I have to receive logs of a windows server (windows server 2008) hosted application on SIEM. I used windows collector version 11 (latest), configured collector using generic log tail method. I given the path of directory & file name in the collector but I am unable to get any log on SIEM receiver. I tested on the collector on different server and different SIEM receiver also, but could not get any log on receiver. All firewall policies are applied, collector is in connected & running state. When I use tcpdump tool to see communication of collector and receiver I see output of only synchronization between them , no logs being sent on receiver. What may be possible cause of problem, please help.
Discussion successfully moved from Community Support to Security Information and Event Management (SIEM) > Discussions
For better exposure and assistance.
I've found the SIEM collector utility to be extremely finicky and difficult to work with. What kind of logs are you trying to send to the receiver? Do you have a source configured on the other end to receive these logs? If you can provide some screenshots I could help further, I spent a lot of time configuring the SIEM collector application.
I've had similar issues with the 11.x version of the collector. I have a situation right now where I can get logs from the machine the collector is installed on, but as soon as I turn on encryption communications fails. Here's the debug from it when it happens:
<131> Mar 07 15:10:03 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>
<131> Mar 07 15:10:30 System SIEMCollector ERROR -1 ServiceMain ============ The Service has crashed, and is now restarting. ============
<131> Mar 07 15:10:30 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>
Is the port 8082 allowed on the firewall? Also encryption option is enabled/disabled accordingly on the data source setting as well, they would need to match on both end.
We use port 8081, and yes, there's a firewall exception in place. I am receiving logs in the SIEM from the server in question - it's when I enable SSL encryption (on both ends) that I lose communication. I would add that I currently have about 30 servers in the same DMZ using 8081 and SSL to connect to the SIEM and they're all working fine. However, they have the older version SIEM collector, not version 11.
C:\Program Files (x86)\McAfee\Windows Event Collector\debug.log to see what happens with your parsing and events.
Also make sure you disable encryption until you make it work.
On the ERC look inside /var/log/data/inline/thirdparty.logs/NUMBER/in
where NUMBER is the id of your data source which you can get by running the tq inside the command line interface
Here's a background of our situation and steps that have been taken so far:
We currently use McAfee ePO to deploy the SIEM collector and SIEM collector policy to all wmi devices.
In the past we didn't have the SIEM collector policy in ePO set to generate Host IDs on the clients and we were setting the Host ID on the data source in SIEM to be the FQDN. We were also setting the IP address on the data source in SIEM to match that of the wired connection on the wmi device. Therefore, we found that the SIEM collector on the wmi devices didn't have anything populated for the Host ID. Some devices were reporting, but most were not or hadn't in a very long time. I opened a support ticket with McAfee around this issue and was guided to configure the SIEM collector policy in ePO to generate Host IDs and modify all SIEM data sources to match the generated Host IDs. I also worked with support on a solution to alleviate the need for adding the IP address on the data source. We were able to accomplish this by adding in our network host IP address ranges to the receiver interface communication configuration.
In making the changes listed above, we were able to cut the number of non-current reporting devices in half. However, I have been struggling to get the remaining devices to where they are reporting current events. I have found that in most cases remoting into the devices, logging in, opening the SIEM Collector and bouncing the service will accomplish this task. However, given the extreme number of device that are still not reporting, this would take a major effort and planning. Given that folks are using this devices throughout the day during normal business hours.
I have attempted writing a script to stop and start the SIEM collector services on the wmi devices remotely via our patch management system with some success, but not as much as I had hoped. I have also tried tagging the systems in ePO, causing them to run tasks that I created to uninstall SIEM collector, reinstall SIEM collector and remove the tag. This too has had limited success.
I have noticed that some of the devices that are not reporting, look to be devices that may not get logged into often. However, this is not the case for all of the non-reporting devices. Some are devices that were freshly setup and never started reporting at all.
Most of the time it takes me logging in and bouncing the service to correct the issue. Just looking for a better solution.
I have deployed the 11 Siem Collector version throw ePO too. I had installed the previous version on the server and it was properly sending the logs to the SIEM, but I don´t receive any log now with the new version.
Do you know if it is necesary to make any configuration change?
I didn´t include any command on the deploy task, could be the problem here?
Thanks in advance.