Transcription

Using Windows Event Forwarding with the Windows Unified Connector
Steve Maxwell, Solutions Architect
#HPProtect
Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Agenda
- What is Windows Event Forwarding?
- How does HP ArcSight work with Windows Event Forwarding?
- Benefits
- Tips & tricks

What is Windows Event Forwarding?

What is Windows Event Forwarding?
- Centralized Windows event collection
  – Collect events from Windows systems and store them centrally
- Introduced in Windows Server 2008 and Windows Vista
  – Built-in support in Windows Server 2008 and Windows Vista
  – Add-on support in Windows Server 2003 and Windows XP
- Uses Windows Remote Management 1.1 or later
  – Microsoft implementation of the WS-Management protocol

Microsoft terminology
- Event Collector
  – Where events from Sources are centrally forwarded to and stored
- Event Source
  – Where events are generated

Platforms – Event Collector
- Windows Server 2008/2012
  – Microsoft recommended platforms
- Windows 7/8
- Windows Vista

Platforms – Event Source
- Windows Server 2008/2012
- Windows 7/8
- Windows Vista
- Windows Server 2003 SP1
- Windows XP SP2

Subscription
- What events do I want to collect?
- What systems do I want to collect from?
- What event log do I want to forward the collected events to?
- Collector or Source initiated?
- Advanced Subscription Settings

Collector initiated

Source initiated


How does HP ArcSight work with Windows Event Forwarding?

Acronyms used in this presentation
- Windows Unified Connector – WUC
- Windows Event Forwarding – WEF

SmartConnector
- Support for WEF added to the WUC
  – SmartConnector 6.0.6.6865 released on September 30, 2013
- Microsoft Windows Event Log – Unified
  – Forwarded Events Collection: Disabled / Enabled (use AD for sources) / Enabled (do not use AD for sources)
  – Custom Log Names: HardwareEvents is supported; ForwardedEvents is not supported (subscription default)

WEF Log Forwarding – options
- WEF has a lot of granularity on where to forward Source logs to on the Collector
  – For example:
    Sources/Application Logs -> Collector/Application Log
    Sources/System Logs -> Collector/System Log
    Sources/Application Logs -> Collector/System Log
    Sources/System Logs -> Collector/Application Log
    Sources/Security Logs -> Collector/HardwareEvents Log
    Sources/"Applications and Services Logs" -> Collector/System, Application or HardwareEvents Log

WEF Log Forwarding – best practices
- Security logs
  – Sources/Security Logs -> Collector/HardwareEvents Log
  – Source Security logs cannot be forwarded to the Collector Security log
- Application logs
  – Sources/Application Logs -> Collector/Application Log
- System logs
  – Sources/System Logs -> Collector/System Log


Windows OS Version
- WEF events can be from different Windows versions than the WEF Collector
  – For example: Collector is Windows Server 2008; Sources are Windows XP, Windows Server 2003
- SmartConnector needs to know what OS in order to parse the events properly
  – It assumes Windows 2008 R2 by default
- Sources
  – Active Directory: Enabled (use AD for sources)
  – sourcehosts.csv: Enabled (do not use AD for sources)
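In "use AD for sources" mode the connector's parsing depends on the operating-system attribute that Active Directory holds for each forwarding host, and a Source that AD does not know, or knows without an OS value, falls back to the Windows 2008 R2 default. The following added example, which is not code from the deck or from ArcSight, runs on the Collector and lists which Windows versions are actually feeding the HardwareEvents log and flags sources whose OS cannot be resolved from AD. The log name, the 24-hour window and the availability of the ActiveDirectory RSAT module are assumptions.

```powershell
# Added example (not from the HP Protect deck): inventory the OS versions of the
# hosts forwarding into a Collector log and flag those AD cannot resolve, since the
# WUC will parse such sources as Windows 2008 R2 by default.
# Assumes the ActiveDirectory module (RSAT) is installed on the Collector.
Import-Module ActiveDirectory

$log   = 'HardwareEvents'            # Collector log fed by the Security-log subscription
$since = (Get-Date).AddHours(-24)    # look-back window; adjust to your forwarding volume

# Distinct source machines seen in the Collector log in the window.
# -ErrorAction SilentlyContinue turns "no events found" into an empty result.
$sources = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty MachineName -Unique

$report = foreach ($fqdn in $sources) {
    $name = ($fqdn -split '\.')[0]   # AD computer Name is the short host name
    $ad = Get-ADComputer -Filter "Name -eq '$name'" `
            -Properties OperatingSystem, OperatingSystemVersion -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Source          = $fqdn
        OperatingSystem = if ($ad) { $ad.OperatingSystem } else { $null }
        OSVersion       = if ($ad) { $ad.OperatingSystemVersion } else { $null }
        Note            = if (-not $ad -or -not $ad.OperatingSystem) {
                              'OS not resolvable from AD: WUC falls back to Windows 2008 R2 parsing'
                          } else { '' }
    }
}

$report | Sort-Object OperatingSystem, Source | Format-Table -AutoSize
```

Any row carrying the note is a candidate for the "do not use AD for sources" mode, where the OS is supplied explicitly through sourcehosts.csv; a mismatch between the assumed and the real source OS shows up downstream as events that parse incompletely rather than as a connector error, so this check is worth repeating whenever new source platforms are added to a subscription.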

Benefits

Windows Event Forwarding
- Integrated and free
- Secure and reliable
- Filtering
- Multi-tier
- Group Policy
- Laptops/desktops
  – Source-initiated subscription

SmartConnector
- Filtering
- Aggregation
- Caching
- Batching
- Bandwidth throttling
- Time correction
- Platforms
  – Windows
  – Linux/Unix
  – Connector Appliance/ArcMC

Use both!
- The best of both worlds!
- Use both where/when appropriate

Tips & tricks

Tips & tricks
- Lab environment
  – Use a single virtual machine or physical server and forward the event logs locally
- Nested event logs
  – All logs under "Applications and Services Logs" in the Windows Event Viewer (AppLocker, Windows Defender, etc.)
  – We cannot collect these logs: they are not supported by the WUC
  – Use WEF to forward these to the Application, System, or HardwareEvents log: those are supported by the WUC
- EVENTCREATE
  – EVENTCREATE /T ERROR /ID 1000 /L APPLICATION /D "My custom error event for the application log"
  – EVENTCREATE /T ERROR /ID 1000 /L SYSTEM /D "My custom error event for the system log"
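The EVENTCREATE commands above give a way to put a known event into a Source log on demand; the natural next step in a lab or after a subscription change is to confirm that the event actually lands in the intended Collector log. The following added example, not code from the deck or from ArcSight, wraps that check: it writes a test event tagged with a random marker on the Source and polls the Collector's target log for it. The Collector name, the target log, the event ID 1000 from the slide and the timeout are assumptions; in the single-machine lab setup described above the Collector is simply the local host.

```powershell
# Added example (not from the HP Protect deck): end-to-end check of one forwarding path.
# Run on a Source. Writes a uniquely tagged test event with EVENTCREATE, then polls the
# Collector's target log until the event shows up or the timeout expires.
# Collector name, target log and timeout are assumptions; ID 1000 follows the slide's example.
param(
    [string]$Collector  = 'collector01.example.local',  # use 'localhost' in the single-box lab
    [string]$TargetLog  = 'Application',                # Collector log the subscription writes to
    [int]   $TimeoutSec = 300
)

# Random marker so the event is distinguishable from real Application-log errors.
$tag = "WEF-check-$([guid]::NewGuid().ToString('N').Substring(0, 8))"

# 1. Generate the test event locally, exactly as on the Tips slide but with the marker.
EVENTCREATE /T ERROR /ID 1000 /L APPLICATION /D "$tag - custom error event for WEF validation" | Out-Null

# 2. Poll the Collector. Forwarding is batched, so allow for MaxLatencyTime on the subscription.
$deadline = (Get-Date).AddSeconds($TimeoutSec)
$found    = $null
while (-not $found -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
    $found = Get-WinEvent -ComputerName $Collector `
                -FilterHashtable @{ LogName = $TargetLog; Id = 1000; StartTime = (Get-Date).AddMinutes(-10) } `
                -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -like "*$tag*" } |
             Select-Object -First 1
}

# 3. Report. MachineName on the arrived event should be this Source, not the Collector.
if ($found) {
    "OK: event $tag from $($found.MachineName) arrived in $Collector\$TargetLog at $($found.TimeCreated)"
} else {
    "FAIL: event $tag not seen in $Collector\$TargetLog within $TimeoutSec s; " +
    "check 'wecutil gr <subscription>' on the Collector and the WinRM service on this Source"
}
```

The check exercises the whole chain that the deck describes, from the Source's log through WinRM to the Collector log the WUC reads, so a FAIL localises a problem to WEF rather than to the SmartConnector; a version with /L SYSTEM and TargetLog = 'System' covers the System-log path in the same way.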

Session TB3044
Speaker: Steve Maxwell

Thank you
