Microsoft Security Event Log over MSRPC log source parameters for Microsoft Windows Security Event Log
If QRadar does not automatically detect the log source, add a Microsoft Windows Security Event Log log source on the QRadar Console by using the Microsoft Security Event Log over MSRPC protocol.
When using the Microsoft Security Event Log over MSRPC protocol, you must use specific parameters.
Parameter | Value |
---|---|
Log Source type | Microsoft Windows Security Event Log |
Protocol Configuration | Microsoft Security Event Log over MSRPC |
Log Source Identifier | Type the IP address or hostname for the log source as an identifier for events from your Microsoft Windows Security Event Log devices. |
The following table lists the configuration options of the MSRPC protocol.
Features | Configuration options for MSRPC protocol |
---|---|
Protocol type | The protocol type for collecting events through the remote procedure call. The protocol type depends on your operating system. Select one of the following options from the Protocol Type list: Important: The MS-EVEN (for Windows XP/2003) option is no longer supported. However, it still appears in the Protocol Type list. |
Log Source Identifier | An identifier string for this log source. It must not include spaces and must be unique among all log sources that are configured with the Microsoft Security Event Log over MSRPC protocol. |
Domain | If your username requires you to specify the domain, include it separately in this field rather than using <DOMAIN\USERNAME> as the username. |
Username | Username required to access the Windows host. |
Password | Password required to access the Windows host. |
Polling Interval (sec) | The frequency at which the log source attempts to obtain data. The default value is 5000, but the upper limit of the protocol is around 100 EPS. |
Standard Log Types | The event channels from which you need to pull events: Application, System, Security, DNS Server, File Replication, Directory Service. |
Event Types | The levels of event to pull from the selected event channels: Informational, Warning, Error, Success Audit, Failure Audit. |
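As an added example (not code from the QRadar documentation), the following Python pre-validates a batch of MSRPC log source definitions against the constraints in the tables above before they are created on the Console. The hostnames, account names and the `MS-EVEN6` protocol type value in the constructed sample are assumptions, not values taken from this page.

```python
import re

# Allowed values taken from the parameter table above.
STANDARD_LOG_TYPES = {"Application", "System", "Security", "DNS Server",
                      "File Replication", "Directory Service"}
EVENT_TYPES = {"Informational", "Warning", "Error", "Success Audit", "Failure Audit"}
UNSUPPORTED_PROTOCOL_TYPES = {"MS-EVEN"}  # still shown in the list, no longer supported


def split_domain_user(username):
    """Split DOMAIN\\USERNAME into (domain, user) so the domain can go in the Domain field."""
    domain, sep, user = username.rpartition("\\")
    return (domain, user) if sep else ("", username)


def validate_log_sources(sources):
    """Check MSRPC log source dicts keyed by the table's parameter names; return (identifier, problem) pairs."""
    problems, seen = [], set()
    for src in sources:
        ident = src.get("Log Source Identifier", "")
        if not ident or re.search(r"\s", ident):
            problems.append((ident, "identifier must be non-empty with no spaces"))
        if ident in seen:
            problems.append((ident, "identifier must be unique among MSRPC log sources"))
        seen.add(ident)
        if src.get("Protocol Type") in UNSUPPORTED_PROTOCOL_TYPES:
            problems.append((ident, "protocol type MS-EVEN is no longer supported"))
        if split_domain_user(src.get("Username", ""))[0]:
            problems.append((ident, "put the domain in the Domain field, not in the username"))
        for field, allowed in (("Standard Log Types", STANDARD_LOG_TYPES),
                               ("Event Types", EVENT_TYPES)):
            unknown = sorted(set(src.get(field, [])) - allowed)
            if unknown:
                problems.append((ident, f"unknown {field}: {', '.join(unknown)}"))
        interval = src.get("Polling Interval (sec)", 5000)
        if not isinstance(interval, int) or interval <= 0:
            problems.append((ident, "polling interval must be a positive integer"))
    return problems


# Constructed sample definitions (hosts, accounts and MS-EVEN6 are assumed, not from this page).
SAMPLE_SOURCES = [
    {"Log Source Identifier": "dc01.example.internal", "Protocol Type": "MS-EVEN6",
     "Domain": "EXAMPLE", "Username": "qradar_svc", "Polling Interval (sec)": 5000,
     "Standard Log Types": ["Security", "Directory Service"],
     "Event Types": ["Success Audit", "Failure Audit"]},
    {"Log Source Identifier": "file srv02", "Protocol Type": "MS-EVEN",
     "Domain": "", "Username": "EXAMPLE\\qradar_svc", "Polling Interval (sec)": 5000,
     "Standard Log Types": ["Security", "Setup"], "Event Types": ["Critical"]},
]
```

Running `validate_log_sources(SAMPLE_SOURCES)` returns no problems for the first definition and five for the second (space in the identifier, unsupported MS-EVEN, domain embedded in the username, and one unknown value in each of Standard Log Types and Event Types).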
For a complete list of supported features of Microsoft Security Event Log over MSRPC protocol parameters, see Microsoft Security Event Log over MSRPC Protocol.