Start Free TrialLog in
Avatar of SYN ACK
SYN ACKFlag for United Kingdom of Great Britain and Northern Ireland

asked on 

Forwarding windows log to SIEM tool

Hi Expert,

I’m needing  help with enabling and forwarding windows logs Inc particular RDP ACCESS logs to siem log collector.

Please advise how to set this up for windows server 2012 r1 (note it’s standalone server)

Regards

Mike
Microsoft Server OSWindows Server 2012
Avatar of undefined
Last Comment
SYN ACK
Avatar of btan
btan
Consider using event log forwarding which can be source initiated of the collector (SIEM) initiated. Most of the time an agent will be installed in server such as SNARE or SyslogNG that will then format the log into supported syslog format to the SIEM. The collection is stipulated by your SIEM collector or connector available. You should check out the SIEM support. Specific to RDP log you should be able to go based on event ID. E.g. RDP server related id below would be similar for 2012.

http://www.vkernel.ro/blog/how-to-configure-windows-event-log-forwarding

But I guess you are more interested with RDP connections and specifically logon event of LogType 10; RemoteInteractive; you can check out the forwarding rule in WEF or agent to do filtered forwards otherwise have your SIEM rule to filter out in correlation setup. Best is get specific log rather thw whole lot unless your SIEM is also a log archival system; but it should trivial to add another filter if required at the source based on event ID.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff404144(v=ws.10)
Avatar of SYN ACK
SYN ACK
Flag of United Kingdom of Great Britain and Northern Ireland image

ASKER

Many thanks, siem tool is netwitness from rsa. There is no agent on client but there is however winrm integration guide that's isn't easy to understand.
ASKER CERTIFIED SOLUTION
Avatar of btan
btan
Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of SYN ACK
SYN ACK
Flag of United Kingdom of Great Britain and Northern Ireland image

ASKER

many thanks
Microsoft Server OS
Microsoft Server OS

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.

59K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
Ask the experts

  • "Invaluable tool for our organization"

    Josh Regalski

  • "Your help has saved me hundreds of hours of internet surfing."

    @fblack61

  • "Just a dang good service!"

    @golferski

  • "Worth every penny."

    Steve Hougom

  • "It’s been a life saver."

    Maria Halt

  • "Best support site I’ve seen!"

    Bob Schneider

  • "I would be lost without them."

    @fblack61

  • "Saved my job multiple times."

    Walt Forbes

  • "I love this site."

    Maria Duwe

  • "Friendly respectful help."

    Andrew Kowtalo

  • "Such top-notch experts."

    @magento

  • "The best money I have ever spent."

    @rwheeler23

  • "Beyond any comprehensible value"

    George Morris

  • "Invaluable tool for our organization"

    Josh Regalski

Read over 600 more reviews

TRUSTED BY

IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo
© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent