2014-06-24 12:21 AM
Hello All,
Do we have any kind of setting in the WinRM service to run and send the logs at DEBUG, INFORMATION, CRITICAL, or ALL?
So if we only want the logs which are CRITICAL on a Windows machine, and the machine is configured through WinRM with Security Analytics,
then how will we be able to receive those logs in SA?
Is there any setting in WinRM that we can change or set according to our requirement?
Could someone kindly advise on this? I am waiting for your response.
Thanks to all.
2014-06-24 03:36 AM
It's a Windows limitation that you cannot granularly select which types of events you want to receive.
Hope this helps.
2014-06-24 03:44 AM
Hello Patrick,
Is there any way on Windows that we can do it?
Or any way which could be possible if we only want to collect specific types of logs by the WinRM service?
Kindly suggest.
2014-06-24 03:48 AM
I'm pretty sure it isn't possible using WinRM. If you did, however, want to use a third-party agent (such as SNARE), then I believe this allows you to filter what is forwarded to SA/any other SIEM.
Obviously this introduces additional challenges around installing an agent.
You can get a trial licence; have a play with that and let me know how you get on.
2014-06-24 03:58 AM
Our main challenge is to do this without any third-party agent,
because in future, if the agent crashes, this will again create a problem for us.
And the most important thing is why I want this service: on my Windows machine I have enabled auditing so that if any file or folder is created on the machine, a log is created, and I can check the related logs in the Event Viewer, but if I try to find and view the log in SA, I am not able to find the log related to this.
Then how can I check in SA that if any file or folder is created on the Windows machine, I can get a list of the logs which have been created or the modifications that have been done?
I hope you can understand what I am trying to explain to you.
Thank you.
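An added local check for the situation described in this post (example code, not from any of the posters): before looking in SA, confirm on the Windows host itself that the "File System" audit subcategory is enabled, that object-access events (ID 4663, the Security-log event written for file and folder access, including creation) are actually being generated, and that the WinRM service is running with a listener for SA to connect to. The event ID, message field names and `auditpol`/`winrm` commands are standard Windows ones; the look-back window is a constructed assumption.

```powershell
# Added example: verify that file/folder audit events exist locally and WinRM is up.
# Assumes an elevated PowerShell session on the monitored Windows host.
param([int]$LookBackHours = 24)   # constructed assumption: how far back to search

# 1. Is the "File System" audit subcategory enabled at all?
#    Without it no 4663 events are written, so nothing can reach SA.
Write-Host "Audit policy for the File System subcategory:"
auditpol /get /subcategory:"File System"

# 2. Count object-access events (ID 4663) in the Security log for the window.
#    A file/folder creation appears as 4663 whose Accesses field contains
#    "WriteData (or AddFile)" or "AppendData (or AddSubdirectory)".
$since  = (Get-Date).AddHours(-$LookBackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no error when zero events match
$creates = $events | Where-Object {
    $_.Message -match 'WriteData \(or AddFile\)|AppendData \(or AddSubdirectory\)'
}
Write-Host ("4663 events since {0}: {1} total, {2} look like create/write" -f `
    $since, @($events).Count, @($creates).Count)

# Show the newest few object names so they can be compared with what SA displays.
$creates | Select-Object -First 5 TimeCreated, Id, @{
    n = 'Object'
    e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Object Name:' }) -replace '.*Object Name:\s*', '' }
} | Format-Table -AutoSize

# 3. Is the WinRM service running, and is there a listener for SA to connect to?
$svc = Get-Service -Name WinRM
Write-Host ("WinRM service status: {0}" -f $svc.Status)
winrm enumerate winrm/config/listener
```

If step 1 shows "No Auditing" or step 2 reports zero create/write events, the gap is on the host, not in SA; if both look healthy but SA still shows nothing, the collection or parsing side is where to look next.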
2014-06-24 05:04 AM
Hi,
I see one way of doing it: just leave the events that you need in the parser and delete all the others. It's ugly, but you will get only the events that you need; the others will go to another event source of type "unknown" with the same IP. You can clean this "unknown, un-needed info" afterwards.
Also, there could be a way of doing it through the registry or through user rights, but I cannot find it; maybe it's not that granular.
2014-06-27 02:53 PM
It would be smarter to just make an app rule to delete the logs as they come in by message ID. Deleting the parsers might cause issues in the long run if they want them turned back on.
2014-07-09 09:28 AM
Thanks for the advice; I totally forgot that app rules can not only alert but also manage data processing.