Solved

HTTPS Event Subscription Question

Posted on 2011-03-01
Last Modified: 2012-05-11
To configure HTTPS Event subscriptions with a Normal delivery:

Forwarding PC
  - Configure WinRM on the forwarding PC
  - Add the collecting PC to the Event Log Readers group
  - Configure the port exemption on 443
  - Configure the computer certificate

Collecting PC
  - Run wecutil
  - Create the subscription specifying HTTPS

My question is: for Minimize Latency/Bandwidth, do I configure the cert and port exemption for the collecting computer as well?

I get this so twisted it isn't true.  I have been thinking that the forwarding/collecting PCs can change positions depending on the type of subscription selected...push/pull and all of that.  Is that right?

Is what I wrote above correct...does anyone have an easier way to remember this?  As usual thank you in advance for any help you can provide.  

Question by:AJJ36
Accepted Solution by: Jackie Man (earned 500 total points)
ID: 35019911
It is easy to remember HTTPS event subscription if you draw the analogy below.

Imagine that you are the big boss of a business intelligence agency firm and your business is about collecting the trade secrets / information of corporations under investigations.

Normally, you will just ask your agent to put the collected information in a designated area inside the corporation (source computer) under investigation and you will collect (pull) the information on a regular basis. As there is no restriction on the pipeline for information transfer (bandwidth) or requirement on allowable delay (latency) for the transfer of information, it is a "normal" mode (HTTP protocol and no special port) and your agent need not think (config) about how to send the information to you.

On the other hand, if there is a restriction on the pipeline for information transfer (bandwidth), both you and your agent will need to work together for sending (pushing) the information from your agent to you. Besides, you need to use a hidden route (HTTPS protocol / port 443) to send the information from your agent to you. It is a "push" mode with "minimum bandwidth" and both you and your agent need to think (config) about how to send the information.

Conversely, if there is a requirement on allowable delay (latency) for the transfer of information, both you and your agent will need to work together for sending (pushing) the information from your agent to you. But this time, the information must be delivered in a timely manner according to the allowable delay (latency). So you also need to use a hidden route (HTTPS protocol / port 443) to send the information from your agent to you. It is a "push" mode with "minimum latency" and both you and your agent need to think (config) about how to send the information.

Hope you can understand the concept behind HTTP and HTTPS Event Subscription. Besides, please take note of the information from a good paper on Event Subscription.

"The following list describes the three subscription speed settings which can be configured via the wizard (Shields, 2007).

• "Normal mode" configures the target computer to pull event information from the
source computer five items at a time, with a batch timeout of 15 minutes.
• "Minimize bandwidth" reverses the direction of the delivery, pushing the data from
source to destination. This is helpful if bandwidth is an issue. The influx of log data at
the destination is slowed with the batch timeout and the heartbeat interval increases to
six hours.
• "Minimize latency" mode works well for gathering real-time or near real-time data. This
also uses push mode, but significantly dials up the timeout to every 30 seconds"

Source: http://www.sans.org/reading_room/whitepapers/logging/evtx-windows-event-logging_32949
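To put the answer above into a concrete form, here is an added example (not from the original post or the expert's comment) of a collector-initiated subscription file loaded on the collecting PC with wecutil, set to HTTPS transport and the "Minimize latency" delivery mode from the quoted list. The subscription name, the source host name and the port value are placeholders (443 follows the question's setup).

```xml
<!-- Added example, not from the original post: a collector-initiated subscription
     file loaded on the collecting PC with:  wecutil cs subscription.xml
     Placeholders: SubscriptionId, the source Address and the port value. -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SystemLogOverHttps</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>System log errors/warnings from one source over HTTPS</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

  <!-- Delivery optimization, matching the three settings quoted above:
       Normal       = collector pulls, 5 items / 15 min batch
       MinBandwidth = source pushes, batched, 6 h heartbeat
       MinLatency   = source pushes, about every 30 s -->
  <ConfigurationMode>MinLatency</ConfigurationMode>

  <!-- Same XPath filter the Event Viewer "Select Events" dialog produces -->
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="System">
          <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>

  <!-- HTTPS transport: the source (forwarding PC) needs a WinRM HTTPS listener
       bound to its computer certificate; the port is that listener's port
       (443 as in the question; 5986 is the WinRM 2.0 default). -->
  <TransportName>HTTPS</TransportName>
  <TransportPort>443</TransportPort>

  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>

  <EventSources>
    <EventSource Enabled="true">
      <!-- placeholder host name; with Default credentials the collector's machine
           account reads this log, which is why it joins the source's Event Log Readers group -->
      <Address>forwarder01.example.local</Address>
    </EventSource>
  </EventSources>
</Subscription>
```

After creating it, wecutil gr SystemLogOverHttps shows the per-source runtime status on the collector, which is where a certificate or port problem on the forwarding side shows up first.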
Expert Comment by: Jackie Man
ID: 35019947
Besides, I notice that you have mistakenly requested the attention of the moderator for this question instead of the one below?

http://www.experts-exchange.com/Software/Internet_Email/File_Sharing/Q_26844042.html

It takes much longer to answer this question as the concept is a bit complicated to understand.

