Oliver843 Honored Contributor.

Windows firewall blocking event collection

Hello,

We have some new Windows 10 machines that have firewalls enabled.

I am having trouble seeing events from these workstations in ESM. I can see domain events but that's not good enough.

Does anyone know what ports need to be open on these Windows 10 machines so that a connector installed on a server can pull these events?

Is it 49153??

 

Thanks in advance for any help you can provide

Oliver

Knowledge Partner

Re: Windows firewall blocking event collection

You can find related information in ArcSight Port and Protocol Information.

Oliver843 Honored Contributor.

Re: Windows firewall blocking event collection

Hello @mr_ergene 

Thanks for your reply.

I had already seen that document, I'm afraid.

After looking in the WINC agent logs, it appears the RPC connection is being blocked by our firewalls.

Hopefully this helps someone else out.

Micro Focus Frequent Contributor

Re: Windows firewall blocking event collection

Oliver,

Windows Unified and WINC use port 445 to connect to their destinations. WinRM uses a different protocol and port: if I am not wrong, 5985 for plain text and 5986 for SSL.

I will second steve-m's suggestion because workstation logs are fairly complex: you don't know when they are online or offline, and trying to constantly pull logs from them is extremely inefficient. Forward them to a central Windows server and collect logs from there if you can.
Micro Focus Expert

Re: Windows firewall blocking event collection

I'd recommend looking at Windows Event Forwarding (WEF) to get the logs from your workstations to a central Windows server and then collecting the logs from there using the SmartConnector. There are many benefits to doing this and it's easy to set up. I documented this exact use case here: Collecting Windows Event Logs Using Windows Event Forwarding

Oliver843 Honored Contributor.

Re: Windows firewall blocking event collection

Hi @steve-m and @Carlos Augusto 

Our environment has a very specific reason for being set up the way it is, but I do understand that generally a WEF format is the way to go.

For reference, if anyone else has firewalls enabled on 2016/10, I would suggest enabling the Distributed Transaction Coordinator rules in the firewall and allowing connections only from the connectors. It solved the problem for us and you don't have to enable huge port ranges.
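
The approach described in the last reply, as an added PowerShell example that is not part of the original thread: it enables the inbound rules of the built-in rule group on the event source and limits them to the connector hosts, then reads the rules back to confirm the scope. The group name is assumed to be the English display name, and the connector addresses are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: scope the "Distributed Transaction Coordinator" firewall group
# to the SmartConnector hosts only. Run on the Windows 10 / 2016 event source.

# Assumption: placeholder addresses (TEST-NET-1); replace with your connector servers.
$ConnectorAddresses = @('192.0.2.10', '192.0.2.11')
# Assumption: English display name of the built-in rule group.
$Group = 'Distributed Transaction Coordinator'

$rules = Get-NetFirewallRule -DisplayGroup $Group -ErrorAction Stop |
    Where-Object { $_.Direction -eq 'Inbound' }

# Enable the inbound rules and allow only the connectors as remote peers.
$rules | Set-NetFirewallRule -Enabled True -RemoteAddress $ConnectorAddresses

# Read the rules back so the resulting scope can be checked.
$current = Get-NetFirewallRule -DisplayGroup $Group |
    Where-Object { $_.Direction -eq 'Inbound' }

$report = foreach ($rule in $current) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
}
$report | Format-Table -AutoSize

# Flag any enabled rule in the group that is still reachable from any address.
$tooOpen = $report | Where-Object { $_.Enabled -eq 'True' -and $_.RemoteAddress -eq 'Any' }
if ($tooOpen) {
    Write-Warning "Rules still reachable from any address: $($tooOpen.Rule -join '; ')"
}
```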
