This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

best way to configure Windows devices for WinRM and add as event source

Go to solution
JeremySamiec
Beginner
Beginner

‎2016-12-16 04:44 PM

I would like to know the best way to configure windows servers and add them to NetWitness. The process I have right now (Windows Event Forwarding) has its own set of issues and would like something more native to NetWitness. However, manually running of scripts on a bunch of host servers (over 10K Windows servers) is not reliable and then having to create and import CSV's is another manual process.

 

is there anything more automated and enterprise friendly?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
MihaMesojedec
Employee
Employee

‎2016-12-19 04:43 AM

You can use MS GPO option and official RSA Powershell script (winrmconfig.ps1) to configure WinRM settings on your machines.

 

https://community.rsa.com/community/products/netwitness/parser-network/event-sources#M  

WinRM Diagnostic Tool  

 

I created small PS script (not official RSA script) which you can add at the end of the "winrmconfig.ps1" script and this will automatically add your hosts to RSA NetWitness via REST API interface on your Log Collector. Only manual step is to create Event Category in your Log Collector and then define parameters in REST API powershell script.

 

Event sources will be added to Log Collector with FQDN (test.domain.com). If you want to change this then you need to modify powershell script to grab IP of machine and pass it to REST API call.

View solution in original post

Add_Win_EventSource_REST_API.ps1.zip
18 REPLIES 18

Go to solution
MihaMesojedec
Employee
Employee

‎2016-12-19 04:43 AM

You can use MS GPO option and official RSA Powershell script (winrmconfig.ps1) to configure WinRM settings on your machines.

 

https://community.rsa.com/community/products/netwitness/parser-network/event-sources#M  

WinRM Diagnostic Tool  

 

I created small PS script (not official RSA script) which you can add at the end of the "winrmconfig.ps1" script and this will automatically add your hosts to RSA NetWitness via REST API interface on your Log Collector. Only manual step is to create Event Category in your Log Collector and then define parameters in REST API powershell script.

 

Event sources will be added to Log Collector with FQDN (test.domain.com). If you want to change this then you need to modify powershell script to grab IP of machine and pass it to REST API call.

Add_Win_EventSource_REST_API.ps1.zip

Go to solution
JeremySamiec
Beginner
Beginner
In response to MihaMesojedec

‎2016-12-19 03:27 PM

This is awesome, thank you!

 

Now, I am not an admin on the RSA NW servers, what permissions are required to connect to the REST API? Is this configurable on the log collector 'role permissions' page?

 

pastedImage_3.png

I would like to create a local acct that only has access to the REST API to perform the actions of the script, but am not sure what/how to ask the admin to set the permissions.

 

Thank you very much

0 Likes

Go to solution
MihaMesojedec
Employee
Employee
In response to JeremySamiec

‎2016-12-19 03:42 PM

You need to define Role (for example "Rest_API") and User (for example "rsaapi") in your Log Collector (LC) to have access only to Rest API on your LC.

LC_Role.jpg

 

LC_User.jpg

 

User will have access to manage only LC via Rest API, but NO option to access NetWitness via GUI. 

 

Output when script is successfully executed.

LC_Win.png 

Go to solution
JeremySamiec
Beginner
Beginner
In response to MihaMesojedec

‎2016-12-19 03:54 PM

Thank you, I will try that when the admin is available.

I appreciate the help.

0 Likes

Go to solution
MihaMesojedec
Employee
Employee
In response to JeremySamiec

‎2016-12-19 04:06 PM

I don't think you can be more granular in permissions and limit user to configure only Windows events sources via Rest API.

Make sure you have access to port 50101 on your LC(s).

You can always modify iptables on your Log Decoder and limit access to LC from specific subnets to port 50101. When you are done with configuration you can always remove iptables rule.

Go to solution
JeremySamiec
Beginner
Beginner
In response to MihaMesojedec

‎2016-12-19 04:16 PM

Do you know if there is a reason the REST API would not respond over 50101 on some log collectors? 

0 Likes

Go to solution
MihaMesojedec
Employee
Employee
In response to JeremySamiec

‎2016-12-19 04:19 PM

Connection restrictions on Log Decoder (check iptables) or your Firewall rules.

0 Likes

Go to solution
JeremySamiec
Beginner
Beginner
In response to MihaMesojedec

‎2016-12-19 05:11 PM

What is the script you ran to test the API?

0 Likes

Go to solution
MihaMesojedec
Employee
Employee
In response to JeremySamiec

‎2016-12-19 05:16 PM

Script attached to this post, but I rename it when I attached it here.

 

As well you can enable SSL for REST API, but then you need to change powershell script to accept certificate for LC or ignore it.

 

Here is how you enable SSL for REST API.

You need to restart LC service, before settings take effect.

Enable_SSL_Rest_API.png

© 2022 RSA Security LLC or its affiliates. All rights reserved.