Overview
This document provides the steps to integrate event collection on a Windows collector computer with Seceon SIEM, so that you have comprehensive visibility and proactive threat detection in your environment. Logs are transferred from your firewall to the APE (Analytics and Policy Engine) via the CCE (Collection and Control Engine). In this document, we guide you through the steps for log and NetFlow forwarding.
The Windows Event Collector service is responsible for managing continuous event subscriptions sourced from remote locations that support the Web Services-Management protocol. This includes event sources using the Intelligent Platform Management Interface (IPMI), hardware, and event logs. The Windows event log collector stores events that have been forwarded in a localized event log. If disabled or stopped, the service can no longer create event subscriptions, and forwarded events can’t be accepted.
Event collection enables administrators to retrieve events from a remote device and store the events in a fully centralized location. Events are stored on the collector computer’s local event logs. The event’s destination log path is a key subscription property. Event data is saved to the collector device’s event log, and any additional information related to event forwarding is added directly to the relevant event.
The Windows Event Collector service comes preinstalled but is set to manual startup. In its default configuration, the Windows Event Collector service logs on as the Network Service account. The service depends on two system components: the Windows Event Log service and HTTP.
Common mistakes:
Please make sure the points below are taken care of:
Make sure that you have selected all types of Windows logs, including Informational logs.
The collector should be added in the domain controller.
Admin credentials are provided.
Steps of configuration:
On the collector computer, run the following at an elevated command prompt:
1. PS C:\Users\Administrator> wecutil qc
Now create a new subscription:
2. On the collector computer, in the search box, run Event Viewer as an administrator.
3. Click Subscriptions in the console tree (on the left side).
4. Start the Windows Event Collector service. If the Windows Event Collector service is not started, you will be prompted to confirm that you want to start it. This service must be started to create subscriptions and collect events. You must be a member of the Administrators group to start this service.
5. On the Actions menu (on the right side), click Create Subscription.
6. In the Subscription Name box, type a name for the subscription.
7. In the Description box, enter an optional description.
8. In the Destination Log box, select from the dropdown the log in which collected events are to be stored. Please make sure that the collected events are stored in the "System" log.
9. Click Select Computers to choose the computers from which events are to be collected.
10. After adding a computer, you can test connectivity between it and the local computer by selecting the computer and clicking Test.
11. Click "Advanced" >> select "Specific User" >> enter the credentials of the admin user of the collector system.
12. Click Select Events to display the Query Filter dialog box. Use the controls in the Query Filter dialog box to specify the criteria that events must meet to be collected. In the "Event Level" section, check Critical, Warning, Verbose, Error and Information so that all events are collected.
In detail, steps 9 to 12 look as follows:
>> Click Add Domain Computers.
>> In the object name box, enter your computer names one by one.
>> Click Select Events.
>> Check all the event levels: Critical, Warning, Verbose, Error, Information.
>> Drop down "Event level".
>> In the "Event logs" dropdown, choose "Windows Logs" and tick its check box.
>> In the same Event logs dropdown, follow the path Applications and Services Logs > Microsoft-Windows-DriverFrameworks-UserMode, tick it and click OK.
For the Applications and Services logs:
1. Click + next to Applications and Services.
...
4. Check the box next to "DriverFrameworks-UserMode".
>> Then click the Advanced tab.
>> Select "Specific User" and then click User name and password.
>> Enter the username and password of an account with admin privileges.
13. Click OK. Then click OK on the Subscription Properties dialog box. The subscription will be added to the Subscriptions pane.
To check the status, right-click the subscription name and select "Runtime Status". If the operation was successful, the status of the subscription will be Active.
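The same subscription can be created from the command line instead of clicking through Event Viewer. The following PowerShell script is an added example written for this page; it is not Seceon's or Microsoft's code. It runs the wecutil quick-config from step 1, builds a collector-initiated subscription XML with the same settings the GUI steps select (destination log "System", all five event levels, the Windows Logs channels plus Microsoft-Windows-DriverFrameworks-UserMode, a "Specific User" account), creates it with wecutil cs, and prints the runtime status that the status check above reads in Event Viewer. The subscription name, source computer names and admin account are placeholders, and mapping the DriverFrameworks-UserMode tick box to its Operational channel is an assumption.

```powershell
# Added example (not Seceon's or Microsoft's code): builds the subscription the GUI
# steps above describe, from an elevated PowerShell prompt on the collector computer.
# Placeholders below (name, hosts, account) must be replaced with your own values.

$SubscriptionName = 'Seceon-Windows-Events'                            # placeholder
$SourceComputers  = @('SRV01.example.local', 'SRV02.example.local')    # placeholders
$CollectorAdmin   = 'EXAMPLE\wec-admin'                                # placeholder "Specific User"

# Step 1: quick-config the collector (starts the Windows Event Collector service and its listener).
wecutil qc /q

# Channels the GUI ticks: the "Windows Logs" group plus DriverFrameworks-UserMode under
# Applications and Services Logs (assumed here to mean its Operational channel).
$Channels = @(
    'Application', 'Security', 'Setup', 'System',
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
)

# Event Level tick boxes: 1=Critical 2=Error 3=Warning 4=Information 5=Verbose; 0 = LogAlways.
$LevelFilter = '*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]'

# One <Select> per channel, all inside a single query, as Event Viewer generates it.
$Selects  = ($Channels | ForEach-Object { "    <Select Path=`"$_`">$LevelFilter</Select>" }) -join "`n"
$QueryXml = "<QueryList>`n  <Query Id=`"0`">`n$Selects`n  </Query>`n</QueryList>"

# One <EventSource> per computer (the "Select Computers" step).
$Sources = ($SourceComputers | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`n"

$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows events forwarded for the Seceon collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
$QueryXml
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>System</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$Sources
  </EventSources>
</Subscription>
"@

$XmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding UTF8

# Step 11: the "Specific User" credential is prompted for rather than stored in the script.
$Cred = Get-Credential -UserName $CollectorAdmin -Message 'Account used to read the source event logs'
& wecutil cs $XmlPath "/cun:$($Cred.UserName)" "/cup:$($Cred.GetNetworkCredential().Password)"
Remove-Item $XmlPath

# Status check: each source should report "Active". An error here usually means WinRM is
# not listening on the source or the account cannot read that source's event logs.
wecutil gr $SubscriptionName
```

Run it once from an elevated PowerShell prompt on the collector. The password still passes through the wecutil command line, so run it interactively rather than from a scheduled job where the command line would be logged. For the Security channel on the source computers, the account given to /cun additionally needs read access to that log (membership in the source's Event Log Readers group is the usual way), otherwise the status for that source will not become Active.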
The following link provides additional information: https://msdn.microsoft.com/en-us/library/cc722010.aspx
Now that the collector setup is done, please:
1. Forward logs from the other sources to this collector. Follow the steps in the article at the link below on the source computers:
From Source Windows Computers Server
2. Configure NXLog on the collector using the steps in the article at the link below:
...
3. Steps to enable audit logs are given in the article from the link below:
Windows- Enable Audit Logs/Policies/wiki/spaces/PP/pages/445612089
Ref link: https://andys-tech.blog/2021/07/windows-event-collector-tutorial/