Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Configuring Windows Events


Overview

This document explains how to configure Windows events for collection.

To export events from Windows machines/servers, we use a third-party software called "Nxlog".

A. Types of Windows events

Windows servers generate two types of events:

Type 1: Windows Native Events

Type 2: Windows-based Application Events

Type 1: Windows Native Events

For these, either event collection method (Method 1 or Method 2 below) can be used. Examples: OS events, Audit events (/wiki/spaces/PP/pages/445612089), and Driver Framework events such as USB and CD drive events (/wiki/spaces/RB/pages/4227200).

Type 2: Windows-based Application Events

For application events, Method 1 of event collection must be used: the nxlog agent runs on the server itself, reads the events from a specific location, and exports them to the CCEs. Examples: MSSQL, DNS, DHCP, IIS, MS Exchange, and SMTP.

B. Methods of Event Collection from Windows

There are two methods of event collection from Windows servers, depending on the type of events the server generates:

  • Nxlog Agent configured on the same server
  • Nxlog Agent configured on a collector setup

Both methods are described below:

Method 1: Nxlog Agent configured on the same server

In this case, Nxlog is configured on the same server from which the events are forwarded. Depending on the source of the events, use the corresponding configuration guide:

  • Base OS: use the instructions in the link below to configure nxlog:

Nxlog Configuration for Windows AD Logs

  • Application events from MSSQL: use the instructions in the link below:

Windows MSSQL Nxlog configuration

  • Application events from DHCP: use the instructions in the link below:

Windows DHCP Nxlog configuration

  • Application events from DNS: use the instructions in the link below:

Windows DNS Nxlog configuration

  • Application events from IIS: use the instructions in the link below:

Windows IIS Nxlog configuration

  • Application events from MS Exchange: use the instructions in the link below:

Windows MS Exchange Nxlog configuration

  • Application events from SMTP: use the instructions in the link below:

Windows SMTP Nxlog configuration

Note: In certain scenarios, if the partner/customer can mount the application event location onto the collector or another centralized location, either event collection method can be used.

Method 2: Windows Event Subscriptions with Nxlog configured on Windows Collector

This method requires the steps below:

Step 1 - Set up the Windows Collector:

The Windows Collector is a small Windows VM with the following specification:

  1. Compute Power: Windows 2012 Server, 2 GHz or faster.
  2. Minimum Memory (DRAM): 2 GB
  3. Minimum Disk: 40 GB
  4. Network Interface: 1 GigE

Step 2 - Create subscriptions on the Windows Collector:

Once the Windows Collector is up and running, subscriptions can be added to it for all the remote Windows machines in the same domain whose logs are to be forwarded. For subscriptions, refer to the instructions in the link:

Event Collection at Windows Collector Server

Step 3 - Forward events from source computers to the Windows Collector:

To enable events to be forwarded from the remote computers to the Windows Collector, perform the steps in the link:

From Source Windows Server

Step 4 - Forward events from the Windows Collector to the CCE using Nxlog configuration:

Once the events are forwarded from the remote Windows machines to the Windows Collector, Nxlog must be configured on the collector to forward the collected events on to our CCE. To configure this, refer to:

Nxlog Configuration for Windows AD Logs 
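As an added illustration of Step 4 (not the configuration from the linked guide), the nxlog.conf below reads the ForwardedEvents channel that Windows Event Forwarding populates on the collector and ships each event as JSON over TCP. The CCE address (10.0.0.5), port (514) and the default Nxlog install path are assumed placeholders; replace them with the values for your deployment.

```apacheconf
# Added example nxlog.conf for the Windows Collector (Method 2, Step 4).
# Assumes the default NXLog Community Edition install path on Windows.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# JSON serialisation so every event field (EventID, Channel, Hostname, ...)
# reaches the CCE as a structured record rather than a flat message string.
<Extension json>
    Module  xm_json
</Extension>

# Read only the ForwardedEvents log: this is where the subscriptions created
# in Step 2 deliver the events pushed by the source servers in Step 3.
<Input forwarded_events>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    to_json();
</Input>

# Forward to the CCE. 10.0.0.5:514 is a placeholder; use the address and
# port your CCE is provisioned to listen on.
<Output cce>
    Module  om_tcp
    Host    10.0.0.5
    Port    514
</Output>

<Route forwarded_to_cce>
    Path    forwarded_events => cce
</Route>
```

After saving the file, restart the nxlog service and check %ROOT%\data\nxlog.log for parse errors; if no events arrive at the CCE, confirm first that Event Viewer on the collector shows entries under Windows Logs > Forwarded Events, which isolates a subscription problem (Steps 2 and 3) from an Nxlog problem (Step 4).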



For the threat indicators generated from these events, see:

Threat Indicators Generated from Windows Events


Seceon Inc. All rights reserved. https://www.seceon.com