...
For these, either of the event collection methods (Method 1 or Method 2 below) can be used. Examples: OS events, Audit events (see Enable Audit Logs) and Driver Framework events such as USB events, CD drive events etc. (see Enable Driver Framework events from Windows).
Type 2: Windows-based Application events -
...
- Base OS: Please use the instructions in the link below to configure nxlog:
Nxlog Configuration for Windows AD Logs
- Application events from MSSQL: Please use the instructions in the link below:
Configuring logs from Windows MSSQL server - Nxlog configuration
- Application events from DNS: Please use the instructions in the link below:
Configure Logs from Windows DNS server - Nxlog configuration
- Application events from DHCP: Please use the instructions in the link below:
Configuring DHCP logs from DHCP server using Nxlog - Windows DHCP Nxlog configuration
- Application events from IIS: Please use the instructions in the link below:
Configuring logs from Windows IIS server - Nxlog configuration
- Application events from MS Exchange: Please use the instructions in the link below:
Windows MS Exchange Nxlog configuration for MS Exchange server
- Application events from SMTP: Please use the instructions in the link below:
Configuring Windows SMTP server using Nxlog configuration
Note: In certain scenarios, if the partner/customer can mount the application events location on the collector or on any other centralized location, then both event collection options can be used.
...
Once the Windows Collector is up and running, subscriptions can be added to it for all the remote Windows machines in the same domain from which logs have to be forwarded. For subscriptions, please refer to the instructions in the link:
Event collection at Windows Collector computer - Collection at Windows Collector Server
Step 3- Forward events from Source computers to the Windows Collector:
To enable events to be forwarded from the remote computers to the Windows Collector, the steps that need to be performed are in the link:
Event forwarding from Source Windows Computers - Server
Step 4- Forward events from Windows Collector to CCE using Nxlog Configuration:
Once the events are forwarded from the remote Windows machines to the Windows Collector, nxlog on the collector computer needs to be configured to in turn forward the collected events to our CCE. To configure this, please refer to:
Nxlog Configuration for Windows AD Logs
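As an added example (not from this page or its linked configuration pages), an nxlog configuration for the Windows Collector that reads the ForwardedEvents channel, where the WEF subscriptions from Step 3 deliver the source computers' events, and sends them as JSON over TCP to the CCE. The install path, the CCE host name `cce.example.internal` and port 514 are assumptions; replace them with your environment's values.

```conf
## nxlog.conf on the Windows Collector (added example; install path and CCE host/port are assumptions)
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module      xm_json
</Extension>

# Events forwarded by the source computers land in the ForwardedEvents channel,
# not in the collector's own Security/System/Application logs.
<Input forwarded_events>
    Module      im_msvistalog
    # Remember the last read position so a service restart neither drops nor replays events
    SavePos     TRUE
    ReadFromLast TRUE
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Tag each record with the collector so the CCE can tell forwarded events from local ones
    Exec        $Collector = hostname_fqdn(); to_json();
</Input>

<Output to_cce>
    Module      om_tcp
    Host        cce.example.internal
    Port        514
</Output>

<Route forwarded_to_cce>
    Path        forwarded_events => to_cce
</Route>
```

Records read from ForwardedEvents keep the originating machine in their Hostname field, so the added Collector field identifies the relay without hiding the source computer.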
For threat indicators generated:
Threat Indicators Generated from Windows Events