8 Replies Latest reply on Mar 12, 2017 1:00 PM by raph_m1k

    Native Windows Event Forwarding - How to?

    lboogy

      I am using NATIVE Windows Event Forwarding: http://technet.microsoft.com/en-us/library/cc748890.aspx . Specifically "source initiated" event fowarding.

       

      • All windows clients on the network - through native facilites - send their Application, System, Security, and AD log events to a centralized microsoft windows event collector (windows server 2008 r2 with a lot of hdd & a very large event log policy)
      • When a new workstation or server is built & joined to the domain - it begins sending its event logs to the windows event collector.
      • Depending on what location the asset has been provisioned, this can be 1 of 5 windows event collector servers.
      • Any given windows event collector server can have up to ~200 subscribers (workstiaotns/servers) reporting events to it.

       

      Native Windows Event Forwarding & Collection works flawlessly.

       

      1. I are able to capture windows event logs from all endpoints
      2. I do not have to have visibility to into the deployment / provisioning of servers in the enterprise.
      3. All events are reported captured within 30 seconds of realtime.

       

      On the Windows Event Collector I have installed the Mcaffee SIEM Collector Utility.

       

      Using the instructions located here: McAfee KnowledgeBase - How to use Windows Event Forwarding (WEF) with the Windows Agent - I have configured the agent to send all events from the "Forwarded Events" log to the SIEM Event Reciever.

       

      This is where things break down.

       

      On step 7 - I have configured a data source on in the reciever of the Windows Event Collector.

       

      There is a loss in fidelity of the events sent to the reciever.

       

      An event that happens on (domaincontroller) is sent to the Windows Event Collector with (domaincontroller) as the source of the Event.

      When the event is sent to the SIEM - the "source IP" is that of the Windows Event Collector and the "host" is (domaincontroller).

       

      Clearly this is undesirable. I'm unable to search / coorelate events & flows for the Domain Contorller because the IP of the source of the event in the SIEM is that of the Event Collector and not the true originating IP of (domaincontroller).

       

      Could some one please provide clarity to Step 6. It seems like I'd have to install the agent on to every endpoint, configure them individually to send to the agent installed on the Event Collector, and then create data sources for every endpoint in the SIEM Security Manager... That seems to completlely subvert the entire idea of native Windows Event Forwarding & Collection.

       

       

      I have no visibility into the build out of new servers / workstations / endpoints in the windows environment. Today it could be 2, tomorrow 20.

      I dont understand how to configure the WEF forwarding option on the SIEM Event Collector Utility to preserve the orgininating IP of the event.

      Are there any datasource types I can configure that will parse the events from the Windows Event Collector properly (preserving source IP of the orginating event)?

       

      Larger Question:

      How are you ensuring that ALL your data sources are added to the SIEM if  you have limited visibility into the production / operations environment. So if the helpdesk builds out 10 new workstations and a file server for a branch office --- how are you ensuring those assets are automatically added to the SIEM as datasources?

        • 1. Re: Native Windows Event Forwarding - How to?
          ryan.fitzpatrick

          When forwarding events from the domain controller using the McAfee Windows Event Collector, it only has 2 ways of differentiating events coming from the collector.

          the first is the IP address where the agent is forwarding logs from, the 2nd, is the log configuration field host id (only visible if MEF 6 displays in the bottom left corner).

           

          If the logs are all sent from the endpoints to the DC, and the DC places all the logs in the forwarded logs folder, then there will be minimal information available to differentiate where the logs come from, and the ESM will place the data source IP if no IP is parsed out of the log, which for application logs, typically it is not specified, and is extremely undesirable.

           

          If you guys are using ePO, you can use ePO to deploy a configuration to the endpoints, and configure auto-learning for MEF port 8081 on the receiver, and this will allow you to deploy the collector to your endpoints, retain visibility, minimal overhead for deployment, and new servers should get policy assigned via ePO to receive an agent.

           

          Just my thoughts on how I would handle this. automate deployment through ePO and enable auto-learning of MEF data sources on the receiver.

           

          Thank you,

          • 2. Re: Native Windows Event Forwarding - How to?
            Mikelb

            Hi

            I ran in to this same issue when I was testing using WEF a while ago.  I briefly spoke to McAfee about the Source IP/Host name problem, but as Ryan mentions above, the WEF events do not have the original source IP only the hostname so there does seem to be much that McAfee could do to rectify.

             

            What my plans are:

            - Windows Servers - is to use WMI for our server environment approx. 4000 servers - and somehow get across the server commissioning and decommissioning process and somehow automate/script the ESM side of things - I realise that it is going to be impossible to be collecting from 100% of our servers with this method.

             

            - Windows Workstations - current plan is to use WEF, we have 15000-20000 workstations (physical and VDI) that I need to pull events from, the best way to manage this (from my point of view in our environment) is to use WEF.  Understanding that there is the Source IP/Host name problem.

             

            Cheers

             

            Mike

            • 3. Re: Native Windows Event Forwarding - How to?
              moorej1

              Hi Mike, what eventually happened with your implementation?

              • 4. Re: Native Windows Event Forwarding - How to?
                tallmega

                I would also like to know how yours worked out.  I attempted the same configuration, but have not been hugely successful, as my collector keeps crashing out and stops forwarding events from the clients.

                 

                Feature request:  ESM should be able to differentiate events from different hostnames but sent from the same IP.

                • 5. Re: Native Windows Event Forwarding - How to?
                  ksudki

                  I was able to workaround this issue by using NXlog (Community edition) as McAfee agent is not able (again) to do it correctly. Here is the required configuration

                   

                  1. On the event collector machine install NXlog community edition.

                   

                  2. Create/replace the configuration file by the following (need to replace the <MCAFEE_EVENT_RECEIVER> by your receiver name/ip):

                   

                  define ROOT C:\Program Files (x86)\nxlog

                   

                  Moduledir %ROOT%\modules

                  CacheDir %ROOT%\data

                  Pidfile %ROOT%\data\nxlog.pid

                  SpoolDir %ROOT%\data

                  LogFile %ROOT%\data\nxlog.log

                   

                  <Extension _syslog>

                      Module      xm_syslog

                  </Extension>

                   

                  <Input in>

                      Module      im_msvistalog

                      Query <QueryList><Query Id="0" Path="ForwardedEvents"><Select Path="ForwardedEvents">*</Select></Query></QueryList>

                  </Input>

                   

                  <Output out>

                      Module   om_tcp

                      Host       <MCAFEE_EVENT_RECEIVER>

                      Port        514

                      Exec       to_syslog_snare();

                  </Output>

                   

                  <Route 1>

                      Path in => out

                  </Route>

                   

                  3. On the ESM, create a new data source as follow:

                   

                  Apply, and you should be good.

                   

                  Cheers!

                  • 6. Re: Native Windows Event Forwarding - How to?
                    tallmega

                    ksudki, that's awesome!

                     

                    But does that mean you need to create a custom syslog parser for every Windows event you want to track and correlate on?

                    • 7. Re: Native Windows Event Forwarding - How to?
                      ksudki

                      You do not need to create a custom parser.

                       

                      The only thing you should be careful with is event logging with Source_ip=127.0.0.1 where you will have to look on the Host field to know which host generated the event.

                       

                      I would not recommend this, but you can probably change the initial event based on some criterias (e.g regex) to adapt some of the field. I cannot guarantee that this will work as expected afterwards.

                       

                      It can be interesting if you can share your feedback if you are going in this direction

                      • 8. Re: Native Windows Event Forwarding - How to?
                        raph_m1k

                        I am researching the same thing, but have noted from these McAfee youtube and KB mentions the important of setting the Syslog Relay for the event to show the IP addresses of the hosts instead of the syslog server.

                         

                        Adding Syslog Data Sources to the McAfee SIEM Solution - YouTube

                         

                        McAfee Corporate KB - How to create Syslog parent/child datasources for Syslog NG KB74135