2019-08-16 03:44 AM
Which ports do I need to open for collecting logs from windows servers?
As far as I know it's 5985 or 5986, bi-directional, between the Windows event source and the RSA SA log collector. Do I also need to open port 80 or 443, bi-directional?
Also, is it TCP or UDP?
Please let me know what it is for port 514 as well - TCP or UDP?
2019-08-16 04:10 AM
Visham
You are correct. However, you also need port 88 open from the log collector to the KDC that you defined in the Realm config.
Dave
2019-08-16 04:28 AM
Hi Dave,
So I need both ports 80/443 and 5985/5986 open to collect logs from the Windows event source, correct?
Also, what of port 88? I've not had it open earlier. What exactly does it collect from KDC?
2019-08-16 04:34 AM
Visham
As far as I know only 5985/5986 is used and not 80/443. You may want to monitor this connection to validate this.
Port 88 is used for the log collector to contact a KDC to obtain a Kerberos ticket. This ticket is used to authenticate the connection to your target Windows hosts.
Dave
2019-08-16 04:41 AM
Hi Dave,
So, port 88 is to be opened only between the Log Collector and the Domain Controllers, right? Not every individual Windows host, correct?
2019-08-16 04:44 AM
You are correct
2019-08-16 05:59 AM
Yes, it's only port 5985/5986, confirmed!
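
One way to do the "monitor this connection to validate this" step from the thread, as an added example that is not part of the original posts: it tallies the remote ports in `ss -tn` output taken on the log collector and flags anything outside 5985/5986 (event sources) and 88 (KDC). The sample output, addresses and role labels are constructed for illustration.

```python
from collections import defaultdict

# Ports the thread settles on; the role names are labels chosen for this example.
EXPECTED = {"event_source": {5985, 5986}, "kdc": {88}}

# Constructed `ss -tn` output (TCP sockets only); RFC 5737 documentation addresses.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      192.0.2.10:48212    198.51.100.21:5985
ESTAB     0      0      192.0.2.10:48230    198.51.100.22:5986
TIME-WAIT 0      0      192.0.2.10:39514    198.51.100.5:88
ESTAB     0      0      192.0.2.10:51022    198.51.100.23:443
ESTAB     0      0      192.0.2.10:22       203.0.113.9:50211
"""

# Constructed inventory: which peers are event sources and which is the KDC.
SAMPLE_ROLES = {
    "198.51.100.21": "event_source",
    "198.51.100.22": "event_source",
    "198.51.100.23": "event_source",
    "198.51.100.5": "kdc",
}

def peer_ports(ss_output):
    """Map each peer address to the set of remote ports seen in ss -tn output."""
    seen = defaultdict(set)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header or malformed line
        host, _, port = fields[4].rpartition(":")
        if port.isdigit():
            seen[host].add(int(port))
    return dict(seen)

def audit(ss_output, roles):
    """Return (confirmed, unexpected) lists of (host, port) for known hosts."""
    confirmed, unexpected = [], []
    for host, ports in sorted(peer_ports(ss_output).items()):
        role = roles.get(host)
        if role is None:
            continue  # not an event source or KDC, e.g. an admin SSH session
        for port in sorted(ports):
            bucket = confirmed if port in EXPECTED[role] else unexpected
            bucket.append((host, port))
    return confirmed, unexpected

if __name__ == "__main__":
    ok, odd = audit(SAMPLE_SS, SAMPLE_ROLES)
    print("confirmed:", ok)
    print("unexpected:", odd)
```

An empty "unexpected" list over a full collection cycle supports leaving 80/443 closed; any entry there points at a source or listener configured differently from what the thread describes.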