cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
btkarp
btkarp
Level 9
Report Inappropriate Content
Message 1 of 11
‎04-21-2015 09:01 AM

Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

Hello,

I am currently in the process of trying to perform Windows Log Collection in a large DHCP environment. The customer has stated that the environment is so large and that providing workstation hostnames would be impossible and unmanageable.

My main question is this: How do I perform log collection in a large DHCP Windows environment WITHOUT having to create a data source for each of the hosts I want to collect from?

The only deployment option that I feel is viable at this point is log collection from the Domain Controller and then collect AV logs from their solution (not ePO). Which they say is not ideal.

The agent/collector does not seem like a viable option anyways because while I could globally push the agent to each host, I would still need to create a data source for each host.

Any ideas are greatly appreciated because I am running out of ideas. Thanks.

0 Kudos
Reply
1 Solution

Accepted Solutions
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 6 of 11
‎04-22-2015 07:15 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

Regarding WEF: Not if you configure it like this right?

  1. Configure the Event Source systems to forward events to the WEF Event Collector.
  2. Install the Agent on the WEF Event Collector.
  3. Add a single host, and for Host Name/IP, add the Event Collector IP address.
  4. Create a Configuration. Select Windows Event Log and name the configuration.
  5. Select Forward Event in the Windows Event area.

    NOTE: WEF can forward to logs other than Forwarded Events. Forwarded Events is the default.

     6. At this point, you have two choices:

    1. Select WEF - if you require the granularity of a data source-per-Event-Source, check the WEF box.
    2. Do not select the WEF - if you have many Event Sources (for instance, Event Forwarding can be configured as part of a Domain group policy, and doing so can make it less obvious how many Event Sources are actually forwarding events), then having a data source for each Event Source might prove difficult. In this case, leave WEF deselected. This way, all events are collated under the Agent data source.
Reply
10 Replies
ksudki
ksudki
Level 10
Report Inappropriate Content
Message 2 of 11
‎04-22-2015 12:14 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

Hi ,

I do not have the exact answer to your question, but I will try to give some ideas in order to help you.

First, if the customer has ePO, you can deploy the McAffee SIEM Agent automatically to each workstations.

I currently do not know if it is possible to configure the agent's hostid parameter to reflect the workstation name through ePO.

Then you can use the autolearning feature with an automatic rule to add each of the datasources to your SIEM. For example, you can use such variable as HOST, IP, MODEL inside the name to reflect the same name you put in ePO.

Let me know if this helps

Regards

0 Kudos
Reply
Highlighted
btkarp
btkarp
Level 9
Report Inappropriate Content
Message 3 of 11
‎04-22-2015 06:58 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

Thank you for the response. Unfortunately, the customer does not use ePO. I wish they did though. However, I believe that the agent can be pushed to each host via other endpoint protection, it would just be a custom package that I would have to build.

You could you expand on your idea for using an automatic rule to add data sources? From my understanding, auto-learn capabilities were based on IP. Since this is a DHCP environment, I'm not sure we could rely on this option but I still like to hear your thoughts - maybe I am missing something.


Thanks again for the response.

0 Kudos
Reply
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 4 of 11
‎04-22-2015 04:45 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

One way to do this is windows event forwarding

https://kc.mcafee.com/corporate/index?page=content&id=KB77092&actp=LIST

Other ways could be Windows ACS or SCOM.

Reply
btkarp
btkarp
Level 9
Report Inappropriate Content
Message 5 of 11
‎04-22-2015 07:02 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

Robert,

We have looked into WEF - However, this requires us to create a data source for each host we want to collect from (which is something the customer is unwilling/unable to provide.

I have not investigated ACS or SCOM - I will start researching now. Thanks for the suggestions.

0 Kudos
Reply
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 6 of 11
‎04-22-2015 07:15 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

Regarding WEF: Not if you configure it like this right?

  1. Configure the Event Source systems to forward events to the WEF Event Collector.
  2. Install the Agent on the WEF Event Collector.
  3. Add a single host, and for Host Name/IP, add the Event Collector IP address.
  4. Create a Configuration. Select Windows Event Log and name the configuration.
  5. Select Forward Event in the Windows Event area.

    NOTE: WEF can forward to logs other than Forwarded Events. Forwarded Events is the default.

     6. At this point, you have two choices:

    1. Select WEF - if you require the granularity of a data source-per-Event-Source, check the WEF box.
    2. Do not select the WEF - if you have many Event Sources (for instance, Event Forwarding can be configured as part of a Domain group policy, and doing so can make it less obvious how many Event Sources are actually forwarding events), then having a data source for each Event Source might prove difficult. In this case, leave WEF deselected. This way, all events are collated under the Agent data source.
Reply
btkarp
btkarp
Level 9
Report Inappropriate Content
Message 7 of 11
‎04-23-2015 05:42 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

Robert,

Now you got me cooking with fire. I have opened a ticket with Support to further discuss this option. My previous support ticket into this type of log collection did not detail this type of collection. This might be the perfect option.

Thank you for response! I will update this thread with further details in case future engineer run into this dilemma! Cheers!

0 Kudos
Reply
btkarp
btkarp
Level 9
Report Inappropriate Content
Message 8 of 11
‎04-23-2015 07:09 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

can you please link me to the document in which you found the above information? I would like to look over it. Thanks.

0 Kudos
Reply
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 9 of 11
‎04-23-2015 07:11 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

Check the KB I mentioned earlier in this thread

https://kc.mcafee.com/corporate/index?page=content&id=KB77092&actp=LIST

Reply
cblack1
cblack1
Level 7
Report Inappropriate Content
Message 10 of 11
‎04-23-2015 10:25 AM

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Jump to solution

WEF is probably your best bet if you must collect from workstations or very large windows server environments. It's how Microsoft is doing windows log collection.

So there's that...

However, workstation logs typically provide very little useful information beyond local login attempts. What is the customer trying to achieve?

Will the customer allow you to connect to AD from ESM? You could use the asset import function to get a list of all domain-registered computer names, then use that for your event sources.

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator