The next few articles I'm looking to publish are about getting information from Microsoft Windows hosts.
By this I mean getting MARS to process data pulled from the Application, System and Security event logs, whether from a server or a workstation.
Information on pulling other logs from Windows servers will follow in later articles.
There are two methods for retrieving event logs from a Windows host: either we tell MARS to pull the events from the host, or we configure the host to send the event data to the MARS appliance, but NOT both at the same time.
The decision on which method to use depends on a few factors, namely whether an agent can be installed on the host, the desired load on the MARS appliance, and how close to real time we want the event data that MARS will process.
Some of the major differences:
A) Use an Agent (pushes info to MARS via Syslog)
1. Takes up host CPU and memory.
2. More efficient in terms of resource utilization on the MARS appliance itself.
3. Agents allow real-time reporting of events (event by event).
4. Allows all event logs to be sent to MARS; however, custom parsing is required for logs other than Security events and select MS Application events.
5. A freeware version is available: Snare (Intersect Alliance). Support can be purchased.
The SNARE application, for example (shown below), interfaces with the Windows event logging subsystem to read the logs, filters them according to a set of administrator-defined objectives, and then sends them via syslog to MARS.
B) No Agent (pull method via RPC)
1. Less administration overhead.
2. Can be configured for global access to all devices with one AD account.
3. Scheduled access to the Security event log only (not real time); the default is a 5 minute interval.
4. Allows you to selectively choose which Security events are logged via Windows Security Policies (Audit Policies).
5. Access for MARS can be restricted to the Security events only via Windows AD security policies; full admin access rights are not required.
6. Operates as a single process on the MARS device, completing the pull from one device before moving to the next. As a result it may take much longer to cycle through all of the reporting devices as the number of devices grows.
C) No Agent (push method via SNMP)
1. Real-time logging of event data.
2. Allows all event logs to be sent to MARS.
3. Requires custom parsing for MARS to understand the log data, since it arrives in SNMP format.
4. Lower resource impact than an agent.
Typically a Microsoft tool like Evntcmd could be used, but there are also agent-based systems for sending the Windows event logs via SNMP.
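To make the agent model in A) concrete, here is an added example (not from the original article and not Snare's code): a minimal agent-style forwarder that reads Windows Security event records, keeps only the Event IDs an administrator has selected, and frames each one as an RFC 3164 syslog message ready to be pushed event by event to a collector such as MARS on UDP/514. The sample records, their field layout and the forwarding policy are constructed for this example.

```python
import socket

# Constructed sample records (field layout chosen for this example, not Snare's own).
SAMPLE_EVENTS = [
    {"time": "Jan 15 10:00:01", "host": "WKS01", "log": "Security", "event_id": 4624,
     "user": "jdoe", "msg": "An account was successfully logged on"},
    {"time": "Jan 15 10:00:07", "host": "WKS01", "log": "Security", "event_id": 4625,
     "user": "jdoe", "msg": "An account failed to log on"},
    {"time": "Jan 15 10:00:09", "host": "WKS01", "log": "Application", "event_id": 1000,
     "user": "-", "msg": "Faulting application notepad.exe"},
    {"time": "Jan 15 10:01:30", "host": "WKS01", "log": "Security", "event_id": 4720,
     "user": "admin", "msg": "A user account was created"},
]

# Administrator-defined objective: which Event IDs of which log get forwarded.
# Everything else stays on the host, which keeps load off the collector.
FORWARD_POLICY = {"Security": {4625, 4720}}

LOCAL0 = 16            # syslog facility used for forwarded Windows events
INFO, WARNING = 6, 4   # syslog severity codes

def select_events(events, policy=FORWARD_POLICY):
    """Keep only events whose (log, Event ID) pair is in the forwarding policy."""
    return [e for e in events if e["event_id"] in policy.get(e["log"], ())]

def to_syslog(event, facility=LOCAL0):
    """Frame one event as RFC 3164: <PRI>TIMESTAMP HOST TAG: CONTENT, PRI = facility*8 + severity."""
    # Logon failures and account creations get a higher severity than routine successes.
    severity = WARNING if event["event_id"] in (4625, 4720) else INFO
    pri = facility * 8 + severity
    content = f"user={event['user']} msg={event['msg']}"
    return f"<{pri}>{event['time']} {event['host']} {event['log']}[{event['event_id']}]: {content}".encode()

def forward(events, policy=FORWARD_POLICY, dest=None):
    """Push the selected events one at a time (the agent model) and return the frames.
    With dest=None nothing leaves the machine; pass e.g. ("mars.example.internal", 514) to send."""
    frames = [to_syslog(e) for e in select_events(events, policy)]
    if dest is not None:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            for frame in frames:
                sock.sendto(frame, dest)
    return frames

if __name__ == "__main__":
    for frame in forward(SAMPLE_EVENTS):
        print(frame.decode())
```

Run as-is it prints the two frames that pass the policy; the Application event and the successful logon are dropped on the host, which is the filtering the article attributes to the agent.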
One recommendation is to have all your Windows devices report to a DC/PDC and pull or push the domain event logs from there, so you are effectively collecting the information from one machine rather than several.
Using this model, you leverage Windows security policies to dictate what is sent to the MARS appliance. This is more scalable in terms of management and configuration.
Finally, in upcoming articles I'll show which events we should be logging, and how we can run reports and create rules on this information.