
SmartConnector for Windows Event Viewer cannot capture Workstation Name

Dear all,

 

I am using SmartConnector 7.7.0 to capture Windows Event Viewer from Windows Server 2012R2.

For Event ID 4625 (RDP Logon Failed), we cannot see the Source Network/Hostname in SIEM.

From the Event Viewer, this information is captured as Workstation Name. Why is this information not sent to ESM?

 

 

Due to this limitation, we do not know exactly which computer is trying to log on to the monitored server.

Is there any way that we can see this information in SIEM?

 

Regards,

Anh

Fleet Admiral

Hello,

1) Please let me know whether you are using the Microsoft Windows Event Log – Native (WiNC) or the Microsoft Windows Event Log – Unified (WUC) SmartConnector.
2) Enable RAW events on the SmartConnector and then check whether you have this information (WorkstationName) in the RAW event.
3) KB that covers enabling RAW events:
https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM1270081

Regards,

Marijo


Hi Marijo,

Thank you for your response.

 

Please find my answers below:

1. Using SmartConnector for Windows Native

2-3. I enabled Preserve Raw Event and I can see that information in the Raw Event. However, it does not show in the ESM Event.

 

Regards,

Anh

Fleet Admiral

Hello,

You are welcome.

Please try the following procedure and let me know if you can see this information by using this method:
https://community.softwaregrp.com/t5/Share-Documentation/How-to-Map-Additional-Data-from-Windows-Events-pdf/ta-p/1585389

Regards,

Marijo
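
The raw-event check from step 2 of the first reply can also be scripted. The following is an added example, not part of the original thread and not ArcSight code: it pulls the source fields out of a 4625 event and lists those with no counterpart in the SIEM record. It assumes the event is available in Event Viewer's XML layout; the sample event, host names, addresses and the `siem_event` dictionary are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SOURCE_FIELDS = ("WorkstationName", "IpAddress", "IpPort")

# Constructed sample: a failed logon (4625), trimmed to the relevant fields.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <Computer>SRV01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">CLIENT-PC07</Data>
    <Data Name="IpAddress">192.0.2.15</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>"""


def logon_source(event_xml):
    """Return the source fields of a 4625 event, or None for other event IDs."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    # Windows writes "-" for an empty field; report that as missing (None).
    return {k: (data[k] if data.get(k) not in (None, "", "-") else None)
            for k in SOURCE_FIELDS}


def missing_in_siem(event_xml, siem_event):
    """Names of source fields present in the raw event whose value appears
    nowhere in the SIEM record (siem_event: hypothetical field -> value dict)."""
    src = logon_source(event_xml) or {}
    seen = set(siem_event.values())
    return sorted(k for k, v in src.items() if v and v not in seen)


if __name__ == "__main__":
    # Constructed SIEM record in which the workstation name was not mapped.
    siem = {"destinationHostName": "SRV01.example.test",
            "destinationUserName": "administrator",
            "sourceAddress": "192.0.2.15"}
    print(logon_source(SAMPLE_4625))
    print(missing_in_siem(SAMPLE_4625, siem))
```

A non-empty result matches the situation described in the thread: the field is in the raw event but was dropped in mapping, which is what the additional-data mapping procedure linked above addresses.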
