
Microsoft Windows Security Event Log

The JSA DSM for Microsoft Windows Security Event Log accepts syslog events from Microsoft Windows systems.

For event collection from Microsoft operating systems, JSA supports the following protocols:

  • MSRPC (Microsoft Security Event Log over MSRPC)

  • Syslog (Intended for Snare, BalaBit, and other third-party Windows solutions)

    • Common Event Format (CEF) is also supported.

  • WMI (Microsoft Security Event Log). This is a legacy protocol.

  • WinCollect. See the Juniper Secure Analytics WinCollect User Guide.

All events, including Sysmon, are supported.

Verifying MSRPC Protocol

For most users, the Microsoft Security Event Log over MSRPC protocol is provided automatically to the JSA appliance through automatic updates.

The MSRPC protocol can be verified through the log sources user interface, or by verifying from the JSA console that the Windows Event RPC protocol RPM file is installed.

Verifying MSRPC Protocol from the JSA Console

You can verify that the MSRPC protocol is installed on the JSA console by using SSH.

The following RPM files are required to collect and parse events with the MSRPC protocol.

  • PROTOCOL-WindowsEventRPC-<version>.noarch.rpm

  • DSM-DSMCommon-<version>.noarch.rpm

  • DSM-MicrosoftWindows-<version>.noarch.rpm

  1. Log in to the JSA console as the root user through SSH.
  2. Type yum list | grep -i windows to verify that the MSRPC protocol is installed.
  3. From the output, verify that PROTOCOL-WindowsEventRPC-<version>.noarch.rpm is installed.

    If the MSRPC RPM is installed but doesn't appear in the user interface as one of the protocols for Microsoft Windows Security Event Log, the administrator needs to restart the web server.
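The check in steps 2 and 3 can be scripted so that all three required RPMs are verified in one pass rather than by eye. The following shell function is an added example and is not part of the Juniper documentation or of JSA itself; it assumes the package list is supplied in the one-package-per-line form that rpm -qa prints on the console, and the version strings in the embedded sample output are constructed.

```shell
#!/bin/sh
# Added example: verify that the RPMs the MSRPC protocol needs are installed,
# given "rpm -qa" style output (one package per line) from the JSA console.
# The package names come from the list above; the sample output is constructed.

REQUIRED_RPMS="PROTOCOL-WindowsEventRPC DSM-DSMCommon DSM-MicrosoftWindows"

# $1: package list text. Prints each package found on stdout and each missing
# package on stderr. Returns 0 when all three are present, 1 otherwise.
check_required_rpms() {
    _missing=0
    for _pkg in $REQUIRED_RPMS; do
        # Match the package name followed by a version, e.g.
        # PROTOCOL-WindowsEventRPC-7.3-20190101.noarch (constructed version)
        if printf '%s\n' "$1" | grep -q "^${_pkg}-[0-9]"; then
            printf 'found   %s\n' "$(printf '%s\n' "$1" | grep "^${_pkg}-[0-9]" | head -n1)"
        else
            printf 'MISSING %s\n' "$_pkg" >&2
            _missing=1
        fi
    done
    return $_missing
}

# Constructed sample of "rpm -qa" output with all three packages present.
SAMPLE_COMPLETE="DSM-DSMCommon-7.3-20190101.noarch
DSM-MicrosoftWindows-7.3-20190101.noarch
PROTOCOL-WindowsEventRPC-7.3-20190101.noarch
java-1.8.0-openjdk-headless-1.8.0.191.noarch"

# Same constructed sample with the protocol RPM missing.
SAMPLE_MISSING="DSM-DSMCommon-7.3-20190101.noarch
DSM-MicrosoftWindows-7.3-20190101.noarch"

# Live use on the console (as root):  check_required_rpms "$(rpm -qa)"
```

A non-zero exit means at least one of the three RPMs is absent; install the missing package before creating an MSRPC log source. If the function reports all three as found but the protocol still does not appear in the user interface, restart the web server as described above.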

Verifying MSRPC Protocol from JSA User Interface

You can verify that the MSRPC protocol is installed through the user interface of the JSA console.

  1. Log in to JSA.
  2. Click Admin > Data sources.
  3. Click the Log Sources icon.
  4. Click Add.
  5. In the Log Source Type field, select Microsoft Windows Security Event Log from the list.
  6. In the Protocol Configuration field, verify that Microsoft Security Event Log over MSRPC appears in the list.

Restarting the Web Server

You must be an administrator to restart the Web Server.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. From the Advanced menu, click Restart Web Service.

Installing the MSRPC Protocol on the JSA Console

You must install the MSRPC protocol RPM on the JSA console before events can be collected from a Windows host.

Ensure that you download the MSRPC protocol RPM from IBM Fix Central.

  1. Log in to the JSA console as the root user.
  2. Copy the MSRPC protocol RPM to a directory on the JSA console.
  3. Go to the directory where you copied the MSRPC protocol RPM by typing the following command:

    cd <path_to_directory>

  4. Install the MSRPC protocol RPM by typing the following command:

    yum -y install PROTOCOL-WindowsEventRPC-<version_number>.noarch.rpm

  5. From the Admin tab of the JSA console, select Advanced > Deploy Full Configuration.
  6. After you deploy the configuration, select Advanced > Restart Web Server.

Enabling MSRPC on Windows Hosts

To enable communication between your Windows host and JSA over MSRPC, configure the Remote Procedure Calls (RPC) settings on the Windows host for the Microsoft Remote Procedure Calls (MSRPC) protocol.

You must be a member of the administrators group to enable communication over MSRPC between your Windows host and the JSA appliance.

Based on performance tests on a JSA Event Processor appliance with 128 GB of RAM and 40 cores (Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80 GHz), a rate of 8500 events per second (EPS) was achieved successfully while simultaneously receiving and processing logs from other non-Windows systems. The log source limit is 500.

Specifications for the Microsoft Security Event Log over MSRPC protocol:

Manufacturer: Microsoft

Protocol type: The operating system dependent type of the remote procedure protocol for collection of events. Select one of the following options from the Protocol Type list:

  • MS-EVEN6 -- The default protocol type for new log sources. The protocol type that JSA uses to communicate with Windows Vista, Windows Server 2008, and later.

  • MS-EVEN (for Windows XP/2003) -- The protocol type that JSA uses to communicate with Windows XP and Windows Server 2003. Windows XP and Windows Server 2003 are not supported by Microsoft, so this option might not be successful.

  • auto-detect (for legacy configurations) -- Previous log source configurations for the Microsoft Windows Security Event Log DSM use the auto-detect (for legacy configurations) protocol type. Upgrade to the MS-EVEN6 or the MS-EVEN (for Windows XP/2003) protocol type.

Supported versions:

  • Windows Server 2016

  • Windows 2012 (most recent)

  • Windows Server 2012 Core

  • Windows Server 2008 (most recent)

  • Windows Server 2008 Core

  • Windows 10 (most recent)

  • Windows 8 (most recent)

  • Windows 7 (most recent)

  • Windows Vista (most recent)

Intended application: Agentless event collection for Windows operating systems that can support 100 EPS per log source.

Maximum number of supported log sources: 500 MSRPC protocol log sources for each managed host (16xx or 18xx appliance).

Maximum overall EPS rate of MSRPC: 8500 EPS for each managed host.

Special features: Supports encrypted events by default.

Required permissions: The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup Operators group can also be used, depending on how Microsoft Group Policy Objects are configured.

Windows XP and 2003 operating system users require read access to the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

Supported event types:

  • Application

  • System

  • Security

  • DNS Server

  • File Replication

  • Directory Service logs

Windows service requirements: For Windows Server 2008 and Windows Vista, use the following services:

  • Remote Procedure Call (RPC)

  • RPC Endpoint Mapper

For Windows 2003, use the Remote Registry and Server services.

Windows port requirements: Ensure that external firewalls between the Windows host and the JSA appliance are configured to allow incoming and outgoing TCP connections on the following ports.

For Windows Server 2008 and Windows Vista, use the following ports:

  • TCP port 135

  • TCP port that is dynamically allocated for RPC, above 49152

For Windows 2003, use the following ports:

  • TCP port 445

  • TCP port 139

Automatically discovered? No

Includes identity? Yes

Includes custom properties? A security content pack with Windows custom event properties is available on IBM Fix Central.

Required RPM files:

  • PROTOCOL-WindowsEventRPC-JSA_release-Build_number.noarch.rpm

  • DSM-MicrosoftWindows-JSA_release-Build_number.noarch.rpm

  • DSM-DSMCommon-JSA_release-Build_number.noarch.rpm

More information: Microsoft support (http://support.microsoft.com/)

Troubleshooting tool available: The MSRPC test tool is part of the MSRPC protocol RPM. After installation of the MSRPC protocol RPM, the MSRPC test tool can be found in /opt/qradar/jars.

  1. Log in to JSA as administrator.
  2. Click the Admin tab.
  3. Click the Log Sources icon.
  4. Click Add.
  5. From the Log Source Type list, select Microsoft Windows Security Event Log.
  6. From the Protocol Configuration list, select Microsoft Security Event Log over MSRPC.
  7. From the Log Source Identifier list, type the IP address or the host name of the Windows system that you intend to poll for events. Host names must be entered as fully qualified domain names (FQDN), such as myhost.example.com.
  8. From the Domain field, type the domain of the Windows system.
  9. Configure the log source user name and password parameters.
  10. Configure the Polling Interval field.

    Note: The Polling Interval (Sec) field does not tune log source performance like with WinCollect log sources. To poll low event rate systems with limited bandwidth, you can increase the polling interval to reduce network usage.

  11. Configure the Event Throttle field.
  12. From the Protocol Type list, select the protocol type for your operating system.
  13. Select at least one of the Standard Log Types check boxes.

    Note: If you use the Microsoft Security Event Log or Microsoft Security Event Log over MSRPC protocol, select only the log types that are supported on the target Windows host.

  14. Select at least one of the Event Types check boxes.
  15. Click Save.
  16. On the Admin tab, click Deploy Changes.

Diagnosing Connection Issues with the MSRPC Test Tool

Use the MSRPC test tool to check the connection between the JSA appliance and a Windows host.

Ensure that the PROTOCOL-WindowsEventRPC-<version_number> RPM is installed on the JSA appliance.

The MSRPC test tool can be used for troubleshooting connection problems and to test the initial connection between the host and the JSA appliance to ensure that the host is configured properly. Table 1 describes the MSRPC test tool option flags.

Table 1: MSRPC Test Tool Flags

  • -? or --help: Displays the help and usage information for the MSRPC tool.

  • -b: Displays debugging information, if available.

  • -d <domain>: Active Directory domain, or hostname if in a workgroup.

  • -e <protocol>: EventLog Remoting protocol. Values: MSEVEN, MSEVEN6, and AUTO. Default: AUTO.

  • -h <hostname/ip>: Hostname or IP address of the Windows host.

  • -p <password>: Password.

  • -u <username>: Username.

  • -w <poll>: Polling mode. Specify one or more event log channels. Values: Security, System, Application, DNS Server, File Replication Service, Directory Service. Separate multiple values by comma. Example: Application, Security. Default: Security.

  1. Log in to the JSA console.
  2. To use the MSRPC test tool, type the following command:

    cd /opt/qradar/jars

  3. To test the connection between JSA and the Windows host, type the following command:

    java -jar Q1MSRPCTest.jar

  4. Optional: For more usage options, type java -jar Q1MSRPCTest.jar --help
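The flag table above can be turned into a small wrapper that validates the -e and -w values before the tool is run, and that prompts for the password instead of taking it on the command line, so that the credential of the Event Log Readers account does not land in the shell history file. This wrapper is an added example, not part of the Juniper documentation or of Q1MSRPCTest.jar; it assumes the tool accepts the comma-separated channel list as one quoted -w argument, and the host, domain and user name in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: wrapper around the MSRPC test tool shipped in /opt/qradar/jars.
# Flag names (-d, -e, -h, -u, -p, -w) and their permitted values are taken from
# the flag table; everything else here is assumed.

JAR_DIR="/opt/qradar/jars"
JAR_NAME="Q1MSRPCTest.jar"

# Return 0 when $1 is one of the documented -e values.
valid_protocol() {
    case "$1" in
        MSEVEN|MSEVEN6|AUTO) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when every comma-separated channel in $1 is a documented -w value.
valid_channels() {
    [ -n "$1" ] || return 1
    _rest="$1"
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *,*) _chan="${_rest%%,*}"; _rest="${_rest#*,}" ;;
            *)   _chan="$_rest"; _rest="" ;;
        esac
        # Trim surrounding spaces: "Application, Security" is the documented form.
        _chan="$(printf '%s' "$_chan" | sed 's/^ *//;s/ *$//')"
        case "$_chan" in
            "Security"|"System"|"Application"|"DNS Server"|"File Replication Service"|"Directory Service") ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the command line that would be run, with the password masked, so it can
# be reviewed first. Arguments: host domain user protocol channels
msrpc_test_cmdline() {
    valid_protocol "$4" || { echo "invalid -e value: $4" >&2; return 1; }
    valid_channels "$5" || { echo "invalid -w value: $5" >&2; return 1; }
    printf 'java -jar %s/%s -h %s -d %s -u %s -e %s -w "%s" -p ****\n' \
        "$JAR_DIR" "$JAR_NAME" "$1" "$2" "$3" "$4" "$5"
}

# Interactive runner: prompts for the password so it is not typed after -p on
# the command line and therefore not written to the shell history.
run_msrpc_test() {
    msrpc_test_cmdline "$@" >/dev/null || return 1
    printf 'Password for %s\\%s: ' "$2" "$3"
    stty -echo 2>/dev/null; read -r _pw; stty echo 2>/dev/null; echo
    (cd "$JAR_DIR" && java -jar "$JAR_NAME" -h "$1" -d "$2" -u "$3" -e "$4" -w "$5" -p "$_pw")
}

# Usage with placeholder values:
#   run_msrpc_test winhost.example.com EXAMPLE jsa-reader MSEVEN6 "Application, Security"
```

The password is still passed to the Java process as an argument, so it is briefly visible in the process list on the console; the wrapper only keeps it out of the history file and out of copy-pasted runbooks. Use a dedicated, least-privilege account that is a member of Event Log Readers rather than a domain administrator for these tests, as the Required permissions row above describes.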

Enabling WMI on Windows Hosts

To enable communication between your Windows host and JSA, you can use Windows Management Instrumentation (WMI).

You must be a member of the administrators group on the remote computer to configure WMI/DCOM communication between the Windows host and the JSA appliance.

The Microsoft Security Event Log protocol (WMI) is not recommended for event collection where more than 50 EPS is required or for servers over slow network connections, such as satellite or slow WAN networks. Network delays that are created by slow connections decrease the EPS throughput available to remote servers. Faster connections can use MSRPC as an alternative. If it is not possible to decrease your network round-trip delay time, we recommend that you use an agent, such as WinCollect.

Specifications for the Microsoft Security Event Log (WMI) protocol:

Manufacturer: Microsoft

DSM name: Windows Security Event Log

Supported versions:

  • Windows Server 2016

  • Windows 2012 (most recent)

  • Windows Server 2012 Core

  • Windows Server 2008 (most recent)

  • Windows 10 (most recent)

  • Windows 8 (most recent)

  • Windows 7 (most recent)

  • Windows Vista (most recent)

Special features: Supports encrypted events by default.

Intended application: Agentless event collection for Windows operating systems over WMI that is capable of 50 EPS per log source.

Note: This is a legacy protocol. In most cases, new log sources should be configured by using the Microsoft Security Event Log over MSRPC protocol.

Special configuration instructions:

  • Configuring DCOM and WMI to Remotely Retrieve Windows 7 Events (http://www.ibm.com/support/docview.wss?uid=swg21678809)

  • Configuring DCOM and WMI to Remotely Retrieve Windows 8 and Windows 2012 Events (http://www.ibm.com/support/docview.wss?uid=swg21681046)

Windows port requirements: You must ensure that external firewalls between the Windows host and the JSA appliance are configured to allow incoming and outgoing TCP connections on the following ports:

  • TCP port 135 (all operating system versions)

  • TCP port that is dynamically allocated above 49152 (required for Vista and later operating systems)

  • TCP port that is dynamically allocated above 1024 (required for Windows XP and 2003)

  • TCP port 445 (required for Windows XP and 2003)

  • TCP port 139 (required for Windows XP and 2003)

Windows service requirements: The following services must be configured to start automatically:

  • Remote Procedure Call (RPC)

  • Remote Procedure Call (RPC) Locator

  • RPC Endpoint Mapper

  • Remote Registry

  • Server

  • Windows Management Instrumentation

Log source permissions: The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup Operators group can also be used, depending on how Microsoft Group Policy Objects are configured.

The log source user must have access to the following components:

  • Windows event log protocol DCOM components

  • Windows event log protocol namespace

  • Appropriate access to the remote registry keys

Supported event types:

  • Application

  • System

  • Security

  • DNS Server

  • File Replication

  • Directory Service logs

Automatically discovered? No, manual log source creation is required.

Includes identity? Yes

Includes custom properties? A security content pack with Windows custom event properties is available on IBM Fix Central.

Required RPM files:

  • PROTOCOL-WinCollectWindowsEventLog-JSA_release-Build_number.noarch.rpm

  • DSM-MicrosoftWindows-JSA_release-Build_number.noarch.rpm

  • DSM-DSMCommon-JSA_release-Build_number.noarch.rpm

More information: Microsoft support (support.microsoft.com/)

Troubleshooting tools available: Yes, a WMI test tool is available in /opt/qradar/jars.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. Click the Log Sources icon.
  4. From the Log Source Type list, select Microsoft Windows Security Event Log.
  5. From the Protocol Configuration list, select Microsoft Security Event Log.
  6. From the Log Source Identifier list, type the IP address or the host name of the Windows system that you intend to poll for events. Host names must be entered as fully qualified domain names (FQDN), such as myhost.example.com.
  7. From the Domain field, type the domain of the Windows system.
  8. Configure the log source user name and password parameters.
  9. Select at least one of the Standard Log Types check boxes.

    Note: If you use the Microsoft Security Event Log or Microsoft Security Event Log over MSRPC protocol, select only the log types that are supported on the target Windows host.

  10. Select at least one of the Event Types check boxes.
  11. Click Save.
  12. On the Admin tab, click Deploy Changes.