t.lilly1 Absent Member.

Alternate Windows Event Forwarding Event Map

On page 37 and 38 of the MicrosoftWindowsEventLogUnifiedConfig.pdf there are some options for "Customize Event Source Mapping"

I need to map all Application, System, and Security Forwarded Events in the ForwardedEvents location.

The guide is not very clear how to do this.

Can anyone provide expertise regarding the mapping and possible parser override?

Thanks in advance.

10 Replies
seniorj@bennett Absent Member.

Re: Alternate Windows Event Forwarding Event Map

Troy, there are a few steps here that you should follow.

For a few probably legacy reasons, using traditional ForwardedEvents does not actually work.

You will have to configure your collector to send logs to HardwareEvents instead.

The Connector will wisely know to map these into application, security, and system as appropriate for your application.

Ping me if you can't figure it out with this small tip, I can help document a fair bit of what I have going on to get you going.

john.robinson21 Honored Contributor.

Re: Alternate Windows Event Forwarding Event Map

Hello JP Senior,

I am also trying to forward events. I have already installed a WUC on 'Server A' and I am receiving local events from Server A into ESM. I now want to forward events from Server B, C, D to Server A. After I set up a subscription on Server A and have the events forwarded to Server A, will they populate into ESM? Or do I have to install another connector, change a setting, etc.?

Thank you,

seniorj@bennett Absent Member.

Re: Alternate Windows Event Forwarding Event Map

The SmartConnector will look at logs that are locally in the 'HardwareEvents' folder of the Windows Event Log on Server A only. You will have to set up WinRM subscriptions for servers B, C, and D to send logs to server A. Once they are in server A, all logs from servers A-D will be collected by the WUC on Server A and forwarded into ESM.

mikand Absent Member.

Re: Alternate Windows Event Forwarding Event Map

That sounds odd; how come ArcSight can't just fetch the events placed in the "ForwardedEvents" log?

seniorj@bennett Absent Member.

Re: Alternate Windows Event Forwarding Event Map

Mikand, Windows uses the 'ForwardedEvents' folder differently. There is a long thread discussing some of the implications on Protect724. It seems that Windows uses a different data storage location for ForwardedEvents that the SmartConnector software simply cannot see. If you open up the event sources in your registry editor you will actually see that there is not one for "ForwardedEvents", aka, the Windows Event Log service doesn't think these are truly 'local'. "HardwareEvents" does have this registry entry, so the SmartConnector is able to utilize it.

raymond.doty Established Member.

Re: Alternate Windows Event Forwarding Event Map

The good news is that it is being worked on. They had a talk about the new Windows connector (it will be called Windows Native) at Protect this year. It will be able to read the ForwardedEvents log (in addition to custom event logs).

JP is correct though: if you are going to use the WUC, it cannot read the 'ForwardedEvents' log file; you must use the HardwareEvents log (the short version is that the WUC uses JCIFS, and JCIFS uses really old API calls into Windows eventing, old as in Windows 2000 old. There were drastic event log changes in the Vista/Win2008 timeframe). I don't have timing on the new connector; I am being told it is 'soon'.

seniorj@bennett Absent Member.

Re: Alternate Windows Event Forwarding Event Map

I'm really looking forward to not having to use the categorizer map files! That's great news, Ray!

john.robinson21 Honored Contributor.

Re: Alternate Windows Event Forwarding Event Map

Thanks JP, and thanks to all who commented. JP, you are correct. Once I modified the connector using the Connector setup wizard, I ran the wizard, changed the Custom Log Names column to HardwareEvents (no space), then went to my WEC server, Event Viewer, Subscription folder, right-clicked on the server within the subscription, selected Properties, and ensured the destination log was set to Hardware Events.

Microsoft and TechNet also provide great documentation on how to set up Windows Event Forwarding. Please view their sites as well in order to set up Windows Event Forwarding via Group Policy or using a domain Windows user account.

ECS1 Contributor.
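As an added check (an example script written for this thread, not from the original posts or from the connector vendor), the following PowerShell confirms on the WEC collector (Server A) the two things the replies above depend on: that the legacy EventLog registry key has an entry for HardwareEvents but not for ForwardedEvents, and that the subscription's destination log is HardwareEvents. The subscription name is a placeholder you must replace; running it requires local administrator rights.

```powershell
# Added example: verify a WEC collector is set up the way the WUC needs.
# Assumptions: run on the collector (Server A) as an administrator;
# $SubscriptionName is a placeholder for your own subscription.
$SubscriptionName = 'PLACEHOLDER-SubscriptionName'
$LegacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# 1) Which logs are registered for the legacy (pre-Vista) event log API?
#    The WUC reads through that API, so a log missing here is invisible to it.
$legacyLogs = (Get-ChildItem -Path $LegacyKey).PSChildName
foreach ($name in 'ForwardedEvents', 'HardwareEvents') {
    $visible = $legacyLogs -contains $name
    '{0,-16} legacy registry entry present: {1}' -f $name, $visible
}

# 2) Where does the subscription deliver forwarded events?
#    wecutil gs prints a "LogFile:" line with the destination log.
$gs = wecutil gs $SubscriptionName 2>&1
$match = $gs | Select-String -Pattern '^\s*LogFile:\s*(.+)$' | Select-Object -First 1
if (-not $match) {
    throw "Could not read subscription '$SubscriptionName': $($gs -join ' ')"
}
$logFile = $match.Matches[0].Groups[1].Value.Trim()
"Subscription '$SubscriptionName' destination log: $logFile"

if ($logFile -ne 'HardwareEvents') {
    Write-Warning "Destination log is '$logFile'; the WUC will not read it."
    Write-Warning "Change it with: wecutil ss $SubscriptionName /lf:HardwareEvents"
}

# 3) Sanity check that forwarded events are actually arriving: count recent
#    HardwareEvents records and list the source computers they came from.
$recent = Get-WinEvent -LogName HardwareEvents -MaxEvents 50 -ErrorAction SilentlyContinue
$sources = ($recent.MachineName | Sort-Object -Unique) -join ', '
"Recent HardwareEvents records: $($recent.Count); source computers: $sources"
```

If step 3 lists only Server A itself, the subscription on B, C and D is not delivering yet, regardless of what the connector wizard shows.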

Re: Alternate Windows Event Forwarding Event Map

We are just setting up WEC for the first time and discovering these nuances. By any chance does anyone know if there has been any progress on the new connector? We really do not want to go through the effort of configuring map files when a new connector is coming out.

raymond.doty Established Member.

Re: Alternate Windows Event Forwarding Event Map

Your best bet is to either open a support case or go through your sales rep. Customers generally are under NDA not to talk about upcoming features. Sorry for the bland answer.
