I am using NATIVE Windows Event Forwarding: http://technet.microsoft.com/en-us/library/cc748890.aspx . Specifically "source initiated" event forwarding.
- All Windows clients on the network - through native facilities - send their Application, System, Security, and AD log events to a centralized Microsoft Windows Event Collector (Windows Server 2008 R2 with a lot of HDD & a very large event log policy)
- When a new workstation or server is built & joined to the domain - it begins sending its event logs to the Windows Event Collector.
- Depending on what location the asset has been provisioned in, this can be 1 of 5 Windows Event Collector servers.
- Any given Windows Event Collector server can have up to ~200 subscribers (workstations/servers) reporting events to it.
Native Windows Event Forwarding & Collection works flawlessly.
- I am able to capture Windows event logs from all endpoints
- I do not have to have visibility into the deployment / provisioning of servers in the enterprise.
- All events are reported and captured within 30 seconds of real time.
On the Windows Event Collector I have installed the McAfee SIEM Collector Utility.
Using the instructions located here: McAfee KnowledgeBase - How to use Windows Event Forwarding (WEF) with the Windows Agent - I have configured the agent to send all events from the "Forwarded Events" log to the SIEM Event Receiver.
This is where things break down.
On step 7 - I have configured a data source in the Receiver for the Windows Event Collector.
There is a loss in fidelity of the events sent to the Receiver.
An event that happens on (domaincontroller) is sent to the Windows Event Collector with (domaincontroller) as the source of the Event.
When the event is sent to the SIEM - the "source IP" is that of the Windows Event Collector and the "host" is (domaincontroller).
Clearly this is undesirable. I'm unable to search / correlate events & flows for the Domain Controller because the IP of the source of the event in the SIEM is that of the Event Collector and not the true originating IP of (domaincontroller).
Could someone please provide clarity to Step 6. It seems like I'd have to install the agent onto every endpoint, configure them individually to send to the agent installed on the Event Collector, and then create data sources for every endpoint in the SIEM Security Manager... That seems to completely subvert the entire idea of native Windows Event Forwarding & Collection.
I have no visibility into the build out of new servers / workstations / endpoints in the Windows environment. Today it could be 2, tomorrow 20.
I don't understand how to configure the WEF forwarding option on the SIEM Event Collector Utility to preserve the originating IP of the event.
Are there any data source types I can configure that will parse the events from the Windows Event Collector properly (preserving the source IP of the originating event)?
How are you ensuring that ALL your data sources are added to the SIEM if you have limited visibility into the production / operations environment? So if the helpdesk builds out 10 new workstations and a file server for a branch office, how are you ensuring those assets are automatically added to the SIEM as data sources?
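Two points in the post above, the loss of the originating host identity and the question of how to notice newly built endpoints, can be checked from the collector itself. The following PowerShell is an added example, not code from the original post, McAfee, or Microsoft. It relies on one property of WEF that the post already hints at with the "host" field: every forwarded record keeps the originating computer in its System/Computer element (exposed by Get-WinEvent as MachineName), while the collector's own IP is only the network-level source the agent sees. The script lists every host that delivered events into ForwardedEvents in the last 24 hours, resolves each one to an IP for correlation, and then compares that list against a CSV export of the SIEM's registered data sources. The CSV path and its `Hostname` column are assumptions (the post does not say how data sources are exported); adjust them to whatever your SIEM produces.

```powershell
# Added example (not from the post or McAfee documentation). Run on a Windows Event Collector.
# 1. Enumerate every originating host seen in ForwardedEvents in the last 24 hours.
# 2. Resolve each host to an IPv4 address so events can be correlated by true source IP.
# 3. Report forwarding hosts that have no matching SIEM data source.
#
# Assumption: the SIEM's data source list has been exported to a CSV with a 'Hostname' column.
$SiemDataSourceCsv = 'C:\SIEM\datasources.csv'   # placeholder path, assumed export
$Since = (Get-Date).AddHours(-24)

# MachineName on each forwarded record is the System/Computer element of the original event,
# i.e. the endpoint that generated it, not the collector that relayed it.
$forwarders = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Group-Object -Property MachineName |
    ForEach-Object {
        $fqdn = $_.Name
        try {
            $addr = [System.Net.Dns]::GetHostAddresses($fqdn) |
                    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                    Select-Object -First 1
            $ip = if ($addr) { $addr.IPAddressToString } else { 'unresolved' }
        } catch {
            $ip = 'unresolved'
        }
        $last = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        # New-Object PSObject keeps this usable on PowerShell 2.0 (Server 2008 R2 default).
        New-Object PSObject -Property @{
            Hostname   = $fqdn
            IPAddress  = $ip
            EventCount = $_.Count
            LastEvent  = $last.TimeCreated
        }
    }

Write-Output "Hosts forwarding to $env:COMPUTERNAME since $Since"
$forwarders | Sort-Object Hostname | Format-Table Hostname, IPAddress, EventCount, LastEvent -AutoSize

# Endpoints that are already forwarding but that the SIEM does not yet know about.
if (Test-Path $SiemDataSourceCsv) {
    $known   = Import-Csv $SiemDataSourceCsv | ForEach-Object { $_.Hostname.ToLower() }
    $missing = $forwarders | Where-Object { $known -notcontains $_.Hostname.ToLower() }
    if ($missing) {
        Write-Warning 'Forwarding hosts with no SIEM data source:'
        $missing | Format-Table Hostname, IPAddress, EventCount -AutoSize
    } else {
        Write-Output 'All forwarding hosts have a SIEM data source.'
    }
} else {
    Write-Warning "SIEM data source export not found at $SiemDataSourceCsv; skipping comparison."
}
```

Scheduling this on each of the five collectors gives a daily list of endpoints that WEF has already enrolled but the SIEM has not, which is the gap the helpdesk scenario in the post would otherwise leave unnoticed. The same MachineName field is what a parser needs to read if the SIEM is to attribute a forwarded event to the originating host rather than to the collector.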