UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21. Read more.
UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21.Read more.
This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
michael_hoang
Captain
Captain
‎2017-12-16 05:48
394 views

SmartConnector for Windows Event Viewer cannot capture Workstation Name

Jump to solution

Dear all,

 

I am using SmartConnector 7.7.0 to capture Windows Event Viewer from Windows Server 2012R2.

For Event ID 4625 (RPD Logon Failed), We cannot see the Source Network/Hostname in SIEM.

From the Event viewer, this information is captured as Workstation Name. Why does not this information send to ESM?

Capture.JPG

 

 

Due to this limitation, we do not know exactly which computer tries logging to monitored server.

Is there anyway that we can see these information in SIEM?

 

Regards,

Anh

0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
Marijo Mandic
Fleet Admiral
Fleet Admiral
‎2017-12-18 11:51

Jump to solution

Hello,

you are welcome.

Please try following procedure and let me know if you can see this information by using this method ?
https://community.softwaregrp.com/t5/Share-Documentation/How-to-Map-Additional-Data-from-Windows-Events-pdf/ta-p/1585389

Regards,

Marijo

View solution in original post

Reply
Report Inappropriate Content
3 Replies
Marijo Mandic
Fleet Admiral
Fleet Admiral
‎2017-12-18 08:03

Jump to solution

Hello,

1) Please let me know are you using Microsoft Windows Event Log – Native (WiNC) or Microsoft Windows Event Log – Unified (WUC) SmartConnector ?
2) Enable RAW events on SmartConnector and then observe if you have this information (WorkstationName) in RAW event ?
3) KB that covers enabling RAW event:
https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM1270081

Regards,

Marijo

0 Likes
Reply
Report Inappropriate Content
michael_hoang
Captain
Captain
‎2017-12-18 10:18

Jump to solution

Hi Marijo,

Thank you for your response.

 

Please find my answer as below:

1. Using SmartConnector for Windows Native

2-3. Enabled Preserve Raw Event and I can see that information in Raw Event. However, it does not show in ESM Event.

 

Regards,

Anh

0 Likes
Reply
Report Inappropriate Content
Marijo Mandic
Fleet Admiral
Fleet Admiral
‎2017-12-18 11:51

Jump to solution

Hello,

you are welcome.

Please try following procedure and let me know if you can see this information by using this method ?
https://community.softwaregrp.com/t5/Share-Documentation/How-to-Map-Additional-Data-from-Windows-Events-pdf/ta-p/1585389

Regards,

Marijo

View solution in original post

Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.