RSA NetWitness Logs
Event Source Log Configuration Guide

Microsoft Network Policy Server

Last Modified: Thursday, June 08, 2017

Event Source Product Information:
Vendor: Microsoft
Event Source: Network Policy Server
Versions: 3.2, 4.0
Additional Downloads:
   For File Collection: sftpagent.conf.msias
   For Windows Collection: useradd.vbs, rsa_sa_winevent_config.vbs

RSA Product Information:
Supported On: NetWitness Suite 10.0 and later
Event Source Log Parser: msias
Collection Method: File and Windows Event Logs
Event Source Class.Subclass: Security.Access Control
You can configure RSA NetWitness Suite to collect logs from Microsoft Network Policy Server using File collection, Windows Eventing collection, or both.

I. Configure Microsoft NPS
II. Configure RSA NetWitness Suite for Windows and/or File Collection:
   Configure File Collection
   Configure Windows Collection
Configure Microsoft NPS

This section describes how to set up the Microsoft Network Policy Server event source for Windows collection.

To configure Microsoft NPS for Windows collection:
1. Start the Network Policy Server management utility.
2. Select the Remote Access Logging folder.
3. Double-click the Local File logging method.
4. On the Settings tab, ensure that the following boxes are selected:
   Accounting Requests
   Authentication Requests
   Periodic Status
5. On the Log File tab, confirm the following settings:
   In the Directory field, select C:\WINDOWS\system32\LogFile.
   In the Format field, select IAS (Legacy).
   In the Create a new log file field, select Daily.
   In the When disk is full delete older log files field, ensure the check box is selected.
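The IAS (Legacy) files written to the directory above are the input that the msias parser consumes. As an added example (not RSA's or Microsoft's code), the following Python script parses records in that format and lists rejected authentications, which is the kind of check a defender runs before trusting the collection pipeline. The sample log lines are constructed, and the attribute IDs it relies on (4128 Client-Friendly-Name, 4136 Packet-Type, 4142 Reason-Code) are assumed from the published IAS format, not taken from this guide.

```python
import csv
from collections import Counter

# IAS (Legacy) records: six fixed fields, then attribute-ID/value pairs.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
# Attribute IDs from the Microsoft IAS vendor dictionary (assumed, not from this guide):
# 4128 Client-Friendly-Name, 4136 Packet-Type, 4142 Reason-Code.
CLIENT_FRIENDLY_NAME, PACKET_TYPE, REASON_CODE = "4128", "4136", "4142"
PACKET_TYPE_NAMES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                     "4": "Accounting-Request", "11": "Access-Challenge"}

# Constructed sample of an IAS (Legacy) log, not real NPS output.
SAMPLE_LOG = """\
10.0.0.5,DSNETWORKING\\alice,06/08/2017,09:15:01,IAS,NPS01,4128,VPN-GW,4130,dsnetworking.com/Users/alice,4136,1
10.0.0.5,DSNETWORKING\\alice,06/08/2017,09:15:01,IAS,NPS01,4128,VPN-GW,4130,dsnetworking.com/Users/alice,4136,2
10.0.0.5,DSNETWORKING\\bob,06/08/2017,09:16:12,IAS,NPS01,4128,VPN-GW,4130,dsnetworking.com/Users/bob,4136,1
10.0.0.5,DSNETWORKING\\bob,06/08/2017,09:16:12,IAS,NPS01,4128,VPN-GW,4136,3,4142,16
"""


def parse_ias_record(line):
    """Split one IAS (Legacy) line into the fixed header plus an attribute dict."""
    fields = next(csv.reader([line]))
    if len(fields) < len(HEADER) or (len(fields) - len(HEADER)) % 2:
        raise ValueError("malformed IAS record: %r" % line)
    record = dict(zip(HEADER, fields))
    pairs = fields[len(HEADER):]
    record["attrs"] = {pairs[i]: pairs[i + 1] for i in range(0, len(pairs), 2)}
    record["packet_type"] = PACKET_TYPE_NAMES.get(record["attrs"].get(PACKET_TYPE), "Unknown")
    return record


def parse_ias_log(log_text):
    """Parse every non-empty line of an IAS (Legacy) log file."""
    return [parse_ias_record(l) for l in log_text.splitlines() if l.strip()]


def packet_type_counts(log_text):
    """Count records by RADIUS packet type, e.g. to spot a spike in rejects."""
    return Counter(r["packet_type"] for r in parse_ias_log(log_text))


def rejected_logons(log_text):
    """Return (user, client, reason_code) for every Access-Reject in the log."""
    return [(r["user"], r["attrs"].get(CLIENT_FRIENDLY_NAME, "?"), r["attrs"].get(REASON_CODE, "?"))
            for r in parse_ias_log(log_text) if r["packet_type"] == "Access-Reject"]


if __name__ == "__main__":
    print(packet_type_counts(SAMPLE_LOG))
    for user, client, reason in rejected_logons(SAMPLE_LOG):
        print("reject: user=%s client=%s reason=%s" % (user, client, reason))
```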
Configure File Collection

To configure Microsoft Network Policy Server for File collection, you must complete these tasks:
I. Set Up the SFTP Agent
II. Set Up the File Service

Note: To configure File Collection, you need a Log Collector that is at version 10.5.2 or later.

Set Up the SFTP Agent

To set up the SFTP Agent Collector, download the appropriate PDF from RSA Link:
   To set up the SFTP agent on Windows, see Install and Update SFTP Agent.
   To set up the SFTP agent on Linux, see Configure SA SFTP Agent shell script.

Configure the Log Collector for File Collection

To configure the Log Collector for file collection:
1. In the NetWitness menu, select Administration > Services.
2. In the Services grid, select a Log Collector, and from the Actions menu, choose View > Config > Event Sources.
3. Select File/Config from the drop-down menu.
   The Event Categories panel displays the File event sources that are configured, if any.
4. In the Event Categories panel toolbar, click +.
   The Available Event Source Types dialog is displayed.
5. Select msias_tvm from the Available Event Source Types dialog, and click OK.
   The newly added event source type is displayed in the Event Categories panel.
6. Select the new type in the Event Categories panel and click + in the Sources panel toolbar.
   The Add Source dialog is displayed.
7. Add a File Directory name, modify any other parameters that require changes, and click OK.
8. Stop and restart File Collection.
   After you add a new event source that uses file collection, you must stop and restart the NetWitness File Collection service. This is necessary to add the key to the new event source.
Configure Windows Collection

There are two parts to configuring Windows collection:
I. Configure WinRM on the Windows Host
II. Configure RSA NetWitness Suite for Windows Collection

Configure WinRM on a Windows Host

This section describes a shortcut method to configure the Windows host. It assumes that you have the following two RSA scripts available:
   useradd.vbs: sets up a user account with the necessary permissions.
   rsa_sa_winevent_config.vbs: sets up the WinRM listener.

To set up and run the useradd script:
1. Open useradd.vbs for editing.
2. Enter your values for the following two parameters:
   User account: in the Name field, enter the name for the RSA user account.
   Domain: in the compname parameter, enter your domain name.
   Note: For the remainder of this document, we are using example values: rsalog for the user account, and dsnetworking.com for the domain name.
3. On the Windows host, open a Command Prompt, and run useradd:
   c:\program Files\scripts>useradd.vbs
   Note: You need to run the script as an administrator.
   The script prompts you to open the file. Click Yes to run the script and set up your user.

To run the script to set up the WinRM listener:
1. On the Windows host, open a Command Prompt.
2. Navigate to the folder where the script is stored, and run it as follows:
   rsa_sa_winevent_config.vbs http
   The script prompts you with a series of information and verification screens; accept them as they appear for the script to succeed.
This completes your setup on the Windows host. Next, you configure RSA NetWitness Suite.

Configure RSA NetWitness Suite for Windows Collection

In RSA NetWitness Suite, you need to configure the Kerberos Realm, and then add the Windows Event Source type.

To configure the Kerberos Realm for Windows collection:
1. In the Security Analytics menu, select Administration > Services.
2. In the Services grid, select a Log Collector, and from the Actions menu, choose View > Config > Event Sources.
3. Select Windows/Kerberos Realm from the drop-down menu.
4. In the Kerberos Realm Configuration panel toolbar, click + to add a new realm.
   The Add Kerberos Domain dialog is displayed.
5. Fill in the parameters, using the guidelines below.
   Kerberos Realm Name: Enter the realm name, in all caps. For example, DSNETWORKING.COM. Note that the Mappings parameter is automatically filled with variations on the realm name.
   KDC Host Name: Enter the name of the Domain Controller. Do not use a fully qualified name here: just the host name for the DC.
   Note: Make sure that the Log Collector is configured as a DNS client for the corporate DNS server. Otherwise, the LC will not know how to find the Kerberos Realm.
   Admin Server (Optional): The name of the Kerberos Administration Server in FQDN format.
6. Click Save to add the Kerberos domain.

Next, continue from the current screen to add a Windows Event Category and type.
To configure the Windows Event Type:
1. Select Windows/Config from the drop-down menu.
2. In the Event Categories panel toolbar, click + to add a source.
   The Add Source dialog is displayed.
3. Fill in the parameters, using the guidelines below.
   Alias: Enter a descriptive name.
   Authorization Method: Choose Negotiate.
   Channel: For most event sources that use Windows collection, you want to collect from the Security, System, and Application channels.
   User Name: Enter the account name for the Windows user account that you set up earlier for communicating with Security Analytics. Note that you need to enter the full account name, which includes the domain. For example, rsalog@dsnetworking.com.
   Password: Enter the correct password for the user account.
   Max Events Per Cycle (Optional): RSA recommends that you set this value to 0, which collects everything.
   Polling Interval (Optional): For most users, a value of 60 should work well.
4. Click OK to add the source.
   The newly added Windows event source is displayed in the Event Categories panel.
5. Select the new event source in the Event Categories panel.
   The Hosts panel is activated.
6. Click + in the Hosts panel toolbar.
7. Fill in the parameters, using the guidelines below.
   Event Source Address: Enter the IP address for the Windows host.
   Port: Accept the default value, 5985.
   Transport Mode: Enter http.
   Enabled: Ensure the box is checked.
8. Click Test Connection.
   Note: In Security Analytics versions prior to 10.4 patch 2, the Windows service had to be running in order for the test connection to work. In later versions, you should be able to test the connection successfully even if the Windows service is not running.

For more information on any of the previous steps, see the following Help topics in the Security Analytics User Guide:
   Configure Windows Collection: https://community.rsa.com/docs/doc-43410
   Microsoft WinRM Configuration Guide: https://community.rsa.com/docs/doc-58163
   Test and Troubleshoot Microsoft WinRM Guide: https://community.rsa.com/docs/doc-58164

Copyright 2017 EMC Corporation. All Rights Reserved.

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners.