With Windows Event Collector (WEC), you can get events from remote computers and store them in a local event log on a collector computer. For events forwarded from a remote computer (client), this functions through a subscription that receives and stores these events.
USM Anywhere provides the Windows Event Collector sensor app, which you can use to set up event collection through a deployed sensor. You configure the Windows machines (clients) to forward the logs to the USM Anywhere Sensor, which works as the collector.
Setup for the Windows Event Collector sensor app requires the following
A Windows Server 2008 (or newer) host
This is the host that you use to set up Windows Event Forwarding to the Windows Event Collector running on the USM Anywhere Sensor.
- PowerShell 3.0 or newer (required to use the certificate installer script)
- A USM Anywhere Sensor with a private, static IP address, deployed in the same network as the Windows Server and the client systems that forward logs to the sensor
The Windows Server needs a certificate to establish a trusted connection between the USM Anywhere Sensor (collector) and Windows instances (clients). This certificate is available to download as a USM-NXLog-client.pfx file from USM Anywhere when you enable the Windows Event Collector sensor app.
To download the certificate for the sensor app
- In USM Anywhere, go to DATA SOURCES > INTEGRATIONS.
Click the Sensor Apps tab.
In left navigation list, select Windows Event Collector.
Select the sensor where you want to use the app.
The app operates through a deployed sensor. If you have more than one deployed sensor, choose the sensor that is deployed in the same network as the Windows Server and client systems where you plan to configure a subscription and log forwarding to USM Anywhere.
In the Status tab, click the Download NXLog Certificates link.
Make sure that you save the downloaded certificate to a location where it is available for local installation on the Windows Server.
AlienVault provides a PowerShell installer script that you can use to automatically install the certificates. However, if you prefer to configure this manually, you can follow the manual procedure to install the certificate on your Windows Server.
The NXLog Certificate Installer script is the easiest method for installing the NXLog certificates on your Windows Server so that you can configure Windows event forwarding for a USM Anywhere Sensor.
To use the installer script
In the Status tab, click the Download the NXLog Certificate Installer link.
Make sure that you save the downloaded script to a location where it is available to run locally on the Windows Server.
On the Windows Server, execute the script from a PowerShell terminal.
Note: If execution policies on the host are restricted, you could see the following error:
File cannot be loaded because the execution of scripts is disabled on this system
In this case, you can temporarily set the execution policy to unrestricted. After you run the certificate installation script, you can revert the policy change.
- At the dialog prompt, select the certificate file.
(Optional) Remove previous certificates.
The script automatically asks to remove the previous certificates in the case of an earlier USM Anywhere NXLog installation.
Important: It is highly recommended that you remove the previous certificates to avoid potential conflicts. The system provides an individual confirmation for each certificate that it will remove.
When the installation is complete, the terminal window displays a confirmation and provides information about next steps to set up event forwarding. This is a summary of the information provided in Set Up Windows Event Forwarding.
If you prefer not to use the provided PowerShell installer script to install and configure the NXLog certificate on your Windows Server, you can perform this process manually. After the initial certificate installation, use the Microsoft Windows HTTP Services (WinHTTP) Certificate Configuration Tool (WinHttpCertCfg.exe) to complete the configuration of the client certificate.
To install the certificate
- Copy the downloaded certificate file to the Windows Server.
Double-click the USM-NXLog-client.pfx file.
This launches the Certificate Import Wizard to guide the process.
For the Store Location, select the Local Machine.
Note: Windows 2008 does not present the option to import into the Local Machine certificate store. For Windows 2008 installations, use the information in the following Microsoft document to import the certificate into the Local Machine certificate store:
If the wizard prompts you for a password, leave it blank and click Next.
Select the option to automatically store the certificate and click Next to finish.
To configure the Windows HTTP Services
Important: In order to access the Security event log, the Network Service account must be in the Event Log Readers group.
If you do not already have the WinHttpCertCfg.exe tool on your Windows Server, download and install it.
Navigate to the Administrative Tools and open the Computer Management utility.
Select Local Users and Groups > Groups > Event Log Readers.
Right-click the item and choose Add to Group.
- In the dialog, click Add.
Enter NETWORK SERVICE as the object name and click Check Names.
- Click OK in the dialogs and then close the Computer Management utility.
Give the Network Service account access to the installed certificate:
winhttpcertcfg -g -c LOCAL_MACHINE\my -s USM-NXLog-client -a NetworkService
If winhttpcertcfg is not in the path, you might find it in C:\Program Files (x86)\Windows Resource Kits\Tools\.
Important: If you add the Network Service account to the Event Log Readers group later, it will require that you grant the account access to the certificate again.
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device and forwards the events you choose to a Windows Event Collector (WEC) server. On the device that you set up as an Event Log collector, you configure subscriptions that pull the desired logs from any number of source computers. No special configuration is required on the source computers, other than that Windows Remote Management (WinRM) should be enabled, the WinRM Windows Firewall exceptions be enabled, and the computer account for the collector must have read permission on the logs that you want to subscribe to.
USM provides the log forwarding policy that you use to set up the WEF on your Windows Server.
To get the USM Anywhere log forwarding policy
- In USM Anywhere, go to DATA SOURCES > INTEGRATIONS.
Click the Sensor Apps tab.
In the left navigation list, select Windows Event Collector.
- Select the sensor where you enabled the sensor app.
Copy the Log Forwarding Policy that is displayed in the page.
The policy follows this pattern:
To configure the policy on your Windows Server
- On the Windows Server, navigate to the Control Panel and open the Local Group Policy Editor.
- Select Computer Configuration > Administrative Templates > Windows Components > Event Forwarding and then click Configure target Subscription Manager.
Click the Edit policy setting link.
- In the dialog, make sure the subscription is marked as Enabled.
Click Show to open the subscription managers.
Paste the policy that you copied from USM Anywhere into the new subscription value field.
- Click OK and close the Local Group Policy Editor.
Open the terminal and apply the configurations with the following command:
You can verify your event log collection configurations by checking the logs.
To check the event logs
On the Windows Server, open the Event Viewer.
Navigate to Applications and Services Logs > Microsoft > Windows > Eventlog-ForwardingPlugin and check for any errors.
You could see warnings if there are any paths that are not configured on your Windows Servers.
If the event log collection configuration is without errors or warnings, you can view the events in the USM Anywhere Events page.
System Monitor (Sysmon) is a Windows system service and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. Sysmon is a free Windows Sysinternals tool from Sysinternals/Microsoft.
Note: Installing Sysmon is optional, but recommended.
To install Sysmon
- Download the Sysmon ZIP file and unzip it in the target system.
Download the Sysmon configuration file to a folder and name the file as sysmon_config.xml.
Install Sysmon in the Windows system and execute the following command:
sysmon.exe -accepteula -h md5 -n -l -i sysmon_config.xml
Sysmon starts logging the information to the Windows Event Log.
- Open USM Anywhere and verify that you are receiving Sysmon events.
Related Video Content
To view other related training videos, click here.