Last Modified: Sunday, April 29, 2012

Event Source (Device) Product Information

Vendor:                        Microsoft
Event Source (Device):         Windows
Supported Versions:
  • NT, 2000, XP, 2003, Vista Business, Ultimate, and Enterprise: using SNARE or the legacy agentless collector
  • Server 2008: Agentless, using SNARE, or using File Reader Service
  • Windows Server 2008 Enterprise with Hyper-V, Server 2008 R2 Standard, Enterprise, and Datacenter: Agentless or using SNARE
  • Web Server 2008 R2: Agentless or using SNARE
  • 7 Professional, Ultimate, and Enterprise: Agentless

Note: To support Exchange Auditing logs in Microsoft Exchange 2007 SP2 or later, you need to install the EBF ENV-36943. For details, contact RSA enVision Customer Support.

RSA Product Information

Supported Version:             RSA enVision 4.0 and 4.1
Event Source (Device) Type:
  • Agentless: winevent_nic, 30
  • Using third-party collection agent, Adiscon EventReporter: winevent_er, 15
  • Using third-party collection agent, InterSect Alliance BackLog: winevent, 14
  • Using third-party collection agent, InterSect Alliance SNARE: winevent_snare, 20
Collection Method:             Agentless: Windows Event Logs; using a third-party agent: syslog
Event Source Class.Subclass:   Host.Windows
This document contains the following information for the Microsoft Windows event source:
  • Configuration Instructions
  • Release Notes for Content 2.0
  • Release Notes for Standard Content
RSA Event Source
Microsoft Windows
Configuration Instructions

To set the event logs to overwrite events as needed:
1. Click Start > Settings > Control Panel > Administrative Tools > Event Viewer.
2. Right-click System, and select Properties.
3. Select Overwrite events as needed.
4. Click Apply, and click OK.
5. Repeat steps 2 to 4 for the Application and Security logs.
Note: With this setting, the oldest events are discarded as soon as a log is full. Size each log so that events are collected by enVision before they are overwritten; otherwise a burst of activity (or a collection outage) silently loses the oldest events.
To set the audit policy:
1. Log on to Windows with an account that has administrative credentials.
2. Click Start > Settings > Control Panel > Administrative Tools.
3. Double-click Local Security Policy to start the Local Security Settings MMC snap-in.
4. Double-click Local Policies to expand the folder, and double-click Audit Policy.
5. In the right pane, double-click the policy that you want to enable or disable.
6. Select Success (audited security access attempt that succeeds), Failure (audited security access attempt that fails), or both, and click OK. For logon and logoff auditing, select both so that failed as well as successful logons are recorded.
To set up auditing on a file or folder:
1. Open Windows Explorer, and locate the file or folder that you want to audit.
2. Right-click the file or folder, and select Properties.
3. On the Security tab, click Advanced, and click the Auditing tab.
4. Do one of the following:
   • To set up auditing for a new group or user, click Add. In the Name field, enter the name of the user or group that you want to audit, and click OK.
   • To view or change auditing for an existing group or user, click the group or user, and click View/Edit.
   • To remove auditing for an existing group or user, click the group or user, click Remove, and go to step 6.
5. If you are adding or editing a group or user, do the following:
   a. In the Access list box, for each type of access that you want to audit, select Successful, Failed, or both.
   b. To prevent files and subfolders in the tree from inheriting these audit entries, select Apply these auditing entries to objects and/or containers within this container only.
   c. Click OK.
6. Click OK.
Note: If the checkboxes in the Access list box in the Auditing Entry dialog box are unavailable, or if the Remove button is unavailable in the Access Control Settings dialog box, auditing has been inherited from the parent folder.
Note: File and folder audit entries generate events only if Audit object access is enabled in the audit policy (see the preceding procedure). Without it, the entries are stored in the object's SACL but nothing is written to the Security log.
Setting Up Collection

You can set up either of two methods of collection for Windows logs:
  • The Windows Eventing Collector (requires separate installation of a new enVision collector)
  • The Legacy Agentless Collector (does not require any additional downloads or configuration)

Note: If you cannot collect messages from a Windows Server 2003 or 2008 event source, set up the Remote Registry Service to run as LocalSystem, not LocalService. LocalSystem gives that service full local privileges, so make this change only on hosts where collection otherwise fails.

Important: You must have administrator privileges on the event source to read the event logs and retrieve the Application and System messages. You can retrieve Security log messages without administrator privileges if the collection account is granted the Manage auditing and security log user right. Use a dedicated collection account with only that right rather than an administrator account wherever the Security log is all you need, since the same credentials are used against every monitored host.
Prerequisites
You must be running RSA enVision 4.0 Service Pack 3 or newer. Additionally, ensure that you have updated the enVision platform by installing the following (available for download from SecurCare Online):
To remove the Windows Agentless Collector Service from event sources that will use the Windows Eventing Collector:
1. On the enVision platform, click Overview > System Configuration.
2. Click Services > Device Services > Windows Service > Manage Windows Service.
3. Select the Windows Agentless Collector Service for each event source for which you are using the Windows Eventing Collector Service.
4. Click Delete.
To configure the Windows Eventing Collector:
1. Add or update the alias for the event source as follows:
   a. Open a new command shell, and change directories to the E:\nic\enVision version\node_name\collection-services\winevent directory, where enVision version and node_name are the installed enVision version and the node name.
   b. Run one of the following commands:
   c. Follow the prompts to provide your information. For details, see the enVision Online Help.
   d. Enter the list of channels to which you want to subscribe. Use a comma as the delimiter between channel names.
   Note: You must enter the names exactly as written in the list below. If you misspell any channel name, events from that channel are not collected.
2. To test your configuration, type:
   wineventconfig.exe -t
Supported channel names:
  Microsoft-Windows-Hyper-V-Config-Admin
  Microsoft-Windows-Hyper-V-Config-Operational
  Microsoft-Windows-Hyper-V-Hypervisor-Admin
  Microsoft-Windows-Hyper-V-Hypervisor-Operational
  Microsoft-Windows-Hyper-V-VMMS-Admin
  Microsoft-Windows-Hyper-V-Worker-Admin
  Microsoft-Windows-Hyper-V-Image-Management-Service-Admin
  Microsoft-Windows-Hyper-V-Image-Management-Service-Operational
  Microsoft-Windows-Hyper-V-SynthStor-Admin
  Microsoft-Windows-Hyper-V-Integration-Admin
  Microsoft-Windows-Hyper-V-SynthNic-Admin
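Because a misspelled channel name silently loses that channel's events, it is worth checking the comma-delimited list before it is entered at the wineventconfig.exe prompt. The following Python script is an added example, not RSA enVision or wineventconfig.exe code: it validates a subscription list against the channel names listed above, flags wrong case and typos with a suggested correction, and builds the exact string to enter. The channel names are copied from the list; the function names and the sample input are assumptions made for this example.

```python
"""Check a Windows Eventing Collector channel list before subscribing.

Added example; not RSA enVision or wineventconfig.exe code. The channel
names come from the guide's list. The function names and the sample input
at the bottom are assumptions made for this example.
"""
import difflib

# Channel names the guide lists for the Windows Eventing Collector (Hyper-V).
SUPPORTED_CHANNELS = (
    "Microsoft-Windows-Hyper-V-Config-Admin",
    "Microsoft-Windows-Hyper-V-Config-Operational",
    "Microsoft-Windows-Hyper-V-Hypervisor-Admin",
    "Microsoft-Windows-Hyper-V-Hypervisor-Operational",
    "Microsoft-Windows-Hyper-V-VMMS-Admin",
    "Microsoft-Windows-Hyper-V-Worker-Admin",
    "Microsoft-Windows-Hyper-V-Image-Management-Service-Admin",
    "Microsoft-Windows-Hyper-V-Image-Management-Service-Operational",
    "Microsoft-Windows-Hyper-V-SynthStor-Admin",
    "Microsoft-Windows-Hyper-V-Integration-Admin",
    "Microsoft-Windows-Hyper-V-SynthNic-Admin",
)


def validate_channels(requested, supported=SUPPORTED_CHANNELS):
    """Split a comma-delimited channel list and check each name.

    Returns (accepted, rejected): accepted is the list of exact matches in
    the order given (duplicates dropped); rejected maps each unknown name
    to the closest documented name, or None when nothing is close. The
    comparison is exact and case-sensitive because wineventconfig.exe
    requires the names as written.
    """
    supported_set = set(supported)
    by_lowercase = {name.lower(): name for name in supported}
    accepted, rejected = [], {}
    for raw in requested.split(","):
        name = raw.strip()
        if not name:
            continue  # tolerate a trailing comma or a doubled delimiter
        if name in supported_set:
            if name not in accepted:
                accepted.append(name)
            continue
        # Wrong case is the most common slip; fall back to fuzzy matching for typos.
        suggestion = by_lowercase.get(name.lower())
        if suggestion is None:
            close = difflib.get_close_matches(name, supported, n=1, cutoff=0.8)
            suggestion = close[0] if close else None
        rejected[name] = suggestion
    return accepted, rejected


def build_subscription(requested, supported=SUPPORTED_CHANNELS):
    """Return the comma-delimited string to enter at the wineventconfig prompt.

    Raises ValueError naming every unknown channel (with a suggestion where
    one exists) so that a bad name is caught before the subscription is saved.
    """
    accepted, rejected = validate_channels(requested, supported)
    if rejected:
        details = "; ".join(
            f"{bad!r} -> did you mean {good!r}?" if good else f"{bad!r} -> no close match"
            for bad, good in rejected.items()
        )
        raise ValueError(f"unknown channel name(s): {details}")
    if not accepted:
        raise ValueError("no channels given")
    return ",".join(accepted)


if __name__ == "__main__":
    # Constructed input: one correct name, one typo, one with the wrong case.
    sample = ("Microsoft-Windows-Hyper-V-VMMS-Admin, "
              "Microsoft-Windows-Hyper-V-Worker-Admn, "
              "microsoft-windows-hyper-v-synthnic-admin")
    ok, bad = validate_channels(sample)
    print("accepted:", ok)
    for name, hint in bad.items():
        print(f"rejected: {name!r} (suggest {hint!r})")
```

Run the script with the list you intend to enter; only paste the output of build_subscription once validate_channels reports nothing rejected. If RSA adds channels in a later content update, extend SUPPORTED_CHANNELS from the updated guide rather than relaxing the exact match.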
Legacy Collector
The NIC Windows Service retrieves Windows logs from remote systems without installing any third-party software. This method is known as agentless Windows collection.
If you use agentless collection, the Remote Registry Service must be running on the remote server. This service allows a remote station to access the event logs. If you use a third-party collection application or an agent, you do not need to configure the NIC Windows Service.
Setting Up Third-Party Collection Services

This section covers the following third-party collection applications:
  • InterSect Alliance SNARE BackLog
  • InterSect Alliance SNARE
  • Adiscon EventReporter and DNS Server
Note: If you install the SNARE agent on a Windows Vista or Server 2008 system, you must use SNARE for Windows Vista version 1.1.1.
To set up InterSect Alliance SNARE BackLog:
1. Set the Target Host to the hostname of the RSA enVision appliance collecting the events.
2. Set the Syslog Category to Syslog - Debug.
3. Set the Delimiter to Comma.
Note: If you need to change these settings later, run configurator.exe, located in the installation directory (the default installation directory is C:\Program Files\Backlog).
To set up InterSect Alliance SNARE:
1. Set the Destination Snare Server Address to the IP address of the RSA enVision appliance collecting the events.
2. Set the Destination Port to 514. Syslog on this port is unauthenticated and, over UDP, unencrypted, so keep the path between the agent and the appliance on a trusted network segment.
3. If you use SNARE for Windows 4.0.0.2 or later, ensure that the following options are selected:
   • Allow SNARE to automatically set audit configuration.
   • Allow SNARE to automatically set file audit configuration.
   Note: If you use an earlier version of SNARE for Windows, skip this step.
   Note: With these options selected, the agent manages the local audit policy and file audit entries itself, so settings you made in the earlier audit policy and file auditing procedures may be replaced by the agent's configuration.
4. Set the Syslog Facility to Syslog.
5. Set the Syslog Priority to Debug.
6. Ensure that Enable Syslog Header is selected.
7. Copy the SNAREdelimiter.reg file from the \etc\devices\winevent_snare directory on the enVision appliance to the machine on which you installed SNARE.
8. To update the SNARE registry with the proper delimiter setting, right-click the SNAREdelimiter.reg file, and select Merge. When prompted to continue, click Yes.
9. On the Windows Start menu, click Settings > Control Panel > Administrative Tools > Services.
10. Restart the SNARE service.
To install and set up InterSect Alliance SNARE on Windows Server 2008 Server Core:
1. On a workstation with a full Windows installation, click My Computer > Tools > Map Network Drive, and follow these steps to map a drive:
   a. From the Drive drop-down list, select the drive letter that you want to use.
   b. In the Folder field, enter the administrative share of the Server Core machine. For example, if the IP address of the Server Core machine is 1.1.1.1 and the drive to be mapped is C:, enter \\1.1.1.1\c$ in the Folder field.
   c. Select Reconnect at logon.
   d. Select Connect using a different user name, and enter the logon credentials for the Server Core machine.
2. Create a new directory on Server Core, such as C:\files.
3. Copy the SNARE installation file (downloaded from http://www.intersectalliance.com/projects/SnareWindows/index.html#Download to the local machine) and the .reg file (from the \etc\devices\winevent_snare directory on the enVision appliance) to the directory that you created in step 2.
4. Follow these steps to install SNARE on the Server Core installation:
   a. Open a command shell, and change directories to the directory that you created in step 2.
   b. To install SNARE, type:
      C:\files\SnareSetupVista-1.1.1-MultiArch.exe
   Note: When installing the SNARE agent on a Server 2008 Server Core installation, you must set the Remote Control Interface setting to YES with password. If this option is not selected, the SNARE agent can only be configured through the registry.
   c. To update the SNARE registry with the proper delimiter setting, type:
      C:\files\SNAREdelimiter.reg
      When prompted to continue, click Yes.
5. To configure the settings, connect to the SNARE web interface from a browser. For example, if the IP address of the Server Core host is 1.1.1.1, go to http://1.1.1.1:6161/
   Note: The interface is served over plain HTTP, so the remote control password crosses the network in the clear. Use a strong password and restrict access to port 6161 to the hosts you administer from.
Note: If a firewall prevents the connection, allow inbound TCP port 6161 on the Server Core host. The following command does this by setting the default inbound policy of every firewall profile to allow:

netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound

Be aware that this opens every inbound port, not only the SNARE web interface. A rule that allows only TCP port 6161 inbound (netsh advfirewall firewall add rule with dir=in action=allow protocol=TCP localport=6161, optionally restricted with remoteip= to your management host) is the safer choice, and if you do use the command above, restore the default blockinbound policy once configuration is complete.
6. To configure the settings, follow steps 1 to 6 of the preceding SNARE setup procedure.
7. Follow these steps to restart the service:
   a. To stop the service, at the command prompt, type:
      sc stop snare
   b. To start the service again, type:
      sc start snare
You must complete the following tasks to set up Adiscon EventReporter and DNS Server:
  I. Set up EventReporter
  II. (Optional) Set up Hyper-V
  III. Set up DNS server logging
Set Up EventReporter

To set up EventReporter:
1. From the Windows Start menu, click Programs > EventReporter > EventReporter Configuration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
   a. Click Default EventLog Monitor > Advanced Options.
   b. Select Use Legacy Format.
   c. Select only Add Facilitystring, Add Username, and Add Logtype.
   d. Click Save.
3. Follow these steps to configure syslog forwarding:
   a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog > Actions.
   b. Select Forward Syslog.
   c. In the Syslog Server field, enter the IP address of the RSA enVision appliance collecting the events.
   d. Clear Add Syslog Source when forwarding to other Syslog servers.
   e. Leave all other options at the default settings.
4. Restart the EventReporter service.
Set Up Hyper-V
This procedure is optional. Follow these steps only if you are configuring Hyper-V.
To configure Hyper-V:
Note: EventReporter 11.1 is required to configure Hyper-V support.
1. From the Windows Start menu, click Programs > EventReporter > EventReporter Configuration.
2. To create a rule set, follow these steps:
   a. In the left-hand panel, right-click Rule Sets, and select Add Rule Set.
   b. Name the rule set, and click Next.
   c. Select Forward Syslog, and accept all other defaults to add the rule set.
   d. Select your rule set from Rule Sets, and click Forward Syslog > Actions > Forward Syslog.
   e. Accept all defaults, and complete the fields as follows:
      • Syslog Server: the IP address of your RSA enVision appliance
      • Message format:
        [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"
      Note: If you cut and paste the message format string, ensure that the string does not contain any line or paragraph breaks.
3. To configure a service to use the rule set, follow these steps:
   a. Right-click Configured Services, and click Add Service > Event Log Monitor V2.
   b. Accept all defaults, and click Next.
   c. Click Finish.
   d. Click the new service.
   e. By default, all items are selected. Clear all items except those that start with the string Microsoft-Windows-Hyper-V.
      Note: The Hyper-V items are under New EventLog - Serviced Channels > Microsoft > Windows.
   f. In the Rule Set to Use field, select your rule set.
   g. Click Save.
4. Restart the EventReporter service.
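The message format entered in step 2e defines exactly what arrives on the enVision side, so the quickest way to confirm the rule set is working is to capture a few forwarded lines and parse them back into fields. The Python below is an added example, not Adiscon EventReporter or RSA enVision code: it parses lines in that format, returns None for records that were split because the format string contained a line break (the failure the note above warns about), and tallies the Hyper-V events. Assumptions made for this example: that the forwarder may prepend a syslog "<PRI>Mon dd hh:mm:ss host " header, that %sourceproc% carries the event source (provider) name, the field names in the returned dict, and the sample lines, which are constructed and do not reproduce real Hyper-V event text.

```python
"""Parse EventReporter messages forwarded with the rule set above.

Added example; not Adiscon EventReporter or RSA enVision code. The message
format string is the one the guide configures. Assumed for this example:
that the forwarder may prepend a syslog "<PRI>Mon dd hh:mm:ss host " header,
that %sourceproc% carries the event source (provider) name, the field names
in the returned dict, and every sample line below, which is constructed and
does not reproduce real Hyper-V event text.
"""
import re
from collections import Counter

# [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"
# The syslog PRI and timestamp/host prefix are optional so that lines captured
# before and after forwarding both parse. %timegenerated% stops at the first
# ": " so a time of day inside it is fine; %user% and %source% may not contain
# "/"; %sourceproc% is matched non-greedily because source names may contain
# spaces; %msg% is everything between the outer quotes, so embedded quotes survive.
LINE_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'
    r'(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) )?'
    r'\[(?P<level>[^\]]*)\] '
    r'(?P<timegenerated>.+?): '
    r'(?P<user>[^/]*)/(?P<source>[^/]*)/(?P<sourceproc>.*?) '
    r'\((?P<id>\d+)\) - "(?P<msg>.*)"$'
)


def parse_line(line):
    """Return the fields of one forwarded line, or None if it does not match.

    A None result is what you see when the format string was pasted with a
    line break: the forwarder then emits the record as two lines, neither of
    which matches.
    """
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["id"] = int(rec["id"])
    rec["pri"] = int(rec["pri"]) if rec["pri"] is not None else None
    return rec


def parse_lines(lines):
    """Parse many lines. Returns (records, unparsed_lines)."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


def from_hyperv(records, prefix="Microsoft-Windows-Hyper-V"):
    """Keep records whose source (provider) name starts with the Hyper-V prefix.

    Filtering on %sourceproc% is an assumption; check one real record from your
    forwarder to confirm which property carries the provider name.
    """
    return [r for r in records if r["sourceproc"].startswith(prefix)]


def count_by_event(records):
    """Tally records by (source name, event ID) for a quick sanity check."""
    return Counter((r["sourceproc"], r["id"]) for r in records)


# Constructed sample lines (not real Hyper-V event text).
SAMPLE_LINES = [
    '<14>Apr 29 13:05:22 hv01 [Information] 2012-04-29 13:05:21: '
    'NT AUTHORITY\\SYSTEM/hv01/Microsoft-Windows-Hyper-V-VMMS (12345) - '
    '"Constructed: virtual machine "web01" was started."',
    '[Warning] 2012-04-29 13:06:02: CORP\\svc-backup/hv01/Microsoft-Windows-Hyper-V-Worker '
    '(23456) - "Constructed: snapshot of "db01" failed."',
    # A record emitted by a format string that was pasted with a line break.
    '[Information] 2012-04-29 13:07:10:',
    ' CORP\\jdoe/hv01/Microsoft-Windows-Hyper-V-VMMS (12346) - "Constructed: split record."',
    '<13>Apr 29 13:08:00 hv01 [Information] 2012-04-29 13:07:59: '
    'CORP\\jdoe/hv01/Service Control Manager (7036) - '
    '"Constructed: a service entered the running state."',
]

if __name__ == "__main__":
    records, unparsed = parse_lines(SAMPLE_LINES)
    print(f"{len(records)} parsed, {len(unparsed)} unparsed")
    for src_id, n in sorted(count_by_event(from_hyperv(records)).items()):
        print(f"{src_id[0]} {src_id[1]}: {n}")
```

Feed it a capture taken on the appliance (or a packet capture of port 514) instead of SAMPLE_LINES: if unparsed is non-empty for records you expect, the format string on the forwarder is not the one above, most often because it picked up a line break on paste.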
Set Up DNS Server Logging

To set up EventReporter for DNS server logging:
1. From the Windows Start menu, click All Programs > EventReporter > EventReporter Configuration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
   a. Click Default EventLog Monitor > Advanced Options.
   b. Select Use Legacy Format.
   c. Select only Add Facilitystring, Add Username, and Add Logtype.
   d. Click OK.
3. Follow these steps to configure syslog forwarding:
   a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog > Actions.
   b. Select Forward Syslog.
   c. In the Syslog Server field, enter the IP address of the RSA enVision appliance collecting the events.
   d. Clear Add Syslog Source when forwarding to other Syslog servers.
   e. Leave all other options at the default settings.
4. Restart the EventReporter service.
To set up the File Reader Service on the enVision platform:
1. Log on to the RSA enVision platform with administrative credentials.
2. Select Overview > System Configuration > Services > Device Services > Manage File Reader Service.
3. Click Add.
4. Complete the fields as follows:
   Field              Action
   IP address         Enter the IP address of the Microsoft Windows DNS server.
   File reader type   Select WINDNS.
5. Ensure that Start File Reader Service on Apply is selected.
6. Click Apply.
7. To restart the NIC Service Manager, follow these steps:
   a. On your enVision appliance, click Start > Administrative Tools > Services.
   b. From the list, click NIC Service Manager.
   c. Click Restart the service.
Microsoft Windows Release Notes (20120328-170659)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20120305-123706)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20120201-163743)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20120105-082058)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20111205-083318)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Renamed Reports in Content 2.0

Old Report Name                                     Content 2.0 Report Name
Computer Account Changes - Windows Server 2003      Computer Account Changes
User Group Account Changes - Windows Server 2003    User Group Account Changes
Trusted Domain Changes - Windows Server 2003        Trusted Domain Changes
User Rights Changes - Windows Server 2003           User Rights Changes
Computers Added/Removed from Domain                 Computer Account Added/Removed
Applications by Users - Windows Server 2003         Applications by Users
Microsoft Windows Release Notes (20110817-133744)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20110623-133824)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20110526-152046)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.