Configuration Options for Systems with Restricted Policies for Domain Controller Credentials
Users with appropriate remote access permissions might be able to collect events from remote systems without using domain administrator credentials. Depending on what information you collect, the user might need extra permissions. To collect Security event logs remotely, for example, the user that is configured in the JSA log source must have remote access to the Security event log from the server where the Agent is installed.
For remote collection, the WinCollect user must work with their Windows administrator to ensure access to the following items:
Security, system, and application event logs
The remote registry
Any directories that contain .dll or .exe files that contain message string information
With certain combinations of Windows operating system and group policies in place, alternative configurations might not be possible.
Remote collection inside or across a Windows domain might require domain administrator credentials to ensure that events can be collected. If your corporate policies restrict the use of domain administrator credentials, you might be required to complete more configuration steps for your WinCollect deployment.
When WinCollect agents collect events from the local host, the event collection service uses the Local System account credentials to collect and forward events. Local collection requires that you install a WinCollect agent on a host where local collection occurs.
Changing WinCollect Configuration from the Command Line
You can change the configuration of a WinCollect agent from the command line of the Windows host.
After the initial installation of a WinCollect agent on a Windows host, you can change the configuration by using the installHelper.exe file that is located in the <WinCollect_installation_path>/bin directory.
The following configuration parameters can be modified:
Table 1: Modifiable Configuration Parameters
Parameter: Authorization token
Description: Authorizes the WinCollect service, for example,
Parameter: Configuration Server (host and port)
Description: The IP address or host name of your JSA Console, for example, 184.108.40.206 or myhost.
Parameter: Default Status Server Address
Description: Displays the IP address of the Configuration Server, where status messages from the WinCollect agent are sent.
installHelper.exe has the following update flags. Its help output provides detailed information on the installHelper.exe usage options.
-P [ --update-password ]
Update a password in the AgentConfig.xml configuration file. Specify the Login.Handle and new password, colon separated. For example, 1:MyNewPassword.
Note: The password is in plain text.
-F [ --update-password-with-file ]
Update a set of passwords in the AgentConfig.xml configuration file by using an external file. Specify the Login.Handle and new password, colon separated, one per line. For example, 1:MyNewPassword.
Note: Make sure that you erase the input file or keep it secured.
-T [ --update-auth-token ]
The new authentication token to be used to communicate with the configuration server.
For example, to change an authorization token for a WinCollect agent, type the following in the command line of the Windows host:
<WinCollect_installation_path>/bin/installHelper.exe -T <authorization_token>
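The -F flag reads Login.Handle:password pairs from a plain-text file, which is why the note above says to erase or secure that file. The following PowerShell script is an added example, not Juniper's or WinCollect's own code: it creates the input file with an ACL restricted to SYSTEM and Administrators before any secret is written, runs the update, and overwrites the file before deleting it. It assumes that $WinCollectPath is your <WinCollect_installation_path> and that -F takes the input file path as its next argument; the handle and password values are constructed samples.

```powershell
# Added example; this is not Juniper's or WinCollect's own code. It wraps the
# "installHelper.exe -F" password update so the plain-text input file the page
# warns about exists only briefly and is readable only by SYSTEM and Administrators.
# Assumptions: $WinCollectPath is your <WinCollect_installation_path>, and -F takes
# the input file path as its next argument (the argument form is assumed here).
$WinCollectPath = 'C:\WinCollect'   # placeholder; replace with your installation path
$Helper         = Join-Path $WinCollectPath 'bin\installHelper.exe'
$InputFile      = Join-Path $env:TEMP ("wincollect-pw-{0}.txt" -f [guid]::NewGuid().ToString('N'))

# Login.Handle:password pairs, one per line (constructed sample values).
$Entries = @('1:MyNewPassword', '2:AnotherNewPassword')

try {
    # Create the file empty, then replace its ACL: disable inheritance (so the
    # Temp folder's permissions no longer apply) and grant only SYSTEM and Administrators.
    New-Item -Path $InputFile -ItemType File -Force | Out-Null
    $acl = Get-Acl -Path $InputFile
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $InputFile -AclObject $acl

    # Only now write the secrets, as plain ASCII lines without a byte-order mark.
    [System.IO.File]::WriteAllLines($InputFile, $Entries, [System.Text.Encoding]::ASCII)

    & $Helper -F $InputFile
    if ($LASTEXITCODE -ne 0) { Write-Warning "installHelper.exe exited with code $LASTEXITCODE" }
}
finally {
    # Overwrite before deleting so the passwords do not linger in the file's old
    # clusters; best effort only, since SSD wear levelling and shadow copies can keep copies.
    if (Test-Path -Path $InputFile) {
        $length = (Get-Item -Path $InputFile).Length
        [System.IO.File]::WriteAllBytes($InputFile, (New-Object byte[] $length))
        Remove-Item -Path $InputFile -Force
    }
}
```

Run the script in an elevated PowerShell session on the agent host. Because the ACL is applied before the secrets are written, there is no window in which a less privileged local user can read the file through the default Temp folder permissions.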
Local Installations with No Remote Polling
Install WinCollect locally on each host that you cannot remotely poll. After you install WinCollect, JSA automatically discovers the agent and you can create a WinCollect log source.
You can specify to use the local system by selecting the Local System check box in the log source configuration.
Local installations are suitable for domain controllers where the large event per second (EPS) rates can limit the ability to remotely poll for events from these systems. A local installation of a WinCollect agent provides scalability for busy systems that send bursts of events when user activity is at peak levels.
Configuring Access to the Registry for Remote Polling
Before a WinCollect log source can remotely poll for events, you must configure a local policy for your Windows-based systems.
When a local policy is configured on each remote system, a single WinCollect agent uses the Windows Event Log API to read the remote registry and retrieve event logs. The Windows Event Log API does not require domain administrator credentials. However, the event API method does require an account that has access to the remote registry and to the security event log.
By using this collection method, the log source can remotely read the full event log. However, the method requires WinCollect to parse the retrieved event log information from the remote host against cached message content. WinCollect uses version information from the remote operating system to ensure that the message content is correctly parsed before it forwards the event to JSA.
- Log on to the Windows computer that you want to remotely poll for events.
- Select Start > Programs > Administrative Tools and then click Local Security Policy.
- From the navigation menu, select Local Policies > User Rights Assignment.
- Right-click Manage auditing and security log and then click Properties.
- From the Local Security Setting tab, click Add User or Group to add your WinCollect user to the local security policy.
- Log out of the Windows host and try to poll the remote host for Windows-based events that belong to your WinCollect log source.
If you cannot collect events for the WinCollect log source, verify that your group policy does not override your local policy. You can also verify that the local firewall settings on the Windows host allow remote event log management.
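The prerequisites in this section (the Manage auditing and security log user right, remote registry access, read access to the Security log, and a firewall that allows remote event log management) can all be verified on the target host before a log source is created. The following PowerShell script is an added example, not Juniper's or WinCollect's own code; the account name is a constructed sample, and the check names and logic are this example's own.

```powershell
# Added example; this is not Juniper's or WinCollect's own code. Run it as an
# administrator on a Windows host that a WinCollect log source will poll remotely;
# it reports on each prerequisite the section above describes. The account name is a
# constructed sample, and the check names and logic are this example's own.
param(
    [string]$WinCollectUser = 'CORP\svc-wincollect'    # constructed sample account
)

$results = [ordered]@{}

# 1. "Manage auditing and security log" is the SeSecurityPrivilege user right.
#    secedit exports the effective local policy; a domain group policy can still
#    override it, which is the first thing to suspect if this passes but polling fails.
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Select-String -Path $cfg -Pattern '^SeSecurityPrivilege' | Select-Object -First 1
Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
# The exported right lists SIDs prefixed with "*" (and sometimes names), so resolve the account.
try {
    $account = New-Object System.Security.Principal.NTAccount($WinCollectUser)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch { $sid = $null }
$hasRight = $false
if ($rightLine) {
    $hasRight = ($rightLine.Line -match [regex]::Escape($WinCollectUser)) -or
                ($sid -and $rightLine.Line -match [regex]::Escape($sid))
}
$results['SeSecurityPrivilege (Manage auditing and security log)'] = $hasRight

# 2. Remote registry access requires the RemoteRegistry service to be running.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
$results['RemoteRegistry service running'] = [bool]($svc -and $svc.Status -eq 'Running')

# 3. The local firewall must allow remote event log management (the built-in rule group).
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -ErrorAction SilentlyContinue
$enabledRules = @($fwRules | Where-Object { $_.Enabled -eq 'True' })
$results['Remote Event Log Management firewall rules enabled'] = ($enabledRules.Count -gt 0)

# 4. Reading the Security log without domain administrator credentials is commonly
#    granted through membership of the local Event Log Readers group.
$members = @(Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue)
$results['Member of Event Log Readers'] = ($members.Name -contains $WinCollectUser)

$results.GetEnumerator() | ForEach-Object {
    '{0,-60} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Get-NetFirewallRule and Get-LocalGroupMember are available on Windows 8 / Windows Server 2012 and later with Windows PowerShell 5.1; on older hosts, substitute netsh advfirewall and net localgroup. A CHECK on the first line while the user right is visibly granted in Local Security Policy usually means a group policy is overriding the local setting, which is the case the text above tells you to verify.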
Windows Event Subscriptions for WinCollect Agents
To provide events to a single WinCollect agent, you can use Windows event subscriptions to forward events. With event subscriptions configured, numerous Windows hosts can forward their events to JSA without administrator credentials.
The events that are collected are defined by the configuration of the event subscription on the remote host that sends the events. WinCollect forwards all of the events that are sent by the subscription configuration, regardless of what event log check boxes are selected for the log source.
Windows event subscriptions, or forwarded events, are not considered local or remote, but are event listeners. The WinCollect Forwarded Events check box enables the WinCollect log source to identify Windows event subscriptions. The WinCollect agent displays only a single log source in the user interface, but this log source is listening and processing events for potentially hundreds of event subscriptions. One log source in the agent list is for all event subscriptions. The agent recognizes the event from the subscription, processes the content, and then sends the syslog event to JSA.
Forwarded events are displayed as Windows Auth @ IP address in the Log Activity tab. Conversely, locally or remotely collected events appear as Windows Auth @ IP address or hostname. When WinCollect processes a locally or remotely collected event, WinCollect includes an extra syslog header that identifies the event as a WinCollect event. Because the forwarded event is a pass-through or listener, the extra header is not included, and forwarded events appear like standard syslog events and don't include the WinCollect identifier.
WinCollect collects only those forwarded events that appear in the Windows Event Viewer.
If you have domain controllers, consider installing local WinCollect agents on the servers. Due to the potential number of generated events, use a local log source with the agent installed on the domain controller.
Supported Software Environments
Event subscriptions apply only to WinCollect agents and hosts that are configured on the following Windows operating systems:
Windows 8 (most recent)
Windows 7 (most recent)
Windows Server 2008 (most recent)
Windows Server 2012 (most recent)
Windows Vista (most recent)
Windows 10 (most recent)
WinCollect is not supported on versions of Windows that Microsoft has moved to End Of Life. After software is beyond the Extended Support End Date, the product might still function as expected; however, Juniper Networks will not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For example, Microsoft Windows Server 2003 R2 and Microsoft Windows XP are operating systems that are beyond the Extended Support End Date. Any questions about this announcement can be discussed in the JSA Collecting Windows Events (WMI/ALE/WinCollect) forum. For more information, see https://support.microsoft.com/en-us/lifecycle/search.
For more information about event subscriptions, see your Microsoft documentation or the Microsoft technical website at http://technet.microsoft.com/en-us/library/cc749183.aspx.
Troubleshooting Event Collection
Microsoft event subscriptions don't have an alert mechanism to indicate when an event source stopped sending. If a subscription fails between the two Windows systems, the subscription appears active, but the service that is responsible for the subscription can be in an error state. With WinCollect, the remotely polled or local log sources can time out when events are not received within 720 minutes (12 hours).
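Because a subscription raises no alert when a source goes quiet, the practical substitute is to poll the collector's runtime status and flag sources whose last heartbeat is older than a threshold, well before the 12-hour WinCollect log source timeout. The following PowerShell function is an added example, not Juniper's or Microsoft's code; it parses the text that wecutil get-subscriptionruntimestatus (gr) prints, and the sample output embedded at the bottom is constructed for offline testing.

```powershell
# Added example; this is not Juniper's or Microsoft's own code. It parses the text
# output of "wecutil gr <SubscriptionId>" and returns every event source that is not
# Active, reported an error, or has not sent a heartbeat within the threshold.
function Get-StaleSubscriptionSources {
    param(
        [Parameter(Mandatory)][string[]]$RuntimeStatusText,  # output lines of "wecutil gr <id>"
        [int]$MaxAgeMinutes = 60,                             # alert threshold; choose per environment
        [datetime]$Now = (Get-Date)
    )
    $sources = @()
    $current = $null
    foreach ($raw in $RuntimeStatusText) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -notmatch ':') {
            # A line with no "key: value" form is an event source name (the sending host).
            $current = [pscustomobject]@{ Source = $line; Status = $null; LastError = $null; LastHeartbeat = $null }
            $sources += $current
            continue
        }
        if ($null -eq $current) { continue }   # subscription-level lines before "EventSources:"
        $key, $value = $line -split ':\s*', 2
        switch ($key) {
            'RunTimeStatus'     { $current.Status = $value }
            'LastError'         { $current.LastError = [int]$value }
            'LastHeartbeatTime' { $current.LastHeartbeat = [datetime]::Parse($value, [cultureinfo]::InvariantCulture) }
        }
    }
    foreach ($s in $sources) {
        $age = if ($s.LastHeartbeat) { ($Now - $s.LastHeartbeat).TotalMinutes } else { [double]::PositiveInfinity }
        if ($s.Status -ne 'Active' -or $s.LastError -ne 0 -or $age -gt $MaxAgeMinutes) {
            [pscustomobject]@{
                Source              = $s.Source
                Status              = $s.Status
                LastError           = $s.LastError
                HeartbeatAgeMinutes = [math]::Round($age)
            }
        }
    }
}

# Live use on the collector (the WinCollect agent host):
#   Get-StaleSubscriptionSources -RuntimeStatusText (wecutil gr 'WinCollectForwarding') -MaxAgeMinutes 60
# Constructed sample output for offline testing: stale-host last reported 13 hours ago.
$sample = @'
Subscription: WinCollectForwarding
        RunTimeStatus: Active
        LastError: 0
        EventSources:
                dc01.corp.example
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2024-05-01T09:58:00.000
                stale-host.corp.example
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2024-04-30T21:00:00.000
'@ -split "`r?`n"
Get-StaleSubscriptionSources -RuntimeStatusText $sample -Now ([datetime]'2024-05-01T10:00:00') | Format-Table
```

Scheduling this on the collector and forwarding its output to JSA gives you the missing alert: the stale source is reported as soon as its heartbeat age passes the threshold, rather than when the log source times out. Note that the subscription itself still shows RunTimeStatus Active in the sample, which is exactly the blind spot the text describes.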
Using Microsoft Event Subscriptions
To use event subscriptions, you must complete these tasks:
- Configure event subscriptions on your Windows hosts.
- Configure a log source on the WinCollect agent that receives the events.
WinCollect supports event subscriptions with the following parameters:
- Forwarded Events selected in the Destination log list.
- RenderedText for the content format.
- en_US for the locale.
You must select the Local System check box and Forwarded Events check box for the WinCollect log source.
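The first task, creating the subscription on the host that receives the events, can be done with wecutil. The following PowerShell script is an added example, not Juniper's or Microsoft's code: it writes a source-initiated subscription that uses the three settings listed above (Forwarded Events as the destination log, RenderedText as the content format, and the en-US locale, which is the page's en_US in the form wecutil expects), creates it, and then checks that those settings are present in the stored subscription. The subscription name, description, query and the example SDDL are constructed for this example.

```powershell
# Added example; this is not Juniper's or Microsoft's own code. It creates a
# source-initiated Windows event subscription on the host that runs the WinCollect
# agent, using the settings the page lists: Forwarded Events as the destination log,
# RenderedText as the content format and the en-US locale (the page's en_US).
# The subscription name, description and query are constructed for this example.
$subscriptionId = 'WinCollectForwarding'
$xmlPath = Join-Path $env:TEMP "$subscriptionId.xml"

# Subscription document in the schema consumed by "wecutil create-subscription".
# AllowedSourceDomainComputers is the SDDL from Microsoft's documented example
# (Allow GenericAll to Domain Computers); narrow it to a group of your own.
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events forwarded to the WinCollect agent host</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@ | Set-Content -Path $xmlPath -Encoding UTF8

# The Windows Event Collector service must be configured and running first.
wecutil qc /q
wecutil cs $xmlPath
if ($LASTEXITCODE -ne 0) { throw "wecutil create-subscription failed with code $LASTEXITCODE" }

# Confirm that the settings WinCollect expects actually landed in the stored subscription.
$stored = wecutil gs $subscriptionId /f:xml | Out-String
foreach ($expected in '<ContentFormat>RenderedText</ContentFormat>',
                      '<Locale Language="en-US"',
                      '<LogFile>ForwardedEvents</LogFile>') {
    if ($stored -notmatch [regex]::Escape($expected)) { Write-Warning "Missing setting: $expected" }
}
```

Run the script in an elevated session on the collector. The sending hosts still need Microsoft's source-side configuration (the Subscription Manager policy pointing at this collector, and the Windows Remote Management service enabled), which this page defers to the Microsoft documentation linked above. Once events arrive in the Forwarded Events log, complete the second task by selecting the Local System and Forwarded Events check boxes on the WinCollect log source.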