McAfee SIEM - How to Add a Windows Data Source to your SIEM

Version 1


    Overview

     

    In this document, you will see how to add Windows log as a data source in your McAfee SIEM so you can start receiving events from your windows servers.

     

    The component responsible of gathering events, logs and flows is called the event receiver, which we will call receiver for short from now on. The receiver can run on the same box as the ESM component, as it is the case for some of the SIEM combo appliances, or it can run on its own dedicated virtual or hardware appliance. You can have multiple receivers, depending on your needs.

     

    The product that the receiver is receiving or collecting data from is called the data source.

     

    Video

     

    You can also watch the steps described in this document by viewing the video below.

     

     

    Procedure

     

    Adding the data source

     

    To add a data source, in the system Tree, on the left of the console, expand your Local ESM by clicking the plus sign next to it and Click on your Event Receiver.

     

    Then, click the Add Data Source button in the top left corner of the console.

     

    image001.png

     

    The Add Data Source Dialog opens.

     

        • For Data Source Vendor, chose Microsoft.

     

        • For the Data Source Model, the options available to you will vary depending on the vendor you picked for the Data Source vendor. In our case, we picked Microsoft, so we are presented with Microsoft related options. Here, we are going to pick WMI Event Log.

     

        • Leave the Data Format and Data Retrieval to Default

     

        • Now we have the option to check a “parsing” and a “logging” checkboxes. “Parsing” means that the logs will be parsed and inserted into the ESM database. “Logging” means the logs will be sent, raw and unparsed, to the event log manager component. The options you chose depend on your specific needs. In our particular case, we are going to leave parsing checked.

     

        • Provide a Name: This is how this data source will appear in the SIEM system tree. You can pick any name you want.

     

        • Enter the IP address of your windows server. If you are using DHCP for your Windows system, starting at version 9.4, you don’t need to enter an IP address. You can only enter the host name in the next box. If you are using a version prior to 9.4, you will have to enter the name of the server in the field labeled “Netbios name”. That field name changed to “host name” in 9.4.

     

        • Enter the host name of your Windows server.

     

        • Fill in the username and password of the administrator account.

     

        • Under Event Logs: APPLICATION, SYSTEM, SECURITY – By default, the Receiver will collect security, administration and event logs. You have the ability to enter other log files, such as Directory Service or Exchange if your Windows server is running those services. The event log data gets collected in the packet data and can be viewed through the event table details. If you enter additional logs, make sure there are no spaces between the log names.

     

        • The next setting, Interval, determinates how often the Receiver will check windows logs for new events. Generally, 10 minutes is a good rule of thumb for windows servers.

     

        • Click Connect to test your credentials.

     

    image002.png

     

    A test connection successful message appears. Click Close. Then Click OK to close the Add Data Source window.

     

    image003.png

     

    The Apply Data Source Settings pop up appears. Click yes so your receiver is updated with the new windows WMI log data source you just created.

     

    image004.png

     

    An update is successful pop-up appears when the update has been successfully applied. Click Close.

     

    image005.png

     

    The Policy Rollout screen automatically opens. This is to ensure that policies are immediately rolled out to the new data source that you created. And you can see that the data source you have just added is listed.

     

    You don’t need to check the Roll out policy check box, since clicking on OK will initiate an immediate rollout. You’ll also notice that the roll out is skipped if the policies are already up to date on the device.

     

    Click OK.

     

    The window will close by itself.

     

    image006.png

     

    Now, if we look in the system tree, we can see that our data source has been added under the receiver.

     

    image007.png

     

    Receiving events

     

    Now let’s see if we are getting events. To see the events specifically coming from our new windows data source, just select it in the system tree. It might take a while since we configured our receiver to pull event every 10 minutes from our windows server, and then it takes another 10 minutes for the ESM to pull the events from the receiver. But we can accelerate that last step by asking the ESM to pull those events from the receiver right now.

     

    To do that, click on the “Get Events and Flows” icon in the top left corner of the console.

     

    image008.png

     

    The Get Events and Flows window opens. Click Start. The ESM will start downloading events.

     

    image009.png

     

    When it’s done, it will tell how many events were downloaded. Click Close.

     

    image010.png

     

    Click the refresh icon in the top middle of the SIEM console.

     

    image011.png

     

    You can now see windows events in the console.

     

    image012.png

     

    Using system profiles

     

    One last tip. If you have a lot of windows servers, you may not want to have to enter the same data source information and credentials over and over again. For those cases, you can create a system profile that will pre-populate the common fields for you.

     

    To create and use a system profile, Click the gold System Properties icon in the top right corner of the console.

     

    image013.png

     

    The System Properties dialog opens.

     

    image014.png

     

    Click Profile Management.

     

    Click on Add.

     

    image015.png

     

    The Add System Profile window opens.

     

        • For profile type, select Data Source. The available settings will change according to your choice.

     

        • For profile agent, select Windows.

     

        • Enter an arbitrary profile name.

     

        • Enter the administrator account and password.

     

        • Enter the event log you want to collect. Here, we are going to enter system, information and security. Comma separated with no space.

     

    Click OK.

     

    image016.png

     

    In the system Profile window, you can see that the new profile has been created.

     

    image017.png

     

    Now, let’s see how to use this profile when adding a second window s server as a data source.

     

    Select your receiver in the system tree again.

     

    Click the add data source icon in the top right corner of the console.

     

    image018.png

     

    The add data source window opens.

     

    Check "Use System Profile"

     

    Notice that all common fields are automatically populated with the information we entered in the profile. All you need to do is a name of your choice, the IP address and host name of the new windows server, and you are done. Click Connect to verify connectivity.

     

    image019.png

     

      • The same process as when we added our first Windows server now takes place. A test connection successful message appears. Click Close. Then Click OK to close the Add Data Source window.

     

      • The Apply Data Source Settings pop up appears. Click yes so your receiver is updated with the new windows WMI log data source you just created.

     

      • An update is successful pop-up appears when the update hasbeen successfully applied. Click close.

     

      • The Policy Rollout screen opens. Click OK. The window will close by itself.

     

      • And in the system tree, you can see that your new datasource has been added too.

     

    image020.png

     

    Conclusion

     

    You’ve just seen how to add a Windows data source manually. We used WMI to achieve that. But for larger deployments, other methods are available, such as bulk import from a cvs formatted file, auto-learning via the McAfee SIEM collector, importing via the asset manager, or using third party clients such as Snare to pull your Windows logs to your SIEM.

     

    Useful Links

     

    For more information about the McAfee SIEM, visit:

     

    McAfee SIEM Product page: http://www.mcafee.com/us/products/siem/index.aspx

     

    McAfee SIEM Community: https://community.mcafee.com/community/business/siem

     

    McAfee Sales page http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales