2014-02-12 02:18 AM
How can we integrate a Windows system with RSA Security Analytics agentlessly?
Do we need to run the "winrm" command on the Windows system?
Thanks in advance.
2014-02-12 03:19 AM
I would recommend taking a look at RSA SecurCare Online. There are device configuration guides on there for customers:
2014-02-12 03:45 AM
Microsoft Windows Eventing Collection
Will this guide help to collect the Windows logs by the agentless method?
Kindly confirm.
2014-02-24 03:42 AM
Hi deepnashu,
for http collection just follow those steps:
..:: Windows side::..
1) Create user which will be used to access eventlog
2) RUN "winrm configsddl wmi"
(in 2008 R2+ without "wmi")
3) add user and set "Read" permission for him
4) RUN "wmimgmt"
WMI Control -> Properties -> Security -> CIMV2 -> Security
add user -> check "Enable Account", "Remote Enable"
5) RUN "winrm quickconfig"
6) RUN "winrm set winrm/config/service/auth @{Basic="true"}"
7) RUN "winrm set winrm/config/service @{AllowUnencrypted="true"}"
8) RUN "wevtutil gl security"
- > Copy SDDL string and add "(A;;0x1;;;S-1-5-20)" to the end of that.
9) RUN "wevtutil sl security /ca:YOUR_SDDL(A;;0x1;;;S-1-5-20)"
example: wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
Optionally
RUN "winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS_OF_SA"}"
RUN "netsh firewall add portopening TCP 5985 "WinRM-Port 5985""
..:: SA ::..
1) Devices -> Collector -> Explore -> logcollection -> windows -> eventsources right click -> Properties -> Add
alias=NAME username=WIN_USER password=PASS read_all_events=true
2) Devices -> Collector -> Explore -> logcollection -> windows -> eventsources -> ALIAS right click -> Properties -> Add
eventsource_address=IP_OF_WIN port_number=5985 transport_mode=http
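An added PowerShell version of steps 8 and 9 above (my own example, not code from the post): it reads the current channelAccess SDDL of the Security log, appends the NETWORK SERVICE read ACE only if it is not already there, and reads it back to verify. It assumes an elevated PowerShell session on the Windows host being collected from.

```powershell
# Added example (not from the original post): idempotent version of steps 8 and 9.
# Grants read access (0x1) on the Security log to NT AUTHORITY\NETWORK SERVICE
# (S-1-5-20), which the WinRM listener uses to read events for the SA collector.
$Ace = '(A;;0x1;;;S-1-5-20)'

function Get-SecurityChannelSddl {
    # 'wevtutil gl security' prints a "channelAccess: <SDDL>" line among others.
    foreach ($l in (wevtutil gl security)) {
        if ($l -match '^\s*channelAccess:\s*(\S+)') { return $Matches[1] }
    }
    throw 'Could not read the channelAccess SDDL for the Security log'
}

$sddl = Get-SecurityChannelSddl
if ($sddl -like "*$Ace*") {
    Write-Host "ACE already present, nothing to do: $sddl"
} else {
    $newSddl = $sddl + $Ace          # append, do not replace the existing ACEs
    wevtutil sl security "/ca:$newSddl"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
}

# Read back and verify the change actually landed.
$verify = Get-SecurityChannelSddl
if ($verify -notlike "*$Ace*") { throw "ACE not applied; current SDDL: $verify" }
Write-Host "Security log channelAccess is now: $verify"

# Steps 6 and 7 typed at a PowerShell prompt need the argument single-quoted,
# otherwise PowerShell parses @{...} as a hashtable before winrm sees it:
#   winrm set winrm/config/service/auth '@{Basic="true"}'
#   winrm set winrm/config/service '@{AllowUnencrypted="true"}'
# With Basic auth and AllowUnencrypted=true the collector account's credentials
# travel in clear text on TCP 5985, so keep the firewall opening for that port
# limited to the SA collector address.
```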
2014-02-24 03:47 AM
Thanks a lot for sharing this.
Are the steps the same for agentless integration with Windows Server 2003, as we also have Windows Server 2003 to integrate with SA?
Kindly confirm this also, and if yes then please share all the steps for the same.
2014-02-24 05:56 AM
Legacy Windows is different. You need to install the legacy collector executable on a domain Windows machine (or VM). As part of the installation you input the domain credentials. When the legacy collector is installed you can add this device within managed monitored devices in the SA UI and also connect via rest API to the device.
Once that is done you need to add the event sources which should be self explanatory. All configuration steps for the 2k3 devices again can be obtained within SCOL. Collection is by WMI using NetBIOS (port 139 and 445 off the top of my head).
Hope this helps.
2014-03-18 12:37 PM
Thanks for clarifying this! I found no docs describing the legacy collector, only how to install it.
What do I need to set it up properly?
1) Installed it on 2008 R2 system, added to SA
2) Added local collector and event source (windows 2003) in SA
3) Changed lockbox password
4) Deployed "Windows Events (NIC)" log device content on it
5) Restarted the service (btw it doesn't come up automatically; you have to do this manually via Services in Windows)
Nevertheless, the service in the device view shows in SA as:
Appliance Service Information ( Device not available)
Logs give me:
An error occurred creating an AMQP channel: : connection closed unexpectedly
Unable to start AMQP Log Receiver: : connection closed unexpectedly
What else should I do for the service to come up? Has anyone encountered such issues?
2014-03-18 12:53 PM
Device not available is ok because there is no appliance service on the legacy log collector.
Did you open the firewall for port 5671?
Thanks.
2014-03-18 01:23 PM
2014-03-18 07:32 PM
thanks for sharing the script