It looks like you have two questions in there.
1. What is the best way to add lots of data sources?
Options for adding data sources include:
- Manually configured one by one
- Import a list via spreadsheet
- Use autolearning - works for syslog and agent-based protocols.
- Add Active Directory, populate the asset database, then select and add the devices.
2. What protocol will I use to transport the logs from Windows devices?
Options for transporting Windows logs include:
- WMI - Receiver logs into device, pulls logs from Event log. Requires static IP to log into.
- Windows Collector - Will send Event log + any files encrypted to Receiver. Works with DHCP and autolearn.
- Syslog agent - Something like SNARE.
- WEF+Collector - Since WMI is limited in what it collects and we always want to reduce agent footprint, take a hybrid approach. Deploy the SIEM Collector as needed to devices that have extra logs (DHCP, DNS, etc.) or that act as WEF hubs for the other Windows devices. Logs can be sorted back out on the ESM via hostname.
I'm not sure any combination of the options meets all of your criteria, but hopefully this helps clarify what is possible.
Thanks for the reply. The Active Directory option seems like it would work; I will try it on Monday when I go back in. Once it is added as a data source via that option, will the IP the receiver is tracking for the source be updated dynamically, or, once the workstation changes its IP, will the data source no longer communicate with it? The organization running DHCP versus statically assigning IPs makes it a challenge.
In the context of your two questions:
The Active Directory option makes it easy to highlight and add data sources but it's not going to help with DHCP.
And for the second question.
The IP will not be updated. You must use an agent and/or WEF to deal with DHCP.