SIEM Foundations: Configuring a Windows Data Source

Creating a Windows Data Source Profile

The McAfee SIEM provides a facility to store commonly used profiles for such attributes as Windows Account Credentials and data storage mount parameters (CIFS, NFS, etc.). This allows the SIEM administrator to enter the required profile information in a central location which is later referenced by the SIEM when necessary.

One of the most useful profiles to configure is that of a Windows Data Source. The Windows profile stores the credentials and log collection details that can later be used when defining a Windows (WMI) data source in the Event Receiver. By using a profile during the creation of a Windows data source, the SIEM operator does not enter the credentials directly but instead assigns the attributes of the profile to the data source. This also keeps the credentials in a central location: any change to the username or password is made once within the profile, and every data source that references the profile automatically uses the modified values.

To create a Windows Data Source Profile:

  1. Click the System Properties icon from the Quick Launch menu in the upper right of the interface.
  2. Click Profile Management.
  3. Click the Add button. The Add System Profile window will open.
  4. From the Profile Type dropdown menu, select Data Source.
  5. From the Profile Agent dropdown menu select Windows.
  6. Enter a Profile Name.
  7. Enter a Username. This can be a local account or domain account credentials.
  8. Enter a Password.
  9. In the Event Logs field, enter SYSTEM,SECURITY,APPLICATION.
  10. Click OK. Close the System Properties window.

Configuring a Windows Data Source

There are several methods that can be used to add a Data Source to an Event Receiver for collection: one at a time from the Action Toolbar, multiple sources from the Data Source section of the Event Receiver Properties window, bulk creation via CSV file import, and Auto Learn.

The following steps will describe the simplest way to add a single Data Source to a Receiver to begin event and log collection – One at a time from the Action Toolbar.

  1. From the System Tree, select the Event Receiver on which you will be configuring the Windows Data Source.
  2. Click the Add Data Source button from the Action Toolbar located in the upper left of the interface. The Add Data Source window will open.
  3. To use the Windows Data Source Profile created in the previous section, place a check mark in the Use System Profiles option box. The Add Data Source window will populate the Data Source Vendor (Microsoft), Data Source Model (WMI Event Log), Username, Password and Event Log details defined in the Profile.

    To define a Windows Data Source without using a profile:
    1. From the Data Source Vendor dropdown menu, select Microsoft.
    2. From the Data Source Model dropdown menu, select WMI Event Log.
    3. Enter a Username with sufficient privileges to connect to the Windows host and retrieve the WMI logs.
    4. Enter the Password.
    5. In the Event Logs field, enter SYSTEM,SECURITY,APPLICATION.
  4. Enter a Name to be used for this Data Source.
  5. Enter the IP Address for the Windows host.
    NOTE: For Windows hosts that acquire an IP address from DHCP, this field can be left blank. The SIEM will perform a DNS lookup using the hostname to obtain the current IP address at each polling interval.
  6. Enter the NETBIOS Name assigned to the Windows host.
    Example: If the DNS name is, the NETBIOS name will likely be just hostname.
  7. Click the Connect button to test the connection to the Windows Data Source.
  8. If the connection attempt is successful, a dialog box will open indicating that the Windows Data Source configuration is correctly configured to support event collection from the Windows host AND that the credentials provided are sufficient to retrieve the defined WMI logs.
    If the connection attempt fails, a dialog box will open to provide details that can be used to troubleshoot the connection. Common connection problems include incorrect IP Address or NETBIOS name, improper user credentials or insufficient user privilege necessary to retrieve the defined WMI log source. Correct any errors and re-test the WMI connection until the response is successful.
  9. Once the WMI Connection Test is successful, click OK. The Apply Data Source Settings dialog box will open.
  10. Click Yes to apply the Windows Data Source configuration to the Event Receiver.
  11. Once the Windows Data Source has been written to the Event Receiver, a dialog box will open to confirm. Click Close.
  12. Since a new event collection source has been configured on the Event Receiver, the policy must be rolled out to support the event formats associated with the Windows Data Source. The Rollout Policy window will open listing the Data Sources defined on the Event Receiver that must be applied for event collection to begin.
    NOTE: Some Data Sources in the list may read ‘Skip – This policy is up to date’ while others, like the Windows Data Source recently added, will read ‘Roll this policy out now.’ The SIEM is intelligent enough to know which Data Source policies are new or recently modified and must be rolled out and will skip those policies that are current.
  13. Click OK to roll out the policy to the Event Receiver Data Sources.
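As an added pre-flight check (example code, not from the article or from McAfee), the following PowerShell script, run from a Windows admin host, reproduces what the Connect test in step 7 depends on: name resolution of the host (which also matters for the DHCP note in step 5), reachability of the RPC endpoint mapper that DCOM/WMI starts on, and whether the collection account can actually read a record from each of the SYSTEM, SECURITY and APPLICATION logs. The host name PC-EXAMPLE and the credential prompt are placeholders.

```powershell
# Added example (not from the article or McAfee): pre-flight check of a Windows host
# before defining it as a WMI Event Log data source. It reproduces what the receiver's
# Connect test needs: name resolution, reachability of the RPC endpoint mapper that
# DCOM/WMI starts on, and a collection account able to read each configured log.
# $TargetHost (PC-EXAMPLE) and the credential prompt are placeholders.
param(
    [string]$TargetHost = 'PC-EXAMPLE',                   # NetBIOS or DNS name of the host
    [string]$EventLogs  = 'SYSTEM,SECURITY,APPLICATION',  # same value as the profile's Event Logs field
    [pscredential]$Credential = (Get-Credential -Message 'Collection account (DOMAIN\user or local)')
)

# 1. Name resolution. A DHCP host is polled by name, so the name must resolve from the receiver.
$dns = Resolve-DnsName -Name $TargetHost -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Warning "DNS lookup failed for $TargetHost; the receiver's connection test will fail the same way."
    return
}
Write-Host ("Resolved {0} to {1}" -f $TargetHost, ($dns | Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress)

# 2. Reachability. Remote WMI rides on DCOM, which begins at the RPC endpoint mapper on TCP 135.
$rpc = Test-NetConnection -ComputerName $TargetHost -Port 135 -WarningAction SilentlyContinue
if (-not $rpc.TcpTestSucceeded) {
    Write-Warning "TCP 135 is closed or filtered on $TargetHost (host firewall, network filter or host down)."
    return
}

# 3. Credentials and privilege. Listing the log through Win32_NTEventlogFile only proves the
#    log exists; reading a Win32_NTLogEvent record from SECURITY needs the extra read right.
foreach ($log in ($EventLogs -split ',' | ForEach-Object { $_.Trim() })) {
    try {
        $file = Get-WmiObject -ComputerName $TargetHost -Credential $Credential `
                -Class Win32_NTEventlogFile -Filter "LogfileName='$log'" -ErrorAction Stop
        if (-not $file) { Write-Warning "${log}: log not present on host"; continue }
        $rec = Get-WmiObject -ComputerName $TargetHost -Credential $Credential `
               -Class Win32_NTLogEvent -Filter "Logfile='$log'" -ErrorAction Stop |
               Select-Object -First 1
        if ($rec) { Write-Host ("{0}: OK ({1} records, newest EventCode {2})" -f $log, $file.NumberOfRecords, $rec.EventCode) }
        else      { Write-Host "${log}: readable but currently empty" }
    } catch {
        # Access denied here points at the account's rights on that log or at remote
        # DCOM/WMI permissions, not at the network; fix those before re-running the Connect test.
        Write-Warning ("{0}: {1}" -f $log, $_.Exception.Message)
    }
}
```

Each configured log that reports OK is one the receiver's Connect test should also accept; a warning on SECURITY alone while SYSTEM and APPLICATION pass is the "insufficient user privilege" case from step 8.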



Hi Scott,

Nice article, thank you for that. I am very new to McAfee SIEM, actually McAfee products in general.

In my new role I have been tasked with adding workstations (PCs and laptops) into SIEM so that we can extract Windows logs from these machines. The problem I have is that all the PCs and laptops use DHCP and I am concerned when I add them into SIEM they may have issues in future if the IP address changes. I followed your document and tried to only enter the hostname as opposed to the IP address, but the dialog will not let me proceed without an IP address. I am using SIEM version 9.3.0. Has this been changed in new versions, do you know? Do I need to upgrade to a new version?

Any help you can offer would be most appreciated,

Brisbane Australia


Yes, under the current version you can add Windows data sources with just a name, and no IP address, which addresses the concern.  If I recall correctly this happened around the 9.4 release.

Be careful with the Windows workstation logs.  You don't want to overwhelm your Receiver with too many data sources.  Most customers are able to get the useful Windows logs they need from the Domain Controllers. Be sure you need the workstation logs before you embark on this...understand what value they are going to deliver to you.  Then be aware that there is a max limit of 2000 parent data sources on a single receiver.  If you have more workstations than that, you'll want to explore using client data sources.



Thanks Scott, that confirms what I thought in relation to adding Windows data sources and having to use the IP address as I am using an older version. I assume with our current version of 9.3, and that I have to add these PCs by IP address, that when the DHCP lease expires these will become inactive in SIEM and I will need to amend them manually once again? By the way, what is the current version?

Understood with overloading the Receiver, that's good to know. My requirement is to capture log-on, log-off, locking and unlocking for all PCs in the domain. I would estimate we have about 260 PCs to add into SIEM to achieve this. From what you have said it sounds like we should be ok to not overload the Receiver?

Appreciate your feedback.

Thanks again

Brisbane Australia


I'm not entirely sure how it will work if you add the data sources now under 9.3, and then upgrade to 9.4.2.  You may be able to

a) export the data source definitions for the 260 PCs

b) Make the necessary modifications manually

c) Bulk import the changes.

Yes, 260 devices is well within the upper limit of the number of parent data sources on a single Receiver.  I'd encourage you to ramp up and make sure you're not overwhelming the capacity of your Receiver when it comes to raw events/sec.


Sounds like the best option is to upgrade to the latest version first as I have only just started adding workstations. I also hit an issue yesterday with not being able to add Windows Server 2012 RD Windows data sources as it's not supported. I assume the latest version will resolve this issue for us as well.

Can you please point me in the right direction for upgrading to the latest version. Hopefully it's a simple process.

Thanks Scott



Your best resource for upgrade is always the release notes.  Download the 9.4.2 upgrader from the download site, and you'll find the release notes there as well.  We have a walkthrough of the upgrade process in the SIEM Foundations:


Wonderful thanks Scott. I will look to get the latest version installed to fix the issues we have discussed.

Saved me some time.

Have a good one



Hi Scott,

We last talked back in November 2014. I have now managed to upgrade SIEM to the 9.4.2 version after our last discussion above.

When I now attempt to add a Windows data source using only the hostname and not the IP address, I now get this error message:

"WMI Event Log Test connection unsuccessful. DNS lookup failed for PC-10062NotOk Incorrect parameters supplied."

I have made sure the 2 DNS servers for my network are added under the network settings.

Any ideas how I can overcome this?

Thanks again Scott.

Kind Regards,


Version history: Revision 1 of 1. Last update: 08-10-2014 09:07 PM. Updated by: