3 Replies Latest reply on Apr 30, 2016 7:19 AM by andy777

    Best way to add lots of data sources on DHCP network

    d_j

      As the title says, I am trying to figure out the best way to add lots of data sources. Using SIEM collector is not an option for me and I'd like to shy away from WEF due to the source IP changing once it's ingested into the SIEM. I feel pretty comfortable with using the CSV method. I envisioned exporting a list of the computer names in AD and adding them to the CSV. I figured I could import it leaving the IP blank, and that is not the case. Without statically assigning IPs (which the organization won't), I am at a loss. Auto learning would be cool, but it needs to be agentless. We do have ePO set up and thought I could just utilize the McAfee agent to grab the logs, but that isn't the case. Anybody else out there faced this? I'd be interested in how you tackled it. Thanks in advance.

        • 1. Re: Best way to add lots of data sources on DHCP network
          andy777

          It looks like you have two questions in there.

          1. What is the best way to add lots of data sources?


          Options for adding data sources include:

          •      Manually configured one by one
          •      Import a list via spreadsheet
          •      Use autolearning - works for syslog and agent-based protocols.
          •      Add Active Directory, populate the asset database, then select and add the devices.


          2. What protocol will I use to transport the logs from Windows devices?


          Options for transporting Windows logs include:

          •      WMI - Receiver logs into device, pulls logs from Event log. Requires static IP to log into.
          •      Windows Collector - Will send Event log + any files encrypted to Receiver. Works with DHCP and autolearn.
          •      Syslog agent - Something like SNARE.
          •      WEF+Collector - Since WMI is limited in what it collects and we always want to reduce agent footprint, take a hybrid approach. Deploy the SIEM Collector as needed to devices that have extra logs (DHCP, DNS, etc.) or act as WEF hubs for the other Windows devices. Logs can be sorted back out on the ESM via hostname.

          I'm not sure any combination of the options meets all of your criteria, but hopefully this helps clarify what is possible.

          • 2. Re: Best way to add lots of data sources on DHCP network
            d_j

            Thanks for the reply. The Active Directory option seems like it would work; I will try it on Monday when I go back in. Once it is added as a data source via that option, will the IP the receiver is tracking for the source be updated dynamically, or once the workstation changes its IP, will the data source no longer communicate with them? The organization running DHCP versus statically assigning IPs makes it a challenge.

            • 3. Re: Best way to add lots of data sources on DHCP network
              andy777

              In the context of two questions:

              The Active Directory option makes it easy to highlight and add data sources, but it's not going to help with DHCP.

              And for the second question.

              The IP will not be updated. You must use an agent and/or WEF to deal with DHCP.
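The CSV route from the first reply, with the IP drift that the last reply warns about made visible: this PowerShell is an added example, not code from the thread, from McAfee, or from the ESM product. It assumes the RSAT ActiveDirectory module, that DHCP clients register in DNS (dynamic DNS updates, so a hostname resolves to its current lease), and placeholder CSV column names that have to be mapped onto the receiver's own import template.

```powershell
# Added example (not from the thread or the product). Exports enabled AD
# computer objects to a data-source CSV, resolving each name's current IPv4
# address via DNS, and diffs against the previous export so the DHCP churn
# between runs is counted. Column names are placeholders; match them to the
# receiver's import template before importing.

param(
    [string]$OutFile = '.\datasources.csv'
)

Import-Module ActiveDirectory

function Resolve-FirstIPv4 {
    # Returns the first IPv4 address DNS has for the host, or '' if none.
    param([string]$Hostname)
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($Hostname) |
            Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
            Select-Object -First 1
        if ($addr) { return $addr.IPAddressToString }
    } catch {
        # No record: stale AD object, machine offline and record scavenged, etc.
    }
    return ''
}

# Previous export (if any) keyed by hostname, so IP changes can be reported.
$previous = @{}
if (Test-Path $OutFile) {
    Import-Csv $OutFile | ForEach-Object { $previous[$_.Hostname] = $_.IP }
}

$rows = Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName,OperatingSystem |
    Where-Object { $_.DNSHostName } |
    ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Hostname        = $_.DNSHostName
            IP              = Resolve-FirstIPv4 $_.DNSHostName
            OperatingSystem = $_.OperatingSystem
            ResolvedAt      = (Get-Date).ToString('s')
        }
    }

# Hosts whose address moved since the last run are exactly the receiver
# entries that a static-IP data source definition would now miss.
$changed    = @($rows | Where-Object { $previous.ContainsKey($_.Hostname) -and $previous[$_.Hostname] -ne $_.IP })
$unresolved = @($rows | Where-Object { -not $_.IP })

$rows | Export-Csv -Path $OutFile -NoTypeInformation

Write-Host ("{0} hosts exported, {1} unresolved, {2} changed IP since last export" -f `
    @($rows).Count, $unresolved.Count, $changed.Count)

$changed |
    Select-Object Hostname, @{ n = 'OldIP'; e = { $previous[$_.Hostname] } }, IP |
    Format-Table -AutoSize
```

Run it once to seed the CSV and again after a lease cycle; the "changed IP" list is the set of data sources the receiver would stop matching if it keyed them on the IP column, which is the reason the replies above end up at an agent or a WEF hub with the logs sorted by hostname rather than a periodically regenerated IP list.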