Hello,
I am currently in the process of trying to perform Windows Log Collection in a large DHCP environment. The customer has stated that the environment is so large and that providing workstation hostnames would be impossible and unmanageable.
My main question is this: How do I perform log collection in a large DHCP Windows environment WITHOUT having to create a data source for each of the hosts I want to collect from?
The only deployment option that I feel is viable at this point is log collection from the Domain Controller and then collect AV logs from their solution (not ePO). Which they say is not ideal.
The agent/collector does not seem like a viable option anyways because while I could globally push the agent to each host, I would still need to create a data source for each host.
Any ideas are greatly appreciated because I am running out of ideas. Thanks.
I do not have the exact answer to your question, but I will try to give some ideas in order to help you.
First, if the customer has ePO, you can deploy the McAfee SIEM Agent automatically to each workstation.
I currently do not know if it is possible to configure the agent's hostid parameter to reflect the workstation name through ePO.
Then you can use the autolearning feature with an automatic rule to add each of the data sources to your SIEM. For example, you can use such variables as HOST, IP, MODEL inside the name to reflect the same name you put in ePO.
Let me know if this helps
Regards
Thank you for the response. Unfortunately, the customer does not use ePO. I wish they did though. However, I believe that the agent can be pushed to each host via other endpoint protection; it would just be a custom package that I would have to build.
Could you expand on your idea for using an automatic rule to add data sources? From my understanding, auto-learn capabilities were based on IP. Since this is a DHCP environment, I'm not sure we could rely on this option, but I'd still like to hear your thoughts - maybe I am missing something.
Thanks again for the response.
One way to do this is Windows Event Forwarding:
https://kc.mcafee.com/corporate/index?page=content&id=KB77092&actp=LIST
Other ways could be Windows ACS or SCOM.
Robert,
We have looked into WEF - however, this requires us to create a data source for each host we want to collect from (which is something the customer is unwilling/unable to provide).
I have not investigated ACS or SCOM - I will start researching now. Thanks for the suggestions.
Regarding WEF: Not if you configure it like this right?
6. At this point, you have two choices:
Robert,
Now you got me cooking with fire. I have opened a ticket with Support to further discuss this option. My previous support ticket into this type of log collection did not detail this type of collection. This might be the perfect option.
Thank you for the response! I will update this thread with further details in case future engineers run into this dilemma! Cheers!
Check the KB I mentioned earlier in this thread
https://kc.mcafee.com/corporate/index?page=content&id=KB77092&actp=LIST
WEF is probably your best bet if you must collect from workstations or very large Windows server environments. It's how Microsoft is doing Windows log collection.
So there's that...
However, workstation logs typically provide very little useful information beyond local login attempts. What is the customer trying to achieve?
Will the customer allow you to connect to AD from ESM? You could use the asset import function to get a list of all domain-registered computer names, then use that for your event sources.
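To make the WEF approach from this thread concrete, here is an added example (not from KB77092 or any poster) of a source-initiated subscription on the collector: forwarders are admitted by AD group membership in the SDDL, so no hostname or IP list is ever maintained, and the SIEM then needs only one data source for the collector's ForwardedEvents log. The collector name wec01.corp.example, the subscription ID, the event IDs and the placeholder group SID are all assumptions.

```powershell
# Added example: source-initiated WEF subscription on the collector host.
# Assumed names: wec01.corp.example, subscription "Workstation-Logons".
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Workstation-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events from all domain workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL admitting the built-in Domain Computers group (well-known alias DC).
       To scope the rollout, replace DC with a custom group SID, e.g.
       (A;;GA;;;S-1-5-21-PLACEHOLDER-DOMAIN-RID) -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP 'Workstation-Logons.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

# Collector side: enable the Windows Event Collector service, load the subscription,
# then check which forwarders have checked in (no per-host configuration here).
wecutil qc /q
wecutil cs $path
wecutil gr Workstation-Logons

# Client side is delivered once by GPO to the whole OU/domain, not per host:
#   Computer Configuration > Policies > Administrative Templates > Windows Components >
#   Event Forwarding > Configure target Subscription Manager =
#   Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=300
# Each client also needs WinRM enabled and NETWORK SERVICE added to the local
# Event Log Readers group so the Security channel can be read by the forwarder.
```

Newly imaged DHCP hosts pick up the GPO and start forwarding without anyone touching the collector or the SIEM, which is the property the original question asks for.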