5/16/2017

LogRhythm and Native Windows Event Forwarding: How to Do It Right, Filter the Noise and Simplify your Infrastructure

Sponsored by LogRhythm

© 2017 Monterey Technology Group Inc.

Preview of Key Points

(Diagram: instead of a LogRhythm System Monitor agent on every monitored system, the forwarding computers push their events to an Event Subscription Log on the Windows Event Collector, where a single System Monitor reads them and sends them on to LogRhythm)

- Nothing installed on production systems
- Noise filtered at source
- Many more systems can be monitored
- No inbound connections or credentials required

Benefits of WEC with LogRhythm

- Resources and capacity
  - Network bandwidth
  - EPS/MPS (events/messages per second) reduction
- Simplification
  - No service accounts
  - No agents to install, update, manage, or convince admins to allow
- Public cloud environments
  - Ephemeral hosts would otherwise each need manual configuration in the SIEM; with a WEC this goes away, because log sources are collected automatically as soon as a host starts forwarding
  - For ephemeral IaaS hosts, WEC is the best approach
- LogRhythm supports WEC
- LogRhythm Known Host works with WEC

How to do it

- Set up the Windows Event Collector
- Set up subscriptions and destination logs on the collector
- Install the LogRhythm System Monitor on the collector
- Add a Log Source to the System Monitor for each destination log
  - Log Message Source Type: MS Windows Event Log XML - Security
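The collector and subscription steps above as a script, added here as an example and not code from the webinar or from LogRhythm: it configures the collector, creates a source-initiated subscription for the Security log, enlarges the destination log, and applies on a forwarder the registry values that the event-forwarding Group Policy sets. The collector name wec01.contoso.com, the subscription name LogRhythm-Security and the 4 GB log size are assumptions; installing the System Monitor and defining its log source happen in the LogRhythm console and are not scripted.

```powershell
# Added example, not from the deck: collector and forwarder sides of a
# source-initiated WEC deployment. Collector FQDN, subscription name and log
# size are assumptions. Run the collector part as Administrator on the collector.

$collector    = 'wec01.contoso.com'    # assumed collector FQDN
$subscription = 'LogRhythm-Security'   # assumed subscription name

# --- Collector side ----------------------------------------------------------
# Enable the Windows Event Collector service and the WinRM listener that the
# forwarders connect to (/q answers the prompts).
wecutil qc /q

# Source-initiated: forwarders open outbound sessions to the collector, so the
# collector holds no credentials for, and needs no inbound access to,
# production hosts. The SDDL grants Domain Computers (DC) and Domain
# Controllers (DD) the right to forward into this subscription.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecsvc">
  <SubscriptionId>$subscription</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log from all domain members</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>50</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
$file = Join-Path $env:TEMP "$subscription.xml"
Set-Content -Path $file -Value $subscriptionXml -Encoding UTF8
if ((wecutil es) -contains $subscription) { wecutil ds $subscription }  # cs fails if it exists
wecutil cs $file

# The default 20 MB ForwardedEvents log fills in minutes on a busy collector and
# then overwrites events the System Monitor has not read yet; 4 GB is assumed.
wevtutil sl ForwardedEvents /ms:4294967296
wecutil gr $subscription   # runtime status: shows each source once forwarders check in

# --- Forwarder side (normally pushed by Group Policy; these are the registry
# --- values that policy sets, applied locally here for a lab host) -----------
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name '1' `
    -Value "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
# The forwarding plug-in runs as NETWORK SERVICE, which cannot read the Security
# log until it is in Event Log Readers.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
# The WinRM service must be running on the forwarder; the connection it makes
# is outbound to the collector.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM
```

The Refresh value is how often, in seconds, a forwarder polls the collector for subscription changes; the heartbeat and batching numbers are the knobs to revisit once you know the event rate.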

Add Log Source to System Monitor for each Destination Log

(Screenshots of the LogRhythm log source configuration)

- Use Flat File Settings to define the specific log
Beyond the basics

- Multiple log types
  - Don't re-use the collector's own Application and System logs as destinations
  - Options:
    - LogRhythm Log Source Virtualization
    - Using custom event forwarded destinations

Log sources

- LogRhythm has two log formats for getting Windows event logs
  - Classic
  - XML: use this when it is present for the given log type
- To specify a different physical log: (screenshot of the log source settings)
- Log Source Host = WEC collector
- Impacted or Origin Host = forwarding computer (aka event source computer)
- LogRhythm Known Host works with WEC
2-level noise filtering

(Diagram: noise is filtered at the source by the XPath filter on the subscription, before events reach the Event Subscription Log on the Windows Event Collector; the System Monitor applies more noise filtering before sending to LogRhythm)

- Level 1: WEC subscription XPath filters
- Level 2: LogRhythm Global Log Processing Rules (RegEx)
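Both levels in working form, added here as an example that is not from the deck (and the Level 2 pattern is shown in PowerShell, not in a LogRhythm Global Log Processing Rule, which is built in the console): Level 1 assembles a subscription QueryList with Suppress predicates and dry-runs it against the local Security log with Get-WinEvent, which accepts the same XML, so you can see what the filter drops before every forwarder applies it; Level 2 catches something XPath cannot express. The noise choices (5156/5158, 4703, SYSTEM's type 5 logons), the must-keep list and the 4624 event are assumptions constructed for illustration.

```powershell
# Added example, not from the deck: dry-run a Level 1 XPath filter against the
# local Security log before it goes into a subscription, then a Level 2 regex
# of the kind a Global Log Processing Rule would carry. Which events count as
# noise is an assumption for illustration: review every Suppress against the
# detections you rely on.

function New-QueryList {
    # Builds the <QueryList> that both a WEC subscription and Get-WinEvent accept.
    param([string]$Select, [string[]]$Suppress = @())
    $lines = @('<QueryList><Query Id="0" Path="Security">', "  <Select Path=`"Security`">$Select</Select>")
    foreach ($s in $Suppress) { $lines += "  <Suppress Path=`"Security`">$s</Suppress>" }
    $lines += '</Query></QueryList>'
    $lines -join "`n"
}

function Get-EventIdCounts([string]$QueryXml) {
    # Runs the query locally; returns a hashtable of EventID -> count.
    $counts = @{}
    Get-WinEvent -FilterXml ([xml]$QueryXml) -ErrorAction SilentlyContinue |
        ForEach-Object { $counts[$_.Id] = 1 + $counts[$_.Id] }
    $counts
}

# Level 1 candidates (assumed): Windows Filtering Platform permits, token
# privilege adjustments, and SYSTEM's own service logons/logoffs on the host.
$noise = @(
    "*[System[(EventID=5156 or EventID=5158)]]",
    "*[System[EventID=4703]]",
    "*[System[(EventID=4624 or EventID=4634)]] and *[EventData[Data[@Name='LogonType']='5' and Data[@Name='TargetUserName']='SYSTEM']]"
)

# Same Select, limited to the last hour for the dry run (&lt; because this XML
# is parsed here, while inside a subscription file it sits in CDATA).
$window = '*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]'
$before = Get-EventIdCounts (New-QueryList -Select $window)
$after  = Get-EventIdCounts (New-QueryList -Select $window -Suppress $noise)

"Last hour: $(($before.Values | Measure-Object -Sum).Sum) events, $(($after.Values | Measure-Object -Sum).Sum) after suppression"
foreach ($id in ($before.Keys | Sort-Object)) {
    $dropped = $before[$id] - [int]$after[$id]
    if ($dropped -gt 0) { "  EventID ${id}: $($before[$id]) -> $([int]$after[$id])" }
}

# Guard rail: IDs a detection depends on (assumed list) must survive the filter.
$mustKeep = 4625, 4688, 4720, 4732, 4768, 4769
foreach ($id in $mustKeep) {
    if ($before.ContainsKey($id) -and -not $after.ContainsKey($id)) {
        Write-Warning "Suppress predicates remove EventID $id entirely; fix before deploying"
    }
}
# What goes into the subscription's <Query><![CDATA[ ... ]]></Query>:
$deployQuery = New-QueryList -Select '*' -Suppress $noise

# Level 2: the Windows XPath subset has no string functions, so "account name
# ends with $" (computer-account network logons, EventID 4624 type 3) cannot be
# written at Level 1; a regex over the rendered XML on the collector can.
$computerNetworkLogon = '<EventID>4624</EventID>.*?<Data Name="TargetUserName">[^<]*\$</Data>.*?<Data Name="LogonType">3</Data>'
function Test-Level2Noise([string]$EventXml) {
    [regex]::IsMatch($EventXml, $computerNetworkLogon, 'Singleline')
}
# Constructed, abbreviated 4624 event for a machine account:
$sample = '<Event><System><EventID>4624</EventID><Computer>WS01.contoso.com</Computer></System><EventData><Data Name="TargetUserSid">S-1-5-21-1-2-3-1105</Data><Data Name="TargetUserName">WS02$</Data><Data Name="TargetDomainName">CONTOSO</Data><Data Name="TargetLogonId">0x3e7</Data><Data Name="LogonType">3</Data></EventData></Event>'
Test-Level2Noise $sample                                 # True: machine account, drop it
Test-Level2Noise ($sample -replace 'WS02\$', 'jsmith')   # False: a user, keep it
```

Run the dry run on a host that is representative of the subscription's members (a domain controller and a workstation behave very differently), and keep the must-keep list in step with the detections your analysts actually run.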
5/16/2017

 Windows Event Collection rocks


 Built into Windows
Bottom Line  No agents
 Noise filtering at the source
 No inbound/remote collection or configuration
 Efficient
 Resilient

Windows  No management
 How to manage multiple collectors?
Event  Is WEC really working?
Collection is a  Which computers are failing to forward security logs?
 Are we missing any computers?
foundation  Is my WEC collector overloaded?
 Dropping events?
technology  Unresponsive?
 Approaching capacity?
 How do I distribute load of many event sources between multiple
collectors?

8
5/16/2017
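A check that answers three of those questions for one collector (is anything arriving, which expected computers are silent, is a destination log near capacity), added here as an example that is not from the deck and is not Supercharger. The destination log name, the thresholds and the expected-computer list are assumptions; the list is constructed and would normally come from Active Directory.

```powershell
# Added example, not from the deck: WEC health for a single collector.
# Log names, thresholds and the expected-computer list are assumptions.

$destinationLogs = @('ForwardedEvents')          # assumed destination log(s)
$staleHours      = 4                              # assumed: silence beyond this is a failure
$capacityWarnPct = 80                             # assumed warning threshold
$expected = @('WS01.contoso.com', 'WS02.contoso.com', 'SRV-FILE01.contoso.com')   # constructed

$since = (Get-Date).AddHours(-$staleHours)
foreach ($log in $destinationLogs) {
    # Capacity: a log near its maximum size will soon overwrite events the
    # System Monitor has not read; IsLogFull is set when a do-not-overwrite
    # log has stopped accepting events altogether.
    $cfg = Get-WinEvent -ListLog $log
    $pct = [math]::Round(100 * $cfg.FileSize / $cfg.MaximumSizeInBytes, 1)
    "$log`: $($cfg.RecordCount) records, $pct% of $([math]::Round($cfg.MaximumSizeInBytes / 1MB)) MB, last write $($cfg.LastWriteTime)"
    if ($pct -ge $capacityWarnPct -or $cfg.IsLogFull) {
        Write-Warning "$log is at $pct% of its maximum size: raise it (wevtutil sl $log /ms:...) or add a collector"
    }

    # Coverage: MachineName on a forwarded record is the source computer.
    $lastSeen = @{}
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if (-not $lastSeen[$_.MachineName] -or $_.TimeCreated -gt $lastSeen[$_.MachineName]) {
                $lastSeen[$_.MachineName] = $_.TimeCreated
            }
        }
    "  $($lastSeen.Count) computers forwarded in the last $staleHours h"
    $silent     = @($expected | Where-Object { -not $lastSeen.ContainsKey($_) })
    $unexpected = @($lastSeen.Keys | Where-Object { $_ -notin $expected })
    if ($silent)     { Write-Warning "  Expected but silent: $($silent -join ', ')" }
    if ($unexpected) { "  Forwarding but not in the expected list: $($unexpected -join ', ')" }
}

# Subscription runtime state as the collector sees it, and any warnings or
# errors the Event Collector service itself logged in the window.
wecutil es | ForEach-Object { wecutil gr $_ }
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-EventCollector/Operational'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Scheduling this on each collector and shipping its warnings through the same System Monitor turns the two coverage questions into alerts; the load-distribution question it does not answer.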

Windows Event Collection is a foundation technology (continued)

- Need for custom logs to separate source types
  - But Windows gives you no direct way to create custom logs that WEC will accept as a destination; you have to:
    - Build an XML manifest file
    - Compile it with the Message Compiler (mc.exe)
    - Compile the result with the Resource Compiler (rc.exe)
    - Register the event source
- XPath filtering is powerful, but
  - Requires knowledge and testing of a cryptic syntax
  - Requires expert knowledge of security log events so that you don't suppress important security events
- Windows needs to be optimized to avoid dropped events and WEC hangs

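The manifest route above carried through, as an added example that is not the deck's or LogRhythm's code: a manifest declaring one provider with two Operational channels, compiled with mc.exe and rc.exe, linked into a resource-only DLL (the link.exe step the slide leaves out, which produces the file the manifest points at) and registered with wevtutil im. The provider and channel names, the GUID and the paths are placeholders chosen for this example.

```powershell
# Added example, not from the deck: build and register custom event logs that a
# WEC subscription can name as its destination (<LogFile>). Provider/channel
# names, GUID and paths are placeholders. Needs mc.exe and rc.exe (Windows SDK)
# and link.exe (Visual Studio build tools) on PATH; run as Administrator on the
# collector.

$buildDir = 'C:\Build\WecChannels'                          # assumed
$dllPath  = 'C:\Windows\System32\ContosoWecChannels.dll'    # assumed

$manifest = @"
<?xml version="1.0" encoding="UTF-8"?>
<instrumentationManifest
    xmlns="http://schemas.microsoft.com/win/2004/08/events"
    xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
  <instrumentation>
    <events>
      <!-- One provider can own several channels; each channel becomes its own
           log, so each subscription gets a separate destination instead of
           sharing ForwardedEvents or the collector's Application/System logs.
           The GUID is a placeholder generated for this example. -->
      <provider name="Contoso-WEC" guid="{4f1b6a9e-0c2d-4b4a-9f3e-2d7a6b1c8e10}"
                symbol="CONTOSO_WEC"
                resourceFileName="$dllPath" messageFileName="$dllPath">
        <channels>
          <channel name="Contoso-WEC/Security" chid="Security"
                   symbol="CONTOSO_WEC_SECURITY" type="Operational" enabled="true"/>
          <channel name="Contoso-WEC/PowerShell" chid="PowerShell"
                   symbol="CONTOSO_WEC_POWERSHELL" type="Operational" enabled="true"/>
        </channels>
      </provider>
    </events>
  </instrumentation>
</instrumentationManifest>
"@

New-Item -ItemType Directory -Force -Path $buildDir | Out-Null
$manifestPath = Join-Path $buildDir 'ContosoWecChannels.man'
Set-Content -Path $manifestPath -Value $manifest -Encoding UTF8

Push-Location $buildDir
mc.exe ContosoWecChannels.man      # manifest -> .h, .rc and message-table .bin files
rc.exe ContosoWecChannels.rc       # .rc -> .res
link.exe /dll /noentry /machine:x64 /out:ContosoWecChannels.dll ContosoWecChannels.res   # resource-only DLL
Pop-Location
Copy-Item (Join-Path $buildDir 'ContosoWecChannels.dll') $dllPath -Force

# Register the provider and its channels (wevtutil um <manifest> first when
# re-registering a changed manifest).
wevtutil im $manifestPath

# Size each new log for the volume it will receive (4 GB assumed) and confirm
# it exists. On disk the log is
# %SystemRoot%\System32\winevt\Logs\Contoso-WEC%4Security.evtx, which is the
# path the LogRhythm Flat File Settings point at.
foreach ($log in 'Contoso-WEC/Security', 'Contoso-WEC/PowerShell') {
    wevtutil sl $log /ms:4294967296
}
Get-WinEvent -ListLog 'Contoso-WEC/*' | Format-Table LogName, IsEnabled, MaximumSizeInBytes, LogFilePath
```

Once registered, a subscription's <LogFile> element can name Contoso-WEC/Security, and the System Monitor gets one log source per channel, which is what keeps the source types separate.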
Supercharger for Windows Event Collection

- Brings all your WEC collectors around the world onto one pane of glass
- Manage subscriptions consistently across all collectors
- Create custom logs supported by WEC in seconds
- Load balance computers between collectors
- Optimize each collector automatically to support high volume WEC
- All settings exposed via UI
- At-a-glance performance and health indicators
- 3 ways to measure health
- Download the Supercharger manager at https://www.logbinder.com/Form/SCDownload
  - Installs in minutes
- Install the agent on each collector
  - 5 minutes
  - Automatic upgrades of all collector agents
- Get instant and global visibility and control
- Instant price quote: https://www.logbinder.com/Products/Supercharger/Pricing

www.logbinder.com