0 Replies Latest reply on May 25, 2016 3:59 AM by nir_halfon

    [Tip] Sysinternals Sysmon logs and parser

    nir_halfon

      This is the way to do it.


      Step 1: Install Sysmon on all computers.

      Step 2: Configure Windows Event Subscription on a central Windows server to pull all Sysmon logs from the clients and store them in "Forwarded Events".

      Step 3: Install "NXLog Free Edition" on this Windows server and configure it to send syslog in JSON format to McAfee SIEM.

      Step 4: Create a new device with the IP of that Windows server and enable Generic Syslog support.

      Step 5: Enable the JSON parser in the device policy.
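      The following is an added example, not code from the original post or from McAfee or NXLog. It shows what the JSON parser in Step 5 has to cope with once NXLog (Step 3) ships the events: it assumes NXLog reads the Forwarded Events channel with its im_msvistalog module and emits each event as a BSD-syslog line whose message body is the output of to_json(). The two sample lines are constructed; the field names (EventID, Channel, Image, CommandLine, Hashes, ...) follow NXLog's Windows event naming and Sysmon's own event fields, but the hosts, GUIDs and hashes are made up. The parser strips the syslog header, decodes the JSON, keeps only events from the Sysmon channel (WEF can forward other channels to the same collector), and splits Sysmon's "SHA1=...,MD5=..." hash string into a dictionary the SIEM can match on.

```python
"""Parse Sysmon events as NXLog ships them: a BSD-syslog line whose
message body is the JSON produced by NXLog's to_json()."""
import json
import re
from typing import Optional

# Constructed sample: one Sysmon Event ID 1 (process create), one
# non-Sysmon Security event that WEF also forwarded, and one junk line.
# Layout mimics NXLog's im_msvistalog + to_json() + to_syslog_bsd();
# all hostnames, GUIDs and hashes are made up.
SAMPLE_LINES = [
    '<14>May 25 03:59:01 WIN-COLLECTOR {"EventTime":"2016-05-25 03:58:59",'
    '"Hostname":"WS-0042","EventID":1,"SourceName":"Microsoft-Windows-Sysmon",'
    '"Channel":"Microsoft-Windows-Sysmon/Operational",'
    '"UtcTime":"2016-05-25 01:58:59.123",'
    '"ProcessGuid":"{00000000-0000-0000-0000-000000000001}","ProcessId":"4242",'
    '"Image":"C:\\\\Windows\\\\System32\\\\cmd.exe","CommandLine":"cmd.exe /c whoami",'
    '"User":"CORP\\\\alice","IntegrityLevel":"Medium",'
    '"Hashes":"SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,'
    'MD5=D41D8CD98F00B204E9800998ECF8427E",'
    '"ParentImage":"C:\\\\Windows\\\\explorer.exe","ParentCommandLine":"explorer.exe"}',
    '<14>May 25 03:59:02 WIN-COLLECTOR {"EventTime":"2016-05-25 03:59:00",'
    '"Hostname":"WS-0042","EventID":4624,'
    '"SourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security"}',
    'this line is not syslog at all',
]

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# <PRI>MMM dd HH:MM:SS host {json...}
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>\{.*\})$"
)


def parse_hashes(hashes: str) -> dict:
    """Split Sysmon's 'SHA1=..,MD5=..' string into {algorithm: hex}."""
    out = {}
    for part in hashes.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().lower()] = value.strip().lower()
    return out


def parse_line(line: str) -> Optional[dict]:
    """Return a normalised Sysmon record, or None when the line is not a
    syslog-wrapped JSON event from the Sysmon channel."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        event = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    # WEF may forward other channels to the same collector; stay strict.
    if event.get("Channel") != SYSMON_CHANNEL:
        return None
    return {
        "collector": m.group("host"),
        "host": event.get("Hostname"),
        "event_id": int(event.get("EventID", 0)),
        "utc_time": event.get("UtcTime"),
        "image": event.get("Image"),
        "command_line": event.get("CommandLine"),
        "user": event.get("User"),
        "parent_image": event.get("ParentImage"),
        "hashes": parse_hashes(event.get("Hashes", "")),
    }


def parse_lines(lines):
    """Parse every line, dropping anything that is not a Sysmon event."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec["host"], rec["event_id"], rec["image"],
              rec["hashes"].get("sha1", "-"))
```

      Run it as-is to see the single Sysmon record survive; feed it the file NXLog writes, or a syslog capture, to check that the fields your SIEM rules key on (Image, CommandLine, Hashes) arrive intact before enabling the JSON parser on the device policy.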


      POC (screenshot: Untitled.png)