
HTTPS Event Subscription Question

To configure HTTPS Event subscriptions with a Normal delivery:

Forwarding
  • Configure WinRM on the forwarding PC
  • Add the collecting PC to the Event Log Readers group
  • Configure exemption on 443
  • Configure computer cert

Collecting
  • Run wecutil
  • Create subscription specifying HTTPS

My question is: for Minimize Latency/Bandwidth, do I configure the cert and port exemption for the collecting computer as well?

I get this so twisted it isn't true.  I have been thinking that the forwarding/collecting PCs can change positions depending on the type of subscription selected...push/pull and all of that.  Is that right?

Is what I wrote above correct...does anyone have an easier way to remember this? As usual, thank you in advance for any help you can provide.

Asked by AJJ36

1 Solution
Jackie Man commented:
It is easy to remember HTTPS event subscription if you draw an analogy below.

Imagine that you are the big boss of a business intelligence agency firm and your business is about collecting the trade secrets / information of corporations under investigations.

Normally, you will just ask your agent to put the collected information in a designated area inside the corporation (source computer) under investigation and you will collect (pull) the information on a regular basis. As there is no restriction about the pipe line for information transfer (bandwidth) or requirement on allowable delay (latency) for the transfer of information, it is a "normal" mode (HTTP protocol and no special port) and your agent need not think (config) about how to send the information to you.

On the other hand, if there is a restriction about the pipe line for information transfer (bandwidth) for the transfer of information, both you and your agent will need to work together for sending (pushing) the information from your agent to you. Besides, you need to use a hidden route (HTTPS protocol / port 443) to send the information from your agent to you, it is a "push" mode with "minimum bandwidth" and both you and your agent need to think (config) on how to send the information.

Conversely, if there is a requirement on allowable delay (latency) for the transfer of information, both you and your agent will need to work together for sending (pushing) the information from your agent to you. But this time, as the information must be delivered in a timely manner according to the allowable delay (latency), you also need to use a hidden route (HTTPS protocol / port 443) to send the information from your agent to you; it is a "push" mode with "minimum latency" and both you and your agent need to think (config) on how to send the information.

Hope you can understand the concept behind HTTP and HTTPS Event Subscription. Besides, please take note of the information from a good paper on Event Subscription.

"The following list describes the three subscription speed settings which can be configured via the wizard (Shields, 2007).

  • "Normal mode" configures the target computer to pull event information from the source computer five items at a time, with a batch timeout of 15 minutes.
  • "Minimize bandwidth" reverses the direction of the delivery, pushing the data from source to destination. This is helpful if bandwidth is an issue. The influx of log data at the destination is slowed with the batch timeout and the heartbeat interval increases to six hours.
  • "Minimize latency" mode works well for gathering real-time or near real-time data. This also uses push mode, but significantly dials up the timeout to every 30 seconds"

Source: http://www.sans.org/reading_room/whitepapers/logging/evtx-windows-event-logging_32949
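The checklist in the question and the three speed settings quoted in the answer above, worked through as an added PowerShell example (these are not the thread's own commands). It assumes constructed names (collector COLLECTOR01, forwarder FWD01, domain CONTOSO) and a current WinRM, whose default HTTPS listener port is 5986 rather than the 443 of older WinRM 1.1 that the question names; the subscription XML follows the wecutil collector-initiated schema.

```powershell
# Added example, not from the thread. Assumed names: collector COLLECTOR01, forwarder
# FWD01, domain CONTOSO; WinRM 2.0+ defaults (HTTPS listener on TCP 5986 rather than
# the 443 used by WinRM 1.1). Collector-initiated subscription.

# ---- On the forwarding (source) computer ----
winrm quickconfig -transport:https -quiet          # HTTPS listener bound to the machine cert (already enrolled)
net localgroup "Event Log Readers" 'CONTOSO\COLLECTOR01$' /add   # collector's machine account may read the logs
netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in action=allow protocol=TCP localport=5986

# ---- On the collecting computer ----
wecutil qc /q                                      # enable and start the Windows Event Collector service

# Normal = Pull: the collector connects to the source, so only the source needs a listener.
# MinBandwidth / MinLatency = Push: the source opens the connection to the collector,
# so the collector ALSO needs the HTTPS listener, certificate and firewall rule.
$mode = 'MinLatency'                               # Normal | MinBandwidth | MinLatency
$delivery = if ($mode -eq 'Normal') { 'Pull' } else { 'Push' }
if ($delivery -eq 'Push') {
    winrm quickconfig -transport:https -quiet
    netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in action=allow protocol=TCP localport=5986
}

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil">
  <SubscriptionId>LogonEventsHttps</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>$mode</ConfigurationMode>
  <Delivery Mode="$delivery" />
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTPS</TransportName>
  <TransportPort>5986</TransportPort>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US" />
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>FWD01.contoso.local</Address></EventSource>
  </EventSources>
</Subscription>
"@
Set-Content -Path .\LogonEventsHttps.xml -Value $subscription -Encoding Unicode
wecutil cs .\LogonEventsHttps.xml                  # create the subscription from the XML
wecutil gr LogonEventsHttps                        # runtime status: shows per-source errors if the cert, port or group is wrong
```

Switching `$mode` to `Normal` drops the collector-side listener setup, which is exactly the difference the question asks about.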
Jackie Man commented:
Besides, I notice that you have mistakenly requested the attention of the moderator for this question instead of the one below?

http://www.experts-exchange.com/Software/Internet_Email/File_Sharing/Q_26844042.html

It takes much longer to answer this question as the concept is a bit complicated to understand.
