2014-02-12 02:18 AM
How can we integrate a Windows system with RSA Security Analytics agentless?
Do we need to run the "winrm" command on the Windows system?
Thanks in advance.
2014-03-18 08:00 PM
No problem
2014-03-19 03:01 AM
Hi!
It's a script from SCOL (hidden in envision event sources) - I don't know why it is not mentioned in sa docs, doing that by hand is painful.
I'll attach the same script in VBS from SCOL. It sets up WinRM for HTTP/HTTPS automatically.
There is also a script for 2003 that automates log reading privilege setup for non-admin user. Ping me if anyone needs it.
Tested all of that with Envision; in SA only 2008 collection through local user basic auth works for me right now.
Regarding Legacy collector (WMI - 2003)
Still fighting the same errors with AMQP channel, port 5671 is open on legacy collector and local collector.
Regarding Decoder win collector (WinRM - 2008)
Collection service supports NTLM (basic) auth for local accounts but only Kerberos for domain accounts.
(This is new in 10.3, I guess.) Does anyone know how to use basic auth with domain accounts, since it is enabled in the domain? (Will try to set up Kerberos, but this will take time.)
Sample error:
Unable to subscribe for events with Windows event source 1.1.1.1: 401/Unauthorized.
Possible causes:
- Event source using basic authentication with Domain account (user@DOMAIN.LOCAL). Domain accounts do not work with basic authentication.
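The WinRM setup the post attributes to the SCOL script, written out as an added PowerShell example (not the thread's attachment and not RSA's script) so the listener and auth settings can be reviewed rather than applied blind. It assumes an elevated prompt on the Windows Server 2008 event source, a placeholder certificate thumbprint, and placeholder account names; every `winrm` and `Test-WSMan` call below is a standard Windows command.

```powershell
# Added example: prepare a Windows Server 2008 host for agentless WinRM
# collection and check the two auth modes the post describes
# (Basic for local accounts, Kerberos for domain accounts).
# Run in an elevated PowerShell on the event source.

$CertThumbprint = 'REPLACE-WITH-SERVER-CERT-THUMBPRINT'          # placeholder
$HostFqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

# 1. Base WinRM service, HTTP listener and firewall exception.
winrm quickconfig -q

# 2. HTTPS listener bound to the host certificate. Use the FQDN, not the IP:
#    Kerberos SPNs and the certificate subject are both name-based.
winrm create 'winrm/config/Listener?Address=*+Transport=HTTPS' `
    "@{Hostname=`"$HostFqdn`";CertificateThumbprint=`"$CertThumbprint`"}"

# 3. Service-side auth. Keep AllowUnencrypted off so Basic (local accounts)
#    is only ever sent inside the HTTPS channel; domain accounts use Kerberos.
#    Note the single quotes: PowerShell would otherwise parse @{...} as a hashtable.
winrm set winrm/config/service/auth '@{Kerberos="true";Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="false"}'

# 4. Show the effective configuration for review before handing the host
#    to the collector.
winrm get winrm/config/service
winrm enumerate winrm/config/Listener

# 5. From the collector (or any domain-joined Windows host), confirm each
#    account type with the auth mode it is allowed to use. A 401 on the
#    second call with a domain account is exactly the error in the post.
$domainCred = Get-Credential 'svc_logcollect@EXAMPLE.LOCAL'   # placeholder; realm in uppercase
Test-WSMan -ComputerName $HostFqdn -UseSSL -Authentication Kerberos -Credential $domainCred

$localCred = Get-Credential "$env:COMPUTERNAME\logreader"     # placeholder local account
Test-WSMan -ComputerName $HostFqdn -UseSSL -Authentication Basic -Credential $localCred
```

`Test-WSMan` only proves the listener accepts the credential; event subscription still needs the account to have read access on the Security log, which is the separate non-admin step discussed later in the thread.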
2014-03-19 03:17 AM
Hi N1k, thanks for sharing this useful information, but kindly also share the script for Windows 2003 as well.
And we have overcome the problem of Windows Server 2003 log collection, and it's been working fine now.
Regards,
Deepanshu.
2014-03-19 03:47 AM
Hi,
How have you solved the 2003 collection? Did you have the same errors? Please describe your steps. (My steps are in post 6.)
Is the user that was specified during legacy collector install a local admin on the event sources?
Regarding 2003 non-admin user. The script is in the attachment.
1. Create a user
2. Modify a script (line 14: compname = "" and end of line 16: User Name='' ) and launch it under admin.
3. What it does is described here - How to set event log security locally or by using Group Policy in Windows Server 2003
Thanks to RSA for that script.
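An added PowerShell example (not the attached SCOL script) of the mechanism the linked KB article describes for Windows Server 2003: the Security log's access is controlled by an SDDL string in the `CustomSD` registry value, and a non-admin collection account gets read-only access by appending one allow ACE for its SID. The account name and the base descriptor used when `CustomSD` is not yet present are assumptions; verify the base descriptor against the KB for your build before applying it, because writing `CustomSD` replaces the built-in default entirely.

```powershell
# Added example: grant a non-admin account read-only access to the Security
# event log on Windows Server 2003 via the CustomSD SDDL value.
# Run elevated on the 2003 host. Only read (0x1) is granted; no write (0x2)
# or clear (0x4) bits, so the collection account cannot tamper with the log.
param(
    [string]$Account = 'DOMAIN\svc_logread',   # placeholder, replace

    # Assumed default Security-log descriptor as documented in the KB.
    # Used only when CustomSD is absent; verify it for your own build.
    [string]$BaseSddl = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

# SDDL ACEs carry SIDs, not names, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Allow ACE, read access only.
$ace = "(A;;0x1;;;$sid)"

$current = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).CustomSD
if (-not $current) {
    Write-Host "CustomSD not set; starting from the base descriptor."
    $current = $BaseSddl
}

if ($current -like "*$sid*") {
    Write-Host "An ACE for $Account ($sid) is already present. Nothing changed."
    return
}

$new = $current + $ace

# Show old and new descriptors so the change can be reviewed and, if needed,
# reverted by writing the old value back.
Write-Host "Old CustomSD: $current"
Write-Host "New CustomSD: $new"

Set-ItemProperty -Path $KeyPath -Name CustomSD -Value $new -Type String
Write-Host "Read access to the Security log granted to $Account."
```

The same value can be pushed by Group Policy instead of per host, as the KB notes; either way, re-run the collector's subscription test afterwards, since the event log service re-reads `CustomSD` without a reboot.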
2014-03-19 03:55 AM
Hi n1k, thanks for sharing the script. Yes, we successfully integrated our Windows Server 2003 by the agentless method by installing the Windows legacy software.
To integrate your Windows Server 2003, you need to install the Windows legacy collector .exe file on any Windows Server 2008 machine in the network; the user you created for event source integration must be able to log in to both the Windows Server 2003 machine and the Windows Server 2008 machine, and both need to be in the same AD.
When you install the legacy collector, it asks you for a username and password; enter the username and password you created for your Windows log collection.
If you require steps for the installation of Windows Legacy collection, I have a guide.
Rgrds,
Deepanshu Sood.
2014-03-19 05:13 AM
Guys,
I set up a Kerberos realm (in the web GUI), then used it in the 2008 event source. Mind that it should be in uppercase when specified in the username (username@KERBEROSREALM), and you should use the FQDN, not the IP, for the event source. Here are some useful links (10.3 and 10.2SP2 config is the same):
Configure Kerberos Authentication - RSA Security Analytics Documentation
Windows Kerberos Configuration Parameters - RSA Security Analytics Documentation
So I managed 2008 collection with local (NTLM) and domain (Kerberos) accounts.
Now back to the 2003 legacy collector.
PS. Didn't manage to keep up with the changes. First there was no Kerberos, then Kerberos was set up via SSH, now it is forced and is set up through the web GUI.
2014-03-19 11:42 AM
Well, I managed to conquer 2003 legacy collection. Maybe my practice would be of some help (because the legacy collector has one poor doc):
1. Install and run it under the same domain user which has log read privilege and is a local admin on the 2008 machine where it is being installed.
2. Set the timezone to the same as on the log collector (UTC).
3. Open ports and disable some antivirus/HIPS features (mine was not blocking the port or the response, but the service after it responded, so in telnet it was OK).
4. Connect to SA and deploy Live content to it: Windows Events (NIC) Log Collector Configuration.
2014-03-21 10:25 AM
Yeah, like the warehouse, more GUI now.
2014-03-24 08:47 AM
Are your problems solved while implementing the Windows legacy device?
Let me know if I can be of any help.
2014-03-24 08:54 AM
Thanks, Mudit, for asking, but it's been resolved now and is working fine.
Have a good day.
Regards,
Deepanshu Sood.