Topic
  • 9 replies
  • Latest Post - ‏2014-05-29T01:09:51Z by RoseD
GaryBranstein
GaryBranstein
1 Post

Pinned topic Collecting Security Logs and Printing logs for Laptops

‏2014-04-08T19:44:33Z |

Does anybody have any thoughts or suggestions on what I could use to capture Windows 8.1 event logs on select laptops.  The problem is that when the laptop is not on the corporate network it would still monitor but hold the logs until the laptop connects to the Coporate Network and then forward over to  QRadar.

  • Jonathan.Pechta (IBM)
    179 Posts

    Re: Collecting Security Logs and Printing logs for Laptops

    ‏2014-05-13T18:21:19Z  

    Gary,

     

    The best method to collect these events would be to use WinCollect and install an agent locally on the Windows system. When you install the WinCollect agent, you want to create a Local System log source to collect Security and System logs.

     

    The way local WinCollect agents work is that each time the agent polls the local event log for events, the agent attempts to open a socket to the destination (either the Console or Event Collector). If the laptop is not connected to a VPN, the agent will not be able to successfully connect to the destination and will cache the events until it is connected. If a connection is successfully established, the system will attempt to forward events as fast as possible off of the agent (until it hits the default EPS throttle limit of 500 EPS) to clear the backlog of events.

     

    Note: If this is someone who travels extensively or rarely calls in through the VPN, then you might want to adjust default agent storage. It is unlikely that as single system would fill 6 GB, which is the default storage. However, if you are heavily auditing these systems, then you might want to increase the default storage value. The default storage is configured on a per agent basis through the Console. When the laptop is connected to the network, any configuration changes are sent down to the remote Windows host.

     

    Why wouldn't I remote polling for these events?

    I would not recommend that you attempt to remote poll from systems that are not continually on the corporate network. As each time the WinCollect agent tries to poll a remote agent that does not reachable or is powered off, a Syslog message is generated for RPC Server Unavailable. This can get noisy when you have a lot of log sources that go offline after business hours. This is why I suggested that you look at installing agents locally on the laptops and configure a local log source.

     

    Hope this helps..

     

  • Natalia_Razinkov
    Natalia_Razinkov
    2 Posts

    Re: Collecting Security Logs and Printing logs for Laptops

    ‏2014-05-15T12:10:07Z  

    Gary,

     

    The best method to collect these events would be to use WinCollect and install an agent locally on the Windows system. When you install the WinCollect agent, you want to create a Local System log source to collect Security and System logs.

     

    The way local WinCollect agents work is that each time the agent polls the local event log for events, the agent attempts to open a socket to the destination (either the Console or Event Collector). If the laptop is not connected to a VPN, the agent will not be able to successfully connect to the destination and will cache the events until it is connected. If a connection is successfully established, the system will attempt to forward events as fast as possible off of the agent (until it hits the default EPS throttle limit of 500 EPS) to clear the backlog of events.

     

    Note: If this is someone who travels extensively or rarely calls in through the VPN, then you might want to adjust default agent storage. It is unlikely that as single system would fill 6 GB, which is the default storage. However, if you are heavily auditing these systems, then you might want to increase the default storage value. The default storage is configured on a per agent basis through the Console. When the laptop is connected to the network, any configuration changes are sent down to the remote Windows host.

     

    Why wouldn't I remote polling for these events?

    I would not recommend that you attempt to remote poll from systems that are not continually on the corporate network. As each time the WinCollect agent tries to poll a remote agent that does not reachable or is powered off, a Syslog message is generated for RPC Server Unavailable. This can get noisy when you have a lot of log sources that go offline after business hours. This is why I suggested that you look at installing agents locally on the laptops and configure a local log source.

     

    Hope this helps..

     

    Jonathan, hope I understand you correctly,  this is a reason not to use WMI for our laptops (say Windows 7) and use WinCollect?

  • Jonathan.Pechta (IBM)
    179 Posts

    Re: Collecting Security Logs and Printing logs for Laptops

    ‏2014-05-15T14:02:09Z  

    Jonathan, hope I understand you correctly,  this is a reason not to use WMI for our laptops (say Windows 7) and use WinCollect?

    Both a WinCollect local installation and WMI are valid collection options for laptops. What option you chose depends on what you need to accomplish.

     

    • Ease of configuration - WinCollect. WMI configurations are more complicated and polling across domains typically requires domain admin access or adding your log source user to a domain admin group. Some administrators do not allow this in their networks, so a WinCollect agent installed locally on the laptop might be the best choice. The local agent only requires admin access on the local system to forward syslog events.
    • Encyrption - WMI. If you need to encrypt the events, WMI is the only option at this time.
    • Event types - WinCollect. If you need to possibly collect other event types than just Windows events, you can use different protocol options to collect SQL error events, IIS, ISA, or other event log types with the File Forwarder plug-in.
    • Event Collection Rate - WinCollect. This is not typically an issue for individual laptops, unless the administrator has advanced security auditing features enabled. WMI cannot exceed 50 EPS. WinCollect local installations can support 250 EPS out of the box.
    • Event filtering/XPath - WinCollect. WinCollect allows you to access features such as Exclusion Filters for specific services or event ID codes.

     

    As always, the option selected depends on your network policies and user requirements.

  • Natalia_Razinkov
    Natalia_Razinkov
    2 Posts

    Re: Collecting Security Logs and Printing logs for Laptops

    ‏2014-05-15T14:13:36Z  

    Both a WinCollect local installation and WMI are valid collection options for laptops. What option you chose depends on what you need to accomplish.

     

    • Ease of configuration - WinCollect. WMI configurations are more complicated and polling across domains typically requires domain admin access or adding your log source user to a domain admin group. Some administrators do not allow this in their networks, so a WinCollect agent installed locally on the laptop might be the best choice. The local agent only requires admin access on the local system to forward syslog events.
    • Encyrption - WMI. If you need to encrypt the events, WMI is the only option at this time.
    • Event types - WinCollect. If you need to possibly collect other event types than just Windows events, you can use different protocol options to collect SQL error events, IIS, ISA, or other event log types with the File Forwarder plug-in.
    • Event Collection Rate - WinCollect. This is not typically an issue for individual laptops, unless the administrator has advanced security auditing features enabled. WMI cannot exceed 50 EPS. WinCollect local installations can support 250 EPS out of the box.
    • Event filtering/XPath - WinCollect. WinCollect allows you to access features such as Exclusion Filters for specific services or event ID codes.

     

    As always, the option selected depends on your network policies and user requirements.

    Very helpful!  I would suggest those criteria for decision making  will be somehow  clarified in the knowledge base/documentation for other very new (-:  QRadar users

  • RoseD
    RoseD
    17 Posts

    Re: Collecting Security Logs and Printing logs for Laptops

    ‏2014-05-23T23:41:41Z  

    Both a WinCollect local installation and WMI are valid collection options for laptops. What option you chose depends on what you need to accomplish.

     

    • Ease of configuration - WinCollect. WMI configurations are more complicated and polling across domains typically requires domain admin access or adding your log source user to a domain admin group. Some administrators do not allow this in their networks, so a WinCollect agent installed locally on the laptop might be the best choice. The local agent only requires admin access on the local system to forward syslog events.
    • Encyrption - WMI. If you need to encrypt the events, WMI is the only option at this time.
    • Event types - WinCollect. If you need to possibly collect other event types than just Windows events, you can use different protocol options to collect SQL error events, IIS, ISA, or other event log types with the File Forwarder plug-in.
    • Event Collection Rate - WinCollect. This is not typically an issue for individual laptops, unless the administrator has advanced security auditing features enabled. WMI cannot exceed 50 EPS. WinCollect local installations can support 250 EPS out of the box.
    • Event filtering/XPath - WinCollect. WinCollect allows you to access features such as Exclusion Filters for specific services or event ID codes.

     

    As always, the option selected depends on your network policies and user requirements.

    With WMI configuration only supporting 50 EPS, what happens when it's exceeded?  Are events missed from being collected?

  • Jonathan.Pechta (IBM)
    179 Posts

    Re: Collecting Security Logs and Printing logs for Laptops

    ‏2014-05-26T13:24:05Z  
    • RoseD
    • ‏2014-05-23T23:41:41Z

    With WMI configuration only supporting 50 EPS, what happens when it's exceeded?  Are events missed from being collected?

    RoseD,

     

    What we have experienced is that when you collect more than 50 EPS on a remote system using WMI, you start to see system resource utilization issue. WMI tries, but cannot keep up with the high event rate and the operating system starts to use more and more resources until it becomes unresponsive and crashes.

     

    Operating system stability is why we tell customers to consider local agents on systems that generate more than 50 EPS.

     

    Hope this helps...

     

     

    -----

    Our support webinars are coming soon. Vote on topics you are interested in. For more information, see our Webinar topic survey:  https://www.surveymonkey.com/s/QRadarOpenmic

    Updated on 2014-05-26T14:19:32Z at 2014-05-26T14:19:32Z by Jonathan.Pechta (IBM)
  • RoseD
    RoseD
    17 Posts

    Re: Collecting Security Logs and Printing logs for Laptops

    ‏2014-05-27T18:34:13Z  

    Thank you for the reply, Jonathan.  This is helpful information but still puts us between 2 options that are not good.  One being good for our security concerns (WMI) but not good since it could cause failures in the system.  The other (WinCollect) does not provide secure communications and not completely reliable as it ultimately sends syslog over UDP.  Is there an enhancemen in the works for a reliable and secure method of collecting windows events?

    I noted the support webinars in your posting and glad to see some ability to provide feedback.  Would still like to see a method of voting for potential enhancements.

  • Jonathan.Pechta (IBM)
    179 Posts

    Re: Collecting Security Logs and Printing logs for Laptops

    ‏2014-05-28T14:42:23Z  
    • RoseD
    • ‏2014-05-27T18:34:13Z

    Thank you for the reply, Jonathan.  This is helpful information but still puts us between 2 options that are not good.  One being good for our security concerns (WMI) but not good since it could cause failures in the system.  The other (WinCollect) does not provide secure communications and not completely reliable as it ultimately sends syslog over UDP.  Is there an enhancemen in the works for a reliable and secure method of collecting windows events?

    I noted the support webinars in your posting and glad to see some ability to provide feedback.  Would still like to see a method of voting for potential enhancements.

    Rose,

     

    Yes, there is an existing feature request to add TLS Syslog support to WinCollect. I contacted the PM directly to raise your concern to him. However, I suggest that you also open an RFE https://ibm.biz/BdRPx5 to help push this feature forward.

     

    WinCollect does support TCP syslog. This can be configured in your log source by selecting the TCP option in the Target Internal Destination drop-down. The option to send TCP or UDP can be configured on a per log source basis or by using a destination. I have included a screen capture as an example.

     

    Where:

    A. Is a TCP destination I created that sends to an Event Collector in my deployment.
    B. Is the default local destination created for TCP.
    C. Is the default local destination created for UDP.

     

    You should be able to configure your log sources to send TCP, instead of sending Syslog events using UDP only.  That being said, we are aware of the lack of TLS support and are working on the issue to include it with WinCollect.

     

    Hope this helps...

     

    p.s. Thank you for voting for the support webinars. :)

     

    -----

    Our support webinars are coming soon. Vote on topics you are interested in. For more information, see our webinar topic survey:  https://www.surveymonkey.com/s/QRadarOpenmic

     


     

     

  • RoseD
    RoseD
    17 Posts

    Re: Collecting Security Logs and Printing logs for Laptops

    ‏2014-05-29T01:09:51Z  

    Rose,

     

    Yes, there is an existing feature request to add TLS Syslog support to WinCollect. I contacted the PM directly to raise your concern to him. However, I suggest that you also open an RFE https://ibm.biz/BdRPx5 to help push this feature forward.

     

    WinCollect does support TCP syslog. This can be configured in your log source by selecting the TCP option in the Target Internal Destination drop-down. The option to send TCP or UDP can be configured on a per log source basis or by using a destination. I have included a screen capture as an example.

     

    Where:

    A. Is a TCP destination I created that sends to an Event Collector in my deployment.
    B. Is the default local destination created for TCP.
    C. Is the default local destination created for UDP.

     

    You should be able to configure your log sources to send TCP, instead of sending Syslog events using UDP only.  That being said, we are aware of the lack of TLS support and are working on the issue to include it with WinCollect.

     

    Hope this helps...

     

    p.s. Thank you for voting for the support webinars. :)

     

    -----

    Our support webinars are coming soon. Vote on topics you are interested in. For more information, see our webinar topic survey:  https://www.surveymonkey.com/s/QRadarOpenmic

     


     

     

    Thank you, Jonathan for your reply.  This is helpful and I will open an RFE.  I do wish that I could review other RFEs (no need to see who submitted them)  though so I could vote for those that would be helpful to our organization and others could vote for mine.