masta_blasta1

Can't get any events from Windows 2008 R2 (not domain)

Hi!

I have 2 ArcSight servers (software installation): connapp and logger. On the connapp server I have installed the "Microsoft Windows Event Log – Unified" connector to collect events from a few remote win2008 r2 servers (they are not included in a domain). In the connector configuration I used the local Windows "Administrator" user to connect to the security logs. The local "Administrator" has privileges to read from the "security" event log. When I execute "get status" on the "Microsoft Windows Event Log – Unified" connector I can see that the connector can read the security events count from the remote win2008r2 PCs, but the connector doesn't send any events to logger! At the logger search I can see only events of type: "

Can anybody clarify what the problem is here?

Is there some trick when collecting events from non-domain Windows systems?

chenselein1

Re: Can't get any events from Windows 2008 R2 (not domain)

When you execute the Command "Get Device Status" - what does your output look like?

Can you also get the last few hundred lines of the agent.log (also via Command) to see if the Connector maybe has problems with the privileges?

BR,

Christoph

thoman

Re: Can't get any events from Windows 2008 R2 (not domain)

Please use remote win2008 r2 servers' hostname as domain name.

masta_blasta1

Re: Re: Can't get any events from Windows 2008 R2 (not domain)

Hi, Christoph!

When I execute "Get Device Status" I get "true" status behind the win2008 sources.

And I attached part of the agent.log.

masta_blasta1

Re: Re: Can't get any events from Windows 2008 R2 (not domain)

Hi, Thoman!

This is interesting - I just can't try it yet!

Can I ask you: does it really work? Have you faced something similar?

aaron.wayne@hpe1

Re: Can't get any events from Windows 2008 R2 (not domain)

Someone correct me if I am wrong here, but anytime I have used the Windows Unified Connector the parameters for domain need to be filled out. Now, whether this is in the global parameters or you have to make the entry manually per machine on the following screen, I am almost certain you have to have something entered for domain.

The events that you are getting are ArcSight events for the connector, not Windows events. I know I am stating the obvious there, but I just had to get that out there. You will get these ArcSight system events for any connector that is installed and running if you are stopping and/or starting the connector.

I believe you need to have the machines with a domain entry in order for retrieval to work. I am not 100% sure, so someone please clarify, but this is the only way I have ever seen the connector working.

The connector will behave much like any other connector: there is a parser that is hidden on SmartConnectors, and you can't see how or what the connector is parsing, but the parser is there. If I were a betting man, there is a regex statement that looks for the domain entry, and if it is not there then this is why you are not seeing CEF events.

TIP: Do a search in your environment for name Is NULL. If you see a bunch of unparsed Windows events, then you know that is likely the problem.

Hope this helps!!

thoman

Re: Re: Can't get any events from Windows 2008 R2 (not domain)

Yes, it works for me. You should use the administrator user account or create a new account via the following steps:

On the Windows Server 2008 Workgroup:

1. Go to Settings -> Control Panel -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups -> Users.

2. Create a new Local User, such as arcsight.

3. Go to Settings -> Control Panel -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups -> Groups.

4. Open the Event Log Readers group and add this new Local User arcsight to this group.

5. Open the Power Users group and add this new Local User arcsight to this group.

6. Go to Settings -> Control Panel -> Administrative Tools -> Local Security Policy -> Security Settings -> Local Policies -> Security Options.

7. Open the Network access: Sharing and security model for local accounts policy.

8. Set this policy to the option: Classic – local users authenticate as themselves.

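As an added example (not code from the thread or from ArcSight), the following PowerShell applies the eight steps above on the workgroup host and then verifies them. It assumes the account name arcsight from the post, a placeholder password you must replace, and that the Classic setting corresponds to the ForceGuest registry value (0 = Classic) under the Lsa key.

```powershell
# Added example, not part of the original thread: scripts the local-account
# steps from the post above on a Windows Server 2008 R2 workgroup host and
# verifies the result. Run from an elevated PowerShell on that host.
# Assumptions: account name "arcsight" as in the post; the password below is a
# placeholder; "Classic - local users authenticate as themselves" is stored as
# the ForceGuest value under the Lsa key (0 = Classic, 1 = Guest only).
# ADSI is used because 2008 R2 ships PowerShell 2.0, which has no New-LocalUser.

$User     = 'arcsight'
$Password = 'REPLACE-WITH-A-STRONG-PASSWORD'      # placeholder, change before use
$Groups   = @('Event Log Readers', 'Power Users') # steps 4 and 5 of the post
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

function Get-LocalGroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.Members() | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Steps 1-2: create the local user only if it does not exist yet.
$existing = $computer.Children |
    Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $User }
if (-not $existing) {
    $account = $computer.Create('user', $User)
    $account.SetPassword($Password)
    $account.SetInfo()
    $account.Put('Description', 'ArcSight Windows event log collection')
    $account.SetInfo()
}

# Steps 3-5: add the account to Event Log Readers and Power Users.
foreach ($name in $Groups) {
    if ((Get-LocalGroupMemberNames $name) -notcontains $User) {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
        $group.Add("WinNT://$env:COMPUTERNAME/$User,user")
    }
}

# Steps 6-8: sharing and security model = Classic. Under "Guest only", network
# logons with a local account are mapped to Guest, which cannot read the
# Security log, so the collector must authenticate as itself.
Set-ItemProperty -Path $LsaKey -Name ForceGuest -Value 0 -Type DWord

# Verification: the three settings the collection account depends on.
New-Object PSObject -Property @{
    UserExists      = [bool]($computer.Children |
                        Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $User })
    EventLogReaders = ((Get-LocalGroupMemberNames 'Event Log Readers') -contains $User)
    PowerUsers      = ((Get-LocalGroupMemberNames 'Power Users') -contains $User)
    ClassicModel    = ((Get-ItemProperty -Path $LsaKey).ForceGuest -eq 0)
}
```

All four fields of the final object should report True before pointing the connector at the host with this account.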