Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.


Overview-

This article gives the steps to integrate event collection on a Windows collector computer with the Seceon SIEM, so that you have comprehensive visibility and proactive threat detection in your environment. Logs are transferred from your firewall to the APE (Analytics and Policy Engine) via the CCE (Collection and Control Engine). This document guides you through the steps for log and NetFlow forwarding.

Steps of configuration-

1. On the collector computer, open a command prompt and run the following command:

wecutil qc

Now create a new subscription:

2. On the collector computer, run Event Viewer as an administrator (search for it in the search box).

3. Click Subscriptions in the console tree on the left side.

4. Start the Windows Event Collector service.

If the Windows Event Collector service is not started, you will be prompted to confirm that you want to start it. This service must be started to create subscriptions and collect events. You must be a member of the Administrators group to start this service.

5. In the Actions pane on the right side, click Create Subscription.

6. In the Subscription Name box, type a name for the subscription.

7. In the Description box, enter an optional description.

8. In the Destination Log dropdown, select the log where the collected events are to be stored. Make sure that the collected events are stored in the "System" log.

9. Click Select Computers and add, one by one, the names of the computers from which events are to be collected.

10. After adding a computer, you can test connectivity between it and the collector by selecting the computer and clicking Test.

11. Click "Advanced", select "Specific User" and enter the credentials of the admin user of the collector system.


12. Click Select Events to display the Query Filter dialog box. Use the controls in the Query Filter dialog box to specify the criteria that events must meet to be collected.

In the "Event Level" section, tick Critical, Warning, Verbose, Error and Information so that all events are collected.

Also select the "By log" option, and then choose "Windows Logs" in the dropdown.

For the Application and Services logs:

1. Click + next to Application & Services.

2. Click + next to Microsoft.

3. Click + next to Windows.

4. Check the box next to "DriverFrameworks-UserMode".


Click OK.

13. Click OK on the Subscription Properties dialog box. The subscription will be added to the Subscriptions pane.


To check the status, right-click the subscription name and select "Runtime Status". If the operation was successful, the status of the subscription will be Active.

The following link provides additional information: https://msdn.microsoft.com/en-us/library/cc722010.aspx
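As an added example that is not part of this article or of Seceon's own tooling, the PowerShell below builds the same collector-initiated subscription that the GUI steps create, but from a subscription XML file, and then checks its runtime status with wecutil. The subscription name, the source computer names and the Microsoft-Windows-DriverFrameworks-UserMode/Operational channel path are assumptions to replace for your environment.

```powershell
# Added example (not part of the Seceon article): builds the same collector-initiated
# subscription as the GUI steps above, from a subscription XML file.
# Assumed: the subscription name, the source computer names and the
# DriverFrameworks-UserMode/Operational channel are placeholders for your environment.
$SubscriptionName = 'SeceonCollector'
$SourceComputers  = @('SRV01.corp.example', 'SRV02.corp.example')   # assumed names

# One <EventSource> per computer added in step 9.
$sources = ($SourceComputers | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`n"

# "*" selects every level (Critical..Verbose) of each log chosen under "By log".
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows logs collected for the Seceon CCE</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="Setup">*</Select>
    <Select Path="System">*</Select>
    <Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*</Select>
  </Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>System</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

# Step 1 (service), step 11 (prompt for the "Specific User" account rather than
# storing it in the XML) and the runtime status check at the end.
wecutil qc /q:true
$cred = Get-Credential -Message 'Account allowed to read the source computers'' logs'
wecutil cs $xmlPath "/cun:$($cred.UserName)" "/cup:$($cred.GetNetworkCredential().Password)"
wecutil gr $SubscriptionName        # expect "Active" for the subscription and each source
```

The destination log is set to System to match step 8 of this article; if a source shows anything other than Active in the wecutil gr output, re-check the connectivity test from step 10 and the account used in step 11.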

Now that the collector setup is done:

1. Forward logs from the other sources to this collector. Follow the steps in the article linked below on the source computers:

from Source Windows Computers

2. Configure NXLog on the collector, using the steps in the article linked below:

Nxlog Configuration for Windows AD Logs

Note: If the AD machine is configured as the collector, you need to enable audit logs only on the AD machine. Otherwise (any endpoint is configured as the collector), you need to enable audit logs separately on each of the computers added in the subscription.

3. The steps to enable audit logs are given in the article linked below:

Windows- Enable Audit Logs/Policies
