How to Connect to the SPSS Server (HUSPSS) Using Remote Desktop on a PC

Windows 7, Enterprise Desktop Support Technician

This document details the procedure for installing Layer8 software agents and reporting dashboards.

Configure Backup Server for Cisco Unified Communications Manager

11.1. Performance Monitoring

introducing The BlackBerry Collaboration Service

Remote Desktop Web Access. Using Remote Desktop Web Access

Designing a Windows Server 2008 Applications Infrastructure

To learn more about this book, visit Microsoft Learning at

SQL Server 2005 Express Installation guide

RightNow November 09 Workstation Specifications

ILTA HANDS ON Securing Windows 7

Microsoft Labs Online

Publish Acrolinx Terminology Changes via RSS

Syslog Server Configuration on Wireless LAN Controllers (WLCs)

ICT Professional Optional Programmes

Patch Manager. Overview. LabTech

Tech Notes. PC-Duo for Terminal Services

How-to configure Auditing for IDENTIKEY Authentication Server 3.2 to a remote Oracle Database on a standalone Microsoft machine.

Quick Start Guide. Version R9. English

Microsoft Labs Online

Yale Software Library

Q&A. DEMO Version

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

For Splunk Universal Forwarder and Splunk Cloud

Understand Troubleshooting Methodology

An Analysis of Propalms TSE and Microsoft Remote Desktop Services

VCL Access. VCL provides access to Linux and Windows 7 Virtual Machines. Users will only see those images that they are authorized to access.

6425C - Windows Server 2008 R2 Active Directory Domain Services

System Area Management Software Tool Tip: Integrating into NetIQ AppManager

TECHNICAL DOCUMENTATION SPECOPS DEPLOY / APP 4.7 DOCUMENTATION

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

SCUtils WorkItem Scheduler Guide Solution for Microsoft System Center 2012 Service Manager

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

GlobalMeet powered by SoundConnect. GlobalMeet for Lync USER GUIDE

PrivateWire Gateway Load Balancing and High Availability using Microsoft SQL Server Replication

Defender EAP Agent Installation and Configuration Guide

File System Auditor Release Notes

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

How To Install Powerpoint 6 On A Windows Server With A Powerpoint 2.5 (Powerpoint) And Powerpoint On A Microsoft Powerpoint 4.5 Powerpoint (Powerpoints) And A Powerpoints 2

MS-6425C - Configuring Windows Server 2008 Active Directory Domain Services

etrust Audit Using the Recorder for Check Point FireWall-1 1.5

Request Manager Installation and Configuration Guide

Webinar Information. Title: Websense Remote Filtering Audio information: Dial-in numbers:

Receptionist-Small Business Administrator guide

Contents. VPN Instructions. VPN Instructions... 1

Desktop Authority and Group Policy Preferences

LICENSE SERVER MANAGER

Alarms. Understanding Alarms CHAPTER

User Installation Guide

Harden SSL/TLS v1.01. Windows hardening tool. Thierry ZOLLER.

Extending FactoryTalk View Site Edition with Microsoft's Remote Desktop Services

Determining Your Computer Resources

MAPILab Reports Installation Guide. Document version 3.02

Microsoft Visual Basic Scripting Edition and Microsoft Windows Script Host Essentials

Integrating LANGuardian with Active Directory

Generate Reports About User Actions on Windows Servers

SAS 9.3 Foundation for Microsoft Windows

GIGATRAK CLIENT INSTALL HANDHELD TERMINAL

Configuring Cisco CallManager IP Phones to Work With IP Phone Agent

Cloud Services ADM. Agent Deployment Guide

How To Install Vembu Onlinebackup On Windows (Windows) (Windows 7) (For Windows) (Powerbook) (Winstone) (Vembu) (Program) (Procedure) (

Overview of Active Directory Rights Management Services with Windows Server 2008 R2

Advanced Event Viewer Manual

6 Oracle Business Activity Monitoring

Getting Started with VMware Horizon View (Remote Desktop Access)

Information Assurance Directorate

Managing Enterprise Devices and Apps using System Center Configuration Manager

EVENT LOG MANAGEMENT...

Transcription:

Using Windows Event Forwarding with the Windows Unified Connector Steve Maxwell, Solutions Architect #HPProtect

Agenda What is Windows Event Forwarding? How does HP ArcSight work with Windows Event Forwarding? Benefits Tips & tricks 3

What is Windows Event Forwarding?

What is Windows Event Forwarding? Centralized Windows event collection Collect events from Windows systems and store them centrally Introduced in Windows Server 2008 and Windows Vista Built-in support in Windows Server 2008+ and Windows Vista+ Add-on support in Windows Server 2003 and Windows XP Uses Windows Remote Management 1.1 or later Microsoft implementation of the WS-Management protocol 5

Microsoft terminology Event Collector Where events from Sources are centrally forwarded to and stored Event Source Where events are generated 6

Platforms Event Collector Windows Server 2008/2012 Microsoft Recommended Platforms Windows 7/8 Windows Vista 7

Platforms Event Source Windows Server 2008/2012 Windows 7/8 Windows Vista Windows Server 2003 SP1+ Windows XP SP2+ 8

Subscription What events do I want to collect? What systems do I want to collect from? What event log do I want to forward the collected events to? Collector or Source initiated? Advanced Subscription Settings 9

Collector initiated 10

Source initiated 11

12

13

14

How does HP ArcSight work with Windows Event Forwarding?

Acronyms used in this presentation Windows Unified Connector WUC Windows Event Forwarding WEF 16

SmartConnector Support for WEF added to the WUC SmartConnector 6.0.6.6865 released on September 30, 2013 Microsoft Windows Event Log Unified Forwarded Events Collection Disabled Enabled (use AD for sources) Enabled (do not use AD for sources) Custom Log Names HardwareEvents is Supported ForwardedEvents is not Supported (subscription default) 17

WEF Log Forwarding options WEF has a lot of granularity on where to forward Source logs to on the Collector For example Sources/Application Logs Collector/Application Log Sources/System Logs Collector/System Log Sources/Application Logs Collector/System Log Sources/System Logs Collector/Application Log Sources/Security Logs Collector/HardwareEvents Log Sources/ Applications and Services Logs Collector/System/Application/HardwareEvents Log 18

WEF Log Forwarding best practices Security logs Sources/Security Logs Collector/HardwareEvents Log Source Security logs cannot be forwarded to the Collector Security log Application logs Sources/Application Logs Collector/Application Log System logs Sources/System Logs Collector/System Log 19

20

21

22

23

Windows OS Version WEF events can be from different Windows versions than the WEF Collector For example: Collector is Windows Server 2008; Sources are Windows XP, Windows Server 2003 SmartConnector needs to know what OS in order to parse the events properly It assumes Windows 2008 R2 by default Sources Active Directory Enabled (use AD for sources) sourcehosts.csv Enabled (do not use AD for sources) 24

Benefits

Windows Event Forwarding Integrated and Free Secure and Reliable Filtering Multi-Tier Group Policy Laptops/Desktops Source Initiated Subscription 26

SmartConnector Filtering Aggregation Caching Batching Bandwidth Throttling Time Correction Platforms Windows Linux/Unix Connector Appliance/ArcMC 27

Use both! The best of both worlds! Use both where/when appropriate 28

Tips & tricks

Tips & tricks Lab Environment Use a single virtual machine or physical server and forward the event logs locally Nested Event Logs All logs under Applications and Services Logs in the Windows Event Viewer AppLocker, Windows Defender, etc. We cannot collect these logs These are not supported by the WUC Use WEF to forward these to the Application, System, or HardwareEvents log These are supported by the WUC EVENTCREATE EVENTCREATE /T ERROR /ID 1000 /L APPLICATION /D "My custom error event for the application log EVENTCREATE /T ERROR /ID 1000 /L SYSTEM /D "My custom error event for the system log" 30

Please give me your feedback Session TB3044 Speaker Steve Maxwell Use the mobile app 1. Click on Sessions 2. Click on this session 3. Click on Rate Session Or use the hard copy surveys Thank you for providing your feedback, which helps us enhance content for future events. 31

Thank you