Configuration Options for Systems with Restricted Policies for Domain Controller Credentials
Users with appropriate remote access permissions might be able to collect events from remote systems without using domain administrator credentials. Depending on what you collect, the user might need extra permissions. For example, to collect Security event logs remotely, the user that is configured in the JSA log source must have remote access to the Security event log from the server where the agent is installed.
For remote collection, the WinCollect user must work with their Windows administrator to ensure access to the following items:
- Logs for security, system, and application events
- The remote registry
- Any directories that contain .dll or .exe files that contain message string information
With certain combinations of Windows operating system and group policies in place, alternative configurations might not be possible.
Remote collection inside or across a Windows domain might require domain administrator credentials to ensure that events can be collected. If your corporate policies restrict the use of domain administrator credentials, you might need to complete more configuration steps for your WinCollect deployment.
The following permissions and credentials are required for service accounts to access the remote polling log sources that WinCollect supports.

Permissions | Log Sources
---|---
The service account needs to be able to access the folder that the log file is in and open the file. |
The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain administrative privileges are usually required to poll a Windows event log across a domain. | Microsoft Windows Security Event Log
When WinCollect agents collect events from the local host, the event collection service uses the Local System account credentials to collect and forward events. Local collection requires that you install a WinCollect agent on a host where local collection occurs.
Changing WinCollect Configuration from the Command Line
You can change the configuration of a WinCollect agent from the command line of the Windows host.
After the initial installation of a WinCollect agent on a Windows host, you can change the configuration by using the installHelper.exe file that is located in the <WinCollect_installation_path>/bin directory.
The following configuration parameters can be modified:

Parameter | Description
---|---
Authentication Token | Authorizes the WinCollect service, for example, AUTH_TOKEN=af111ff6-4f30-11eb-11fb-1fc1 17711111
Configuration Server (host and port) | The IP address or host name of your JSA Console, for example, 100.10.10.1 or myhost.
Default Status Server Address | Displays the IP address of the Configuration Server, where status messages from the WinCollect agent are sent.
Local IP | Use this setting to select the IP address that is displayed for all log sources on systems with multiple network interface cards (NICs).
Originating Computer | Use this setting to select the IP address that is displayed only for Windows events on systems with multiple NICs.
The installHelper.exe file has the following update flags:

Flag | Description
---|---
-h [ --help ] | Provides detailed information on the installHelper.exe usage options.
-P [ --update-password ] | Update a password in the AgentConfig.xml configuration file. Specify the Login.Handle and new password, colon separated. For example, 1:MyNewPassword. Note: the password is passed in plain text and is therefore visible in the command line and in process listings and shell history.
-F [ --update-password-with-file ] | Update a set of passwords in the AgentConfig.xml configuration file using an external file. Specify the Login.Handle and new password, colon separated, one per line. For example, 1:MyNewPassword. Note: the file holds the passwords in plain text, so erase the input file after use or keep it secured.
-T [ --update-auth-token ] | The new authentication token to be used to communicate with the configuration server.
-L [ localIP ] | Use this setting to select the IP address that is displayed for all log sources on systems with multiple NICs. For example, installHelper.exe -L 192.0.2.0
-O [ OrigComputer ] | Use this setting to select the IP address that is displayed for Windows events on systems with multiple NICs. For example, installHelper.exe -O 198.51.100.0
For example, to change an authorization token for a WinCollect agent, type the following in the command line of the Windows host:
<WinCollect_installation_path>/bin/installHelper.exe -T <authorization_token>
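The -F flag reads the new credentials from a plain-text file, and the table above only says to erase or secure that file. The following PowerShell script is an added example, not part of the WinCollect documentation or product, showing how to keep that exposure short: the file is created empty and ACL-restricted before the secret is written, passed to installHelper.exe, then overwritten and deleted. The install path, the Login.Handle value 1, and the ASCII encoding of the input file are assumptions to adjust for your deployment.

```powershell
# Added example: rotate a stored log-source password with installHelper.exe -F
# without leaving a readable plaintext file behind.
# Assumptions: $InstallPath and $Handle are placeholders; the -F input format
# (Login.Handle:Password, one per line) is the one the documentation gives.
$InstallPath = 'C:\Program Files\WinCollect'            # assumption: your install path
$Helper      = Join-Path $InstallPath 'bin\installHelper.exe'
$Handle      = 1                                         # Login.Handle from AgentConfig.xml
$Secure      = Read-Host -Prompt "New password for Login.Handle $Handle" -AsSecureString

# Decrypt the SecureString only when it is needed and free the BSTR immediately.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$PwFile = Join-Path $env:TEMP ('wc-pw-{0}.txt' -f [guid]::NewGuid())

try {
    # Create the file empty and restrict it BEFORE any secret is written, so there
    # is no window in which the inherited (often broader) ACL applies to the password.
    New-Item -Path $PwFile -ItemType File -Force | Out-Null
    $acl = Get-Acl -Path $PwFile
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    $me  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($id in @($me, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $PwFile -AclObject $acl

    # -F expects Login.Handle:Password, one entry per line. ASCII is an assumption;
    # a BOM-prefixed encoding could prevent the first handle from being parsed.
    Set-Content -Path $PwFile -Value ('{0}:{1}' -f $Handle, $plain) -NoNewline -Encoding ASCII

    & $Helper -F $PwFile
    if ($LASTEXITCODE -ne 0) { throw "installHelper.exe -F failed with exit code $LASTEXITCODE" }
}
finally {
    # Overwrite, then delete. Best effort only: NTFS may still hold copies in the
    # MFT or USN journal, so use an encrypted or RAM-backed TEMP if that matters.
    if (Test-Path $PwFile) {
        $len = [Math]::Max((Get-Item $PwFile).Length, 64)
        [IO.File]::WriteAllBytes($PwFile, (New-Object byte[] $len))
        Remove-Item -Path $PwFile -Force
    }
    $plain = $null
}
```

Run the script from an elevated prompt on the agent host; the here-documented ACL keeps only the running user and SYSTEM on the file, which is enough for installHelper.exe to read it. Prefer this over -P, whose argument would otherwise appear in the console history and in any process-listing telemetry.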
Local Installations with No Remote Polling
Install WinCollect locally on each host that you cannot remotely poll. After you install WinCollect, JSA automatically discovers the agent and you can create a WinCollect log source.
You can specify to use the local system by selecting the Local System check box in the log source configuration.
Local installations are suitable for domain controllers where the large event per second (EPS) rates can limit the ability to remotely poll for events from these systems. A local installation of a WinCollect agent provides scalability for busy systems that send bursts of events when user activity is at peak levels.
Configuring Access to the Registry for Remote Polling
Before a WinCollect log source can remotely poll for events, you must configure a local policy for your Windows-based systems.
When a local policy is configured on each remote system, a single WinCollect agent uses the Windows Event Log API to read the remote registry and retrieve event logs. The Windows Event Log API does not require domain administrator credentials. However, the event API method does require an account that has access to the remote registry and to the security event log.
By using this collection method, the log source can remotely read the full event log. However, the method requires WinCollect to parse the retrieved event log information from the remote host against cached message content. WinCollect uses version information from the remote operating system to ensure that the message content is correctly parsed before it forwards the event to JSA.
- Log on to the Windows computer that you want to remotely poll for events.
- Select Start > Programs > Administrative Tools, and then click Local Security Policy.
- From the navigation menu, select Local Policies > User Rights Assignment.
- Right-click Manage auditing and security log and click Properties.
- On the Local Security Setting tab, click Add User or Group to add your WinCollect user to the local security policy.
- Log out of the Windows host, and then try to poll the remote host for Windows-based events that belong to your WinCollect log source.
If you cannot collect events for the WinCollect log source, verify that your group policy does not override your local policy. You can also verify that the local firewall settings on the Windows host allow remote event log management.
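The procedure above and the permissions table earlier in the page name four prerequisites (the Manage auditing and security log right, Event Log Readers membership, the Remote Registry, and a firewall that admits remote event log management) and two reasons polling still fails (a group policy overriding the local policy, the local firewall). The following PowerShell script is an added example, not WinCollect's own tooling, that checks all of them on the host you intend to poll. Run it there as a local administrator; the collector account name is a placeholder, and the group and firewall rule-group names are the ones Windows uses.

```powershell
# Added example: verify on the polled host that the WinCollect collector
# account can actually be used for remote event log polling.
# Assumption: $CollectorAccount is a placeholder for your service account.
param(
    [Parameter(Mandatory)] [string] $CollectorAccount    # e.g. 'CORP\svc-wincollect'
)
$ErrorActionPreference = 'Stop'
$results = @()
function Add-Check([string] $Name, [bool] $Ok, [string] $Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

# 1. "Manage auditing and security log" is SeSecurityPrivilege. secedit exports the
#    local security database, which on a domain member holds what group policy last
#    applied; if a GPO overrides your local edit, the account is simply absent here.
$sid = (New-Object Security.Principal.NTAccount($CollectorAccount)).Translate(
           [Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = (Get-Content -Path $cfg -Encoding Unicode |
         Where-Object { $_ -match '^SeSecurityPrivilege' }) -join ''
Remove-Item -Path $cfg -Force
# Accounts are listed as *SID separated by commas; anchor so a longer SID sharing the prefix cannot match.
$hasRight = [bool]($line -match ([regex]::Escape("*$sid") + '(,|\s*$)'))
Add-Check 'SeSecurityPrivilege granted (effective policy)' $hasRight $line

# 2. Event Log Readers membership. Direct members only; nested groups are not expanded.
$members = @(Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object -ExpandProperty Name)
Add-Check 'Member of Event Log Readers' ($members -contains $CollectorAccount) ($members -join ', ')

# 3. The event API reads message tables through the Remote Registry service.
$svc = Get-Service -Name RemoteRegistry
Add-Check 'RemoteRegistry service running' ($svc.Status -eq 'Running') "$($svc.Status), StartType=$($svc.StartType)"

# 4. The inbound rules in the "Remote Event Log Management" group must be enabled
#    on whichever profile the collector reaches this host through.
$rules   = @(Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound -ErrorAction SilentlyContinue)
$enabled = @($rules | Where-Object { $_.Enabled -eq 'True' })
Add-Check 'Remote Event Log Management rules enabled' ($enabled.Count -gt 0) "$($enabled.Count) of $($rules.Count) inbound rules enabled"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

A failed first check after you added the user through Local Security Policy is the group-policy override the text warns about: fix it in the GPO rather than locally, because the next policy refresh will revert the local change. A failed fourth check is the firewall case; enable the rule group for the network profile the agent connects through instead of disabling the firewall.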
Windows Event Subscriptions for WinCollect Agents
To provide events to a single WinCollect agent, you can use Windows event subscriptions to forward events. When event subscriptions are configured, numerous Windows hosts can forward their events to JSA without needing administrator credentials.
Forwarded Events
The events that are collected are defined by the configuration of the event subscription on the remote host that sends the events. WinCollect forwards all of the events that are sent by the subscription configuration, regardless of what event log check boxes are selected for the log source.
Windows event subscriptions, or forwarded events, are not considered local or remote, but are event listeners. The WinCollect Forwarded Events check box enables the WinCollect log source to identify Windows event subscriptions. The WinCollect agent displays only a single log source in the user interface, but this log source is listening and processing events for potentially hundreds of event subscriptions. One log source in the agent list is for all event subscriptions. The agent recognizes the event from the subscription, processes the content, and then sends the syslog event to JSA.
Forwarded events can be collected with the Forwarded Events check box only. An XPATH cannot be used.
Forwarded events are displayed as Windows Auth @ <hostname> or <FQDN> in the Log Activity tab. Conversely, locally or remotely collected events appear as Windows Auth @ IP address or hostname. When WinCollect processes a locally or remotely collected event, WinCollect includes an extra syslog header that identifies the event as a WinCollect event. Because the forwarded event is a pass-through from a listener, the extra header is not included, so forwarded events appear like standard syslog events and do not carry the WinCollect identifier.
WinCollect collects only those forwarded events that appear in the Windows Event Viewer.
Domain Controllers
If you have domain controllers, consider installing local WinCollect agents on the servers. Due to the potential number of generated events, use a local log source with the agent installed on the domain controller.
Supported Software Environments
Event subscriptions apply only to WinCollect agents and hosts that are configured on the following Windows operating systems:
- Windows 8 (most recent)
- Windows Server 2012 (most recent)
- Windows 10 (most recent)
- Windows Server 2016 (including Core)
- Windows Server 2019 (including Core)
WinCollect is not supported on versions of Windows that have been moved to End Of Life by Microsoft. After software is beyond the Extended Support End Date the product might still function as expected; however, Juniper Networks will not make code or vulnerability fixes to resolve WinCollect issues for older operating systems. For example, Microsoft Windows Server 2003 R2 and Microsoft Windows XP are operating systems that are beyond the Extended Support End Date. Any questions about this announcement can be discussed in the JSA Collecting Windows Events (WMI/ALE/WinCollect) forum. For more information, see https://support.microsoft.com/en-us/lifecycle/search.
For more information about event subscriptions, see your Microsoft documentation or the Microsoft technical website (http://technet.microsoft.com/en-us/library/cc749183.aspx).
Troubleshooting Event Collection
Microsoft event subscriptions have no alert mechanism to indicate that an event source stopped sending. If a subscription fails between the two Windows systems, the subscription still appears active, but the service that is responsible for the subscription can be in an error state. With WinCollect, remotely polled or local log sources can time out when no events are received within 720 minutes (12 hours); a forwarded-events log source gives no such signal, so you have to monitor the subscription yourself.
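Because the collector side gives no alert, the following PowerShell script is an added example (not from this documentation) of the monitoring a practitioner adds on the WinCollect host: it asks wecutil for each subscription's runtime status, where a source in error shows a non-zero LastError even though the subscription stays "Active", and it checks the age of the newest ForwardedEvents entry from each source you expect. The source host names and the 60-minute threshold are assumptions; pick a threshold well under the 720 minutes mentioned above.

```powershell
# Added example: detect silently stalled event subscriptions on the collector.
# Run on the WinCollect host (the Windows Event Collector). Assumptions:
# $ExpectedSources are placeholder host names as they appear in the Computer
# field of forwarded events (usually the FQDN); $MaxAgeMinutes is a local choice.
param(
    [string[]] $ExpectedSources = @('dc01.corp.example', 'dc02.corp.example'),
    [int]      $MaxAgeMinutes   = 60
)
$problems = @()
$cutoff   = (Get-Date).AddMinutes(-$MaxAgeMinutes)

# 1. Runtime status per subscription and per source. "wecutil es" lists
#    subscriptions; "wecutil gr" prints RunTimeStatus and LastError for each source.
foreach ($sub in @(wecutil es | Where-Object { $_ -ne '' })) {
    $runtime = @(wecutil gr $sub)
    $bad = @($runtime | Where-Object {
        ($_ -match 'RunTimeStatus:\s*(?!Active)\S') -or
        ($_ -match 'LastError:\s*(\d+)' -and $Matches[1] -ne '0')
    })
    if ($bad.Count -gt 0) {
        $problems += "subscription '$sub' reports: " + (($bad | ForEach-Object { $_.Trim() }) -join '; ')
    }
}

# 2. Freshness: newest ForwardedEvents entry from each expected source. A source
#    whose subscription is wedged keeps its old events, so look at the timestamp,
#    not at whether events exist. Only events visible in Event Viewer count,
#    which is also all that WinCollect will ever forward.
foreach ($src in $ExpectedSources) {
    $latest = Get-WinEvent -LogName ForwardedEvents -MaxEvents 1 -ErrorAction SilentlyContinue `
                           -FilterXPath "*[System[Computer='$src']]"
    if (-not $latest) {
        $problems += "$src: no events in ForwardedEvents at all (check Computer name spelling / FQDN)"
    } elseif ($latest.TimeCreated -lt $cutoff) {
        $problems += "$src: newest event $($latest.TimeCreated) is older than $MaxAgeMinutes minutes"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: all subscriptions healthy and all $($ExpectedSources.Count) sources fresh"
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1     # non-zero so a scheduled task or monitoring agent can alert on it
```

Schedule it (for example, every 15 minutes) and alert on the exit code; a quiet source that is genuinely idle, such as a lab host, should be removed from $ExpectedSources rather than silencing the check.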
Configuring Microsoft Event Subscriptions
Configure Microsoft event subscriptions to forward events to a single WinCollect agent.
WinCollect supports event subscriptions with the following parameters:
- Forwarded Events: the subscription must send the logs to the Forwarded Events channel (selected in the Destination log list).
- Subscription format: the subscription must be configured with ContentFormat: RenderedText and Locale: en-US.
- Locale: the locale of the Windows computer where WinCollect is installed must be en-US.
If you are using domain controllers, consider installing local WinCollect agents on the servers. Due to the potential number of generated events, use a local log source with the agent that is installed on the domain controller.
- Configure event subscriptions on your Windows hosts.
- Configure a log source on the WinCollect agent that receives the events. You must select the Local System check box and the Forwarded Events check box for the WinCollect log source.
JSA Support does not support the creation or maintenance of Microsoft Subscriptions.
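The page states the three requirements (Forwarded Events channel, RenderedText, en-US) but not how to set them. The following PowerShell script is an added example, not Juniper's or Microsoft's own configuration, of creating a source-initiated subscription on the WinCollect host that meets them, then forcing and confirming the two format settings with wecutil, which is the kind of subscription that needs no administrator credentials because the source computers authenticate with their machine accounts. The subscription name, the Domain Computers SDDL, the Security-log query, and the batching values are assumptions; the sources additionally need WinRM and a SubscriptionManager policy pointing at this collector, which is outside the scope of this page.

```powershell
# Added example: create a WinCollect-compatible Windows event subscription.
# Run on the collector (the host where WinCollect is installed) as administrator.
# Assumptions: name, query, batching and the SDDL below are placeholders.
$SubscriptionName = 'WinCollect-Security'

# The subscription must land in ForwardedEvents, be RenderedText and en-US.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log from domain members to the WinCollect collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>500</MaxItems><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting Domain Computers (DC) the right to forward; adjust to a narrower group if needed -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

# The collector service must be configured and running before subscriptions work.
wecutil qc /q

$path = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $path -Value $xml -Encoding UTF8
wecutil cs $path
Remove-Item -Path $path -Force

# Enforce the two format settings explicitly, so a later hand edit in Event
# Viewer (which defaults to "Events" format) cannot silently break WinCollect.
wecutil ss $SubscriptionName /cf:RenderedText /l:en-US

# Confirm what the collector actually stored.
$settings = wecutil gs $SubscriptionName
$settings | Select-String -Pattern 'ContentFormat|Locale|LogFile|Enabled'
$ok = ($settings -match 'ContentFormat:\s*RenderedText') -and
      ($settings -match 'Locale:\s*en-US') -and
      ($settings -match 'LogFile:\s*ForwardedEvents')
if (-not $ok) { Write-Error "subscription '$SubscriptionName' does not meet WinCollect's requirements" }

# The collector host itself must also be en-US (see the Locale requirement above).
$culture = (Get-Culture).Name
if ($culture -ne 'en-US') { Write-Warning "collector culture is $culture; WinCollect requires en-US" }
```

After the sources start forwarding, create the WinCollect log source with the Local System and Forwarded Events check boxes selected; XPath filtering is not available for forwarded events, so any narrowing of the Security log must be done in the subscription's query, as in the example above.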