Windows firewall blocking event collection
We have some new windows 10 machines that have firewalls enabled.
I am having trouble seeing events from these workstations in ESM. I can see domain events but that's not good enough.
Does anyone know what ports need to be open on these windows 10 machines so that a connector installed on a server can pull these events?
Is it 49153??
Thanks in advance for any help you can provide
You can find related information on ArcSight Port and Protocol Information.
Thanks for your reply.
I had already seen that document, I'm afraid.
After looking in the winc agent logs it appears the RPC connection is being blocked by our firewalls.
Hopefully this helps someone else out
Windows Unified and WINC use port 445 to connect to their destinations. WinRM uses a different protocol and port, if I am not wrong 5985 for plain text and 5986 for ssl.
I will second steve-m's suggestion because workstation logs are fairly complex: you don't know when they are online or offline, and trying to constantly pull logs from them is extremely inefficient. Forward them to a central Windows server and collect logs from there if you can.
I'd recommend looking at Windows Event Forwarding (WEF) to get the logs from your workstations to a central Windows server and then collecting the logs from there using the SmartConnector. There are many benefits to doing this and it's easy to set up. I documented this exact use case here: Collecting Windows Event Logs Using Windows Event Forwarding
Our environment has a very specific reason for being set up the way it is, but I do understand that generally a WEF setup is the way to go.
For reference, if anyone else has firewalls enabled on 2016/10, I would suggest enabling the Distributed Transaction Coordinator rules in the firewall and allowing connections only from the connectors. It solved the problem for us, and you don't have to enable huge port ranges.
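The last post's fix, scoping the built-in Distributed Transaction Coordinator rule group to the connector hosts instead of opening the dynamic RPC range, as an added PowerShell example (not from the thread, not ArcSight code). It assumes it runs elevated on the Windows 10/2016 host being collected from; the addresses in $ConnectorHosts and $Workstation are constructed placeholders.

```powershell
# Added example, not from the thread. Assumption: run from an elevated PowerShell
# on the Windows 10 / Server 2016 host whose event logs the SmartConnector pulls.
# Placeholder addresses: replace with your own connector server(s).
$ConnectorHosts = @('192.0.2.10', '192.0.2.11')

# The rule group the thread's author enabled. The rules ship with Windows Firewall
# but are disabled by default.
$Group = 'Distributed Transaction Coordinator'

# Only inbound rules matter here: the workstation accepts the connector's RPC
# connection, it never initiates one.
$rules = Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -ErrorAction Stop

# Restrict the remote scope to the connector hosts *before* enabling, so the rules
# never spend a moment accepting connections from "Any".
$rules | Set-NetFirewallRule -RemoteAddress $ConnectorHosts
$rules | Enable-NetFirewallRule

# Verify: show each rule in the group with its port filter and remote-address scope,
# so a reviewer can confirm nothing is wider than intended.
foreach ($r in (Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound)) {
    $port = $r | Get-NetFirewallPortFilter
    $addr = $r | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $r.DisplayName
        Enabled       = $r.Enabled
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
}

# From the connector server side, a reachability check for the ports named earlier
# in the thread: 445 for WINC/Windows Unified, 5985 (HTTP) / 5986 (HTTPS) for WinRM.
# $Workstation is a placeholder host name.
$Workstation = 'WS-EXAMPLE'
foreach ($p in 445, 5985, 5986) {
    Test-NetConnection -ComputerName $Workstation -Port $p |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

The verification loop is the part worth keeping in a change ticket: it records which rules were enabled and that RemoteAddress is the connector list rather than Any, which is the difference between "collection works" and "RPC endpoint mapper exposed to the whole subnet".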