Can't get any events from Windows 2008 R2 (not domain)
I have 2 ArcSight software server installations: connapp and logger. On the connapp server I have installed the "Microsoft Windows Event Log – Unified" connector to collect events from a few remote Win2008 R2 servers (they are not included in a domain). In the connector configuration I used the local Windows "Administrator" user to connect to the security logs. The local "Administrator" has privileges to read from the "Security" event log. When I execute "get status" on the "Microsoft Windows Event Log – Unified" connector I can see that the connector can read the security event count from the remote Win2008 R2 PCs, but the connector doesn't send any events to Logger! In the Logger search I can see only events of type: "
Can anybody clarify what the problem is here?
Is there some trick to collecting events from non-domain Windows systems?
When you execute the command "Get Device Status", what does your output look like?
Can you also get the last few hundred lines of the agent.log (also via Command) to see if the connector maybe has problems with the privileges?
Someone correct me if I am wrong here, but any time I have used the Windows Unified Connector the parameters for domain needed to be filled out. Whether this is in the global parameters or you have to make the entry manually per machine on the following screen, I am almost certain you have to have something entered for domain.
The events that you are getting are ArcSight events for the connector not Windows events. I know I am stating the obvious there but just had to get that out there. You will get these ArcSight system events for any connector that is installed and running if you are stopping and/or starting the connector.
I believe you need to have the machines with a domain entry in order for retrieval to work. I am not 100% so someone please clarify but this is the only way I have ever seen the connector working.
The connector will behave much like any other connector: there is a parser that is hidden on SmartConnectors, and you can't see how or what the connector is parsing, but the parser is there. If I were a betting man, there is a regex statement that looks for the domain entry, and if it is not there then that is why you are not seeing CEF events.
TIP: Do a search in your environment for name Is NULL. If you see a bunch of unparsed Windows events then you know that is likely the problem.
Hope this helps!!
Yes, it works for me. You should use the Administrator user account or create a new account via the following steps:
On the Windows Server 2008 Workgroup:
1 Go to Settings -> Control Panel -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups -> Users.
2 Create a new Local User, such as arcsight.
3 Go to Settings -> Control Panel -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups -> Groups.
4 Open the Event Log Readers group and add this new Local User arcsight to this group.
5 Open the Power Users group and add this new Local User arcsight to this group.
6 Go to Settings -> Control Panel -> Administrative Tools -> Local Security Policy -> Security Settings -> Local Policies -> Security Options.
7 Open the Network access: Sharing and security model for local accounts policy.
8 Set this policy to the option: Classic – local users authenticate as themselves.
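The same eight steps, scripted on the Windows Server 2008 R2 workgroup host, plus the two checks I would run before touching the connector again. This is an added example, not code from the thread or from ArcSight; it assumes a collector account named `arcsight` (any name works), a password typed in at runtime, and a target host called `WIN2008R2-APP` in the final remote check. `New-LocalUser` does not exist on 2008 R2, so the account and group steps use `net user` / `net localgroup`; the "Network access: Sharing and security model" policy is the `ForceGuest` value under the LSA key (0 = Classic, 1 = Guest only).

```powershell
# Added example: scripts the workgroup account setup described in the
# answer above and verifies the result. Not from the original thread.
# Assumptions (hypothetical): account "arcsight", remote host WIN2008R2-APP.

$User = 'arcsight'
$Secure = Read-Host -AsSecureString "Password for $User"
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# Steps 1-2: create the local user (New-LocalUser is not available on 2008 R2).
& net user $User $Plain /add /passwordchg:no /expires:never

# Steps 3-5: group membership. "Event Log Readers" is what actually grants
# read access to the Security channel; "Power Users" is what the answer adds.
& net localgroup 'Event Log Readers' $User /add
& net localgroup 'Power Users' $User /add

# Steps 6-8: "Network access: Sharing and security model for local accounts"
# Classic (local users authenticate as themselves) = ForceGuest 0.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name ForceGuest -Value 0 -Type DWord

# Check 1 (local): the Security channel ACL must contain the
# Event Log Readers well-known SID S-1-5-32-573, otherwise the group
# membership above buys nothing.
$channel = & wevtutil gl Security
$aclLine = ($channel | Select-String 'channelAccess').ToString()
if ($aclLine -match 'S-1-5-32-573') {
    Write-Host 'OK: Event Log Readers has access to the Security channel'
} else {
    Write-Warning "Event Log Readers missing from Security channel ACL: $aclLine"
}

# Check 2 (run from the connector host, not this one): pull a single event
# remotely with the new account. If this fails with access denied, the
# connector will show the same problem; if it works, the problem is in the
# connector configuration (e.g. the domain/host fields), not in privileges.
# wevtutil qe Security /c:1 /r:WIN2008R2-APP /u:WIN2008R2-APP\arcsight /p:<password>
```

Run the script in an elevated PowerShell on the 2008 R2 box; the `wevtutil qe ... /r:` line at the end is meant to be typed on the connapp server, with the target's own host name as the "domain" part of the user name, which is the value the connector's domain field needs for a workgroup machine. Keep the plaintext password out of scripts in production; the `Read-Host -AsSecureString` dance here only exists because `net user` needs it as a string argument.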