Last Modified: October 01, 2010

Event Source (Device) Product Information
Vendor: Microsoft
Event Source (Device): Windows
Supported Versions: NT, 2000, XP, 2003, Vista Business, Ultimate, and Enterprise (using SNARE), Server 2008 (Agentless or using SNARE), Windows Server 2008 Enterprise with Hyper-V, Server 2008 R2 Standard, Enterprise, and Datacenter (Agentless or using SNARE), Web Server 2008 R2 (Agentless or using SNARE), 7 Professional, Ultimate, and Enterprise (Agentless)
This document contains the following information for the Microsoft Windows event source:
- Configuration Instructions
- Release Notes for Content 2.0
- Release Notes for Standard Content
To configure the event logs to overwrite events as needed:

1. Click Start > Settings > Control Panel > Administrative Tools > Event Viewer.
2. Right-click System, and select Properties.
3. Select Overwrite events as needed.
4. Click Apply, and click OK.
5. Repeat steps 2 to 4 for Application and Security.
To set the audit policy:

1. Log on to Windows with an account that has administrative credentials.
2. Click Start > Settings > Control Panel > Administrative Tools.
3. Double-click Local Security Policy to start the Local Security Settings MMC snap-in.
4. Double-click Local Policies to expand the folder, and double-click Audit Policy.
5. In the right pane, double-click the policy that you want to enable or disable.
6. Select Success (audited security access attempt that succeeds), Fail (audited security access attempt that fails), or both for logging on and logging off.
Because the Security log is limited in size, select the files and folders to audit carefully. Also consider the amount of disk space that you are willing to allocate to the Security log. You define the maximum size in the Windows Event Viewer.

Important: For Active Directory 2008 auditing, see the Microsoft TechNet article AD DS Auditing Step-by-Step Guide at http://technet.microsoft.com/en-us/library/cc731607%28WS.10%29.aspx.
To set up auditing:
1. Open Windows Explorer, and locate the file or folder that you want to audit.
2. Right-click the file or folder, and select Properties.
3. On the Security tab, click Advanced, and click the Auditing tab.
4. Do one of the following:
   - To set up auditing for a new group or user, click Add. In the Name field, enter the name of the user that you want to audit, and click OK.
   - To view or change auditing for an existing group or user, click the group or user, and click View/Edit.
   - To remove auditing for an existing group or user, click the group or user, and click Remove. Go to step 6.
5. If you are adding or editing a group or user, do the following:
   a. In the Access list box, for each type of access that you want to audit, select Successful, Failed, or both.
   b. To prevent files and subfolders in the tree from inheriting these audit entries, select Apply these auditing entries.
   c. Click OK.
6. Click OK.

Note: If the checkboxes in the Access list box in the Auditing Entry dialog box are unavailable, or if the Remove button is unavailable in the Access Control Settings dialog box, auditing has been inherited from the parent folder.
Set Up Collection
You can set up either of two methods of collection for Windows logs:
- the Windows Eventing Collector Service
- the Legacy Collector (the NIC Windows Service for agentless collection, or a third-party collection agent)
Note: If you cannot collect messages from a Windows Server 2003 or 2008 event source, set up the Remote Registry Service account to run as the LocalSystem, not LocalService.
Important: You must have administrator privileges to read the event logs and retrieve the Application and System messages. You can get security messages without administrator privileges if you set Manage auditing and security log policy for the user.
Prerequisites
You must be running RSA enVision 4.0 Service Pack 3 or newer. Additionally, ensure that you have updated enVision by installing the following (available for download from SecurCare Online):
To remove the Windows Agentless Collector Service for event sources that will use the Windows Eventing Collector Service:

1. In enVision, click Overview > System Configuration.
2. Click Services > Device Services > Windows Service > Manage Windows Service.
3. Select the Windows Agentless Collector Service for each event source for which you will be using the Windows Eventing Collector Service.
4. Click Delete.
1. Add or update the alias for the event source as follows:
   a. Open a new command shell, and change directories to the E:\nic\enVision version\node_name\collection-services\winevent directory.
   b. Run one of the following commands:
   c. Follow the prompts to provide your information. For details, see the enVision Help.
   d. Enter the list of channels to which to subscribe. Use a comma as the delimiter between channel names.
      Note: You must enter the names exactly as they appear in the list below. If you misspell any channel name, events from that channel will not be collected.
2. To test your configuration, type:

   wineventconfig.exe -t

Channel names:
Microsoft-Windows-Hyper-V-Config-Admin
Microsoft-Windows-Hyper-V-Config-Operational
Microsoft-Windows-Hyper-V-Hypervisor-Admin
Microsoft-Windows-Hyper-V-Hypervisor-Operational
Microsoft-Windows-Hyper-V-VMMS-Admin
Microsoft-Windows-Hyper-V-Worker-Admin
Microsoft-Windows-Hyper-V-Image-Management-Service-Admin
Microsoft-Windows-Hyper-V-Image-Management-Service-Operational
Microsoft-Windows-Hyper-V-SynthStor-Admin
Microsoft-Windows-Hyper-V-Integration-Admin
Microsoft-Windows-Hyper-V-SynthNic-Admin
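As an added example (not part of the original RSA document), the following Python script checks a comma-delimited channel list against the names above before it is typed at the wineventconfig.exe prompt, because a misspelled channel silently collects nothing. The function names and the sample input are mine.

```python
import difflib

# Channel names accepted by the enVision Windows Eventing Collector for
# Hyper-V, copied from the list above. Matching is exact: wineventconfig.exe
# silently collects nothing from a channel whose name is misspelled.
SUPPORTED_CHANNELS = (
    "Microsoft-Windows-Hyper-V-Config-Admin",
    "Microsoft-Windows-Hyper-V-Config-Operational",
    "Microsoft-Windows-Hyper-V-Hypervisor-Admin",
    "Microsoft-Windows-Hyper-V-Hypervisor-Operational",
    "Microsoft-Windows-Hyper-V-VMMS-Admin",
    "Microsoft-Windows-Hyper-V-Worker-Admin",
    "Microsoft-Windows-Hyper-V-Image-Management-Service-Admin",
    "Microsoft-Windows-Hyper-V-Image-Management-Service-Operational",
    "Microsoft-Windows-Hyper-V-SynthStor-Admin",
    "Microsoft-Windows-Hyper-V-Integration-Admin",
    "Microsoft-Windows-Hyper-V-SynthNic-Admin",
)


def check_channel_list(channel_csv, supported=SUPPORTED_CHANNELS):
    """Validate the comma-delimited channel list typed at the wineventconfig.exe prompt.

    Returns (accepted, problems). accepted holds the entries that match a
    supported name exactly, in input order and without duplicates. problems
    maps each rejected entry to the closest supported name, or None when
    nothing is close enough to be a plausible typo.
    """
    accepted = []
    problems = {}
    seen = set()
    for raw in channel_csv.split(","):
        name = raw.strip()          # tolerate spaces around the commas
        if not name or name in seen:
            continue                # empty entries and repeats add nothing
        seen.add(name)
        if name in supported:
            accepted.append(name)
            continue
        # Case-only mismatches are the most common slip, so check them first;
        # otherwise fall back to a fuzzy match for dropped or swapped characters.
        same_case_insensitive = [s for s in supported if s.lower() == name.lower()]
        close = same_case_insensitive or difflib.get_close_matches(
            name, supported, n=1, cutoff=0.8)
        problems[name] = close[0] if close else None
    return accepted, problems


def build_channel_list(channel_csv, supported=SUPPORTED_CHANNELS):
    """Return the cleaned list to enter at the prompt, or raise ValueError
    naming each bad entry and the suggested correction."""
    accepted, problems = check_channel_list(channel_csv, supported)
    if problems:
        details = "; ".join(
            f"{bad} -> {fix}" if fix else f"{bad} -> no close match"
            for bad, fix in problems.items())
        raise ValueError(f"unsupported channel names: {details}")
    return ",".join(accepted)


if __name__ == "__main__":
    # Constructed input: one correct name, one with the hyphen in Hyper-V dropped.
    typed = "Microsoft-Windows-Hyper-V-VMMS-Admin, Microsoft-Windows-HyperV-Worker-Admin"
    ok, bad = check_channel_list(typed)
    print("accepted:", ok)
    print("rejected:", bad)
```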
Legacy Collector
The NIC Windows Service retrieves Windows logs from remote systems without installing any third-party software. This method is known as agentless Windows collection.
If you use agentless collection, the Remote Registry Service must be running on the remote server. This service allows a remote station to access the event logs. If you use a third-party collection application or an agent, you do not need to configure the NIC Windows Service.
Supported third-party collection agents:
- InterSect Alliance SNARE BackLog
- InterSect Alliance SNARE
- Adiscon EventReporter (and DNS Server)
Note: If you install the SNARE agent on a Windows Vista or Server 2008 system, you must use SNARE for Windows Vista version 1.1.1.
To set up SNARE BackLog:

1. Set the Target Host to the hostname of the enVision appliance collecting the events.
2. Set the Syslog Category to Syslog - Debug.
3. Set the Delimiter to Comma.

If you set these incorrectly, you can run configurator.exe, located in the installation directory (the default installation directory is C:\Program Files\Backlog).
To set up InterSect Alliance SNARE:

1. Set the Destination Snare Server Address to the IP address of the enVision appliance collecting the events.
2. Set the Destination Port to 514.
3. Set the Syslog facility to Syslog.
4. Set the Syslog Priority to Debug.
5. Ensure that Enable Syslog Header is selected.
6. Copy the SNAREdelimiter.reg file from the \etc\devices\winevent_snare directory on the enVision appliance to the machine on which you installed SNARE.
7. To update the SNARE registry with the proper delimiter setting, right-click the SNAREdelimiter.reg file, and select Merge. When prompted to continue, click Yes.
8. On the Windows Start menu, click Settings > Control Panel > Administrative Tools > Services.
9. Restart the SNARE service.
To install and set up InterSect Alliance SNARE on Windows Server 2008 Server Core:
1. Click My Computer > Tools > Map Network Drive, and follow these steps to map a drive:
   a. From the Drive drop-down list, select the drive to be mapped to.
   b. In the Folder field, enter the IP address of the drive to be mapped. For example, if the IP address of the core server machine is 1.1.1.1 and the drive to be mapped is C:, enter \\1.1.1.1\c$ in the Folder field.
   c. Select Reconnect at logon.
   d. Select the Connect using a different user name option, and enter the logon credentials for the Server Core machine.
2. Create a new directory on Server Core, such as C:\files.
3. Copy the SNARE installation file (downloaded from http://www.intersectalliance.com/projects/SnareWindows/index.html#Download to the local machine) and the .reg file (from the \etc\devices\winevent_snare directory on the enVision appliance) to the directory that you created in step 2.
4. Follow these steps to install SNARE on the Server Core installation:
   a. Open a command shell, and change directories to the directory that you created in step 2.
   b. To install SNARE, type:

      C:\files\SnareSetupVista-1.1.1-MultiArch.exe

      Note: When installing the SNARE agent on a Server 2008 Server Core installation, you must set the Remote Control Interface setting to YES with password. If this option is not selected, the SNARE agent can only be configured through the registry.
   c. To update the SNARE registry with the proper delimiter setting, type:

      C:\files\SNAREdelimiter.reg

      When prompted to continue, click Yes.
5. To configure the settings through the Internet, connect to the interface through a web browser. For example, if the IP address of the Server Core host is 1.1.1.1, go to http://1.1.1.1:6161/
   Note: If a firewall prevents the connection, to make a rule that allows connection to the web interface, you can run the command:
6. To configure the settings, follow steps 1 to 5 of the preceding SNARE setup procedure.
7. Follow these steps to restart the service:
   a. To stop the service, at the command prompt, type:

      sc stop snare
Set Up EventReporter
To set up Adiscon EventReporter:
1. On the Windows Start menu, click Programs > EventReporter > EventReporter Configuration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
   a. Click Default EventLog Monitor > Advanced Options.
   b. Select Use Legacy Format.
   c. Select only Add Facilitystring, Add Username, and Add Logtype.
   d. Click Save.
3. Follow these steps to configure syslog forwarding:
   a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog > Actions.
   b. Select Forward Syslog.
   c. In the Syslog Server field, enter the IP address of the enVision appliance collecting the events.
   d. Clear Add Syslog Source when forwarding to other Syslog servers.
   e. Leave all other options at the default settings.
4. Restart the EventReporter service.
Set Up Hyper-V
This procedure is optional. Follow these steps only if you are configuring Hyper-V.
To configure Hyper-V:
Note: EventReporter 11.1 is required to configure Hyper-V support.

1. On the Windows Start menu, click Programs > EventReporter > EventReporter Configuration.
2. To create a rule set, follow these steps:
   a. In the left-hand panel, right-click Rule Sets, and select Add Rule Set.
   b. Name the rule set, and click Next.
   c. Select Forward Syslog, and accept all other defaults to add the rule set.
   d. Select your rule set from RuleSets, and click Forward Syslog > Actions > Forward Syslog.
   e. Accept all defaults, and complete the fields as follows:
      - Syslog Server: the IP address of your enVision appliance
      - Message format:

        [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

      Note: If you cut and paste the message format string, ensure it does not contain any line or paragraph breaks.
3. To configure a service to use the rule set, follow these steps:
   a. Right-click Configured Services, and click Add Service > Event Log Monitor V2.
   b. Accept all defaults, and click Next.
   c. Click Finish.
   d. Click the new service.
   e. By default, all items are selected. Clear all items except those that start with the string Microsoft-Windows-Hyper-V.
      Note: The Hyper-V items are under New EventLog - Serviced Channels > Microsoft > Windows.
   f. In the Rule Set to Use field, select your rule set.
   g. Click Save.
4. Restart the EventReporter service.
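Added example, not from the original document or from EventReporter: a Python parser for lines produced by the Hyper-V message format configured above, with the provider filter that step 3e sets up. The sample lines (hosts, users, event IDs, message texts), the class and function names are constructed for illustration; the parser assumes the formatted message arrives either bare or with a syslog PRI and header in front of it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Message format configured in step 2e of the Hyper-V procedure above:
#   [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"
# %timegenerated% contains colons of its own, so the timestamp ends at the
# first ": " that is followed by the user/source/sourceproc triple. search()
# rather than match() lets an optional syslog PRI and header precede the "[".
_FORMAT = re.compile(
    r"\[(?P<level>[^\]]*)\] "
    r"(?P<timegenerated>.+?): "
    r"(?P<user>[^/]*)/(?P<source>[^/]*)/(?P<sourceproc>.*?) "
    r"\((?P<id>\d+)\) - \"(?P<msg>.*)\"$"
)

HYPERV_PREFIX = "Microsoft-Windows-Hyper-V"   # provider prefix kept in step 3e


@dataclass
class ForwardedEvent:
    level: str
    timegenerated: str
    user: str
    source: str
    sourceproc: str
    event_id: int
    msg: str


def parse_eventreporter_line(line: str) -> Optional[ForwardedEvent]:
    """Parse one forwarded line into its fields.

    Returns None when the line does not carry the whole format, which is
    what arrives when the format string was pasted with a line break (the
    case the note above warns about): each half is forwarded as a fragment.
    """
    m = _FORMAT.search(line.rstrip("\r\n"))
    if m is None:
        return None
    return ForwardedEvent(m["level"], m["timegenerated"], m["user"],
                          m["source"], m["sourceproc"], int(m["id"]), m["msg"])


def hyperv_events(lines: Iterable[str]) -> Iterator[ForwardedEvent]:
    """Yield only well-formed events whose provider is a Hyper-V channel."""
    for line in lines:
        ev = parse_eventreporter_line(line)
        if ev is not None and ev.source.startswith(HYPERV_PREFIX):
            yield ev


# Constructed sample input (hypothetical hosts, users, IDs and texts), not
# output captured from EventReporter: two Hyper-V events (the second with a
# syslog header in front), one non-Hyper-V event, and one broken fragment.
SAMPLE_LINES = [
    '[Information] 2010-10-01 12:00:01: NT AUTHORITY\\SYSTEM/Microsoft-Windows-Hyper-V-VMMS/vmms.exe (12345) - "sample message 1"',
    '<13>Oct  1 12:00:02 hv01 [Warning] 2010-10-01 12:00:02: HV01\\admin/Microsoft-Windows-Hyper-V-Worker/vmwp.exe (23456) - "sample message 2: config "x" changed"',
    '[Error] 2010-10-01 12:00:03: SYSTEM/Service Control Manager/services.exe (7890) - "sample message 3"',
    '[Information] 2010-10-01 12:00:04:',
]

if __name__ == "__main__":
    for ev in hyperv_events(SAMPLE_LINES):
        print(ev.event_id, ev.source, ev.level, ev.msg)
```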
1. On the Windows Start menu, click All Programs > EventReporter > EventReporter Configuration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
   a. Click Default EventLog Monitor > Advanced Options.
   b. Select Use Legacy Format.
   c. Select only Add Facilitystring, Add Username, and Add Logtype.
   d. Click OK.
3. Follow these steps to configure syslog forwarding:
   a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog > Actions.
   b. Select Forward Syslog.
   c. In the Syslog Server field, enter the IP address of the enVision appliance collecting the events.
   d. Clear Add Syslog Source when forwarding to other Syslog servers.
   e. Leave all other options at the default settings.
4. Restart the EventReporter service.
Microsoft Windows Release Notes (20100810-182943)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Microsoft Windows Release Notes (20100628-101107)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Reports
To get support for all Windows reports, you must select the Windows Events (BL) item from the Event Source list during installation.
Microsoft Windows Release Notes (20100504-112249)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
Attribute               Old Variable      New Variable
Script Path             <fld5>            <directory>
Profile Path            <fld6>            <directory>
User Workstations       <workstation>     <workstation>
Password Last Set       <fld7>            <fld7>
Account Expires         <fld8>            <expiration_time>
Primary Group ID        <fld9>            <groupid>
AllowedToDelegateTo     <fld10>           <fld10>
Old UAC Value           <fld11>           <change_old>
New UAC Value           <fld12>           <change_new>
User Account Control    <acct_control>    <acct_control>
User Parameters         <param>           <param>
Sid History             <fld15>           <info2>
Logon Hours             <fld16>           <info2>

Note: The variables <info1>, <directory>, and <info2> contain the values for all of their respective fields. The first attribute for each variable does not display its name in the field. For example, <info1> would hold the values "data8 Display Name: data9 User Principal Name: data10", where data8 is the value for Sam Account Name.
Microsoft Windows Release Notes (20100128-170125)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.
The enVision Windows Collector cannot retrieve messages from Windows Server 2008, Windows 7, and Windows Vista event sources. The enVision Windows Collector can collect messages from the "Legacy" event stores, such as Application, System, and Security.
- Windows 7 Professional
- Windows 7 Ultimate
- Windows 7 Enterprise
- Windows Vista Business
- Windows Vista Ultimate
Variables: reason, resultcode
Fields parsed to reason and resultcode: Error Code; Error Code; Status Code
Number of messages affected: 3, 1, 1, 1
Notes: In Snare, this field is not parsed to code and resultcode. In Snare, this field is now parsed to privileges and resultcode.
For the Windows Server 2003 messages, nothing changed except that the data in the "Old variable" now also appears in "Variable used for the copy" for forward compatibility with the Windows Server 2008 messages. The new variable can now also be used in future reports.
Variables Replaced

Columns: Field; Old 2008 variable; New 2008 variable used instead; Number of messages affected; Event IDs; Notes
Fields: Failure Reason, Status, Sub Status, Status Code, Status Code, Error Code, Error Code, Result
Old 2008 variables: fld, status, reason, fld, result, reason
New 2008 variables used instead: reason, status, resultcode, resultcode, resultcode, resultcode
Number of messages affected: 1, 1, 1, 1, 1, 1
Event IDs: 4625, 4695, 4768, 4776, 4777, 6272
Notes: Also, the same field is still parsed to reason using a variable copy.
INFO Buckets

Fields: Failure Reason, State, Exit Status, Status Code, Failure Code, Audit Status Code, Reason, Return Code
Event IDs: 4652, 4653, 4689, 4692, 4693, 4694, 4769, 4771, 4772, 4935, 4936, 4957, 4958, 4983, 4984, 5057, 5060, 6273
- Windows - Detected DoS Attacks
- Windows - Packets Discarded Due To DoS Attack
- Windows - Packets Blocked By Windows Filtering Platform
RSA modified the following report under Host - Windows - Logon Logoff.
Report Name: Windows - Logons logoffs by User
Changes:
- Report Description was modified.
- Column User Name was renamed to Primary User Name.
- Column Primary Domain was added.
- Column Logon Account Name was added.
- Column Logon Account Domain was added.
- Column Primary Domain Name was added.
- Column Primary Logon ID was added.
- Column Domain Name was removed.
Event Changes
RSA added support to the following Security Event IDs for Agentless Collection.
Event ID   Provider
697        Security
4817       Microsoft-Windows-Security-Auditing
5142       Microsoft-Windows-Security-Auditing
5143       Microsoft-Windows-Security-Auditing
5144       Microsoft-Windows-Security-Auditing
5145       Microsoft-Windows-Security-Auditing
5148       Microsoft-Windows-Security-Auditing
5149       Microsoft-Windows-Security-Auditing
5150       Microsoft-Windows-Security-Auditing
5151       Microsoft-Windows-Security-Auditing
5168       Microsoft-Windows-Security-Auditing
6281       Microsoft-Windows-Security-Auditing
6400       Microsoft-Windows-Security-Auditing
6401       Microsoft-Windows-Security-Auditing
6402       Microsoft-Windows-Security-Auditing
6403       Microsoft-Windows-Security-Auditing
6404       Microsoft-Windows-Security-Auditing
6405       Microsoft-Windows-Security-Auditing
6406       Microsoft-Windows-Security-Auditing
6407       Microsoft-Windows-Security-Auditing
6408       Microsoft-Windows-Security-Auditing
1          Microsoft-Windows-EventLog
2          Microsoft-Windows-EventLog
3          Microsoft-Windows-EventLog
103        Microsoft-Windows-EventLog
107        Microsoft-Windows-EventLog
RSA modified the event category for the following message IDs.
Message ID                                          Old Event Category                          New Event Category
Security_513_Security                               System.Startup                              System.Shutdown
Security_4776_Microsoft-Windows-Security-Auditing   User.Management.Permissions                 Auth.General
Security_4753_Microsoft-Windows-Security-Auditing   User.Activity.Logoff                        User.Management.Groups.Deletions
Security_4741_Microsoft-Windows-Security-Auditing   Policies.Rights.Successful.Privileged Use   User.Management.Users.Additions
Security_4742_Microsoft-Windows-Security-Auditing   Policies.Rights.Successful.Privileged Use   User.Management.Users.Modifications
                                                    Policies.Rights.Successful.Privileged Use   User.Management.Users.Deletions
Security_4743_Microsoft-Windows-Security-Auditing   User.Activity.Logoff                        User.Management.Users.Deletions
Table Changes
RSA made the following table change.
Message ID             Old Table        New Table
System_6008_EventLog   Windows Level    Windows Accounting
operation_id process_id misc_id process_id process pid user_id username user_id process_id process_id groupid group groupid
Event IDs: 632, 633, 634, 637, 638, 639, 641, 659, 660, 661, 662, 668
For the Windows Server 2003 messages, nothing changed except that the data in the "Old variable" now also appears in "Variable used for the copy" for forward compatibility with the Windows Server 2008 messages. The new variables can now also be used in future reports.
Variables Replaced

Field                 Old 2008 variable   New 2008 variable used instead   Messages affected   Event IDs
Process ID            handle_id           process_id                       13                  4624, 4625, 4648, 4688, 4689
Object handle         misc_id             obj_handle                       1                   4674
Domain ID             misc_id             domain_id                        4                   4706, 4707, 4716, 4739
Supplied Realm Name   misc_name           domain                           1                   4768
Access Mask           peer_id             mask                             1                   4662
Group: Security ID    fld                 groupid                          13                  4764, 4758, 4759, 4760, 4761, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4792
Group: Security ID    handle_id           groupid                          1                   4735
Group Name            c_user_name         group                            6                   4783, 4784, 4789, 4790, 4791, 4792

The following fields were previously held in a variable of the form 'fld' and now use the variable shown (10 messages affected):
- Home Directory: directory
- Logon ID of New Logon: c_logon_id
- Creator Process ID, service: misc_id, misc_name
- Ticket Options: options
- Account Domain: c_domain
- Pre-Authentication Type: auth_type
- Service Name: service
INFO Buckets

Field                                    Variable
Privileges/User Rights                   privileges
Accesses                                 accesses
Access Mask                              mask
User Workstation/Caller Computer Name    workstation
Subject: Account Name                    username
Authentication Package                   auth_package
Group: Security ID                       groupid
Group Name                               group
Attributes                               info

Number of messages affected: 3; 31
Event IDs: 4624, 4625, 4656, 4661, 4704, 4705, 4713, 4714, 4726-4734, 4739-4741, 4743, 4754-4757, 4769-4772, 4780, 4729, 4730, 4733, 4734
- FISMA - Personal Termination - Windows Server 2003
- HIPAA - Access Establishment and Modification - Windows Server 2003 Detail
- HIPAA - Password Changes and Expirations - Windows Server 2003
- Host - Windows - Account Management - Computer Account Changes - Windows Server 2003
- Host - Windows - Account Management - User Group Account Changes - Windows Server 2003
- Host - Windows - Policy Changes and Audit logs - Trusted Domain Changes - Windows Server 2003
- Host - Windows - Policy Changes and Audit logs - User Rights Changes - Windows Server 2003
- Host - Windows - User Activity - Applications by Users - Windows Server 2003

- HIPAA - ePHI Access Report
- HIPAA - Automatic Workstation Logoff
- HIPAA - Login Attempts by Unauthorized Accounts - Windows
- HIPAA - Manual Workstation Logoffs - Windows
- HIPAA - ePHI Access Report - Windows Detail
- PCI - Initialization of all audit logs
- Host - Windows - Restarts/Shutdowns - System Restarts/Shutdowns
- Host - Windows - Policy Changes and Audit logs - Audit Log Cleared
- Host - Windows - Policy Changes and Audit logs - Audit Log Full
- Host - Windows - Policy Changes and Audit logs - Audit Policy Changes
- Host - Windows - Policy Changes and Audit logs - Policy Changes Summary
Report Name: Host - Windows - Account Management - Local Group Account Changes
Changes: Replaced User Name by Group Name in result set

Report Name: Host - Windows - Account Management - Universal Group Account Changes
Changes: Replaced User Name by Group Name in result set

The report description was modified for the following reports:
- Host - Windows - Files/Objects Access - Access to Files
- Host - Windows - Files/Objects Access - Registry Access
- HIPAA - Access Authorization - Windows Details
- HIPAA - Failed Logon Attempts to ePHI Systems
- Host - Windows - Logon/Logoff - Local Logons/logoffs by User

Column changes listed for these reports:
- Column Domain has been renamed to Primary Domain Name
- Column User Name has been renamed to Primary User Name
- Column Domain has been renamed to Primary Domain Name
- Column User Name has been renamed to Primary User Name
- Column Domain has been renamed to Primary Domain Name
- Column User Name has been renamed to Primary User Name
- Column Client User Name has been added
- Column Client Domain Name has been added
- Column User Name has been renamed to Primary User Name
- Column Logon Account Name has been added
- Column Username has been renamed to Primary Username
- Column Logon Account Name has been added
- Column Username has been renamed to Primary Username
- Column Logon Account Name has been added
- Column Username has been renamed to Primary Username
- Column Logon Account Name has been added
- Column Username has been renamed to Primary Username
- Column Logon Account Name has been added
Changes (continued):
- Column Primary Logon ID has been added
- Column User Name has been renamed to Primary User Name
- Column Domain Name has been renamed to Primary Domain Name
- Column Logon Account Name has been added
- Column Logon Domain has been added

Report Names: HIPAA - ePHI Access Report By Administrative Users; FISMA - Personal Termination - Windows
Changes:
- Removing the Windows Server 2003 events
- Column UserName has been renamed to Target UserName

Report Name: HIPAA - Access Establishment and Modification - Windows Detail
Changes:
- Removing the Windows Server 2003 events, where we also introduced a Group Name

Report Names: Host - Windows - Account Management - Computer Account Changes; Host - Windows - Account Management - User Group Account Changes; Host - Windows - Policy Changes and Audit logs - Trusted Domain Changes; Host - Windows - Policy Changes and Audit logs - User Rights Changes
Changes:
- Removing the Windows Server 2003 events; Column UserName has been renamed to Target Username; Column Domain Name has been renamed to Target Domain Name
- Removing the Windows Server 2003 events; Column User Name has been renamed to Target User Name
- Removing the Windows Server 2003 events; Column User Name has been renamed to Target User Name
- Removing the Windows Server 2003 events; Column Domain Name has been renamed to Target Domain; Column User Name has been renamed to Event User; Column Client Domain has been renamed to User Domain; Column Client User Name has been renamed to User Name
- Removing the Windows Server 2003 events; Column User Name has been renamed to Event User; Column Client Domain has been renamed to Domain Name; Column Client User Name has been renamed to User Name; Column Target User Name has been added
Changes:
- Removing the Windows Server 2003 events
- The Column Name has been removed
- The Column Process ID has been added
For Adiscon EventReporter, configuration for DNS servers was added. For Active Directory Auditing, Active Directory 2008 messages were refined. For InterSect Alliance SNARE, DNS Server logs are not supported by Snare for Windows Vista 1.1.1 on Windows Server 2008.