How to integrate Windows devices in ArcSight

How to Integrate Windows Devices
We can install a Windows connector to integrate Windows-based devices.
There are two types of Windows connector:
1. Microsoft Windows Event Log Unified
2. Microsoft Windows Event Log Native
The major differences between these connectors are:
- Performance-wise, the Microsoft Windows Event Log Unified connector is better than the Microsoft Windows Event Log Native connector.
- Unified connectors can be installed on both platforms (Windows/Linux). That means the server where the connector is installed can run either Windows or Linux.
- Native connectors can be installed on the Windows platform only.
- We can't modify the parser file in Unified Windows connectors.
- We can modify the parser file to an extent in Native Windows connectors.
- 95% of the devices can be integrated with Microsoft Windows Event Log Unified.
Windows Device Integration - Steps
Step 1
First of all, you need to find out which devices you are going to integrate with ArcSight SIEM, using the Device Inventory Document, which contains the number of devices and their locations. Then integrate the devices with the location-specific connectors.
Step 2
Install the Windows connector.
Only one setup file is available from Micro Focus for all the connectors.
Download the ArcSight setup and install it, then select the appropriate connector for the end device.
Step 3
Enable connectivity between the connector and the end devices.
We can use the ping command to check the connectivity between the connectors and the devices.
Step 4
SMB port 445 (TCP) should be open. Only then can the Windows connector pull the logs.

Step 5
Create a domain service account with a non-expiring password, so that the connector can log in and pull the logs from the Event Viewer.
Step 6
Auditing should be enabled on the security devices that we are integrating. Only then will the Windows devices generate logs.
Step 7
The Remote Procedure Call (RPC) service should be enabled on the end devices. Only then can the connectors pull the logs from the end devices.
Step 8
Launch the connector that you installed and enter the IP address/host name of the security device that needs to be connected.
Step 9
Log in to the domain service account by entering the user name and password.
Step 10
Select the OS and click Next.
Once we click Next, it checks the parameters: whether TCP SMB port 445 is open in the firewall, whether the RPC service is enabled on the end device, and whether auditing is enabled on the end device.
If any parameter is not valid, it generates the error "Parameter Validation Failed".
Step 11
Finally, verify whether the devices are sending logs.
For that, log in to ESM and Logger, then run the query Device Address = IP address of the end device.
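The prerequisites from Steps 3 to 7 are exactly what the connector re-checks in Step 10, so it saves time to test them from the connector host before launching the wizard. The script below is an added example written for this post; it is not part of the ArcSight connector or of Micro Focus documentation. It assumes a Windows connector host with Test-NetConnection available, that WinRM is reachable on the end devices so the audit and RPC checks can run on the device itself (WinRM is not mentioned in the post and is an assumption here), and the device names are constructed sample values.

```powershell
# Added pre-flight script (not from the original post or the ArcSight
# connector). Run on the Windows connector host. For every end device it
# checks the same parameters the connector validates in Step 10:
# reachability (Step 3), SMB TCP 445 (Step 4), the domain service account
# (Step 5), auditing (Step 6) and the RPC service (Step 7).
# Assumption: WinRM is enabled on the end devices for the device-side checks.
# Device names below are constructed sample values.

param(
    [string[]]$Devices = @('winsrv01.example.local', 'winsrv02.example.local'),
    [pscredential]$Credential = (Get-Credential -Message 'Domain service account used by the connector')
)

function Test-DeviceReachable {
    param([string]$ComputerName)
    # Step 3: basic ICMP connectivity from the connector host.
    return (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)
}

function Test-SmbPort {
    param([string]$ComputerName)
    # Step 4: TCP 445 must be open on the path from the connector host.
    $r = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

function Get-DeviceSidePrereqs {
    param([string]$ComputerName, [pscredential]$Credential)
    # Steps 5-7: a successful remote session with the service account proves
    # the account can log in; the script block then inspects the device.
    try {
        Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop -ScriptBlock {
            $rpc = (Get-Service -Name RpcSs).Status -eq 'Running'
            # auditpol prints one subcategory per line; a Success/Failure
            # setting on any Logon/Logoff line means auditing is turned on.
            $lines = auditpol /get /category:'Logon/Logoff' 2>$null
            $audit = @($lines | Where-Object { $_ -match '\s{2,}(Success|Failure)' }).Count -gt 0
            [pscustomobject]@{ LoginOk = $true; RpcRunning = $rpc; AuditEnabled = $audit }
        }
    } catch {
        # Logon failure, WinRM not reachable, or access denied.
        [pscustomobject]@{ LoginOk = $false; RpcRunning = $false; AuditEnabled = $false }
    }
}

function Test-ConnectorPrereqs {
    param([string]$ComputerName, [pscredential]$Credential)
    $noDevice = [pscustomobject]@{ LoginOk = $false; RpcRunning = $false; AuditEnabled = $false }
    $reach = Test-DeviceReachable -ComputerName $ComputerName
    $smb   = if ($reach) { Test-SmbPort -ComputerName $ComputerName } else { $false }
    $dev   = if ($smb) { Get-DeviceSidePrereqs -ComputerName $ComputerName -Credential $Credential } else { $noDevice }
    # Same verdict the connector wizard gives: one failed parameter blocks the integration.
    $ok = $reach -and $smb -and $dev.LoginOk -and $dev.RpcRunning -and $dev.AuditEnabled
    $verdict = if ($ok) { 'OK' } else { 'Parameter Validation Failed' }
    [pscustomobject]@{
        Device       = $ComputerName
        Ping         = $reach
        Smb445       = $smb
        ServiceLogin = $dev.LoginOk
        RpcRunning   = $dev.RpcRunning
        AuditEnabled = $dev.AuditEnabled
        Verdict      = $verdict
    }
}

# One row per device, so the failing parameter is visible before Step 10.
$Devices | ForEach-Object { Test-ConnectorPrereqs -ComputerName $_ -Credential $Credential } | Format-Table -AutoSize
```

The checks are ordered the way the dependencies run: if ping fails, the port test is skipped, and if port 445 is closed, the device-side checks are skipped, so the first column that reads False is the parameter to fix. The audit test looks only at the Logon/Logoff category because that is the minimum the connector needs to see Security log events; extend the `/category:` argument if other categories are in scope for the devices being integrated.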
