Is there a doc showing how to monitor a Windows/AD system?

I see there are many different collectors available for different items in AD or Windows.

I see there is the Agent Manager for Windows Agents, but I cannot quite nail down what Agents can collect vs what a Collector can collect?

I am at a point where I do not yet know WHAT I want to collect, since I do not know what I CAN collect.  So first, what is available to collect (from what format? agent or collector), then I can pick and choose the elements I need, I suppose.

Or start more simply:  How are the Agents different from Collectors, specifically in the context of Windows and Active Directory?

  • 0  

    SAM will essentially collect anything that's in the Windows Event logs (and possibly other logs as well).  You install an agent (managed or unmanaged) and configure a policy telling the agent what to collect.  The agent then sends these events on to a "Central Computer", which then forwards to Sentinel itself.

    Sentinel Collectors tend to be agentless, whereas SAM is an agent-based solution.  Windows doesn't have a native syslog client, so SAM was the solution to that.

  • 0   in reply to   

    That is a helpful distinction.  So the SAM is mostly for Event log stuff.

    What if you want to watch file system operations?  Delete/move of files, say.  Which would be the better way?  Is there a way?

    There was a WMI collector, is that still around, or does the SAM do that?

  • 0   in reply to   

    Well, I don't know exactly what Windows has the ability to log with respect to file system events (perhaps just object access - success|failure), but I think filesystem audit events would be classed as Security events, so in that respect they would be sent to Sentinel via the Security Event log, which SAM collects by default.

    SAM has default policies for the System, Security, Directory Services, DNS and File Replication event logs (System and File Replication are disabled by default).  You also have the ability to create new data collection policies, so if you have an application that uses the Windows Event logging service then you can create a policy for that.  Outwith the Windows event logs, there is an option to create an application policy for a "generic single line log file".  Lastly, you have the ability to filter specific events, with a lot of default filter policies already in place (see screenshot).

    Note - I think if you check the SAM Users Guide as opposed to the Admin guide, then you should get more information on what can be collected.

    The WMI Collector was part of the older WECS (Windows Event Collection Service) solution.  Basically, SAM has an agent that sends events to Sentinel, whereas WECS was agentless and retrieved the events.  I remember WECS being quite challenging to configure, as it required you to open up RPC and WMI access to the Windows boxes (albeit secured with ACLs).  SAM by comparison has Managed (installed and managed by SAM) and Unmanaged agents (install it yourself).  I think also, with WECS, if you wanted to collect anything other than the Windows event log then it involved mounting file systems.  Although it has been a long time since I looked at it.

  • Suggested Answer

    0   in reply to   

    Hi Geoffrey,

    You can configure Windows to audit its file system: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11). That would generate events in the Windows Event Log for various activities.

    Depending on what you want to audit, Change Guardian might offer you more choices.

    Historically, Sentinel offers

    - pull-based Windows event collection with the WECS connector

    - push-based Windows event collection using Agent Manager agents.

    For both, raw data is parsed by the Active Directory and Windows collector.

    Nowadays you can also use ArcSight SmartConnectors: https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors-8.4/ Those give you the ability to collect from the Vista-style event logs as well, and to process data from WEF, PowerShell, Sysmon and other applications. SmartConnectors normalize events into the Common Event Format (CEF) and forward them to Sentinel through the Syslog Connector. The Connector then forwards the events to the Universal Common Event Format Collector for parsing.
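The file-system auditing referred to in the two replies above (the "Security events" guess and the Microsoft link) comes down to two settings on the Windows side plus a way to read the result back. The following is an added example, not code from the thread or from Sentinel/SAM: it enables the "File System" audit subcategory, puts a SACL on a folder so delete, rename and write operations are audited, then pulls the matching 4663/4660 events out of the Security log in the shape an agent (SAM, a SmartConnector, or WEF) would forward. The folder path `C:\Data\Sensitive` and auditing `Everyone` are assumptions; run it in an elevated session on the server being audited.

```powershell
# Added example (not from the thread): enable Windows file-system auditing so that
# delete/rename/write operations on a folder land in the Security event log, then
# read them back. Run elevated. The folder path and audited identity are assumptions.

$AuditedPath = 'C:\Data\Sensitive'   # assumed folder; narrow this, 4663 volume grows fast

# 1. Turn on the Object Access > "File System" subcategory for success and failure.
#    The GUID form avoids locale-dependent subcategory names.
auditpol.exe /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

# 2. Add a SACL entry to the folder. Delete and rename both require DELETE access on the
#    object, so auditing Delete covers "who removed or renamed this file"; the write rights
#    catch modifications. Inherit to child files and folders.
$acl       = Get-Acl -Path $AuditedPath -Audit
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData, WriteAttributes'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule      = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditedPath -AclObject $acl

# 3. Read the resulting events. 4663 = "An attempt was made to access an object" and
#    carries ObjectName/AccessMask; 4660 = "An object was deleted" and carries only the
#    HandleId, so it has to be correlated with the preceding 4663 for the same handle.
$filter = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Subject  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            HandleId = $d['HandleId']
            Object   = $d['ObjectName']
            Access   = $d['AccessMask']      # 0x10000 = DELETE
            Process  = $d['ProcessName']
        }
    } |
    Where-Object { $_.Id -eq 4660 -or $_.Object -like "$AuditedPath*" } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Two practical caveats: the subcategory setting is overwritten by Group Policy if an Advanced Audit Policy is applied to the host, so set it in the GPO rather than locally on domain members; and the SACL, not the audit policy, decides how noisy this is, so scope it to the folders you actually care about before pointing an agent at the Security log.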