McAfee Enterprise Security Manager. Data Source Configuration Guide. Data Source: Microsoft Windows Event Log - WMI.


McAfee Enterprise Security Manager Data Source Configuration Guide. Data Source: Microsoft Windows Event Log - WMI. January 14, 2016

Important Note: The information contained in this document is confidential and proprietary. Please do not redistribute without permission.

Table of Contents

1. Introduction
2. Prerequisites
3. Specific Data Source Configuration Details
3.1. Windows Configuration - WMI
3.2. McAfee Receiver Configuration
4. Data Source Event to McAfee Field Mappings
4.1. Log Format
4.2. Log Sample
5. Appendix A - Troubleshooting

1. Introduction

This guide details how to configure the Receiver and SIEM Collector to collect event logs through Windows Management Instrumentation (WMI) from machines running the Microsoft Windows operating system.

2. Prerequisites

- McAfee Enterprise Security Manager version 9.3.2 and above for Microsoft Windows 8.1, Server 2012 R2 and above.
- McAfee Enterprise Security Manager version 9.2.1 and above for Microsoft Windows XP, Server 2003 and above.
- Administrative privileges on the Windows device.

3. Specific Data Source Configuration Details

3.1. Windows Configuration - WMI

Used to pull events directly using the Receiver.

1. For Windows XP, Server 2003 and above, create a user account added to the Administrators group.
2. For Windows 8.1 and Server 2012 R2, use the Administrator user account, or create a user account added to the Administrators, Distributed COM Users, and Event Log Readers groups. If using the latter option you must configure the data source to use RPC.

3.2. McAfee Receiver Configuration

After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.

1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select Data Sources.
4. Select Add Data Source.

OR

1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the Add Data Source icon.

Data Source Screen Settings (WMI)

1. Use System Profiles: System Profiles are a way to reuse settings that are repetitive in nature, without having to enter the information each time.
2. Data Source Vendor: Microsoft (set by default if using profile)
3. Data Source Model: Windows Event Log WMI (set by default if using profile)
4. Data Format: Default
5. Data Retrieval: Default
6. Name: User-defined name of the data source
7. IP Address: The IP address associated with the data source device
8. NetBIOS Name: The NetBIOS name (hostname) associated with the data source device
9. Username: The username of the account being connected to on the data source device
10. Password: The password of the account being connected to on the data source device
11. Event Logs: The names of the Windows event logs to be collected
12. Interval: How long the Receiver will wait before checking for new data
13. Use RPC: Whether or not to use Remote Procedure Calls (RPC) to connect to the data source device
14. Connect: Tests the connection to the data source device

4. Data Source Event to McAfee Field Mappings

4.1. Log Format

The expected format for this device is as follows:

<dsip>(%s) <Log File>(%s) <Record Number>(%u) <Source Name>(%s) <Event ID>(%d) <Windows Version>(%d) <Time Generated>(%u) <Event Type>(%u) <Computer Name>(%s) <User>(%s) <Category>(%s) <Number of Insertion Strings>(%d) <Insertion Strings>(%s) <Message>(%s)

4.2. Log Sample

This is a sample log from a WMI data source:

10.33.146.158 System 164812 NtServicePack 4377 52 1387354608 3 MYOFFICEPC MYDOMAIN\MyUserName 2 Windows Server 2003 KB2892076 Windows Server 2003 Hotfix KB2892076 was installed.

5. Appendix A - Troubleshooting

If a data source is not receiving events:

- Verify that the data source settings have been written out and that policy has been rolled out to the Receiver.
- Verify credentials and test the connection to the data source.
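The record layout in section 4.1 has one subtlety worth seeing in code: the Number of Insertion Strings field governs how many of the fields that follow belong to the insertion strings, and only then does the rendered Message begin. The parser below is an added example, not McAfee code and not the Receiver's own parser. It assumes the fourteen fields are tab-separated (the section 4.2 sample lost its separators in extraction, so the record embedded here is a constructed one that mirrors that sample, with the Category field left empty so that the "2" is read as the insertion-string count). The decoding of the Windows Version field as major*10+minor (52 = NT 5.2, Server 2003) is likewise an assumption drawn from the sample, and the Event Type names come from the Win32_NTLogEvent EventType codes rather than from this guide.

```python
"""Parse records in the Receiver's WMI event-log format described in section 4.1.

Added example, not McAfee code. ASSUMPTION: fields are tab-separated; the
section 4.2 sample lost its separators in extraction, so SAMPLE_RECORD below
is a constructed record that mirrors it, with Category left empty so that the
"2" is the Number of Insertion Strings.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

SEP = "\t"  # assumed field separator (see module docstring)

# Win32_NTLogEvent EventType codes, used to name the Event Type field.
EVENT_TYPES = {1: "Error", 2: "Warning", 3: "Information",
               4: "Audit Success", 5: "Audit Failure"}

# Constructed sample record, mirroring section 4.2 of the guide.
SAMPLE_RECORD = SEP.join([
    "10.33.146.158", "System", "164812", "NtServicePack", "4377", "52",
    "1387354608", "3", "MYOFFICEPC", "MYDOMAIN\\MyUserName",
    "",                                       # Category (empty in the sample)
    "2", "Windows Server 2003", "KB2892076",  # count, then that many insertion strings
    "Windows Server 2003 Hotfix KB2892076 was installed.",
])

FIXED_FIELDS = 12  # dsip .. Number of Insertion Strings


@dataclass
class WmiEvent:
    dsip: str
    log_file: str
    record_number: int
    source_name: str
    event_id: int
    windows_version: int
    time_generated: int
    event_type: int
    computer_name: str
    user: str
    category: str
    insertion_strings: List[str]
    message: str

    @property
    def event_type_name(self) -> str:
        return EVENT_TYPES.get(self.event_type, f"Unknown({self.event_type})")

    @property
    def generated_utc(self) -> datetime:
        # Time Generated is a Unix epoch in seconds (the sample's value is 2013-12-18).
        return datetime.fromtimestamp(self.time_generated, tz=timezone.utc)

    @property
    def windows_version_tuple(self) -> Tuple[int, int]:
        # ASSUMPTION: the field packs major*10+minor, so 52 -> (5, 2), i.e. NT 5.2
        # (Server 2003), which agrees with the sample's message text.
        return divmod(self.windows_version, 10)


def parse_wmi_record(record: str) -> WmiEvent:
    """Split one record into typed fields, honouring the insertion-string count."""
    parts = record.rstrip("\r\n").split(SEP)
    if len(parts) < FIXED_FIELDS + 1:
        raise ValueError(f"expected at least {FIXED_FIELDS + 1} fields, got {len(parts)}")
    fixed, rest = parts[:FIXED_FIELDS], parts[FIXED_FIELDS:]
    count = int(fixed[11])
    if count < 0 or len(rest) < count + 1:
        raise ValueError(f"record declares {count} insertion strings but only "
                         f"{max(len(rest) - 1, 0)} precede the message")
    # Message is the final field; anything past the insertion strings is re-joined
    # in case a message body itself contained the separator.
    return WmiEvent(
        dsip=fixed[0], log_file=fixed[1], record_number=int(fixed[2]),
        source_name=fixed[3], event_id=int(fixed[4]), windows_version=int(fixed[5]),
        time_generated=int(fixed[6]), event_type=int(fixed[7]),
        computer_name=fixed[8], user=fixed[9], category=fixed[10],
        insertion_strings=rest[:count], message=SEP.join(rest[count:]),
    )


def is_well_formed(record: str) -> bool:
    """True when the record parses; malformed input is reported rather than mis-mapped."""
    try:
        parse_wmi_record(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ev = parse_wmi_record(SAMPLE_RECORD)
    print(f"{ev.generated_utc:%Y-%m-%d %H:%M:%S}Z {ev.computer_name} {ev.source_name} "
          f"EventID={ev.event_id} ({ev.event_type_name}) user={ev.user}")
    print("insertion strings:", ev.insertion_strings)
    print("message:", ev.message)
```

A record whose declared insertion-string count exceeds the fields actually present is rejected instead of being mapped with the wrong field boundaries; when validating a data source in Appendix A, a parse failure of this kind on otherwise-arriving events points at a format or delimiter mismatch rather than at credentials or connectivity.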