RSA NetWitness Logs
Event Source Log Configuration Guide

Microsoft Forefront Endpoint Protection
Last Modified: Monday, November 13, 2017

Event Source Product Information:
  Vendor: Microsoft
  Event Source: Forefront Endpoint Protection, Forefront Client Security, System Center Configuration Manager Endpoint Protection
  Versions: Forefront Endpoint Protection 2010, Forefront Client Security 1.x, System Center 2012 Endpoint Protection
  Platforms: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7, Windows 8

RSA Product Information:
  Supported On: NetWitness Suite 10.0 and later
  Event Source Log Parser: msforefrontcs
  Collection Method:
    For Forefront Client Security: ODBC and Windows Event Logs
    For Forefront Endpoint Protection and System Center Endpoint Protection: Windows Event Logs
  Event Source Class.Subclass: Security.Antivirus
Choose the appropriate procedure, based on which event source you are using:

  Forefront Endpoint Protection: Configure NetWitness Suite for Windows Collection
  System Center Endpoint Protection: Configure NetWitness Suite for Windows Collection
  Forefront Client Security: perform either, or both, of the following procedures:
    Configure NetWitness Suite for ODBC Collection
    Configure NetWitness Suite for Windows Collection
Configure NetWitness Suite for ODBC Collection

To configure ODBC collection in NetWitness, perform the following procedures:

  I. Ensure the required parser is enabled
  II. Configure a DSN
  III. Add the Event Source Type

Ensure the Required Parser is Enabled

If you do not see your parser in the list while performing this procedure, you need to download it in RSA NetWitness Suite Live.

Ensure that the parser for your event source is enabled:

1. In the NetWitness menu, select Administration > Services.
2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View > Config.
3. In the Service Parsers Configuration panel, search for your event source, and ensure that the Config Value field for your event source is selected.

Note: The required parser is msforefrontcs.

Configure a DSN

Configure a DSN (Data Source Name):

1. In the NetWitness menu, select Administration > Services.
2. In the Services grid, select a Log Collector service.
3. Click under Actions and select View > Config.
4. In the Log Collector Event Sources tab, select ODBC/DSNs from the drop-down menu.
5. The DSNs panel is displayed with the existing DSNs, if any.
6. Click + to open the Add DSN dialog.

   Note: If you need to add a DSN template, see the "Configure DSNs" topic in the Log Collection Configuration Guide, available in RSA Link.

7. Choose a DSN Template from the drop-down menu and enter a name for the DSN. (You use the name when you set up the ODBC event source type.)
8. Fill in the parameters and click Save.

   Field                Description
   DSN Template         Choose the correct template from the available choices.
   DSN Name             Enter a descriptive name for the DSN.
   Parameters section
     Database           Specify the database used by Forefront Client Security.
     PortNumber         Specify the Port Number. The default port number is 1433.
     HostName           Specify the hostname or IP Address of Forefront Client Security.
     Driver             Depending on your NetWitness Log Collector version:
                        For 10.6.2 and newer, use /opt/netwitness/odbc/lib/r3sqls27.so
                        For 10.6.1 and older, use /opt/netwitness/odbc/lib/r3sqls26.so

Add the Event Source Type

Add the ODBC Event Source Type:

1. In the NetWitness menu, select Administration > Services.
2. In the Services grid, select a Log Collector service.
3. Click under Actions and select View > Config.
4. In the Log Collector Event Sources tab, select ODBC/Config from the drop-down menu. The Event Categories panel is displayed with the existing sources, if any.
5. Click + to open the Available Event Source Types dialog.
6. Choose the log collector configuration type for your event source type and click OK. Select ms_forefront_client_security from the Available Event Source Types dialog.
7. In the Event Categories panel, select the event source type that you just added.
8. In the Sources panel, click + to open the Add Source dialog.
9. Enter the DSN you configured during the Configure a DSN procedure.
10. For the other parameters, see the "ODBC Event Source Configuration Parameters" topic in the RSA NetWitness Suite Log Collection Guide.
Configure NetWitness Suite for Windows Collection

For all supported versions of this event source, you can configure Windows collection.

Note: For Forefront Client Security, you should collect from the Forefront Endpoint Protection channel. For System Center 2012 Endpoint Protection, use System. Choose the appropriate channel when you configure the Windows Event Type in the procedure below.

There are two parts to configuring Windows collection:

  I. Configure WinRM on the Windows Host
  II. Configure RSA NetWitness Suite for Windows Collection

Configure WinRM on a Windows Host

This section describes a shortcut method to configure the Windows host. It assumes that you have the following two RSA scripts available:

  useradd: sets up a user account with the necessary permissions.
  RSA_SA_winevent_config.vbs: sets up the WinRM listener.

To set up and run the useradd script:

1. Open useradd.vbs for editing.
2. Enter your values for the following two parameters:
     User account: in the Name field, enter the name for the RSA user account.
     Domain: in the compname parameter, enter your domain name.

   Note: For the remainder of this document, we are using example values: rsalog for the user account, and dsnetworking.com for the domain name.

3. On the Windows host, open a Command Prompt, and run useradd:

     c:\program Files\scripts>useradd.vbs

   Note: You need to run the script as an administrator.

   The script prompts you to open the file. Click Yes to run the script and set up your user.
To run the script to set up the WinRM listener:

1. On the Windows host, open a Command Prompt.
2. Navigate to the folder where the script is stored, and run it as follows:

     rsa_sa_winevent_config.vbs http

   The script prompts you with a series of information and verification screens: accept them as they appear, in order for the script to succeed.

This completes your setup on the Windows host. Next, you configure RSA NetWitness Suite.

Configure RSA NetWitness Suite for Windows Collection

In RSA NetWitness Suite, you need to configure the Kerberos Realm, and then add the Windows Event Source type.

To configure the Kerberos Realm for Windows collection:

1. In the NetWitness menu, select Administration > Services.
2. In the Services grid, select a Log Collector, and from the Actions menu, choose View > Config > Event Sources.
3. Select Windows/Kerberos Realm from the drop-down menu.
4. In the Kerberos Realm Configuration panel toolbar, click + to add a new realm. The Add Kerberos Domain dialog is displayed.
5. Fill in the parameters, using the guidelines below.

   Parameter             Details
   Kerberos Realm Name   Enter the realm name, in all caps. For example, DSNETWORKING.COM. Note that the Mappings parameter is automatically filled with variations on the realm name.
   KDC Host Name         Enter the name of the Domain Controller. Do not use a fully qualified name here: just the host name for the DC.
                         Note: Make sure that the log collector is configured as a DNS client for the corporate DNS server. Otherwise, the LC will not know how to find the Kerberos Realm.
   Admin Server          (Optional) The name of the Kerberos Administration Server in FQDN format.

6. Click Save to add the Kerberos domain.

Next, continue from the current screen to add a Windows Event Category and type.

To configure the Windows Event Type:

1. Select Windows/Config from the drop-down menu.
2. In the Event Categories panel toolbar, click + to add a source. The Add Source dialog is displayed.
3. Fill in the parameters, using the guidelines below.

   Parameter              Details
   Alias                  Enter a descriptive name.
   Authorization Method   Choose Negotiate.
   Channel                For most event sources that use Windows collection, you want to collect from the Security, System, and Application channels.
   User Name              Enter the account name for the Windows user account that you set up earlier for communicating with RSA NetWitness Suite. Note that you need to enter the full account name, which includes the domain. For example, rsalog@dsnetworking.com.
   Password               Enter the correct password for the user account.
   Max Events Per Cycle   (Optional) RSA recommends that you set this value to 0, which collects everything.
   Polling Interval       (Optional) For most users, a value of 60 should work well.

4. Click OK to add the source. The newly added Windows event source is displayed in the Event Categories panel.
5. Select the new event source in the Event Categories panel. The Hosts panel is activated.
6. Click + in the Hosts panel toolbar.
7. Fill in the parameters, using the guidelines below.

   Parameter              Details
   Event Source Address   Enter the IP address for the Windows host.
   Port                   Accept the default value, 5985.
   Transport Mode         Enter http.
   Enabled                Ensure the box is checked.

8. Click Test Connection.
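Before you click Test Connection in step 8, the Windows host side can be checked locally with the following PowerShell script. It is an added example, not one of the RSA scripts this guide refers to; it assumes PowerShell 3.0 or later in an elevated prompt on the host, assumes that useradd.vbs grants log access through the local Event Log Readers group, and defaults to the guide's example account rsalog, the Forefront Endpoint Protection channel and port 5985.

```powershell
# Added pre-flight check for NetWitness Windows collection; not one of the RSA scripts.
# Assumptions: PowerShell 3.0 or later, elevated prompt on the Windows host, and that
# useradd.vbs and "rsa_sa_winevent_config.vbs http" have already been run.
param(
    [string]$CollectorAccount = 'rsalog',                 # example account from the guide
    [string]$Channel = 'Forefront Endpoint Protection',   # use 'System' for SCEP 2012
    [int]$Port = 5985                                     # default port in the Hosts panel
)

$script:allOk = $true
function Report([bool]$pass, [string]$what) {
    if ($pass) { Write-Host "[PASS] $what" } else { Write-Host "[FAIL] $what"; $script:allOk = $false }
}

# 1. The WinRM service must be running for the Log Collector to reach the host.
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
Report ($null -ne $svc -and $svc.Status -eq 'Running') 'WinRM service is running'

# 2. An HTTP listener on the expected port, matching Transport Mode "http" in NetWitness.
$httpListener = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
    Where-Object {
        $p = Get-ChildItem $_.PSPath
        (($p | Where-Object Name -eq 'Transport').Value -eq 'HTTP') -and
        (($p | Where-Object Name -eq 'Port').Value -eq "$Port")
    }
Report ($null -ne $httpListener) "WinRM HTTP listener on port $Port"

# 3. Negotiate authentication must be enabled, matching the Authorization Method chosen above.
$negotiate = (Get-Item WSMan:\localhost\Service\Auth\Negotiate -ErrorAction SilentlyContinue).Value
Report ($negotiate -eq 'true') 'Negotiate authentication enabled on the WinRM service'

# 4. The collector account can read event logs. Assumption: useradd.vbs grants this through
#    membership of the local Event Log Readers group (shown as DOMAIN\account in the output).
$members = & net localgroup 'Event Log Readers' 2>$null
$pattern = '(^|\\)' + [regex]::Escape($CollectorAccount) + '\s*$'
$isMember = @($members | Where-Object { $_ -match $pattern }).Count -gt 0
Report $isMember "$CollectorAccount is a member of Event Log Readers"

# 5. The channel NetWitness will subscribe to exists on this host.
$log = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue
Report ($null -ne $log) "Event channel '$Channel' exists"

# 6. The WS-Management endpoint answers locally, which is what Test Connection relies on.
$wsman = Test-WSMan -ComputerName localhost -Port $Port -ErrorAction SilentlyContinue
Report ($null -ne $wsman) "WS-Management responds on port $Port"

if ($script:allOk) { exit 0 } else { exit 1 }
```

A FAIL on check 2 or 3 usually means rsa_sa_winevent_config.vbs was not run with the http argument or did not complete; a FAIL on check 5 means the channel name entered in NetWitness will not match anything on this host.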
Note: In RSA NetWitness Suite versions prior to 10.4 patch 2, the Windows service had to be running in order for the test connection to work. In later versions, you should be able to test the connection successfully, even if the Windows service is not running.

For more information on any of the previous steps, see the following Help topics in the RSA NetWitness Suite User Guide:

  Configure Windows Collection: https://community.rsa.com/docs/doc-43410
  Microsoft WinRM Configuration Guide: https://community.rsa.com/docs/doc-58163
  Test and Troubleshoot Microsoft WinRM Guide: https://community.rsa.com/docs/doc-58164

Copyright 2017 EMC Corporation. All Rights Reserved.

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners.