I am using NATIVE Windows Event Forwarding: http://technet.microsoft.com/en-us/library/cc748890.aspx . Specifically "source initiated" event fowarding.
Native Windows Event Forwarding & Collection works flawlessly.
On the Windows Event Collector I have installed the Mcaffee SIEM Collector Utility.
Using the instructions located here: McAfee KnowledgeBase - How to use Windows Event Forwarding (WEF) with the Windows Agent - I have configured the agent to send all events from the "Forwarded Events" log to the SIEM Event Reciever.
This is where things break down.
On step 7 - I have configured a data source on in the reciever of the Windows Event Collector.
There is a loss in fidelity of the events sent to the reciever.
An event that happens on (domaincontroller) is sent to the Windows Event Collector with (domaincontroller) as the source of the Event.
When the event is sent to the SIEM - the "source IP" is that of the Windows Event Collector and the "host" is (domaincontroller).
Clearly this is undesirable. I'm unable to search / coorelate events & flows for the Domain Contorller because the IP of the source of the event in the SIEM is that of the Event Collector and not the true originating IP of (domaincontroller).
Could some one please provide clarity to Step 6. It seems like I'd have to install the agent on to every endpoint, configure them individually to send to the agent installed on the Event Collector, and then create data sources for every endpoint in the SIEM Security Manager... That seems to completlely subvert the entire idea of native Windows Event Forwarding & Collection.
I have no visibility into the build out of new servers / workstations / endpoints in the windows environment. Today it could be 2, tomorrow 20.
I dont understand how to configure the WEF forwarding option on the SIEM Event Collector Utility to preserve the orgininating IP of the event.
Are there any datasource types I can configure that will parse the events from the Windows Event Collector properly (preserving source IP of the orginating event)?
How are you ensuring that ALL your data sources are added to the SIEM if you have limited visibility into the production / operations environment. So if the helpdesk builds out 10 new workstations and a file server for a branch office --- how are you ensuring those assets are automatically added to the SIEM as datasources?
When forwarding events from the domain controller using the McAfee Windows Event Collector, it only has 2 ways of differentiating events coming from the collector.
the first is the IP address where the agent is forwarding logs from, the 2nd, is the log configuration field host id (only visible if MEF 6 displays in the bottom left corner).
If the logs are all sent from the endpoints to the DC, and the DC places all the logs in the forwarded logs folder, then there will be minimal information available to differentiate where the logs come from, and the ESM will place the data source IP if no IP is parsed out of the log, which for application logs, typically it is not specified, and is extremely undesirable.
If you guys are using ePO, you can use ePO to deploy a configuration to the endpoints, and configure auto-learning for MEF port 8081 on the receiver, and this will allow you to deploy the collector to your endpoints, retain visibility, minimal overhead for deployment, and new servers should get policy assigned via ePO to receive an agent.
Just my thoughts on how I would handle this. automate deployment through ePO and enable auto-learning of MEF data sources on the receiver.
I ran in to this same issue when I was testing using WEF a while ago. I briefly spoke to McAfee about the Source IP/Host name problem, but as Ryan mentions above, the WEF events do not have the original source IP only the hostname so there does seem to be much that McAfee could do to rectify.
What my plans are:
- Windows Servers - is to use WMI for our server environment approx. 4000 servers - and somehow get across the server commissioning and decommissioning process and somehow automate/script the ESM side of things - I realise that it is going to be impossible to be collecting from 100% of our servers with this method.
- Windows Workstations - current plan is to use WEF, we have 15000-20000 workstations (physical and VDI) that I need to pull events from, the best way to manage this (from my point of view in our environment) is to use WEF. Understanding that there is the Source IP/Host name problem.
I would also like to know how yours worked out. I attempted the same configuration, but have not been hugely successful, as my collector keeps crashing out and stops forwarding events from the clients.
Feature request: ESM should be able to differentiate events from different hostnames but sent from the same IP.
I was able to workaround this issue by using NXlog (Community edition) as McAfee agent is not able (again) to do it correctly. Here is the required configuration
1. On the event collector machine install NXlog community edition.
2. Create/replace the configuration file by the following (need to replace the <MCAFEE_EVENT_RECEIVER> by your receiver name/ip):
define ROOT C:\Program Files (x86)\nxlog
Query <QueryList><Query Id="0" Path="ForwardedEvents"><Select Path="ForwardedEvents">*</Select></Query></QueryList>
Path in => out
3. On the ESM, create a new data source as follow:
Apply, and you should be good.
ksudki, that's awesome!
But does that mean you need to create a custom syslog parser for every Windows event you want to track and correlate on?
You do not need to create a custom parser.
The only thing you should be careful with is event logging with Source_ip=127.0.0.1 where you will have to look on the Host field to know which host generated the event.
I would not recommend this, but you can probably change the initial event based on some criterias (e.g regex) to adapt some of the field. I cannot guarantee that this will work as expected afterwards.
It can be interesting if you can share your feedback if you are going in this direction
I am researching the same thing, but have noted from these McAfee youtube and KB mentions the important of setting the Syslog Relay for the event to show the IP addresses of the hosts instead of the syslog server.