SYN ACK
Forwarding windows log to SIEM tool
Hi Expert,
I need help with enabling and forwarding Windows logs, in particular RDP access logs, to a SIEM log collector.
Please advise how to set this up for Windows Server 2012 R1 (note it's a standalone server).
Regards
Mike
ASKER
Many thanks. The SIEM tool is NetWitness from RSA. There is no agent on the client, but there is a WinRM integration guide that isn't easy to understand.
ASKER
Many thanks.
http://www.vkernel.ro/blog/how-to-configure-windows-event-log-forwarding
But I guess you are more interested in RDP connections, and specifically the logon event with Logon Type 10 (RemoteInteractive); you can check out the forwarding rule in WEF or the agent to do filtered forwards, or otherwise have your SIEM rule filter it out in the correlation setup. Best is to get the specific logs rather than the whole lot, unless your SIEM is also a log archival system; but it should be trivial to add another filter at the source based on event ID if required.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff404144(v=ws.10)
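As an added example (not from the thread above, nor from RSA's NetWitness guide), this PowerShell session shows the "filter at the source on event ID" approach the answer describes: it enables the Logon audit subcategory, builds the XPath query that selects Security event 4624 with Logon Type 10 (RemoteInteractive), and validates that query against the local Security log before the same `<QueryList>` text is pasted into a WEF subscription or a collector-side WinRM query. It goes slightly beyond the answer by also selecting 4625 (failed logon) with the same logon type. It assumes it is run elevated on the Windows Server 2012 host itself; the `$RdpLogonQuery` variable name and the output fields are my own choices.

```powershell
# Added example, not part of the original thread. Run elevated on the server
# that writes the Security log. Assumes the "Audit Logon" subcategory exists
# under Logon/Logoff (it does on Windows Server 2012).

# 1. Make sure logon events (4624 success / 4625 failure) are written at all.
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable

# 2. XPath filter: Security log, event 4624 or 4625, LogonType data field = 10.
#    This <QueryList> is the text a WEF subscription or a collector's WinRM
#    query takes, so validating it locally first avoids a silent empty feed.
$RdpLogonQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]]
      and
      *[EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
"@

# 3. Apply the filter to the local log and summarise the matching RDP logons.
$events = Get-WinEvent -FilterXml $RdpLogonQuery -MaxEvents 50 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Each event's EventData is a list of named <Data> elements; turn it into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id                          # 4624 = success, 4625 = failure
        User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
        SourceIP  = $data.IpAddress
        LogonType = $data.LogonType                # always 10 here, by construction
    }
}
```

Two caveats when relying on Logon Type 10 alone: a reconnect to an existing RDP session is logged with Logon Type 7, and when Network Level Authentication is enabled a failed attempt is typically recorded as a 4625 with Logon Type 3 before any RemoteInteractive logon occurs, so a filter that is strictly type 10 will miss both. If those matter to the SIEM correlation, widen the `LogonType` condition in the query rather than forwarding the whole Security log.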