t.lilly1

Event Collector for Windows Event Forwarding - Windows OS Version

1. Windows OS version host information:

We would like to take advantage of AD for source host information of the workstations which are collected via the WEC. However, we want to be clear of the functionality of the Forwarded Event Collection Parameters.

The SmartConnector Configuration Guide for Microsoft Windows Event Log - Unified states on pages 22 and 23 that the OS version will default to Windows 2008 if it is not specified, or is specified incorrectly, for the host information.

If we do populate these parameters with an account that can read the domain from which the workstations originate, will this ONLY provide host information, or will it begin to attempt to collect logs from these hosts? According to this Protect 24/7 post it will ONLY provide host information, and additional configuration of the hosts themselves (group policy, etc.) would be necessary for the logs to be captured: https://protect724.arcsight.com/message/20885#20885. This is the functionality we would expect, but we want to make certain we are understanding this correctly.

2. Logs for workstations from multiple domains on one WEC: What is the recommendation for the connector parameters when the WEC collects logs from multiple domains? If we are capturing host information from AD (mentioned in #1) and the AD credentials which we are using are valid only in their respective domain, how can we capture host information for multiple domains? What is the recommended configuration in this advanced scenario?

seniorj@bennett

Re: Event Collector for Windows Event Forwarding - Windows OS Version

Ty,

The WUC will collect forwarded events from all event sources if they appear in the custom event sources map, defaulted in the file customeventsouce.map.csv. 

If you set up your subscription to send logs to 'HardwareEvents', you have HardwareEvents added as a WUC log source, and the subscription exists, the WUC will pull logs on behalf of that host from the mapped event source regardless of whether your OS mapping is in place. The only WUC source you would need in the connector setup is the Windows Event Collector server itself.

The mapping does work, but it requires you to put in credentials for the LDAP bind.

At first, the connector won't even bother to try 2008, so when your connector starts up the first time, log into ESM and send a collector source info hosts update command.

To summarize, the only reasons I found that credentials exist are one or both of: a) default credentials when you add a new host in the host browser [not much luck here], or b) querying AD to map the OS type to forwarded events.

t.lilly1

Re: Event Collector for Windows Event Forwarding - Windows OS Version

Thanks for your reply.

We have it working and are able to capture the OS for the source hosts now.

However, if we move the location of the HardwareEvents storage folder to a larger drive like the D: drive, the connector stops collecting the events.

Any ideas how to make the connector aware of the new storage location for the HardwareEvents?

seniorj@bennett

Re: Event Collector for Windows Event Forwarding - Windows OS Version

I haven't tried to move my event logs, but two ideas come to mind:

Check the registry entry hklm\system\currentcontrolset\services\eventlog\hardwareevents for the 'file' variable right there - I think this location is where ArcSight chooses which event sources to actually listen for.

The other one is a bit more heavy-handed but maybe more reliable - how about an NTFS symbolic link? (See the Wikipedia article "NTFS symbolic link".)

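The two ideas above, worked through as an added example (not code from the thread or from ArcSight): read the registry 'File' value that tells Windows where the HardwareEvents .evtx lives, then move the file to the larger drive and leave an NTFS symbolic link at the old path, so the registry value, and whatever the connector derives from it, stays unchanged. It assumes an elevated PowerShell 5.0 or later session on the WEC host and uses `D:\WinEvtLogs` as a placeholder target folder.

```powershell
# Added example, not from the thread. Relocates the HardwareEvents log file with an
# NTFS symbolic link so the path recorded in the registry keeps resolving.
# Assumptions: elevated PowerShell 5.0+ on the WEC host; $NewDir is a placeholder.
$Channel = 'HardwareEvents'
$RegKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Channel"
$NewDir  = 'D:\WinEvtLogs'   # placeholder: the real folder on the larger drive

# 1. Where does Windows say the log file lives? ('File' is REG_EXPAND_SZ.)
$regFile = (Get-ItemProperty -Path $RegKey -Name File -ErrorAction Stop).File
$curPath = [Environment]::ExpandEnvironmentVariables($regFile)
Write-Host "Registry File value : $regFile"
Write-Host "Resolved path       : $curPath"
wevtutil gl $Channel | Select-String 'logFileName'   # cross-check against channel config

# 2. Nothing to do if an earlier run already replaced the file with a link.
$existing = Get-Item -Path $curPath -ErrorAction Stop
if ($existing.LinkType -eq 'SymbolicLink') {
    Write-Host "Already a symbolic link -> $($existing.Target)"
    return
}

# 3. Release the file, move it, and leave a symbolic link at the old path.
#    The Event Log service holds an open handle on an enabled log, so logging on
#    this channel is switched off for the duration of the move. If wevtutil cannot
#    disable this log, Move-Item fails with a file-in-use error and nothing changes.
New-Item -ItemType Directory -Path $NewDir -Force | Out-Null
$newPath = Join-Path $NewDir (Split-Path $curPath -Leaf)
wevtutil sl $Channel /e:false
try {
    Move-Item -Path $curPath -Destination $newPath -ErrorAction Stop
    New-Item -ItemType SymbolicLink -Path $curPath -Target $newPath -ErrorAction Stop | Out-Null
}
finally {
    wevtutil sl $Channel /e:true     # the registry 'File' value is untouched either way
}

# 4. Verify: the old path still resolves and now points at the new drive.
$link = Get-Item -Path $curPath
if ($link.LinkType -ne 'SymbolicLink' -or $link.Target -notcontains $newPath) {
    throw "Symbolic link at $curPath was not created correctly"
}
Write-Host "OK: $curPath -> $newPath"
```

Re-check the connector's collection after the move; because the registry entry still names the original path, no connector-side change should be needed.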
t.lilly1

Re: Event Collector for Windows Event Forwarding - Windows OS Version

An NTFS symbolic link worked great.

Thanks for the idea!
