marc.bouchard1 Absent Member.

WUC for Windows Server 2012


Hi, I saw I'm not the only one who needs it, and I can't believe WUC for Windows Server 2012 is not yet supported within ArcSight. We started an important implementation for one of our customers of 'cloud' services based on Windows Server 2012 and I would like to simply add these new servers within the ArcSight actual scope (many hundred 2008 servers)...

So, is it a question of 'official' documentation not updated? What should I do to make sure we will deploy a supported solution...

Regards.

Marc Bouchard

0 Likes
6 Replies
sreekanthk881 Absent Member.

Re: WUC for Windows Server 2012

Hi Marc,

Even I am looking for the ArcSight compatibility on W2K12 servers as we are in the phase of migration. Any documentation from ArcSight will be helpful. Please share if you get something.

Regards,

Sreekanth Nair

0 Likes
superman Respected Contributor.

Re: WUC for Windows Server 2012

" on WUC, still "

Here are my 1.5 cents.

I have not worked with WUC since the release of 2008R2; however, I implemented other ways to collect Windows logs into ArcSight ESM - Snare Agent and lightweight Syslog-ng agent. We used Windows domain policies to configure syslog-ng agents, which ensured unified configuration/encryption/filtering. There have to be other ways to collect MS Windows logs.

Here are a few things to consider:

Bandwidth available

Acceptable resource utilization on target hosts (MS Windows 2012)

Your objectives (what Event IDs you NEED to get, or just all current OS/Audit events ...)

Y.

0 Likes
LakeHealthInfoS Outstanding Contributor.

Re: WUC for Windows Server 2012

All,

I have an ArcSight Express implementation (Manager, Logger, Web, and Connector) all in one, with 1 Logger dual homed above, three Connector Appliances.

I am monitoring the server environment: 30% 2003, 60% 2008, and 10% 2012 and 2012 R2.

I use Smart Connector 7.0.2 and 7.0.4, and my WUCs all pull in Security / System / Application logs from all flavors of Windows Server just fine.

Content revision 7011: make sure you load this on the ESM Manager in the correct location, opt\arcsight\manager\updates, and it will push out to all registered connectors.

No issues with any of the 2012 servers and no failed parsing.

0 Likes
vianney1 Absent Member.

Re: WUC for Windows Server 2012

Bonjour Marc,

As per the documentation at

W2k12 server has been a supported event source since March 2013 and R2 supported since June 2014.

If your question is regarding installing a WUC on a Windows Server 2k12 machine, then you should be just fine as well. According to it is an officially supported platform to install connectors on.

hth,

V

0 Likes
james.pedersen@ Absent Member.

Re: WUC for Windows Server 2012

Hi Marc,

We just ran into an issue with 2012 R2 where the connector appears to be using SMBv1 and the 2012 server wouldn't respond. Packet captures revealed the SMB attempt from the connector and a RST ACK from the 2012 boxes. To resolve it, we first checked to see if SMBv1 is enabled.

From PowerShell:

Get-WindowsFeature -Name FS-SMB1

If it says "Available" then it's not installed or enabled. To install, from PowerShell:

Add-WindowsFeature -Name FS-SMB1

This will require a reboot to be fully functional. To validate it's enabled, run this from PowerShell:

Get-SmbServerConfiguration | Select EnableSMB1Protocol

If it shows False, run this to enable it:

Set-SmbServerConfiguration -EnableSMB1Protocol $True

This shouldn't require a reboot once the feature is installed.

One of our engineers opened a case to see if we can tweak the connector to use something other than SMBv1; in the meantime, this worked for us.

0 Likes
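
The two checks from the reply above, combined into a read-only inventory (an added example, not part of the original posts and not ArcSight tooling), so that servers carrying the SMB1 workaround can be listed and revisited once the connector no longer needs SMBv1. The function name Get-Smb1Exposure and the host names are hypothetical; it assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example: report SMB1 state on WUC collection targets. Changes nothing on the hosts.
# Get-Smb1Exposure and the host names at the bottom are hypothetical.
function Get-Smb1Exposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($computer in $ComputerName) {
        $row = [ordered]@{
            ComputerName = $computer
            FeatureState = $null    # Installed / Available / Removed / NotListed
            Smb1Enabled  = $null
            Smb2Enabled  = $null
            Smb1Active   = $null
            Error        = $null
        }
        try {
            # Run both checks from the thread on the target in one remoting call.
            $state = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                $feature = Get-WindowsFeature -Name FS-SMB1
                $smb     = Get-SmbServerConfiguration
                [pscustomobject]@{
                    FeatureState = if ($feature) { [string]$feature.InstallState } else { 'NotListed' }
                    Smb1Enabled  = [bool]$smb.EnableSMB1Protocol
                    Smb2Enabled  = [bool]$smb.EnableSMB2Protocol
                }
            }
            $row.FeatureState = $state.FeatureState
            $row.Smb1Enabled  = $state.Smb1Enabled
            $row.Smb2Enabled  = $state.Smb2Enabled
            # Assumption: a host that does not list the feature is judged on the
            # protocol setting alone, so it is not silently reported as safe.
            $row.Smb1Active   = ($state.FeatureState -in 'Installed', 'NotListed') -and $state.Smb1Enabled
        }
        catch {
            # Unreachable host, or an OS without these cmdlets: keep the row, record why.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

Get-Smb1Exposure -ComputerName 'wuc-target-01', 'wuc-target-02' |
    Sort-Object Smb1Active -Descending |
    Format-Table -AutoSize
```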
ralphw Trusted Contributor.

Re: WUC for Windows Server 2012

My understanding is that HP internally uses an open source component which can only deal with SMB1 protocol. SMB2 support is the default for Windows 2012 Server, and SMB1 has some security issues.

So when will ArcSight be in a position to support SMB2 collection in the Windows Unified Connector? This seems like one of those situations where a small amount of money can be thrown at an open source project, and everybody benefits.

0 Likes