
The Universal Collector (UC) can collect Windows events. The Windows versions supported for remote collection are Windows 2003 R2 (32/64-bit), Windows 2008 (32/64-bit), Windows 2008 R2 (64-bit) and Windows 7 (32/64-bit).

Note: The Universal Collector forwards Windows logs to the LMI appliance over an LMI connection. Windows logs collected by the UC are forwarded in a format based on the SNARE format; the two formats are not identical, and subtle differences may exist for certain messages.

Collecting Windows Event Logs in Agent Mode (Windows only)

Configuring UC in agent mode for local collection of Windows event logs is straightforward:

1. Create a Windows log source.

2. Optionally fine-tune the Windows Audit Policy.

When collecting Windows logs, all log source configuration files (XML files) must refer to the same Windows journals, although their filters can differ. If the journals differ, the logs are collected twice.

Collecting Windows Event Logs in Collector mode (Windows, RHEL, SuSE, Solaris)

There are 3 main steps to use the Collector mode:

Step 1 - Collecting Logs

Step 2 - Editing Registry of Remote Windows Log Sources (RHEL, SuSE and Solaris only)

Step 3 - Verifying Connection To Remote Windows Log Sources

Step 1 - Collecting Logs

Firewall filtering when a UC is installed on Windows

When a firewall is in the communication path of two Windows hosts, the firewall must be configured to allow communication between the hosts. To do so:

1. Make sure that RPC is allowed by opening the port 135/tcp (EPMAP service) on your firewall.

Figure 2 TCP port required for Windows log collection

2. Open another TCP port. This dynamic port may vary depending on the WEL configuration on the remote host.

3. To fix a specific port for WEL, connect to the polled Windows machine and launch dcomcnfg.exe in a cmd. A graphical window is opened.

4. Expand Components Services > Computers > My Computer > DCOM Config.

5. Right click on Windows Management and Instrumentation > Properties > click on EndPoints tab.

6. Click Add, then choose the Use static endpoint option, specify a port to use and validate.

7. Restart the Windows Management and Instrumentation service and its possible dependencies.

8. On the firewall, open the port specified in step 6.

Example of a UC log entry for a failed connection to the polled machine:

Date=2011-06-09 16:09:02,771 Level=WARN Message=COM ERROR : Could not connect err code = 0x800706ba RPC server is not available.

LS=10.11.21.152 Type=wmi

When a UC is installed on RHEL, SuSE or Solaris

To allow the collection between the Unix machine and the Windows machine via a firewall:

1. On the Windows machine, enter the following command to restrain the number of dynamic ports available for RPC:

netsh int ipv4 set dynamicport tcp start=10000 num=255

2. Restart the Windows machine for the changes to be applied.

3. On the firewall, allow the TCP range 10000-10255, the TCP 135, and the TCP 445.

Using Non-Admin Accounts For Remote Windows Log Source

This chapter describes how to collect remote Windows Event Logs without using Windows domain administrator accounts.

To configure non-admin domain accounts, you must have access to Windows Event Logs.

Note: If you are using Windows domain administrator account in your log source files, you can skip this chapter.

Access To Windows Event Logs For Non-Administrators Domain Account

LogLogic uses the standard Microsoft Windows Event Logs and DCOM interfaces to collect the event logs remotely. Depending on the Microsoft server configuration, normal domain users have no access.

1. Make sure that the user cannot change the password at next logon and that the password never expires.

2. Configure the DCOM connection by running DCOMCNFG.exe on the Log Source.

3. In the Component Services main screen, go to Component Services > Computers.

4. Right click on My Computer and select Properties.

The My Computer Properties screen is displayed.

5. Click on the COM Security tab and click on the Edit Default button in Launch and Activation Permissions.

6. Add your service user and grant all permissions: Local and Remote Launch and Local and Remote Activation.

Figure 3 Launch and Activation Permission

7. Start ServerManager.msc to configure Windows Event Logs Remote Access.

8. Go to Configuration > WMI Control > open the WMI Control Properties.

9. Select the Security tab.

Figure 4 Windows Event Logs Control Properties

10. Select ROOT/CIMV2 and press the Security button to configure the settings. The Service User needs the access rights as in the screenshot below.

Figure 5 Windows Event Logs Control Properties

11. Make sure that This namespace and subnamespaces is selected in the list box.

Note: When configuring a new Windows Log Source, only newly generated Windows events are collected, not the events already present in the current journals.

Access To Windows Event Logs For Non-Administrators Domain Account

Non-Administrators domain accounts are not allowed to access Windows Event Logs.

This procedure describes how to modify channel access to allow a specific user to access a specific Windows event log (for Windows 7, 2008 and 2008 R2).

For Windows 2003 Server or distribution via group policy, read the following article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323076 .

1. Enter the following command to obtain the user’s SID:

wmic useraccount where name="UserAccountName"

The SID has the following format and will be used in step 4:

"S-1-5-21-590568947-3456742368-1768217800-1003"

2. Open the command prompt and run the following command to dump out the SDDL for the system log.

wevtutil gl system

3. Copy out the channelAccess: entry.

channelAccess:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA) ...(A;;0x1;;;IU)

4. Remove "channelAccess:" at the beginning and add "(A;;0x1;;;<SID>)" at the end.

Before:

channelAccess:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA) ...(A;;0x1;;;IU)

After:

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA) ...(A;;0x1;;;IU)(A;;0x1;;;<SID>)

This will add an entry in the ACL in order to:

authorize (i.e. A) read access (i.e. 0x1) for the user (i.e. <SID>).

5. Apply the ACL with the following commands:

wevtutil sl system /ca:"O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA) ... (A;;0x1;;;IU)(A;;0x1;;;<SID>)"

6. For each Windows Event Log, repeat step 2 to 5.

The ACL is different for each Windows Event Log, so the wevtutil command has to be run each time.

e.g. 1 - Security Windows Event Log:

wevtutil gl security

wevtutil sl security /ca:"O:BAG:SYD:(...)(A;;0x1;;;<SID>)"

e.g. 2 - Application Windows Event Log:

wevtutil gl application

wevtutil sl application /ca:"O:BAG:SYD:(...)(A;;0x1;;;<SID>)"

e.g. 3 - Any Windows Event Log:

wevtutil gl AnyWindowsEventLog

wevtutil sl AnyWindowsEventLog /ca:"O:BAG:SYD:(...)(A;;0x1;;;<SID>)"
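Steps 2 to 5 above are repeated per channel, and running "wevtutil sl" twice with the same SID would append the ACE twice. The following script, an added example and not part of the LogLogic documentation, does the read-grant for several channels at once and skips channels that already carry the ACE; it assumes an elevated prompt on the polled Windows host, wevtutil.exe on the PATH, and a script file name of your choice (Grant-ChannelRead.ps1 is hypothetical).

```powershell
# Added example (not LogLogic code): grant read access (0x1) on event log channels
# to one SID by editing the channelAccess SDDL with wevtutil, as in steps 2 to 5.
param(
    [Parameter(Mandatory = $true)][string] $Sid,                      # from step 1, e.g. S-1-5-21-...-1003
    [string[]] $Channels = @('System', 'Security', 'Application'),    # logs the UC will poll
    [switch] $Apply                                                   # without -Apply only print the new SDDL
)

if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $Sid" }
$ace = "(A;;0x1;;;$Sid)"   # A = allow, 0x1 = read, trustee = the account's SID

foreach ($channel in $Channels) {
    $config = & wevtutil gl $channel | Out-String             # step 2: dump the channel configuration
    if ($LASTEXITCODE -ne 0 -or $config -notmatch 'channelAccess:\s*(\S+)') {
        Write-Warning "${channel}: no channelAccess entry (channel missing or access denied)"
        continue
    }
    $sddl = $Matches[1]                                        # steps 3/4: SDDL without the channelAccess: prefix
    if ($sddl -notmatch 'D:' -or $sddl -match 'S:\(') {
        # Appending after a SACL section would put the ACE in the wrong list
        Write-Warning "${channel}: unexpected SDDL layout, edit it by hand: $sddl"
        continue
    }
    if ($sddl.Contains($ace)) {
        Write-Output "${channel}: $Sid already has read access, nothing to do"
        continue
    }
    $newSddl = $sddl + $ace                                    # step 4: append the read ACE to the DACL
    Write-Output "${channel}: $newSddl"
    if ($Apply) {
        & wevtutil sl $channel "/ca:$newSddl"                  # step 5: the ACL differs per channel
        if ($LASTEXITCODE -ne 0) { Write-Warning "${channel}: wevtutil sl failed with exit code $LASTEXITCODE" }
    }
}
```

Run it first without -Apply to review the resulting SDDL for each channel; the Security log in particular has a different default ACL, which is why the script re-reads the SDDL for every channel instead of reusing one string.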

Create a test connection via WMIC; the additional Windows Event Logs should now be available, e.g.

wmic:root\cli>/node:192.126.56.100 /user:lab\alice /password:admin123! nteventlog list brief

FileSize  LogfileName        Name                                                     NumberOfRecords
69632     Directory Service  C:\Windows\System32\Winevt\Logs\Directory Service.evtx  12
69632     Internet Explorer  C:\Windows\System32\Winevt\Logs\Internet Explorer.evtx  0
3215360   Security           C:\Windows\System32\Winevt\Logs\Security.evtx           4667
1118208   System             C:\Windows\System32\Winevt\Logs\System.evtx             296

If Event Log folders are still missing, create the CustomSD REG_SZ value within each folder type.

Step 2 - Editing Registry of Remote Windows Log Sources (RHEL, SuSE and Solaris only)

You can collect up to 1000 MPS from up to 500 Windows hosts when the UC is installed on a RHEL, SuSE or Solaris operating system. To do so, log in to the target remote host as an Administrator.

Local Security Settings

1. Start the control panel and go to Administrative Tools > Local Security Policy.

This will open up the Local Security Settings screen.

2. Go to Local Policies > Security Options > Network access: Sharing and security model for local accounts and switch to Classic.

This procedure can only be applied on Windows computers that are not part of a domain.

Remote Registry Service

The Remote Registry service must be running to allow the collection from a remote UC under RHEL, SuSE or Solaris.

1. Go to the control panel and open Administrative Tools > Services.

2. Locate the Remote Registry service on the list and start this service.

3. Change the startup type to Automatic.

WBEM Scripting Locator

1. Run the program Regedit.

If you are asked to allow the Regedit program to make changes to the computer, click Yes.

2. Navigate to the Registry item:

HKEY_CLASSES_ROOT\CLSID\{76a64158-cb41-11d1-8b02-00600806d9b6}

3. Right click on this item and select Permissions.

4. Click Advanced and select the Owner tab.

5. In the Change Owner to... box, highlight the account you are currently logged on and click OK.

6. Click OK again and right click the registry item.

7. Select Permissions and highlight the Administrators group.

8. Give Full Control permissions to this group by checking the Allow box and click OK.

Caution: A UC installed on RHEL, SuSE or Solaris cannot collect events from a Windows machine that is a Read Only Domain Controller (RODC).


Step 3 - Verifying Connection To Remote Windows Log Sources

To test the Windows Event Logs connection and results, you can use a small tool shipped with Windows. This is only available in Collector mode.

1. Open a command line interface and enter the following command:

wmic /node:%host% /user:%domain%\%serviceaccount% /password:%password% nteventlog list brief

Example of Input:

wmic /node:192.168.56.100 /user:lab\alice /password:admin123! nteventlog list brief

Example of Output:

FileSize  LogfileName        Name
69632     Internet Explorer  C:\Windows\System32\Winevt\Logs\Internet Explorer.evtx
3215360   Security           C:\Windows\System32\Winevt\Logs\Security.evtx

If an "access denied" error message occurs, the Windows Event Logs or DCOM configuration is wrong.

2. Test the connection with a domain admin account. Additionally, a reboot after the configuration steps might be useful.

3. Test the connection via the GUI.
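The wmic test above has to be typed per host and reports only a raw error. The script below, an added example that is not part of the LogLogic documentation, runs the same query (Win32_NTEventlogFile is the class behind the wmic nteventlog alias) against each polled host with the service account and classifies the two failures this document discusses: "RPC server is not available" (0x800706BA, the code in the UC log example in Step 1) and "access denied" (0x80070005). It requires Windows PowerShell 5.1, because Get-WmiObject goes over DCOM like the UC does (Get-CimInstance would use WinRM and test a different path); the host list and account name are placeholders.

```powershell
# Added example (not LogLogic code): WMI/DCOM connectivity check for polled Windows
# log sources, with the failure classification used in this document.
param(
    [string[]] $Hosts = @('192.168.56.100'),     # polled Windows log sources (placeholder)
    [string]   $User  = 'lab\alice'              # UC service (non-admin) account (placeholder)
)
$cred = Get-Credential -UserName $User -Message 'Password of the UC service account'

foreach ($h in $Hosts) {
    try {
        # Same query as "nteventlog list brief"; -ErrorAction Stop turns failures into exceptions
        $logs = Get-WmiObject -ComputerName $h -Credential $cred -Namespace 'root\cimv2' `
                              -Class Win32_NTEventlogFile -ErrorAction Stop
        # Same columns as the wmic output above; a log that is missing from this list
        # usually means its channel ACL still lacks the account's read ACE
        $logs | Select-Object @{ n = 'Host'; e = { $h } }, LogfileName, FileSize, NumberOfRecords |
            Format-Table -AutoSize
    }
    catch {
        $hr = '{0:X8}' -f $_.Exception.HResult          # e.g. 800706BA, as in the UC log example
        switch ($hr) {
            '800706BA' { Write-Warning "${h}: RPC server unavailable (0x$hr): check 135/tcp and the dynamic DCOM port on the firewall (Step 1)" }
            '80070005' { Write-Warning "${h}: access denied (0x$hr): check COM Security and ROOT/CIMV2 rights for $User" }
            default    { Write-Warning "${h}: 0x$hr $($_.Exception.Message)" }
        }
    }
}
```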

Filtering Windows Logs

It may be required to minimize Windows Audit events generated by certain UC activities via one of the following methods:

1. Removal of "Object Access/Success" from the audit policy on Windows log sources. (For further details, reference Audit Policy Management on Windows below.)

2. Review the current Security Access Control List (SACL) settings for the Windows Event Logs namespace \\root\CIMV2, and verify that Enable Account/Successful is not checked for the accounts/groups to which the UC connects. If necessary, create a new policy for the UC for which Enable Account/Successful is not checked.

Note: if necessary, inheritance of SACL may have to be disabled for that namespace.
