McAfee Enterprise Security Manager Data Source Configuration Guide
Data Source: Microsoft Windows Event Log - WMI
January 14, 2016
Microsoft Windows Event Log - WMI Page 1 of 6
Important Note: The information contained in this document is confidential and proprietary. Please do not redistribute without permission.
Table of Contents
1. Introduction 4
2. Prerequisites 4
3. Specific Data Source Configuration Details 5
3.1. Windows Configuration - WMI 5
3.2. McAfee Receiver Configuration 5
4. Data Source Event to McAfee Field Mappings 6
4.1. Log Format 6
4.2. Log Sample 6
5. Appendix A - Troubleshooting 6
1. Introduction

This guide details how to configure the Receiver and SIEM Collector to collect event logs through Windows Management Instrumentation (WMI) from machines running the Microsoft Windows operating system.

2. Prerequisites

- McAfee Enterprise Security Manager version 9.3.2 and above for Windows 8.1, Server 2012 R2 and above.
- McAfee Enterprise Security Manager version 9.2.1 and above for Windows XP, Server 2003 and above.
- Administrative privileges on the Windows device.
3. Specific Data Source Configuration Details

3.1. Windows Configuration - WMI

Used to pull events directly using the Receiver.

1. For Windows XP, Server 2003 and above, create a user account and add it to the Administrators group.
2. For Windows 8.1 and Server 2012 R2, use the Administrator user account, or create a user account and add it to the Administrators, Distributed COM Users, and Event Log Readers groups. If using the latter option, you must configure the data source to use RPC.

3.2. McAfee Receiver Configuration

After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.

1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select Data Sources.
4. Select Add Data Source.

OR

1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the Add Data Source icon.

Data Source Screen Settings - WMI

1. Use System Profiles: System Profiles are a way to reuse settings that are repetitive in nature without having to enter the information each time.
2. Data Source Vendor: Microsoft (set by default if using a profile)
3. Data Source Model: Windows Event Log WMI (set by default if using a profile)
4. Data Format: Default
5. Data Retrieval: Default
6. Name: User-defined name of the data source
7. IP Address: The IP address associated with the data source device
8. NetBIOS Name: The NetBIOS name (hostname) associated with the data source device
9. Username: The username of the account being connected to on the data source device
10. Password: The password of the account being connected to on the data source device
11. Event Logs: The names of the Windows event logs to be collected
12. Interval: How long the Receiver will wait before checking for new data
13. Use RPC: Whether or not to use Remote Procedure Calls (RPC) to connect to the data source device
14. Connect: Tests the connection to the data source device
4. Data Source Event to McAfee Field Mappings

4.1. Log Format

The expected format for this device is as follows:

    <dsip>(%s) <Log File>(%s) <Record Number>(%u) <Source Name>(%s) <Event ID>(%d) <Windows Version>(%d) <Time Generated>(%u) <Event Type>(%u) <Computer Name>(%s) <User>(%s) <Category>(%s) <Number of Insertion Strings>(%d) <Insertion Strings>(%s) <Message>(%s)

4.2. Log Sample

This is a sample log from a WMI data source:

    10.33.146.158 System 164812 NtServicePack 4377 52 1387354608 3 MYOFFICEPC MYDOMAIN\MyUserName 2 Windows Server 2003 KB2892076 Windows Server 2003 Hotfix KB2892076 was installed.

5. Appendix A - Troubleshooting

If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled out to the Receiver. If a data source is still not receiving events, verify the credentials and test the connection to the data source.
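As an added example that is not part of the McAfee guide, the following Python parser splits a line in the section 4.1 format into named fields, uses the Number of Insertion Strings value to separate the insertion strings from the message, and converts Time Generated (a Unix epoch) to a UTC timestamp. The page does not state the field delimiter; tab separation and an empty Category field in the 4.2 sample are assumptions, and the Event Type names follow the WMI Win32_NTLogEvent EventType codes.

```python
# Added example, not McAfee's own code: parses the section 4.1 log-line format.
# Assumptions: fields are tab-separated in the order listed, Category may be empty.
from datetime import datetime, timezone
from typing import Any, Dict

FIELDS = [
    "dsip", "log_file", "record_number", "source_name", "event_id",
    "windows_version", "time_generated", "event_type", "computer_name",
    "user", "category", "num_insertion_strings",
]
# WMI Win32_NTLogEvent EventType codes carried in the Event Type field.
EVENT_TYPES = {1: "Error", 2: "Warning", 3: "Information",
               4: "Audit Success", 5: "Audit Failure"}

def parse_wmi_event(line: str) -> Dict[str, Any]:
    """Split one log line into named fields; raise ValueError if malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < len(FIELDS) + 1:
        raise ValueError(f"expected at least {len(FIELDS) + 1} fields, got {len(parts)}")
    rec: Dict[str, Any] = dict(zip(FIELDS, parts))
    for key in ("record_number", "event_id", "windows_version",
                "time_generated", "event_type", "num_insertion_strings"):
        rec[key] = int(rec[key])  # the %u / %d fields of the format string
    count = rec["num_insertion_strings"]
    rest = parts[len(FIELDS):]
    if count < 0 or len(rest) < count + 1:
        raise ValueError("insertion-string count does not match the remaining fields")
    rec["insertion_strings"] = rest[:count]
    rec["message"] = "\t".join(rest[count:])  # the message may itself contain tabs
    rec["time_generated_utc"] = datetime.fromtimestamp(
        rec["time_generated"], tz=timezone.utc).isoformat()
    rec["event_type_name"] = EVENT_TYPES.get(rec["event_type"], "Unknown")
    return rec

# Constructed from the page's log sample (section 4.2), with tabs as the
# assumed delimiter and an empty Category field before the count of 2.
SAMPLE = "\t".join([
    "10.33.146.158", "System", "164812", "NtServicePack", "4377", "52",
    "1387354608", "3", "MYOFFICEPC", r"MYDOMAIN\MyUserName", "",
    "2", "Windows Server 2003", "KB2892076",
    "Windows Server 2003 Hotfix KB2892076 was installed.",
])

if __name__ == "__main__":
    ev = parse_wmi_event(SAMPLE)
    print(ev["time_generated_utc"], ev["event_type_name"], ev["message"])
```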