Forwarding windows log to SIEM tool

Hi Expert,

I'm needing help with enabling and forwarding Windows logs, in particular RDP access logs, to a SIEM log collector.

Please advise how to set this up for Windows Server 2012 r1 (note it's a standalone server).

Regards

Mike
SYN ACK (Snr Analyst) asked:

btan (Exec Consultant) commented:
Consider using event log forwarding, which can be source initiated or collector (SIEM) initiated. Most of the time an agent will be installed on the server, such as SNARE or syslog-ng, that will then format the log into a supported syslog format for the SIEM. The collection is stipulated by the SIEM collector or connector available, so you should check what your SIEM supports. Specific to RDP logs, you should be able to go based on event ID. E.g. the RDP-server-related IDs below would be similar for 2012.

http://www.vkernel.ro/blog/how-to-configure-windows-event-log-forwarding

But I guess you are more interested in RDP connections and specifically the logon event of LogonType 10 (RemoteInteractive); you can check out the forwarding rule in WEF or the agent to do filtered forwards, otherwise have your SIEM rule filter it out in the correlation setup. Best is to get the specific log rather than the whole lot unless your SIEM is also a log archival system, but it should be trivial to add another filter at the source based on event ID if required.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff404144(v=ws.10)
1
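Added example, not from this thread and not an RSA or Microsoft script: the event-ID-based filter described above, put into a form you can test locally and then hand to a Windows Event Forwarding (WEF) collector. It is run on the Windows Server 2012 host that accepts RDP connections; the collector name `wec-collector.example.local` and the subscription name `RDP-Logons` are placeholders. Note that the subscription's `AllowedSourceDomainComputers` SDDL assumes a domain-joined source; a standalone server like the one in the question has to authenticate to the collector with a certificate instead (HTTPS listener plus the `AllowedSourceNonDomainComputers` element), which is the part the agent-based route avoids.

```powershell
# Added example (not from the original thread, RSA or Microsoft). Run as an
# administrator on the RDP host. Collector name below is a placeholder.

# 1. Make sure the Security log actually records logons: 4624/4625 live in the
#    "Logon" subcategory, and without it the forwarder has nothing to send.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 2. XPath that selects only RDP activity:
#    - Security 4624 (success) / 4625 (failure) with LogonType 10 (RemoteInteractive)
#    - TerminalServices-RemoteConnectionManager 1149 (remote connection accepted)
#    - TerminalServices-LocalSessionManager 21 / 24 / 25 (session logon / disconnect / reconnect)
$rdpQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]
        and EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">
    <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">
      *[System[(EventID=1149)]]
    </Select>
  </Query>
  <Query Id="2" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
    <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
      *[System[(EventID=21 or EventID=24 or EventID=25)]]
    </Select>
  </Query>
</QueryList>
"@

# 3. Verify the filter locally before forwarding anything. Get-WinEvent evaluates
#    exactly the XML that will later sit inside the subscription, so an empty result
#    here (after an RDP logon) means the filter or the audit policy is wrong.
Get-WinEvent -FilterXml $rdpQuery -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LogName, Message |
    Format-Table -AutoSize -Wrap

# 4. Source-initiated WEF subscription. Copy the file to the collector and load it
#    with "wecutil cs rdp-logons.xml" (run "wecutil qc" once on the collector first).
#    The SDDL grants Domain Computers (DC) and Network Service (NS); a non-domain
#    source needs certificate auth and AllowedSourceNonDomainComputers instead.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wec">
  <SubscriptionId>RDP-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>RDP logons, logon failures and session events only</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$rdpQuery]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path .\rdp-logons.xml -Value $subscription -Encoding UTF8

# 5. On the source host: enable WinRM, point the forwarder at the collector (the
#    registry form of the "Configure target Subscription Manager" policy), and let
#    Network Service read the Security log so the forwarder can pick up 4624/4625.
winrm quickconfig -q
$smPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smPath -Force | Out-Null
Set-ItemProperty -Path $smPath -Name '1' `
    -Value 'Server=http://wec-collector.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60'
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
gpupdate /force
```

Once events show up in the collector's ForwardedEvents log, the SIEM only has to read that one log from the collector instead of the full Security log of every host; if you later need more (for example 4634/4647 logoffs for session duration), add another `<Query>` block and reload the subscription rather than widening the filter on the SIEM side.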
SYN ACK (Snr Analyst, author) commented:
Many thanks. The SIEM tool is NetWitness from RSA. There is no agent on the client, but there is a WinRM integration guide that isn't easy to understand.
0
btan (Exec Consultant) commented:
I recall that for Windows you will still be better off with an agent; you can check with RSA support. Otherwise, there is a discussion which eventually still opts for WinRM instead of WEF:
I created a small PS script (not an official RSA script) which you can add at the end of the "winrmconfig.ps1" script, and this will automatically add your hosts to RSA NetWitness via the REST API interface on your Log Collector. The only manual step is to create the Event Category in your Log Collector and then define the parameters in the REST API PowerShell script.


Event sources will be added to the Log Collector by FQDN (test.domain.com). If you want to change this, then you need to modify the PowerShell script to grab the IP of the machine and pass it to the REST API call.
https://community.rsa.com/thread/189797

There is a free elearning on WinRM which may help in understanding.
https://community.rsa.com/docs/DOC-54577
0

SYN ACK (Snr Analyst, author) commented:
many thanks
0