Acclaimed Contributor.

WinC (Windows Native Connector) overview

You can find more information on WiNC which is updated here: The WiNC guide: Q&A, Resources, Best Practices, Tips

  • Definitions
  • Overview
  • Why WINC
  • Tangibilitized
  • Summary
  • FAQ
  • Additional information
Absent Member.

Thanks a lot for your help Guys. Much Appreciated.

Outstanding Contributor.

Thanks Ofer,

Is there a way to specify events to exclude using the WiNC event filter? i.e. send every security event except [list of event IDs]...?

Super Contributor.

Randy,

Look at the Protect 2015 presentation from Rin Ure from Microsoft on this subject here:

https://protect724.hp.com/docs/DOC-13134#comment-13425

The topic was:

B5390 - Learn from Microsoft how to forward Windows events into HP ArcSight at an enterprise scale

I haven't started investigating WiNC (or WEF) yet, but when I do, I will start by rereading the lessons learned in Rin's presentation.

Cheers,

Carl

Outstanding Contributor.

Excellent - thanks Carl....

Outstanding Contributor.

I took a quick look at the doc - it talks a lot about the prep work on the WEC side to get things staged for ArcSight collection via WUC. It's a good read.

For now we have a simple test case with a single WiNC connector, collecting events from 1 remote host, as well as the local host where the connector is installed. We're looking at an option in the WiNC connector setup (multiple host parameters) that lets us define events to filter at the source. This is the Filter parameter; the SmartConnector document includes these bits:

Event Filter

Filters that apply at the time of event collection from the event source to the connector are supported. With this support, events in which you have no interest can be filtered out, making better use of resources.

Filter

This is a filter you can get from the Microsoft event viewer when you want to collect particular events. You can copy the filter text to this field. For more information, see “Configure a Filter.”

I might be missing something really obvious. There are a few heavy hitters in the Windows event stream that would be default values for all hosts in this field. But based on these descriptions ("filtered out" vs. "want to collect particular events"), I'm not clear if the values added to this field are included in or excluded from the event collection.

Micro Focus Expert

I did some testing of this today. This is an include filter: what events do I want the Connector to process and send along to Express/ESM/Logger. Everything else is excluded or dropped.

Here are some scenarios I tested. There are two that don't work, but don't make sense to use. There are some that work that don't make sense to use as well. I'll try to track down an answer on the range of event IDs (900-1000); this would be nice to have.

Works

*[System[(EventID=800 or EventID=900 or EventID=1000)]]

-events with IDs of 800, 900, or 1000

*[System[Provider[@Name='EventCreate']]]

-events from EventCreate

*[System[Provider[@Name='EventCreate'] and (Level=2)]]

-error events from EventCreate

*[System[(Level=2 or Level=4 or Level=0)]]

-error or informational events

*[System[(Computer='win7.example.com')]]

-events from a particular computer

*[System[(Computer='win7.example.com' or Computer='windows.example.com')]]

-events from particular computers

-comma separated: win7.example.com, windows.example.com

*[System[Security[@UserID='S-1-5-21-440319974-3384363281-3865861254-500']]]

-events from a particular user

-Microsoft does not allow multiple users; this has to be a particular user

Does not Work

*[System[( (EventID >= 900 and EventID <= 1000) )]]

-events with IDs of 900 - 1000; in Event Viewer this is written as "900-1000"

-this would be a nice one to be able to do

*[System[TimeCreated[timediff(@SystemTime) <= 3600000]]]

-events last hour

-this doesn't make sense to use

*[System[band(Keywords,36028797018963968)]]

-events with specific keywords

-this doesn't make sense to use

Respected Contributor.
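The post above shows that the WiNC filter is an include list and that the Event Viewer range form ("900-1000") is not accepted, while the enumerated "EventID=800 or EventID=900 ..." form is. As an added example (not from the thread or from Micro Focus), this Python snippet expands a range spec into the enumerated form and models the include semantics against constructed event XML; it assumes the enumerated form keeps working for longer lists, which the thread does not confirm.

```python
import re
import xml.etree.ElementTree as ET

# Default namespace used by Windows event XML (as seen in Event Viewer's XML tab).
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def build_event_id_filter(spec):
    """Turn '800, 900-903' into the enumerated include filter the thread shows working.
    Assumption: long enumerated lists are accepted by the connector's Filter field."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:  # Event Viewer range syntax, expanded because WiNC rejects it
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    terms = " or ".join(f"EventID={i}" for i in sorted(ids))
    return f"*[System[({terms})]]"


def event_ids_in_filter(xpath):
    """Extract the EventID values enumerated in a filter string."""
    return {int(m) for m in re.findall(r"EventID=(\d+)", xpath)}


def apply_include_filter(events_xml, xpath):
    """Model the connector behaviour described in the thread: an event is forwarded
    only if its EventID is in the filter; everything else is dropped."""
    wanted = event_ids_in_filter(xpath)
    root = ET.fromstring(events_xml)
    forwarded, dropped = [], []
    for ev in root.findall("e:Event", EVENT_NS):
        eid = int(ev.find("e:System/e:EventID", EVENT_NS).text)
        (forwarded if eid in wanted else dropped).append(eid)
    return forwarded, dropped


# Constructed sample events (not real captures), trimmed to the fields used here.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="EventCreate"/><EventID>800</EventID><Level>4</Level></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="EventCreate"/><EventID>901</EventID><Level>2</Level></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><Level>0</Level></System></Event>
</Events>"""

if __name__ == "__main__":
    flt = build_event_id_filter("800, 900-903")
    print(flt)
    print(apply_include_filter(SAMPLE_EVENTS, flt))  # ([800, 901], [4625])
```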

Hi,

Has anyone tried to check if it is possible to apply "OUT" filters? For example: collect all events except event 4625.

Thanks,

Guido

Micro Focus Expert

Another quick note: when you are in the Event Viewer finding the syntax for the filter (the XML tab below), note that you can't filter by log at this level (i.e. Security vs. Application vs. System). And in the hosts table in the Connector, the filter will apply to all of the logs that are checked off per host. So there will need to be some consideration for how the filter is configured and how the hosts table is set up.

This might not make sense until you see it. And on Fridays nothing seems to make sense to me. 😉

Outstanding Contributor.

Steve, many thanks, have a great weekend.

New Member.

Would you be able to briefly cover how to set up remote host collection with the WiNC agent that's similar to the older WUC, without using subscriptions / Windows Event Forwarding? Also, if you know what protocols this agent would use to do that in comparison to the old WUC, that would be very helpful.

Micro Focus Expert

The setup is the same when you're not using Subscriptions/Windows Event Forwarding, you just wouldn't select that option in the hosts table. See my presentation from Protect 2015 which covers some of the different configurations with and without Windows Event Forwarding. Also see the port/protocols information below.

B3558 – Using Windows Event Forwarding with Windows Native and Unified SmartConnectors
ArcSight Port and Protocol Information
