3 Replies Latest reply on Dec 20, 2016 3:38 AM by sssyyy

    Workstation Logs to SIEM in DHCP world


      Anyone have a best practices guild for deploying SIEM Collector Agent to workstations and configuring the logs sources knowing DHCP is in use.





        • 1. Re: Workstation Logs to SIEM in DHCP world

          I've spoken to 3 different McAfee support tech's regarding this topic.  And I believe the gist of what I'm hearing is they recommend using Windows Event Forwarding to collect logs to the WEF server.  Then configuring WEF with the SIEM collector to send the events to the SIEM.  We originally just used SIEM Collector on each workstation, but when using DHCP and the IP changes (e.g. a laptop undocks and gets on wifi or goes home and connects over VPN) the IP changes and the data source is bound to the IP.  Using WEF allows us to set it up via GPO which will also help us to not have to build a data source for each workstation build.  It also minimizes the traffic coming from every host over a WAN to the ERC (if applicable for your environment).


          The only issue I have right now is a big time delta issue for the WEF server in ESM.  If I resolve that and remember to, I'll re-post any improvements needed to fix that.


          Here's a good blog post from Scott Duffey from Microsoft on setting up WEF for those interested. DIY Client Monitoring – Setting up Tiered Event Forwarding – Canberra Premier Field Engineering: Team Blog

          • 2. Re: Workstation Logs to SIEM in DHCP world

            This was my goal too, unfortunately Microsoft does not include the IP of the event generating workstation in the event, so this means workstation logs are all stored under the same ESM data source (the collector server).  That may or may not work for you, but it makes correlation rules pretty difficult.

            • 3. Re: Workstation Logs to SIEM in DHCP world

              Haven't tried this myself, but I thought endpoint WMI can be achieved by using SIEM collector configured using Host ID rather than source IP address. But the FW rules will be a nightmare, unless you specify the entire endpoint subnet.