
Event collection from Windows hosts


Hello Guys!

I've got a few questions about connectors for Windows, and I'd really appreciate some help with them because I've got a bit lost.

Firstly, what's the difference between the 3 connectors:

Windows Event Log: it uses WSMan and ports 5985, 5986; Linux install only

Windows Event Log - Native: RPC, port 135 and some high ports; Windows install only

Windows Event Log - Unified: SMBv1, port 445; Linux/Windows install

Unified would be a good option if it weren't for SMBv1 only (seems a bit insecure).

At first sight the configuration of Native is a pain. Then there's the simple "Windows Event Log" connector, which would also be a good call, but let's say we are unable to get a Linux connector host.

Are there any major differences in the methods they use, and any future plans for SMBv2+ support on Unified? I saw some differences in IPv4 and IPv6 support, but right now that's irrelevant. What's the best way of collecting those darn events from a Windows server (pref. 2k16)?


Regards, Thomas


Accepted Solution
Acclaimed Contributor.

Hi Thomas69,

I will give a very clear and simple answer.

I would recommend you to forget the WUC (Unified); it is a very old ArcSight technology that has been much improved upon by WiNC (Native). WiNC is more powerful, easier to configure and manage, permits collecting more Windows log types, and is completely integrated with Windows, as it uses the Windows API. IPv6 is supported and, believe me, it works very well: stable and efficient.

The main difference is that WUC works in PULL mode and WiNC works in PUSH mode (only one inbound connection for binding an RPC port) => no latency, higher EPS, easier to fine-tune.

The last one is only if you use WEC + Certificate, which is mandatory if the WECs are located in a different domain than the source hosts, for example in Tier 0, where you cannot accept inbound connections by the Security Access Policy. In this case your WEC will be outside Tier 0, probably in a different domain, thus the communication between the hosts (Tier 0) and the WEC is only supported by certificate (HTTPS), confirmed by Microsoft. Not easy to configure and manage.
WEC is a Microsoft technology to forward events to a remote location. WEF/WEC means Windows Event Forwarder / Windows Event Collector (2 modes for subscriptions: source/destination initiated).

If you have to collect Windows logs from a few hosts, I recommend using WiNC directly, but if you have to collect Windows logs, you need to use WECs, and then WiNC will collect the logs from the Forwarded Events category where the logs are located on your WECs.

Personally, I am using this setup for workstation log collection (50000 hosts), thus I have set up 11 WECs (to be increased to 21) and 3 WiNC SmartConnectors.

To conclude, I would say that the WiNC SmartConnectors are among the best ArcSight connectors. Without WEC, to collect AD logs, we get them with less than 2 seconds of delay, and for workstations we are able to collect Security events, Sysmon and PowerShell logs for 50000 hosts without any caching issues or loss of logs.

If you have any question about the sizing or the configuration or anything else, do not hesitate to contact me. 

Thanks
Kind Regards

Michael

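The WEC + certificate (HTTPS) arrangement Michael describes for Tier 0 hosts, as an added worked example that is not part of this thread, of the ArcSight connectors, or of Microsoft's documentation: the collector-side commands, a source-initiated subscription that only accepts forwarders whose client certificate chains to a named issuer, and the checks to run before pointing WiNC at ForwardedEvents. The subscription name, the issuer and collector thumbprints, the collector FQDN and the chosen Event IDs are placeholders chosen for illustration; the registry value at the end is the forwarder-side policy that tells Tier 0 hosts where to push.

```powershell
# Added example, not from the thread. Run elevated on the collector (Windows Server 2016 assumed).
# Placeholders (assumptions): replace before use.
$SubscriptionName      = 'Tier0-Security'                                  # assumed name
$ForwarderIssuerCA     = '0123456789ABCDEF0123456789ABCDEF01234567'        # placeholder: CA that issued forwarder client certs
$CollectorCertThumb    = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'        # placeholder: collector server-auth cert
$CollectorFqdn         = 'wec01.mgmt.example.com'                          # assumed collector FQDN

# 1. Collector service + HTTPS WinRM listener on 5986 (no HTTP/5985 listener is needed for this flow).
wecutil qc /q
winrm quickconfig -transport:https -quiet
# If no suitable certificate was picked automatically, bind one explicitly:
# New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $CollectorCertThumb -Force

# 2. Source-initiated (push) subscription. Forwarders in another domain authenticate with a
#    certificate; only the listed issuer is trusted. Domain-joined forwarders in the collector's
#    own domain are allowed via the SDDL (DC = Domain Computers).
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Tier 0 Security events, forwarder-initiated over HTTPS</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="900000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <!-- Illustrative selection: logons, privileged logon, process creation, account/group changes -->
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTPS</TransportName>
  <TransportPort>5986</TransportPort>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers>
    <AllowedIssuerCAList><IssuerCA>$ForwarderIssuerCA</IssuerCA></AllowedIssuerCAList>
  </AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath

# 3. Checks: the listener is HTTPS-only, the subscription is active, and forwarders have checked in.
winrm enumerate winrm/config/listener
wecutil gs $SubscriptionName
wecutil gr $SubscriptionName          # per-source runtime status; "Active" means the host is pushing

# 4. Confirm events are landing in the log WiNC will read on this collector.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 |
  Select-Object TimeCreated, MachineName, Id, ProviderName |
  Format-Table -AutoSize

# 5. Forwarder-side counterpart (normally delivered by Group Policy, shown here as the registry
#    value it writes): "Configure target Subscription Manager". The IssuerCA entry makes the
#    forwarder select a client certificate issued by that CA for the HTTPS session.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$target    = "Server=HTTPS://${CollectorFqdn}:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=$ForwarderIssuerCA"
# New-Item -Path $policyKey -Force | Out-Null
# Set-ItemProperty -Path $policyKey -Name '1' -Value $target
Write-Output "Forwarder SubscriptionManager value: $target"
```

On each forwarder the local NETWORK SERVICE account also needs read access to the Security log (membership in the built-in Event Log Readers group is the usual way), or the subscription reports Active while nothing arrives. The HTTPS transport in step 1 is also what makes the first connector in Thomas's list (WSMan on 5986) work without the SMBv1 dependency he objects to in Unified.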

3 Replies

Trusted Contributor.

Thank You for the explanation, made a lot things clear 😎

Micro Focus Expert

Please review this; WiNC is your option going forward: SmartConnector Recommendations for Windows Event Log Collection
