1 Reply Latest reply on Jun 13, 2016 12:59 PM by btkarp

    Parent-Client datasources via SIEM Collector 11

    vandecasteelenicolas

      Hi all,

       

      I was wondering if Parent-Client datasources can be used for SIEM collector 11 datasources?

      Under my receiver I would create a parent datasource called WINDOWS_COLLECTOR_EVENTLOG with the following settings:

      [screenshot: 1.png]

      The design would be to add all servers under WINDOWS_COLLECTOR_EVENTLOG, and if a server has multiple roles it would also be added to, for example, the parent data source WINDOWS_COLLECTOR_DHCP; this is to catch multiple types of data sources from one host. Our SIEM consultant told us that we could use non-routable IP addresses for parent data sources, so that's how we're currently setting things up.

      Then at the clients tab I would like to add multiple servers, but to test I started with 1 data source:

      [screenshot: 2.png]

       

      for reference, the config on the server itself for the collector:

      [screenshot: 3.png]

      When it is added like this, it doesn't work. When I work without the fictional IP on the parent (so I just add it as a plain data source), it does work. What am I doing wrong when adding collector sources as a client data source?

      I tried leaving the host blank in the parent source, but that also doesn't seem to help. Can I only work with parent/client if this server does all the event collection for all servers?

       

      Thanks,

      Nicolas

        • 1. Re: Parent-Client datasources via SIEM Collector 11
          btkarp

          vandecasteelenicolas

           

          I think you want the Parent / Client relationship instead of the Parent / Child. The Parent / Child setup still counts against your overall allowed number of data sources on the Event Receiver, while the Parent / Client does not.

           

          The way I have set up my environments is as such:

           

          Parent: Logcollection-wmi (using the WMI / MEF parent data source profile)

          Clients: All of my WMI logs from all of my hosts report here. Example below.

          Hostname: SERVERA-WMI

          IP: Server A IP Address

          Host ID: ServerA-wmi

          --------------------------------------------------------------------------

          Parent: Logcollection-iis (using the IIS / MEF parent data source profile)

          Clients: All IIS related logs report to this parent. Example below.

          Hostname: SERVERA-IIS

          IP: ServerA IP Address

          Host ID: ServerA-iis


          So, Server-A has two separate SIEM data source profiles it sends logs to - IIS and WMI. Hope this makes sense or helps you figure out your issue.
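The layout btkarp describes (one parent per log type, one client per host per role, Hostname "<HOST>-<ROLE>", Host ID "<host>-<role>") is easy to get wrong by hand once a few dozen hosts have overlapping roles. The script below is an added example, not part of this thread and not McAfee ESM code: it builds that parent/client plan from a small constructed inventory, reports a host whose role has no parent defined (the "one host, several log types" case Nicolas asks about), and checks that Host IDs do not collide. The inventory, the parent names, the profile labels and the uniqueness rules are assumptions made for the example; what ESM itself requires of Host IDs is not stated in the thread.

```python
"""Plan per-role Parent/Client data sources from a host inventory.

Added example (not McAfee ESM code). It follows the naming scheme in the
reply above: one parent per log type, one client per host per role, with
Hostname "<HOST>-<ROLE>" and Host ID "<host>-<role>". The inventory, parent
names/profiles and the uniqueness rules are assumptions made for this script.
"""
from ipaddress import ip_address

# Constructed inventory: hostname -> (IP, roles). Assumes one IP per host.
INVENTORY = {
    "ServerA": ("10.0.0.11", ["wmi", "iis"]),
    "ServerB": ("10.0.0.12", ["wmi"]),
    "ServerC": ("10.0.0.13", ["wmi", "iis", "dhcp"]),  # "dhcp" has no parent yet
}

# Assumed parent names/profiles, one per log type (the reply's "Logcollection-<role>").
PARENTS = {
    "wmi": {"name": "Logcollection-wmi", "profile": "WMI / MEF"},
    "iis": {"name": "Logcollection-iis", "profile": "IIS / MEF"},
}


def client_entry(hostname, ip, role):
    """One client data source under the parent for `role`."""
    return {
        "hostname": f"{hostname.upper()}-{role.upper()}",
        "ip": ip,
        "host_id": f"{hostname}-{role.lower()}",
    }


def build_plan(inventory, parents):
    """Group clients under the parent for each of their roles.

    Returns (plan, errors). A host role with no parent defined is reported
    rather than silently dropped, and a malformed IP skips the host.
    """
    plan = {
        role: {"parent": p["name"], "profile": p["profile"], "clients": []}
        for role, p in parents.items()
    }
    errors = []
    for hostname, (ip, roles) in inventory.items():
        try:
            ip_address(ip)
        except ValueError:
            errors.append(f"{hostname}: invalid IP {ip!r}")
            continue
        for role in roles:
            if role not in plan:
                errors.append(f"{hostname}: no parent data source defined for role {role!r}")
                continue
            plan[role]["clients"].append(client_entry(hostname, ip, role))
    return plan, errors


def validate(plan):
    """Assumed rules for this example: Host IDs are unique across the whole
    receiver, and within one parent no two clients share (hostname, ip)."""
    problems = []
    seen_ids = {}
    for p in plan.values():
        seen_pairs = set()
        for c in p["clients"]:
            if c["host_id"] in seen_ids:
                problems.append(
                    f"duplicate Host ID {c['host_id']} ({seen_ids[c['host_id']]} and {p['parent']})"
                )
            seen_ids[c["host_id"]] = p["parent"]
            pair = (c["hostname"], c["ip"])
            if pair in seen_pairs:
                problems.append(f"{p['parent']}: duplicate client {pair}")
            seen_pairs.add(pair)
    return problems


def counted_data_sources(plan):
    """Per the reply above, with Parent/Client only the parents count against
    the Event Receiver's data source limit; the clients do not."""
    return len(plan)


if __name__ == "__main__":
    plan, errors = build_plan(INVENTORY, PARENTS)
    for p in plan.values():
        print(f"Parent: {p['parent']} (profile {p['profile']})")
        for c in p["clients"]:
            print(f"  Hostname: {c['hostname']}  IP: {c['ip']}  Host ID: {c['host_id']}")
    for e in errors + validate(plan):
        print("WARNING:", e)
    print("data sources counted on the receiver:", counted_data_sources(plan))
```

Running it prints the two parents with their clients, a warning that ServerC's "dhcp" role has no parent (so you would add a third parent before that host's DHCP logs land anywhere), and a count of 2 counted data sources, which is the point of the reply: the clients are free, the parents are not.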