Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Microsoft Windows Security Event Log

 

The JSA DSM for Microsoft Windows Security Event Log accepts syslog events from Microsoft Windows systems. All events, including Sysmon and Winlogbeat.json, are supported.

For event collection from Microsoft operating systems, JSA supports the following protocols:

  • Syslog (Intended for Snare, BalaBit, and other third-party Windows solutions)

  • Forwarded.

  • TLS Syslog.

  • TCP Multiline Syslog.

  • Microsoft Event Log (WMI). See Juniper Secure Analytics Vulnerability Manager User Guide.

  • Windows Event Log Custom (WMI). See Juniper Secure Analytics Vulnerability Manager User Guide.

  • MSRPC (Microsoft Security Event Log over MSRPC).

  • WinCollect. See the Juniper Secure Analytics WinCollect User Guide.

  • WinCollect NetApp Data ONTAP. See the Juniper Secure Analytics WinCollect User Guide.

  • Amazon Web Services protocol from AWS CloudWatch.

Ensure that you have an Azure storage account and an Azure event hub.

  1. Optional: Create a storage account.Note

    You must have a storage account to connect to an event hub.

  2. Optional: Create an event hub.

Installing the MSRPC Protocol on the JSA Console

You must install the MSRPC protocol RPM on the JSA console before events can be collected from a Windows host.

Ensure that you download the MSRPC protocol RPM from https://support.juniper.net/support/downloads/.

  1. Log in to the JSA console as a root user.
  2. Copy the MSRPC protocol RPM to a directory on the JSA console.
  3. Go to the directory where you copied the MSRPC protocol RPM by typing the following command:

    cd <path_to_directory>

  4. Install the MSRPC protocol RPM by typing the following command:

    yum –y install PROTOCOL-WindowsEventRPC-<version_number>.noarch.rpm

  5. From the Admin tab of the JSA console, select Advanced >Deploy Full Configuration.
  6. After you deploy the configuration, select Advanced >Restart Web Server.

MSRPC Parameters on Windows Hosts

To enable communication between your Windows host and JSA over MSRPC, configure the Remote Procedure Calls (RPC) settings on the Windows host for the Microsoft Remote Procedure Calls (MSRPC) protocol.

You must be a member of the administrators group to enable communication over MSRPC between your Windows host and the JSA appliance.

Based on performance tests on an JSA Event Processor 1628 appliance with 128 GB of RAM and 40 cores (Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80 GHz), a rate of 8500 events per second (eps) was achieved successfully, while simultaneously receiving and processing logs from other non-Windows systems. The log source limit is 500.

Specification

Value

Manufacturer

The operating system dependant type of the remote procedure protocol for collection of events.

Select one of the following options from the Protocol Type list:

  • MS-EVEN6 – The default protocol type for new log sources.

    The protocol type that is used by JSA to communicate with Windows Vista and Windows Server 2008 and later.

  • MS-EVEN (for Windows XP/2003) - The protocol type that is used by JSA to communicate with Windows XP and Windows Server 2003.

    Windows XP and Windows Server 2003 are not supported by Microsoft. The use of this option might not be successful.

  • auto-detect (for legacy configurations) – Previous log source configurations for the Microsoft Windows Security Event Log DSM use the auto-detect (for legacy configurations) protocol type.

    Upgrade to the MS_EVEN6 or the MS-EVEN (for Windows XP/2003) protocol type.

Supported versions

Windows Server 2016

Windows Server 2012 (most recent)

Windows Server 2012 Core

Windows Server 2008 (most recent)

Windows Server 2008 Core

Windows 10 (most recent)

Windows 8 (most recent)

Windows 7 (most recent)

Windows Vista (most recent)

Intended application

Agentless event collection for Windows operating systems that can support 100 EPS per log source.

Maximum number of supported log sources

500 MSRPC protocol log sources for each managed host (16xx or 18xx appliance)

Maximum overall EPS rate of MSRPC

8500 EPS for each managed host

Special features

Supports encrypted events by default.

Required permissions

The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup operators group can also be used depending on how Microsoft Group Policy Objects are configured.

Windows XP and 2003 operating system users require read access to the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\services\eventl

  • HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Control\Nls \Language

  • HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft Windows\CurrentVersion

Supported event types

Application

System

Security

DNS Server

File Replication

Directory Service logs

Windows service requirements

For Windows Server 2008 and Windows Vista, use the following services:

  • Remote Procedure Call (RPC)

  • RPC Endpoint Mapper

For Windows 2003, use the Remote Registry and Server.

Windows port requirements

Ensure that external firewalls between the Windows host and the JSA appliance are configured to allow incoming and outgoing TCP connections on the following ports:

For Windows Server 2008 and Windows Vista, use the following ports:

  • TCP port 135

  • TCP port that is dynamically allocated for RPC, above 49152

For Windows 2003, use the following ports:

  • TCP port 445

  • TCP port 139

Automatically discovered?

No

Includes identity?

Yes

Includes custom properties?

A security content pack with Windows custom event properties is available on https://support.juniper.net/support/downloads/.

Required RPM files

PROTOCOL-WindowsEventRPC-

JSA-version-Build_number.noarch.rpm

DSM-MicrosoftWindows-

JSA-version-Build_number.noarch.rpm

DSM-DSMCommon-

JSA-version-Build_number.noarch.rpm

More information

Microsoft support

Troubleshooting tool available

MSRPC test tool is part of the MSRPC protocol RPM. After installation of the MSRPC protocol RPM, the MSRPC test tool can be found in /opt/ qradar/jars

Microsoft Security Event Log over MSRPC log source parameters for Microsoft Windows Security Event Log

If JSA does not automatically detect the log source, add a Microsoft Windows Security Event Log log source on the JSA Console by using the Microsoft Security Event Log over MSRPC protocol.

When using the Microsoft Security Event Log over MSRPC protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Microsoft Security Event Log over MSRPC events from Microsoft Windows Security Event Log:

Table 1: Microsoft Security Event Log over MSRPC log source parameters for the Microsoft Windows Security Event Log DSM

Parameter

Value

Log Source type

Microsoft Windows Security Event Log

Protocol Configuration

Microsoft Security Event Log over MSRPC

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your Microsoft Windows Security Event Log devices.

Diagnosing Connection Issues with the MSRPC Test Tool

Use the MSRPC test tool to check the connection between the JSAappliance and a Windows host.

Ensure that the PROTOCOL-WindowsEventRPC- <version_number> is installed on the JSA appliance.

The MSRPC test tool can be used for troubleshooting connection problems and to test the initial connection between the host and the JSA appliance to ensure that the host is configured properly. Table 1 describes the MSRPC test tool option flags.

Table 2: MSRPC Test Tool Flags

Flags

Description

-? or --help

Displays the help and usage information for the MSRPC tool.

-b

Displays debugging information, if available.

-d <domain>

Active Directory Domain, or hostname if in a workgroup.

-e <protocol>

EventLog Remoting protocol.

Values: MSEVEN, MSEVEN6, and AUTO

Default: AUTO

-h <hostname/ip>

Hostname or IP address of the Windows host.

-p <password>

Password

-u <username>

Username

-w <poll>

Polling mode. Specify one or more event log channels.

Values: Security, System, Application, DNS Server, File Replication Service, Directory Service

Separate multiple values by comma. Example: Application, Security.

Default: Security

  1. Log in to the JSA console.
  2. To use the MSRPC test tool, type the following command:

    cd /opt/qradar/jars

  3. To test for connection between the JSA and the Windows host, type the following command:

    java -jar Q1MSRPCTest.jar

  4. Optional: For more usage options, type java -jar Q1MSRPCTest.jar --help

WMI Parameters on Windows Hosts

To enable communication between your Windows host and JSA, you can use Windows Management Instrumentation (WMI).

You must be a member of the administrators group on the remote computer to configure WMI/DCOM Windows host and the JSA appliance.

The Microsoft Security Event Log protocol (WMI) is not recommended for event collection where more than 50 EPS is required or for servers over slow network connections, such as satellite or slow WAN networks. Network delays that are created by slow connections decrease the EPS throughput available to remote servers. Faster connections can use MSRPC as an alternative. If it is not possible to decrease your network round-trip delay time, we recommend that you use an agent, such as WinCollect.

Specification

Value

Manufacturer

Microsoft

DSM name

Windows Security Event Log

Supported versions

Windows Server 2016

Windows 2012 (most recent)

Windows Server 2012 Core

Windows Server 2008 (most recent)

Windows 10 (more recent)

Windows 8 (more recent)

Windows 7 (most recent)

Windows Vista (most recent)

Special features

Supports encrypted events by default.

Intended application

Agentless event collection for Windows operating systems over WMI that is capable of 50 EPS per log source.

Note: This is a legacy protocol. In most cases, new log sources should be configured by using the Microsoft Security Event Log over MSRPC protocol.

Special configuration instructions

Configuring DCOM and WMI to Remotely Retrieve Windows 7 Events (http://www.ibm.com/support/docview.wss?uid=swg21678809)

Configuring DCOM and WMI to Remotely Retrieve Windows 8 and Windows 2012 Events (http://www.ibm.com/support/docview.wss?uid=swg21681046)

Windows port requirements

You must ensure that external firewalls between the Windows host and the JSA appliance are configured to allow incoming and outgoing TCP connections on the following ports:

  • TCP port 135 (all operating system versions)

  • TCP port that is dynamically allocated above 49152 (required for Vista and above operating systems)

  • TCP port that is dynamically allocated above 1024 (required for Windows XP & 2003)

  • TCP port 445 (required for Windows XP & 2003)

  • TCP port 139 (required for Windows XP & 2003)

Windows service requirements

The following services must be configured to start automatically:

  • Remote Procedure Call (RPC)

  • Remote Procedure Call (RPC) Locator

  • RPC Endpoint Mapper

  • Remote Registry

  • Server

  • Windows Management Instrumentation

Log source permissions

The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup operators group can also be used depending on how Microsoft Group Policy Objects are configured.

The log source user must have access to following components:

  • Window event log protocol DCOM components

  • Windows event log protocol name space

  • Appropriate access to the remote registry keys

Supported event types

Application

System

Security

DNS Server

File Replication

Directory Service logs

Automatically discovered?

No, manual log source creation is required

Includes identity?

Yes

Includes custom properties?

A security content pack with Windows custom event properties is available on IBM Fix Central.

Required RPM files

PROTOCOL-WinCollectWindowsEventLog-

JSA_release-Build_number.noarch.rpm

DSM-MicrosoftWindows-JSA_release-Build_number.noarch.rpm

DSM-DSMCommon-JSA_release-Build_number.noarch.rpm

More information

Microsoft support (support.microsoft.com/)

Troubleshooting tools available

Yes, a WMI test tool is available in /opt/qradar/jars.

Microsoft Security Event Log Log Source Parameters for Microsoft Windows Security Event Log

If JSA does not automatically detect the log source, add a Microsoft Windows Security Event Log log source on the JSA Console by using the Microsoft Security Event Log protocol.

When using the Microsoft Security Event Log protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Microsoft Security Event Log events from Microsoft Windows Security Event Log:

Table 3: Microsoft Security Event Log log source parameters for the Microsoft Windows Security Event Log DSM

Parameter

Value

Log Source type

Microsoft Windows Security Event Log

Protocol Configuration

Microsoft Security Event Log

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your Microsoft Windows Security Event Log devices.

Domain

Type the domain of the Windows system.

Installing Winlogbeat and Logstash on a Windows Host

To retrieve Winlogbeat JSON formatted events in JSA, you must install Winlogbeat and Logstash on your Microsoft Windows host.

Ensure that you are using the Oracle Java Development Kit V8 for Windows x64 and later.

  1. Install Winlogbeat 7.7 by using the default values. For more information, see Getting Started With Winlongbeat.
  2. Start the Winlogbeat service.Note

    For Windows services, the service name is winlogbeat. After installation, the service is set to STOPPED, and then must be started for the first time. Any configuration changes beyond this point require a service restart.

  3. Optional. For more flexibility when you configure Winlogbeat, see Set up Winlongbeat.
  4. Install Logstash by downloading the package and saving it to a file location of your choice.
  5. To ensure that Winlogbeat communicates properly with JSA, see Configure Winlogbeat to use Logstash.

    The following basic sample configuration file can be used in the <logstash_install_directory>/config file.input { beats { port => 5044 } } output { tcp { host => ["172.16.199.22"] port => 514 mode => "client" codec => "json_lines" } stdout { codec => rubydebug } }

    Note

    If you are using rubydebug, debugging must be enabled in the logstash.yml file. Uncomment the line # log.level: info, and replace info with debug. Restarting the service is required after any configuration changes.

    Note

    The codec in output must be set to json_lines to ensure that each event is sent separately to JSA.

    Note

    If you want to send Kafka output to an existing Kafka server, see Configure the Kafka output.

  6. Ensure that Logstash is set up correctly by verifying that the config file for Logstash is working. Run the following command from the Logstash bin directory:

    logstash --config.test_and_exit -f <path to config file>

  7. Ensure that Winlogbeat is configured correctly.
    1. Verify that the config file is working by running the following command from the winlogbeat directory:

      ./winlogbeat test config

  8. Verify that Winlogbeat can access the Logstash server by running the following command from the winlogbeat directory:

    ./winlogbeat test output

    If the output of the ./winlogbeat test output command is successful, it might break any existing connection to Logstash. If the connection breaks, restart the Logstash service.

Microsoft Windows Security Event Log log source parameters

When you add a Microsoft Windows Security Event Log log source on the JSA Console by using the Syslog protocol, there are specific parameters you must use.

The following table describes the parameters that require specific values to collect Syslog events from Microsoft Windows Security Event Log:

Table 4: Microsoft Security Event Log Syslog Source Parameters for the Microsoft Windows Security Event Log DSM

Parameter

Value

Log Source type

Microsoft Windows Security Event Log

Protocol Configuration

Syslog

Log Source Identifier

The host ID of the logstash server.

Microsoft Windows Security Event Log Sample event message

Use these sample event messages to verify a successful integration with JSA.

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Microsoft Windows Security Event Log sample messages when you use WinCollect

The following sample has an event ID of 4624 that shows a successful login for the <account_name> user that has a source IP address of 10.0.0.1 and a destination IP of 10.0.0.2.

<13>May 08 10:45:44 microsoft.windows.test AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.9.108 Source=Microsoft-Windows- Security-Auditing Computer=microsoft.windows.test OriginatingComputer=10.0.0.2 User= Domain= EventID=4624 EventIDCode=4624 EventType=8 EventCategory=12544 RecordNumber=649155826 TimeGenerated=1588945541 TimeWritten=1588945541 Level=Log Always Keywords=Audit Success Task=SE_ADT_LOGON_LOGON Opcode=Info Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: account_name$ Account Domain: account_domain Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: account_domain\account_name Account Name: account_name Account Domain: domain_name Logon ID: 0x9A4D3C17 Linked Logon ID: 0x9A4D3CD6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: workstation_name Source Network Address: 10.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested

The following sample has an event ID of 4624 that shows a successful login for the <target_user_name> user that has a source IP address of 10.0.0.1.

<13>May 08 14:54:03 microsoft.windows.test AgentDevice=NetApp AgentLogFile=Security PluginVersion=7.2.9.108 Source=NetApp-Security-Auditing Computer=00000000-0000-000000005-000000000000/11111111-1111-1111-1111-111111111111 OriginatingComputer=00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111 User= Domain= EventID=4624 EventIDCode=4624 EventType=8 EventCategory=0 RecordNumber=6706 TimeGenerated=1588960308 TimeWritten=1588960308 Level=LogAlways Keywords=AuditSuccess Task=None Opcode=Info Message=IpAddress=10.0.0.1 IpPort=49155 TargetUserSID=S-0-0-00-00000000-0000000000-0000000000-0000 TargetUserName=target_user_name TargetUserIsLocal=false TargetDomainName=target_domain_name AuthenticationPackageName=NTLM_V2 LogonType=3 ObjectType=(null) HandleID=(null) ObjectName=(null) AccessList=(null) AccessMask=(null) DesiredAccess=(null) Attributes=(null)

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in Snare format

The following sample has an event ID of 4724 that shows that an attempt was made to reset an account's password, and that the attempt was made by the account name Administrator.

Note

The logs that you send to JSA must be tab-delimited. If you cut and paste the code from this sample, make sure that you press the tab key where indicated by the <tab> variables, then remove the variables.

<133>Aug 15 23:12:08 microsoft.windows.test MSWinEventLog<tab>1<tab>Security<tab>839<tab>Wed Aug 15 23:12:08 2012<tab>4724<tab>Microsoft-Windows-Security-Auditing<tab>user<tab>N/A<tab>Success Audit<tab>w2k8<tab>User Account Management<tab>An attempt was made to reset an account's password. Subject: Security ID: subject_security_id Account Name: Administrator Account Domain: DOMAIN Logon ID: 0x5cbdf Target Account: Security ID: target_security_id Account Name: target_account_name Account Domain: DOMAIN 355

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in LEEF format

The following sample has an event ID of 8194 that shows that the event generated a Volume Shadow Copy Service error that was initiated by the <user_name> user.

<131>Apr 04 10:03:18 microsoft.windows.test LEEF:1.0|Microsoft|Windows|2k8r2| 8194|devTime=2019-04-04T10:03:18GMT+02:00 devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=Error sev=2 resource=microsoft.windows.test usrName=domain_name \user_name application=Group Policy Registry message=domain_name\user_name: Application Group Policy Registry: [Error] The client-side extension could not apply computer policy settings for '00 - C - Domain - Baseline (Enforced) {00000000-0000-0000-0000-000000000000}' because it failed with error code '0x80070002 The system cannot find the file specified.' See trace file for more details. (EventID 8194)

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in CEF format

The following sample has an event ID of 7036 Service Stopped that shows that a service entered the stopped state.

CEF:0|Microsoft|Microsoft Windows||Service Control Manager:7036| Service entered the stopped state|Low| eventId=132 externalId=7036 categorySignificance=/Normal categoryBehavior=/Execute/Response categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/ Success categoryObject=/Host/Application/Service art=1358378879917 cat=System deviceSeverity=Information act=stopped rt=1358379018000 destinationServiceName=Portable Device Enumerator Service cs2=0 cs3=Service Control Manager cs2Label=EventlogCategory cs3Label=EventSource cs4Label=Reason or Error Code ahost=192.168.0.31 agt=192.168.0.31 agentZoneURI=/All Zones/ example System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 av=5.2.5.6395.0 atz=Country/City_Name aid=00000000000000000000000\\=\\= at=windowsfg dvchost=host.domain.test dtz=Country/City_Name _cefVer=0.1 ad.Key[0]=Portable Device Enumerator Service ad.Key[1]=stopped ad.User= ad.ComputerName=host.domain.test ad.DetectTime=2013-1-16 15:30:18 ad.EventS

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs by using Winlogbeat

The following sample has an event ID of System that shows that NtpClient was unable to set a manual peer to use as a time source.

{"@timestamp":"2017-02-13T01:54:07.745Z","beat": {"hostname":"microsoft.windows.test",

"name":"microsoft.windows.test"

,"version":"5.6.3"},"{"DomainPeer":"time

.windows.test,0x9","ErrorMessage":"No such host is known. (0x80072AF9)","RetryMinutes":"15"},"event_id":134,"level":"Warning","log_name":"System","was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.test,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)","opcode":"Info","process_id"

:996,"provider_guid":"

{00000000-0000-0000-0000-Windows-Time-

Service","thread_id":3312,"type":

"wineventlog","user": {"domain":"NT AUTHORITY","identifier":"user_identifier","name":"LOCAL SERVICE","type":"Well Known Group"}}

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs by using Azure Event Hubs

{"time":"2019-05-07T17:53:30.0648172Z","category"

:"WindowsEventLogsTable","level":"Informational

","{"DeploymentId":"00000000-0000-0000-0000-000000000000","Role"

:"IaaS","RoleInstance":"_role_

Windows-Security- Auditing","EventId":5061,"Level":0,"Pid":700,"Tid":1176,"Opcode":0,"Task":12290,"Channel