Juniper Secure Analytics


Juniper Secure Analytics WinCollect User Guide Release 2014.4 Published: 2015-02-23

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics WinCollect User Guide. All rights reserved. The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation ... vii
  Documentation and Release Notes ... vii
  Documentation Conventions ... vii
  Documentation Feedback ... ix
  Requesting Technical Support ... x
    Self-Help Online Tools and Resources ... x
    Opening a Case with JTAC ... x

Part 1  WinCollect User Guide

Chapter 1  What is New in WinCollect 2014.4 ... 3
  New and Changed Features in WinCollect for Release 2014.4 ... 3
    WinCollect installation and update ... 3

Chapter 2  WinCollect Overview ... 5
  Understanding WinCollect Overview ... 5
    Distributed WinCollect Agent Installation Process ... 6

Chapter 3  Installation Prerequisites for WinCollect ... 9
  Prerequisites for WinCollect Installation ... 9
    Distribution Options for WinCollect Agents ... 9
    System Performance and Deployment Strategies ... 10
  Communication Between WinCollect Agents and JSA Event Collector ... 11
    WinCollect Agent Communication to JSA Console and Event Collectors ... 11
    WinCollect Agents Remotely Polling Windows Event Sources ... 11
  Hardware and Software Requirements for the WinCollect Host ... 12
  WinCollect Agent Installations and Events Per Second ... 13
  Prerequisites for Upgrading WinCollect Agents ... 14
    WinCollect and JSA Software Versions ... 14
    Checking the Installed Version of the WinCollect Agent ... 14
    Checking Minimum WinCollect Versions Before Upgrade Installations ... 14

Chapter 4  WinCollect Installations ... 17
  Installing the WinCollect Agent RPM on JSA Appliances ... 17
  Creating an Authentication Token for WinCollect Agents ... 18
  Installing the WinCollect Agent on a WinCollect Host ... 19
  Installing a WinCollect Agent from the Command Prompt ... 22
  Uninstalling a WinCollect Agent from the Command Prompt ... 24

Chapter 5  Configuring WinCollect Agents After Installation ... 27
  Manually Adding a WinCollect Agent ... 27
  Deleting a WinCollect Agent ... 29
  WinCollect Destinations ... 29
    Adding a Destination ... 30
    Deleting a Destination from WinCollect ... 30
    Scheduling Event Forwarding and Event Storage for WinCollect Agent ... 31
  Configuration Options for Systems with Restricted Policies for Domain Controller Credentials ... 32
    Local Installations with no Remote Polling ... 32
    Configuring Access to the Registry for Remote Polling ... 32
    Windows Event Subscriptions for WinCollect Agents ... 33

Chapter 6  WinCollect Configuration Console for Stand-alone Agents ... 35
  Installing a WinCollect Configuration Console ... 35
  Configuring the WinCollect Configuration Console ... 36

Chapter 7  Log Sources for WinCollect Agents ... 39
  Common WinCollect Log Source Parameters ... 39
  Adding a Log Source to a WinCollect Agent ... 42
  Microsoft DHCP Log Source Configuration Options ... 43
  Microsoft IAS Log Source Configuration Options ... 43
  Microsoft ISA Log Configuration Options ... 44
  Juniper Steel-Belted Radius Log Source Configuration Options ... 45
  File Forwarder Log Source Configuration Options ... 46
  Microsoft SQL Server Log Source Configuration Options ... 47
  NetApp Data ONTAP Configuration Options ... 49
  XPath Log Source Configuration Options ... 49
  XPath Queries ... 50
  Adding Multiple Log Sources ... 55

Chapter 8  XPath Queries ... 57
  Enabling Remote Log Management on Windows 7 ... 57
  Enabling Remote Log Management on Windows 2008 ... 58
  Enabling Remote Log Management on Windows 2008R2 ... 58
  Creating a Custom View ... 59
  XPath Log Source Configuration Options ... 60
  XPath Query Examples ... 61

Part 2  Index
  Index ... 67

List of Tables

About the Documentation ... vii
  Table 1: Notice Icons ... viii
  Table 2: Text and Syntax Conventions ... viii

Part 1  WinCollect User Guide

Chapter 3  Installation Prerequisites for WinCollect ... 9
  Table 3: Port Usage for WinCollect Remote Polling ... 11
  Table 4: Hardware Requirements for WinCollect ... 12
  Table 5: Software Requirements ... 13
  Table 6: EPS Rates in a Test Environment ... 13

Chapter 4  WinCollect Installations ... 17
  Table 7: Add Authorized Services parameters ... 19
  Table 8: WinCollect Installation Wizard Parameters ... 20
  Table 9: Silent Installation Options for WinCollect Agents ... 22
  Table 10: Log Source Creation Options ... 23

Chapter 5  Configuring WinCollect Agents After Installation ... 27
  Table 11: WinCollect Agent Parameters ... 28
  Table 12: Destination Parameters ... 30

Chapter 7  Log Sources for WinCollect Agents ... 39
  Table 13: Common WinCollect Log Source Parameters ... 40
  Table 14: Microsoft DHCP Protocol Parameters ... 43
  Table 15: Microsoft IAS Protocol Parameters ... 44
  Table 16: WinCollect Microsoft DHCP Protocol Parameters ... 44
  Table 17: WinCollect Juniper Steel-Belted Radius Protocol Parameters ... 46
  Table 18: File Forwarder Protocol Parameters ... 46
  Table 19: Microsoft SQL Server Protocol Parameters ... 48
  Table 20: WinCollect NetApp Data ONTAP Protocol Parameters ... 49
  Table 21: Microsoft SQL Server Protocol Parameters ... 50
  Table 22: Event IDs Used in Credential Logon Example ... 54
  Table 23: Event IDs Used in Database Example ... 54

Chapter 8  XPath Queries ... 57
  Table 24: Microsoft SQL Server Protocol Parameters ... 60
  Table 25: Event IDs Used in Credential Logon Example ... 62
  Table 26: Event IDs Used in Database Example ... 62


About the Documentation

  Documentation and Release Notes on page vii
  Documentation Conventions on page vii
  Documentation Feedback on page ix
  Requesting Technical Support on page x

Documentation and Release Notes

To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page viii defines notice icons used in this guide.

Table 1: Notice Icons

  Icon                Meaning / Description
  Informational note  Indicates important features or instructions.
  Caution             Indicates a situation that might result in loss of data or hardware damage.
  Warning             Alerts you to the risk of personal injury or death.
  Laser warning       Alerts you to the risk of personal injury from a laser.
  Tip                 Indicates helpful information.
  Best practice       Alerts you to a recommended use or implementation.

Table 2 on page viii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

  Bold text like this
    Represents text that you type.
    Example: To enter configuration mode, type the configure command:
      user@host> configure

  Fixed-width text like this
    Represents output that appears on the terminal screen.
    Example:
      user@host> show chassis alarms
      No alarms currently active

  Italic text like this
    Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
    Examples: A policy term is a named structure that defines match conditions and actions.
      Junos OS CLI User Guide
      RFC 1997, BGP Communities Attribute

  Italic text like this
    Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
      [edit]
      root@# set system domain-name domain-name

Table 2: Text and Syntax Conventions (continued)

  Text like this
    Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
      The console port is labeled CONSOLE.

  < > (angle brackets)
    Encloses optional keywords or variables.
    Example: stub <default-metric metric>;

  | (pipe symbol)
    Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples: broadcast | multicast
      (string1 | string2 | string3)

  # (pound sign)
    Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example: rsvp { # Required for dynamic MPLS only

  [ ] (square brackets)
    Encloses a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]

  Indention and braces ( { } )
    Identifies a level in the configuration hierarchy.

  ; (semicolon)
    Identifies a leaf statement at a configuration hierarchy level.
    Example:
      [edit]
      routing-options {
          static {
              route default {
                  nexthop address;
                  retain;
              }
          }
      }

GUI Conventions

  Bold text like this
    Represents graphical user interface (GUI) items you click or select.
    Examples: In the Logical Interfaces box, select All Interfaces.
      To cancel the configuration, click Cancel.

  > (bold right angle bracket)
    Separates levels in a hierarchy of menu selections.
    Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

  Online feedback rating system: On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.

  E-mail: Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

  JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
  Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.
  JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

  Find CSC offerings: http://www.juniper.net/customers/support/
  Find product documentation: http://www.juniper.net/techpubs/
  Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
  Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
  Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/infocenter/
  Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
  Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/serialnumberentitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

  Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
  Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1  WinCollect User Guide

This part contains the following chapters:

  What is New in WinCollect 2014.4 on page 3
  WinCollect Overview on page 5
  Installation Prerequisites for WinCollect on page 9
  WinCollect Installations on page 17
  Configuring WinCollect Agents After Installation on page 27
  WinCollect Configuration Console for Stand-alone Agents on page 35
  Log Sources for WinCollect Agents on page 39
  XPath Queries on page 57


CHAPTER 1  What is New in WinCollect 2014.4

  New and Changed Features in WinCollect for Release 2014.4 on page 3

New and Changed Features in WinCollect for Release 2014.4

WinCollect 2014.4 includes a simplified installation and upgrade procedure.

WinCollect installation and update

Before you upgrade WinCollect agents, ensure that your software meets the version requirements. For more information, see Prerequisites for WinCollect Installation on page 9.

Related Documentation
  Understanding WinCollect Overview on page 5
  Communication Between WinCollect Agents and JSA Event Collector on page 11
  WinCollect Agent Installations and Events Per Second on page 13


CHAPTER 2  WinCollect Overview

  Understanding WinCollect Overview on page 5

Understanding WinCollect Overview

WinCollect is an agent that collects Windows-based events from local or remote Windows-based systems and sends them to Juniper Secure Analytics (JSA). WinCollect collects events by running as a service on a Windows system. The WinCollect agent can also collect events from other Windows servers where the agent is not installed.

WinCollect is centrally managed from the JSA user interface. Each WinCollect agent that is deployed in your network can collect and forward events to the JSA console or an Event Collector by using syslog.

Figure 1 on page 5 shows two WinCollect agents, each communicating directly with the JSA console.

Figure 1: Deployment of Multiple WinCollect Agents that Communicate with the JSA Console

Figure 2 on page 6 shows three WinCollect agents. The agents collect events from Windows servers and then forward the events to an Event Collector. Two of the WinCollect agents forward events to the same Event Collector. The JSA console centrally manages the events from the Event Collectors.

Figure 2: Deployment of Multiple WinCollect Agents that Communicate with Multiple Event Collectors

Distributed WinCollect Agent Installation Process

You can configure multiple WinCollect agents to communicate with an Event Collector that then sends the data to your JSA console. To install a distributed WinCollect agent deployment:

  1. Install the WinCollect agent RPM on your JSA console.
  2. Create an authorization token for your WinCollect agents.
  3. Create destinations for WinCollect events in your deployment.
  4. Install the WinCollect agent on your WinCollect hosts and set the Configuration console as the IP of your Event Collector.
  5. Wait for JSA to automatically discover your WinCollect agents.

Open ports are required for data communication between WinCollect agents and the JSA host, and between WinCollect agents and the hosts that they remotely poll. For more information, see Communication Between WinCollect Agents and JSA Event Collector on page 11.

You can install the WinCollect agents on Windows-based hosts in your network. The WinCollect agent collects Windows-based events and sends them to your JSA console or JSA Event Collector. For more information, see Installing the WinCollect Agent on a WinCollect Host on page 19.

Related Documentation
  New and Changed Features in WinCollect for Release 2014.3 on page 3
  Prerequisites for WinCollect Installation on page 9
  Communication Between WinCollect Agents and JSA Event Collector on page 11


CHAPTER 3  Installation Prerequisites for WinCollect

  Prerequisites for WinCollect Installation on page 9
  Communication Between WinCollect Agents and JSA Event Collector on page 11
  Hardware and Software Requirements for the WinCollect Host on page 12
  WinCollect Agent Installations and Events Per Second on page 13
  Prerequisites for Upgrading WinCollect Agents on page 14

Prerequisites for WinCollect Installation

Before you can install WinCollect agents, you must verify that your deployment meets the installation requirements.

Distribution Options for WinCollect Agents

WinCollect agents can be distributed in a remote collection configuration or installed on the local host. Two collection methods are available: local and remote.

Local Collection

The WinCollect agent collects events only for the host on which it is installed. You can use this collection method on a Windows host that is busy or has limited resources, for example, domain controllers. Figure 3 on page 10 describes the local collection method for WinCollect agents.

Figure 3: Local Collection for WinCollect Agents

Remote Collection

The WinCollect agent is installed on a single host and collects events from multiple Windows systems. Use remote collection to easily scale the number of Windows log sources that you can monitor. Figure 4 on page 10 describes the remote collection method for WinCollect agents.

Figure 4: Remote Collection for WinCollect Agents

System Performance and Deployment Strategies

Use the following strategies to reduce the impact on system performance:

  To reduce the total number of agents, use remote collection, where one agent monitors many endpoints.
  If you update a group of WinCollect agents, do it during off-peak operating hours.
  Deploy and manage the WinCollect agents in groups of 100 and monitor system performance for issues.

Related Documentation
  New and Changed Features in WinCollect for Release 2014.3 on page 3
  Understanding WinCollect Overview on page 5
  Communication Between WinCollect Agents and JSA Event Collector on page 11

Communication Between WinCollect Agents and JSA Event Collector

Open ports are required for data communication between WinCollect agents and the Juniper Secure Analytics (JSA) host, and between WinCollect agents and the hosts that they remotely poll.

WinCollect Agent Communication to JSA Console and Event Collectors

All WinCollect agents communicate with the JSA console and Event Collectors to forward events to JSA and request updated information. You must ensure that firewalls between the JSA Event Collectors and your WinCollect agents allow traffic on the following ports:

  Port 8413: This port is required for managing the WinCollect agents. Port 8413 is used for features such as configuration updates. Traffic is always initiated from the WinCollect agent. This traffic is sent over TCP and communication is encrypted.
  Port 514: This port is used by the WinCollect agent to forward syslog events to JSA. You can configure WinCollect log sources to provide events by using TCP or UDP. You can decide which transmission protocol is required for each WinCollect log source. Port 514 traffic is always initiated from the WinCollect agent.

WinCollect Agents Remotely Polling Windows Event Sources

WinCollect agents that remotely poll other Windows operating systems for events have extra port requirements. Table 3 on page 11 describes the ports that are used when WinCollect agents remotely poll for Windows-based events.

Table 3: Port Usage for WinCollect Remote Polling

  Port  Protocol  Usage
  135   TCP       Microsoft Endpoint Mapper
  137   UDP       NetBIOS name service
  138   UDP       NetBIOS datagram service
  139   TCP       NetBIOS session service
  445   TCP       Microsoft Directory Services for file transfers that use Windows share
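As an added example (not part of the guide), the Python script below encodes the port requirements of this section, including the dynamic RPC range 1024-5000 that the guide notes for polled hosts other than Windows Vista, and checks a firewall allow-list against them for a constructed deployment. The rule syntax, the addresses and the function names are assumptions.

```python
"""Audit a firewall allow-list against the flows a WinCollect deployment needs.

Added example, not from the guide: rule syntax, sample addresses and function
names are constructed. Port numbers come from the guide: 8413 and 514 toward
JSA; toward remotely polled hosts the Table 3 ports (135, 137, 138, 139, 445)
plus, for hosts other than Windows Vista, the dynamic RPC range 1024-5000."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str        # WinCollect agent address (all traffic is agent-initiated)
    dst: str        # JSA console / Event Collector, or a remotely polled host
    proto: str      # "tcp" or "udp"
    low: int        # inclusive port range the flow needs
    high: int
    purpose: str


@dataclass(frozen=True)
class Rule:
    src: object     # ip_network, or None for "any"
    dst: object
    proto: str
    low: int
    high: int

    def covers(self, flow):
        """A rule covers a flow only if it spans the flow's whole port range."""
        in_src = self.src is None or ip_address(flow.src) in self.src
        in_dst = self.dst is None or ip_address(flow.dst) in self.dst
        return (in_src and in_dst and self.proto == flow.proto
                and self.low <= flow.low and flow.high <= self.high)


# Table 3 of the guide.
REMOTE_POLL_PORTS = [
    (135, "tcp", "Microsoft Endpoint Mapper"),
    (137, "udp", "NetBIOS name service"),
    (138, "udp", "NetBIOS datagram service"),
    (139, "tcp", "NetBIOS session service"),
    (445, "tcp", "Microsoft Directory Services (Windows share file transfers)"),
]
RPC_DYNAMIC_RANGE = (1024, 5000)   # may be needed for polled hosts other than Vista


def parse_rule(line):
    """Constructed syntax: 'allow <src|any> -> <dst|any> <tcp|udp> <port|lo-hi>'."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "allow" or parts[2] != "->":
        raise ValueError(f"bad rule: {line!r}")
    _, src, _, dst, proto, ports = parts
    lo, _, hi = ports.partition("-")

    def net(text):
        return None if text == "any" else ip_network(text, strict=False)

    return Rule(net(src), net(dst), proto.lower(), int(lo), int(hi or lo))


def required_flows(agents, collectors, syslog_proto="udp"):
    """agents: {agent_ip: [(polled_ip, is_vista), ...]}.
    collectors: JSA console / Event Collector addresses the agents report to.
    syslog_proto: transport chosen for the agent's log sources (TCP or UDP)."""
    flows = []
    for agent, polled in agents.items():
        for coll in collectors:
            flows.append(Flow(agent, coll, "tcp", 8413, 8413, "agent management (encrypted TCP)"))
            flows.append(Flow(agent, coll, syslog_proto, 514, 514, "syslog event forwarding"))
        for host, is_vista in polled:
            for port, proto, usage in REMOTE_POLL_PORTS:
                flows.append(Flow(agent, host, proto, port, port, usage))
            if not is_vista:
                lo, hi = RPC_DYNAMIC_RANGE
                flows.append(Flow(agent, host, "tcp", lo, hi, "dynamic RPC (non-Vista host)"))
    return flows


def missing_flows(flows, rules):
    """Return the required flows that no allow rule fully covers."""
    return [f for f in flows if not any(r.covers(f) for r in rules)]


# Constructed deployment: one agent, one collector, two polled hosts (one Vista).
SAMPLE_AGENTS = {"10.0.0.5": [("10.0.2.10", False), ("10.0.2.11", True)]}
SAMPLE_COLLECTORS = ["10.0.1.20"]
# Constructed allow-list: management and syslog are open, but the remote-polling
# rules forget the NetBIOS UDP ports and the dynamic RPC range.
SAMPLE_RULES = [
    "allow 10.0.0.5 -> 10.0.1.20 tcp 8413",
    "allow 10.0.0.5 -> 10.0.1.20 udp 514",
    "allow 10.0.0.0/24 -> 10.0.2.0/24 tcp 135-139",
    "allow 10.0.0.0/24 -> 10.0.2.0/24 tcp 445",
]


def audit(agents=SAMPLE_AGENTS, collectors=SAMPLE_COLLECTORS, rule_lines=SAMPLE_RULES):
    rules = [parse_rule(line) for line in rule_lines]
    return missing_flows(required_flows(agents, collectors), rules)


if __name__ == "__main__":
    for f in audit():
        ports = str(f.low) if f.low == f.high else f"{f.low}-{f.high}"
        print(f"MISSING {f.src} -> {f.dst} {f.proto}/{ports}: {f.purpose}")
```

Run against the constructed allow-list it reports five gaps: UDP 137 and 138 toward both polled hosts, and the TCP 1024-5000 range toward the non-Vista host.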

Collecting events by polling remote Windows systems uses dynamic RPC. To use dynamic RPC, you must allow inbound traffic on port 135 to the Windows system that WinCollect attempts to poll for events. Port 135 is used for Endpoint Mapping by Windows.

If you remotely poll any Windows operating system other than the Windows Vista operating system, you might need to allow ports in the range between port 1024 and port 5000. You can configure Windows to restrict the communication to specific ports for the older versions of Windows Firewall, for example Windows XP. For more information, see your Windows documentation.

Related Documentation
  New and Changed Features in WinCollect for Release 2014.3 on page 3
  Understanding WinCollect Overview on page 5
  Communication Between WinCollect Agents and JSA Event Collector on page 11

Hardware and Software Requirements for the WinCollect Host

Ensure that the Windows-based computer that hosts the WinCollect agent meets the minimum hardware and software requirements. Table 4 on page 12 describes the minimum hardware requirements.

Table 4: Hardware Requirements for WinCollect

  Requirement                    Description
  Memory                         8 GB (2 GB reserved for the WinCollect agent)
  Processing                     Intel Core 2 Duo processor, 2.0 GHz
  Disk space                     3 GB of available disk space for software and log files. 6 GB might be required if events are stored on a schedule.
  Available processor resources  20%

Table 5 on page 13 describes the supported software.

Table 5: Software Requirements

  Requirement                     Description
  Operating system                Windows Server 2003, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows 7, Windows Vista, Windows XP
  Required user role permissions  Administrator
  Distribution                    One WinCollect agent for each host. To tune your installation to improve the performance of a single WinCollect agent, contact Juniper Customer Support.

Related Documentation
  New and Changed Features in WinCollect for Release 2014.3 on page 3
  Understanding WinCollect Overview on page 5
  WinCollect Agent Installations and Events Per Second on page 13

WinCollect Agent Installations and Events Per Second

Before you install your WinCollect agents, it is important to understand the number of events that can be collected by a WinCollect agent. The events per second (EPS) rates in the following table represent a test network. This information can help you determine the number of WinCollect agents that you need to install on your network.

WinCollect supports default EPS rates and also supports tuning. Tuning can help you to improve the performance of a single WinCollect agent. You can tune local collection as part of the agent installation. Improving the performance of existing installations and remote collection must be done with the help of Juniper Customer Support. Exceeding these EPS rates without tuning can cause performance issues or event loss, especially on busy systems.

Table 6 on page 13 describes the default EPS rates in the test environment.

Table 6: EPS Rates in a Test Environment

  Installation Type   Tuning   EPS     Log Sources   Total Events Per Second (EPS)
  Local Collection    Default  250     1             250

WinCollect User Guide Table 6: EPS Rates in a Test Environment (continued) Installation Type Tuning EPS Log Sources Total Events Per Second (EPS) Local Collection Tuned 5000 1 5000 Remote Collection Default 5-10 500 2500 Remote Collection Tuned varies varies 2500+ Tuning an agent to increase the EPS rates for remote event collection depends on your network, the number of log sources that you assign to the agent, and the number of events that are generated by each log source. Related Documentation New and Changed Features in WinCollect for Release 2014.3 on page 3 Understanding WinCollect Overview on page 5 Hardware and Software Requirements for the WinCollect Host on page 12 Prerequisites for Upgrading WinCollect Agents Before you upgrade WinCollect agents, ensure that your software meets the version requirements. WinCollect and JSA Software Versions The version of the installed WinCollect depends on the version of Juniper Secure Analytics (JSA) that you are running. If you are running JSA 2013.2 or later, ensure that WinCollect agent 7.1.0-QRADAR-AGENT-WINCOLLECT-7.1-613263 is installed. If you are running 2014.1 or later, ensure that WinCollect agent 7.2.0-QRADAR-AGENT-WINCOLLECT-7.2-613265 is installed. Checking the Installed Version of the WinCollect Agent You can check the version of the installed WinCollect agent by using one of the following methods: In JSA, select Help > About Select the Additional Release Information link. You can also use ssh to log in to the JSA console, and run the following command: rpm -qa grep -i AGENT-WINCOLLECT Checking Minimum WinCollect Versions Before Upgrade Installations Before you install the new WinCollect agent, open the WinCollect pane in the Admin tab, and ensure that all WinCollect agents are listed as version 2013.2. 14

If you installed AGENT-WINCOLLECT-7.1-613263 or AGENT-WINCOLLECT-7.2-613265, but one or more agents are still listed as version 2013.1, wait for the 2013.2 update to be replicated to the agents. The time that you wait depends on the value that you previously configured for the Configuration Poll Interval in the WinCollect Agent Configuration pane.

Related Documentation
- New and Changed Features in WinCollect for Release 2014.3 on page 3
- Understanding WinCollect Overview on page 5
- Hardware and Software Requirements for the WinCollect Host on page 12


CHAPTER 4
WinCollect Installations

To install WinCollect, you must download and install a WinCollect agent RPM, create an authentication token, and then install a WinCollect agent. Install the WinCollect agent on each Windows-based host from which you want to collect events, or on the host that you want to use for remote collection.

First-time installations require that you install both the WinCollect agent RPM and the WinCollect agent program (.exe). Upgrades require that you install only the WinCollect agent RPM. If automatic updates are enabled, the WinCollect agent RPM sends updates to all of the WinCollect agents.

- Installing the WinCollect Agent RPM on JSA Appliances on page 17
- Creating an Authentication Token for WinCollect Agents on page 18
- Installing the WinCollect Agent on a WinCollect Host on page 19
- Installing a WinCollect Agent from the Command Prompt on page 22
- Uninstalling a WinCollect Agent from the Command Prompt on page 24

Installing the WinCollect Agent RPM on JSA Appliances

To use the Juniper Secure Analytics (JSA) user interface to manage a distributed deployment of WinCollect agents, you must install the WinCollect agent RPM on your JSA console. This RPM includes the protocol that is required for communication between the JSA system and the managed WinCollect hosts.

To install the WinCollect agent RPM on JSA appliances:

1. Download the WinCollect agent RPM file from the Juniper Customer Support website (www.juniper.net/support/).
2. Copy the installation file to your JSA system.
3. Log in to JSA as the root user.
4. For initial installations, create the /media/patch directory. Type the following command:
   mkdir /media/patch
5. To mount the installation file, type the following command:
   mount -t squashfs -o loop Installer_file_name.sfs /media/patch
   Example:
   mount -t squashfs -o loop 720_QRadar_wincollectupdate-7.2.0.xxx.sfs /media/patch
6. To change to the /media/patch directory, type the following command:
   cd /media/patch
7. To install WinCollect, type the following command and then follow the prompts:
   ./installer
8. Optional: If you are performing a WinCollect upgrade, push the upgrade to the managed WinCollect agent hosts. Complete the following steps:
   a. Log in to JSA.
   b. On the navigation menu, click Data Sources.
   c. Click the WinCollect icon.
   d. Click Agents.
   e. Select the WinCollect agent that you want to update in your deployment.
   f. If automatic updates are disabled for the agent, click Enable/Disable Automatic Updates.

Results
WinCollect agents that are enabled for automatic updates are updated and restarted. The amount of time it takes an agent to update depends on the configuration polling interval for the WinCollect agent.

Install the WinCollect agent on each Windows host from which you want to collect events in your network. The WinCollect agent can be configured to collect events from the local host, from a remote server, or both. For more information, see Installing the WinCollect Agent on a WinCollect Host on page 19.

For non-interactive installations, you can install the WinCollect agent from the command prompt. Use silent installations to deploy WinCollect agents simultaneously to multiple remote systems, for example by using third-party deployment products, remote installations, or batch installations. For more information, see Installing a WinCollect Agent from the Command Prompt on page 22.

Related Documentation
- New and Changed Features in WinCollect for Release 2014.3 on page 3
- Understanding WinCollect Overview on page 5
- Hardware and Software Requirements for the WinCollect Host on page 12

Creating an Authentication Token for WinCollect Agents

Third-party or external applications that interact with Juniper Secure Analytics (JSA) require an authentication token. Before you install WinCollect agents in your network, you must create an authentication token. This authentication token is required for every WinCollect agent that you install. The authentication token allows WinCollect agents to exchange data with JSA appliances. Create one authentication token for all of your WinCollect agents that communicate events with your JSA host. If the authentication token expires, the WinCollect agent cannot receive log source configuration changes.

Procedure
1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the Authorized Services icon.
4. Click Add Authorized Service.
5. In the Manage Authorized Services window, configure the parameters as described in Table 7 on page 19.
6. Click Create Service.
7. Record the token value.

Table 7: Add Authorized Services Parameters
Parameter | Description
Service Name | The name can be up to 255 characters in length, for example, WinCollect Agent.
User Role | Administrators can create a user role or assign a default user role to the authorization token. For most configurations, the All user role can be selected. NOTE: The admin user role provides more privileges than necessary, which can create a security concern.

Installing the WinCollect Agent on a WinCollect Host

You can install WinCollect agents on Windows-based hosts in your network. The WinCollect agent collects Windows-based events and sends them to your Juniper Secure Analytics (JSA) console or JSA Event Collector.

Before you begin
When you install the WinCollect agent on a WinCollect host, you can configure the agent to automatically create a log source in JSA. The log source is created when the agent first registers with JSA, and it collects the configured Windows event log types from the Windows server where the agent is installed. This feature eliminates the need to set up a local log source for each installed agent. Your JSA system must be updated to 2014.1.r1.734536 or later.

Ensure that the following conditions are met:
- You created an authentication token for the WinCollect agent. For more information, see Creating an Authentication Token for WinCollect Agents on page 18.
- Your system meets the hardware and software requirements. For more information, see Hardware and Software Requirements for the WinCollect Host on page 12.
- The required ports are available for WinCollect agents to communicate with JSA Event Collectors. For more information, see Communication Between WinCollect Agents and JSA Event Collector on page 11.
- If you want to automatically create a log source for this agent, you must know the name of the destination to which you want to send your Windows log source data.

During the installation, you can configure JSA to automatically create a log source for the WinCollect agent host. You must configure a forwarding destination host for the log source data. For more information, see Adding a Destination on page 30. The WinCollect agent sends the Windows event logs to the configured destination, which can be the console or an Event Collector. To configure automatic log source creation, your JSA system must be updated to JSA 2014.1.r1.734536 or later.

Procedure
To install the WinCollect agent on a WinCollect host:
1. Download the WinCollect agent setup file from the Juniper Customer Support website (www.juniper.net/support/).
   NOTE: If the Services window is open on the Windows host, close it. If the Services window is open, the WinCollect agent installation will fail.
2. Right-click the WinCollect agent installation file and select Run as administrator.
3. Follow the prompts in the installation wizard. Table 8 on page 20 describes the prompts in the installation wizard.

Table 8: WinCollect Installation Wizard Parameters
Parameter | Description
Host Identifier | Required. You must use a unique identifier for each WinCollect agent that you install. The name that you type in this field is displayed in the WinCollect agent list of the JSA console.
Authentication Token | Required. The authentication token that you created in JSA, for example, af111ff6-4f30-11eb-11fb-1fc117711111.
Configuration console (host and port) | Required for all installations except standalone mode; leave blank for standalone mode installations. The IP address or host name of your JSA console, for example, 100.10.10.1 or myhost. This parameter can point to the JSA console or to an Event Collector. To use an Event Collector as your Configuration console, your JSA system must be updated to 2014.1.r2.794843 or later.
Enable Automatic Log Source Creation | If this check box is selected, you must provide information about the log source and the target destination.
Log Source Name | The name can be up to 255 characters in length.
Log Source Identifier | Required if the Enable Automatic Log Source Creation check box is selected. Identifies the remote device that the WinCollect agent polls.
StatusServer | The address of the machine to which the status events are sent. If no value is provided, the Configuration Server is used. If both values are empty, no status messages are sent.
Event Logs | The Windows event logs that you want the log source to collect and send to JSA.
Target Destination | Required if Automatic Log Source Creation is enabled. The WinCollect destination must be configured in JSA before you continue entering information in the installation wizard.
Machine poll interval (msec) | The number of milliseconds between queries to the Windows host. Use a polling interval of 3500 when the WinCollect agent collects events from computers that have a low event per second rate, for example, collecting from 50 remote computers that provide 20 events per second or less. Use a polling interval of 1000 when the WinCollect agent collects events from a few remote computers that have a high event per second rate, for example, collecting from 10 remote computers that provide 100 events per second or less. The minimum polling interval is 100 milliseconds (0.1 seconds). The default is 3000 milliseconds (3 seconds).
Minimum number of logs to process per pass | Contact Juniper Customer Support before you change this value.
Maximum number of logs to process per pass | Contact Juniper Customer Support before you change this value.

If you delete your WinCollect agent, you can manually add it back. To reconnect to an existing WinCollect agent, the host name must exactly match the host name that you used before you deleted the agent. For more information, see Manually Adding a WinCollect Agent on page 27.

Related Documentation
- Understanding WinCollect Overview on page 5
- Hardware and Software Requirements for the WinCollect Host on page 12

- Installing the WinCollect Agent RPM on JSA Appliances on page 17

Installing a WinCollect Agent from the Command Prompt

For non-interactive installations, you can install the WinCollect agent from the command prompt. Use silent installations to deploy WinCollect agents simultaneously to multiple remote systems, for example by using third-party deployment products, remote installations, or batch installations.

About this task
Table 9 on page 22 describes the WinCollect installer command options.

Table 9: Silent Installation Options for WinCollect Agents
Option | Description
/qn | Runs the WinCollect agent installation in silent mode.
INSTALLDIR | The name of the installation directory cannot contain spaces. Use quotation marks (") to enclose the directory, for example, INSTALLDIR="C:\IBM\WinCollect\".
AUTHTOKEN=token | Authorizes the WinCollect service, for example, AUTHTOKEN=af111ff6-4f30-11eb-11fb-1fc117711111.
HOSTNAME=host_name | The IP address or host name of the WinCollect agent host. The value cannot contain the "at" sign (@).
FULLCONSOLEADDRESS=host_address | The IP address or host name of your JSA console or Event Collector, for example, FULLCONSOLEADDRESS=100.10.10.1. Your JSA system must be updated to 2014.1.r2.794843 or later.
LOG_SOURCE_AUTO_CREATION_ENABLED | If you enable this option, you must configure the log source parameters. Requires that your JSA system is updated to 2014.1.r1.734536 or later.
STATUSSERVER | Optional. Specifies the server to which status messages from the agent are sent. Examples: STATUSSERVER="100.10.10.255" or STATUSSERVER="%COMPUTERNAME%".
LOG_SOURCE_AUTO_CREATION_PARAMETERS | Ensure that each parameter uses the format Parameter_Name=value. Separate the parameters with ampersands (&). Your JSA system must be updated to 2014.1.r1.734536 or later.

Table 10 on page 23 describes the log source creation options.

Table 10: Log Source Creation Options
Option | Description
Component1.AgentDevice | Required. Must be DeviceWindowsLog.
Component1.Action | Required. Must be create.
Component1.LogSourceName | Not required. The name of the log source that is created. The default is WindowsAuthServer @<LogSourceIdentifier>.
Component1.LogSourceIdentifier | Required. Must be the IP address or host name of the system on which the agent is installed.
Component1.Destination.Name | Required if Component1.Destination.Id is not set.
Component1.CoalesceEvents | Not required. True or False. For more information, see the Log Sources User Guide.
Component1.StoreEventPayload | Not required. True or False. For more information, see the Log Sources User Guide.
Component1.Encoding | Not required. The default character encoding is UTF-8.
Component1.Log.Application | Required.
Component1.Log.Security | Required.
Component1.Log.System | Required.
Component1.Log.DNS+Server | Required.
Component1.Log.Directory+Service | Required.
Component1.Log.File+Replication+Service | Required.

Procedure
To install a WinCollect agent from the command prompt:
1. Download the WinCollect agent setup file from the Juniper Customer Support website (www.juniper.net/support/).
2. From the desktop, select Start > Run, type cmd, and click OK.
3. Ensure that the Services window is closed on the Windows host; otherwise, the WinCollect agent installation will fail.
4. Type the following command:
   AGENT-WinCollect-7.2.0.<build>-setup.exe /s /v"/qn INSTALLDIR="<installation_directory>" AUTHTOKEN=<token> FULLCONSOLEADDRESS=<host_address> HOSTNAME=<hostname> LOG_SOURCE_AUTO_CREATION_ENABLED=<true|false> LOG_SOURCE_AUTO_CREATION_PARAMETERS=<parameters>"
   The following example shows an installation where the log source is automatically created:
   AGENT-WinCollect-<version>-setup.exe /s /v"/qn INSTALLDIR="C:\IBM\WinCollect" AUTHTOKEN=eb59386c-e098-49b8-ba40-6fb46bfe7d1 FULLCONSOLEADDRESS=100.10.10.1:8413 HOSTNAME=my_host LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=LSN2&Component1.LogSourceIdentifier=100.10.12.1&Component1.Destination.Name=Dest1&Component1.CoalesceEvents=True&Component1.StoreEventPayload=True&Component1.Encoding=UTF-8&Component1.Log.Application=True&Component1.Log.Security=True&Component1.Log.System=True&Component1.Log.DNS+Server=False&Component1.Log.Directory+Service=False&Component1.Log.File+Replication+Service=False"""
   The following example shows an installation where automatic log source creation is not used:
   AGENT-WinCollect-<version>-setup.exe /s /v"/qn INSTALLDIR="C:\IBM\WinCollect" AUTHTOKEN=eb59386c-e098-49b8-ba40-6fb46bfe7d1 FULLCONSOLEADDRESS=100.10.10.1 HOSTNAME=my_host"
5. Press Enter.

If you delete your WinCollect agent, you can manually add it back. To reconnect to an existing WinCollect agent, the host name must exactly match the host name that you used before you deleted the agent. For more information, see Manually Adding a WinCollect Agent on page 27.

Related Documentation
- Understanding WinCollect Overview on page 5
- Hardware and Software Requirements for the WinCollect Host on page 12
- Installing the WinCollect Agent on a WinCollect Host on page 19

Uninstalling a WinCollect Agent from the Command Prompt

You can uninstall the WinCollect agent from the command prompt.

Procedure
To uninstall a WinCollect agent from the command prompt:
1. From the desktop, select Start > Run, type cmd, and click OK.
   NOTE: You need to run the command prompt as an administrative user.
2. Type the following command:
   msiexec /x{1e933549-2407-4a06-8ec5-83313513ae4b} /norestart /qn
3. Press Enter.

Related Documentation
- Understanding WinCollect Overview on page 5
- Hardware and Software Requirements for the WinCollect Host on page 12
- Installing the WinCollect Agent on a WinCollect Host on page 19
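The silent installation command described in Installing a WinCollect Agent from the Command Prompt is easy to get wrong by hand, because the Component1 string is a single & separated value nested inside the /v"..." argument. The following Python script is an added example, not Juniper's code: it assembles that command line from the options in Tables 9 and 10 while enforcing the constraints the guide states (no spaces in INSTALLDIR, no @ in HOSTNAME, every required Component1.Log key present, no & or = inside a value), and the token, addresses and names it uses are constructed placeholders.

```python
"""Build a WinCollect silent-install command line from the options in
Tables 9 and 10, enforcing the constraints the guide states for them.
Added example, not Juniper's code; all values passed in are constructed."""

# Event-log keys from Table 10; every one of them is listed as required.
REQUIRED_LOGS = (
    "Application", "Security", "System",
    "DNS+Server", "Directory+Service", "File+Replication+Service",
)


def build_log_source_params(identifier, destination_name, logs,
                            log_source_name=None, coalesce=True,
                            store_payload=True, encoding="UTF-8"):
    """Return the '&'-separated Component1.* string for
    LOG_SOURCE_AUTO_CREATION_PARAMETERS.

    `logs` maps each Table 10 event-log name to True/False; a missing
    required key is an error rather than a silently dropped log."""
    missing = [name for name in REQUIRED_LOGS if name not in logs]
    if missing:
        raise ValueError("missing required event logs: " + ", ".join(missing))
    parts = [("Component1.AgentDevice", "DeviceWindowsLog"),
             ("Component1.Action", "create")]
    if log_source_name:  # optional; JSA defaults to WindowsAuthServer @<id>
        parts.append(("Component1.LogSourceName", log_source_name))
    parts += [("Component1.LogSourceIdentifier", identifier),
              ("Component1.Destination.Name", destination_name),
              ("Component1.CoalesceEvents", str(coalesce)),
              ("Component1.StoreEventPayload", str(store_payload)),
              ("Component1.Encoding", encoding)]
    parts += [(f"Component1.Log.{name}", str(bool(logs[name])))
              for name in REQUIRED_LOGS]
    for key, value in parts:
        # '&' and '=' are the separators; a value containing them would be
        # split into bogus extra parameters, and '"' would end the string.
        if "&" in value or "=" in value or '"' in value:
            raise ValueError(f"illegal character in value for {key}")
    return "&".join(f"{key}={value}" for key, value in parts)


def build_install_command(setup_exe, install_dir, auth_token,
                          console_address, hostname,
                          log_source_params=None, status_server=None):
    """Assemble the setup.exe /s /v"..." command line.

    Quoting follows the example in the guide: INSTALLDIR is wrapped in
    quotation marks and the Component1 string in doubled quotation marks."""
    if " " in install_dir:
        raise ValueError("INSTALLDIR cannot contain spaces")
    if "@" in hostname:
        raise ValueError("HOSTNAME cannot contain the @ sign")
    if not auth_token or any(c.isspace() for c in auth_token):
        raise ValueError("AUTHTOKEN must be a single unbroken value")
    msi_args = [
        "/qn",
        f'INSTALLDIR="{install_dir}"',
        f"AUTHTOKEN={auth_token}",
        f"FULLCONSOLEADDRESS={console_address}",
        f"HOSTNAME={hostname}",
    ]
    if status_server:
        msi_args.append(f'STATUSSERVER="{status_server}"')
    if log_source_params:
        msi_args.append("LOG_SOURCE_AUTO_CREATION_ENABLED=True")
        msi_args.append(
            f'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{log_source_params}""')
    return f'{setup_exe} /s /v"{" ".join(msi_args)}"'


if __name__ == "__main__":
    # Constructed values mirroring the guide's example (not a real token).
    params = build_log_source_params(
        "100.10.12.1", "Dest1",
        {"Application": True, "Security": True, "System": True,
         "DNS+Server": False, "Directory+Service": False,
         "File+Replication+Service": False},
        log_source_name="LSN2")
    print(build_install_command(
        "AGENT-WinCollect-7.2.0.0-setup.exe", r"C:\IBM\WinCollect",
        "eb59386c-e098-49b8-ba40-6fb46bfe7d1", "100.10.10.1:8413",
        "my_host", params))
```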


CHAPTER 5
Configuring WinCollect Agents After Installation

After you install a WinCollect deployment, you manage it by using the Juniper Secure Analytics (JSA) console. You can manage your WinCollect agents, destinations, and schedules. You can also manage configuration options for systems with restricted policies.

The WinCollect agent is responsible for communicating with the individual log sources, parsing events, and forwarding the event information to JSA by using syslog. After you install the WinCollect agent on your Windows host, wait for JSA to automatically discover the WinCollect agent. The automatic discovery process typically takes a few minutes to complete.

NOTE: The registration request to the JSA host might be blocked by firewalls in your network.

- Manually Adding a WinCollect Agent on page 27
- Deleting a WinCollect Agent on page 29
- WinCollect Destinations on page 29
- Configuration Options for Systems with Restricted Policies for Domain Controller Credentials on page 32

Manually Adding a WinCollect Agent

If you delete your WinCollect agent, you can manually add it back. To reconnect to an existing WinCollect agent, the host name must exactly match the host name that you used before you deleted the agent.

When you delete a WinCollect agent, the Juniper Secure Analytics (JSA) console removes the agent from the agent list and disables all of the log sources that are managed by the deleted WinCollect agent. WinCollect agents that were previously automatically discovered are not rediscovered. To add a deleted WinCollect agent back to the agent list in JSA, you must add the deleted agent manually. For example, you delete a WinCollect agent that has the host identifier VMRack1, reinstall the agent, and use the same host identifier, VMRack1. JSA does not automatically rediscover that WinCollect agent.

To add a WinCollect agent manually:
1. Click the Admin tab.
2. On the navigation menu, click Data Sources.
3. Click Agents.
4. Click Add.
5. Configure the parameters. Table 11 on page 28 describes the WinCollect agent parameters.
6. Click Save.
7. On the Admin tab, click Deploy Changes.
The WinCollect agent is added to the agent list.

Table 11: WinCollect Agent Parameters
Parameter | Description
Description | Optional. If you specified an IP address as the name of the WinCollect agent, add descriptive text to identify the WinCollect agent or the log sources that the WinCollect agent is managing.
Automatic Updates Enabled | Controls whether configuration updates are sent to the WinCollect agent.
Heart Beat Interval | Defines how often the WinCollect agent communicates its status to the JSA console. The interval ranges from 0 seconds (Off) to 20 minutes.
Configuration Poll Interval | Defines how often the WinCollect agent polls the JSA console for updated log source configuration information or agent software updates. The interval ranges from 0 minutes (Off) to 20 minutes.
Disk Cache Capacity (MB) | Used to buffer events to disk when your event rate exceeds the event throttle or when the WinCollect agent is disconnected from the console. 6 GB might be required when events are stored on a schedule.
Disk Cache Root Directory | The directory where the WinCollect agent stores cached WinCollect events.

When you delete a WinCollect agent, the JSA console removes the agent from the agent list and disables all of the log sources that are managed by the deleted WinCollect agent. For more information, see Deleting a WinCollect Agent on page 29.

Related Documentation
- Hardware and Software Requirements for the WinCollect Host on page 12
- Installing the WinCollect Agent on a WinCollect Host on page 19
- Installing a WinCollect Agent from the Command Prompt on page 22

Deleting a WinCollect Agent

When you delete a WinCollect agent, the Juniper Secure Analytics (JSA) console removes the agent from the agent list and disables all of the log sources that are managed by the deleted WinCollect agent.

To delete a WinCollect agent:
1. Click the Admin tab.
2. On the navigation menu, click Data Sources.
3. Click the WinCollect icon.
4. Select the agents that you want to delete and click Delete.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

TIP: To delete multiple WinCollect agents, press Ctrl to select multiple agents, and then click Delete.

Related tasks: If you delete your WinCollect agent, you can manually add it back. To reconnect to an existing WinCollect agent, the host name must exactly match the host name that you used before you deleted the agent. For more information, see Manually Adding a WinCollect Agent on page 27.

Related Documentation
- Hardware and Software Requirements for the WinCollect Host on page 12
- Installing the WinCollect Agent on a WinCollect Host on page 19
- Manually Adding a WinCollect Agent on page 27

WinCollect Destinations

WinCollect destinations define the parameters for how the WinCollect agent forwards events to the Event Collector or Juniper Secure Analytics (JSA) console.

- Adding a Destination on page 30
- Deleting a Destination from WinCollect on page 30
- Scheduling Event Forwarding and Event Storage for WinCollect Agent on page 31