Lieutenant

Can't get any events from Windows 2008 R2 (not domain)

Hi!

I have a 2-server ArcSight software installation: connapp and logger. On the connapp server I have installed the "Microsoft Windows Event Log – Unified" connector to collect events from a few remote win2008 r2 servers (they are not included in a domain). In the connector configuration I used the local Windows "Administrator" user to connect to the security logs. The local "Administrator" has privileges to read from the "security" event log. When I execute "get status" of the "Microsoft Windows Event Log – Unified" connector I can see that the connector can read the security event count from the remote win2008r2 PCs, but the connector doesn't send any events to logger! At the logger search I can see only events of type: "

Can anybody clarify what the problem is here?

Is there some trick when collecting events from non-domain Windows systems?

Absent Member.

When you execute the Command "Get Device Status" - what does your output look like?

Can you also get the last few hundred lines of the agent.log (also via Command) to see if the Connector maybe has problems with the privileges?

BR,

Christoph

Cadet 2nd Class

Please use the remote win2008 r2 servers' hostname as the domain name.

Lieutenant

Hi, Christoph!

When I execute "Get Device Status" I get a "true" status behind the win2008 sources.

And I attached part of the agent.log.

Lieutenant

Hi, Thoman!

This is interesting, I just can't try it yet!

Can I ask you: does it really work? Have you faced something similar?

Absent Member.

Someone correct me if I am wrong here, but any time I have used the Windows Unified Connector the parameters for domain needed to be filled out. Now, whether this is in the global parameters or you have to make the entry manually per machine on the following screen, I am almost certain you have to have something entered for domain.

The events that you are getting are ArcSight events for the connector, not Windows events. I know I am stating the obvious there, but I just had to get that out there. You will get these ArcSight system events for any connector that is installed and running if you are stopping and/or starting the connector.

I believe you need to have the machines with a domain entry in order for retrieval to work. I am not 100% sure, so someone please clarify, but this is the only way I have ever seen the connector working.

The connector will behave much like any other connector: there is a parser that is hidden on smart connectors, and you can't see how or what the connector is parsing, but the parser is there. If I were a betting man, there is a regex statement that looks for the domain entry, and if it is not there, then this is why you are not seeing CEF events.

TIP: Do a search in your environment for "name Is NULL". If you see a bunch of unparsed Windows events, then you know that is likely the problem.

Hope this helps!!

Cadet 2nd Class

Yes, it works for me; you should use the administrator user account or create a new account via the following steps:

On the Windows Server 2008 Workgroup:

1. Go to Settings -> Control Panel -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups -> Users.

2. Create a new Local User, such as arcsight.

3. Go to Settings -> Control Panel -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups -> Groups.

4. Open the Event Log Readers group and add this new Local User arcsight to this group.

5. Open the Power Users group and add this new Local User arcsight to this group.

6. Go to Settings -> Control Panel -> Administrative Tools -> Local Security Policy -> Security Settings -> Local Policies -> Security Options.

7. Open the Network access: Sharing and security model for local accounts policy.

8. Set this policy to the option: Classic – local users authenticate as themselves.

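The eight GUI steps in the reply above can be scripted, which is handy when several workgroup servers need the same dedicated collection account. The following PowerShell is an added example and is not from the thread or from ArcSight; it uses `net user` / `net localgroup` rather than the newer `New-LocalUser` cmdlets because Windows Server 2008 R2 ships with PowerShell 2.0. It assumes the account name `arcsight` from the post, a placeholder password you must replace, and that the "Network access: Sharing and security model for local accounts" policy is stored in the `ForceGuest` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (0 = Classic, 1 = Guest only). The `Test-CollectorAccount` function is a hypothetical helper added for verification.

```powershell
# Added example (not the thread's or ArcSight's own code). Run in an elevated
# PowerShell session on the workgroup Windows Server 2008 R2 host that the
# connector reads from. Automates steps 1-8 from the reply above.

$userName = 'arcsight'                           # account name from the post
$password = 'REPLACE-WITH-A-STRONG-PASSWORD'     # placeholder: set a real value

# Steps 1-2: create the dedicated local account if it does not already exist.
# net user / net localgroup are used because PowerShell 2.0 on 2008 R2 has no
# New-LocalUser / Add-LocalGroupMember cmdlets.
net user $userName > $null 2>&1
if ($LASTEXITCODE -ne 0) {
    net user $userName $password /add /comment:"ArcSight event log collection"
}

# Steps 3-4: Event Log Readers is the built-in group whose members may read all
# event logs, including Security, so this is the membership that actually
# grants the connector read access.
net localgroup "Event Log Readers" $userName /add

# Step 5: the reply also adds the account to Power Users; kept here to match
# the post. Omit it if Event Log Readers alone is sufficient in your environment.
net localgroup "Power Users" $userName /add

# Steps 6-8: "Network access: Sharing and security model for local accounts".
# ForceGuest = 1 ("Guest only") maps remote logons with local accounts to the
# Guest account, which cannot read the Security log; ForceGuest = 0 is
# "Classic - local users authenticate as themselves".
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsaPath -Name ForceGuest -Value 0 -Type DWord

# Hypothetical verification helper: returns $true only when the account is in
# Event Log Readers and the policy is Classic, so a rollout script can stop
# early on a host that was not configured correctly.
function Test-CollectorAccount {
    param([string]$Name)

    $members    = net localgroup "Event Log Readers"
    $inGroup    = [bool]($members | Where-Object { $_.Trim() -eq $Name })
    $forceGuest = (Get-ItemProperty -Path $lsaPath).ForceGuest
    $isClassic  = ($forceGuest -eq 0)

    Write-Host ("Event Log Readers member : {0}" -f $inGroup)
    Write-Host ("Sharing model is Classic : {0}" -f $isClassic)
    return ($inGroup -and $isClassic)
}

Test-CollectorAccount -Name $userName
```

After running it, re-run "Get Device Status" on the connector; if the device still reports `true` but no Windows events reach Logger, the domain-parameter point raised earlier in the thread (using the host's own name as the domain value) is the next thing to check.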