Information created by a team member- Dave Li--- all credit goes to him.
Please select the configuration type from the table below and follow the steps listed to configure your Vista/Windows2008 off-box Collector.
Collection Type | From Member Server using Basic Authentication and Local User Account | From Member Server using Kerberos Authentication and Domain User Account | From Domain Controller using Basic Authentication and Domain User Account | From Domain Controller using Kerberos Authentication and Domain User Account |
Steps in Order | 1 | 1 | 1 | 1 |
2 | 2 | 2 | 2 | |
3 | 3 | 3 | 3 | |
6 | 4 | 5 | 4 | |
7 | 5 | 7 | 5 | |
8 | 7 | 8 | 7 | |
9 | 8 | 9 | 8 | |
11 | 9 | 11 | 9 | |
12 | 10 | 12 | 10 | |
14 | 12 | 14 | 12 | |
15 | 14 | 15 | 13 | |
16 | 15 | 16 | 14 | |
| 16 |
| 15 | |
| 17 * |
| 16 | |
|
|
| 17 * | |
*: Only when above steps are not working as desired. | ||||
1. Make sure that all target servers and Collector machine have their time synchronized. And make sure that name resolution is working properly (either via DNS server or adding entries in hosts file)
2. Install the latest version of the SSIM Event Agent on the collector machine.
3. Install the MS Vista/2008 collector on the collector machine and run LiveUpdate during or after the installation process (It is very important to make sure you are using the newest version of the collector).
4. Disable Federal Information Processing Standard (FIPS) on the Agent (if you are using SSIM Event Agent 4.7.1 or later) by following this KB: http://www.symantec.com/docs/TECH158092 .
5. Create a Domain User account on the Domain Controller and set the password to not expire and disable the changing password feature. Add this Domain User Account to the local Event Log Readers group on the target Member Server. Or add this Domain User Account to Builtin\Event Log Readers group on the Domain Controller.
6. Create a local user account on the target server and set the password to not expire and disable the changing password feature. Add this account to Event Log Readers group on the target server.
7. Ensure that the Windows Firewall Service is running on the target server. After finish the configuration of WinRM you can turn off all Firewalls or disable the Windows Firewall Service.
8. Check if there are any existing WinRM listeners by running “winrm enumerate winrm/config/Listener”. If no result returned, create a new WinRM listener on the target server by running the command "winrm quickconfig" from a command prompt.
9. Configure the WinRM listener on the target server to permit the logs to be read using HTTP by running the command "winrm set winrm/config/service @{AllowUnencrypted="true"}" from a command prompt.
10. Configure the WinRM listener on the target server to use kerberos authentication by running the command "winrm set winrm/config/service/Auth @{Kerberos="true"}" and "winrm set winrm/config/service/Auth @{Basic="false"}" from a command prompt.
11. Configure the WinRM listener on the target server to use basic authentication by running the command "winrm set winrm/config/service/Auth @{Kerberos="false"}" and "winrm set winrm/config/service/Auth @{Basic="true"}" from a command prompt.
12. Check your WinRM configuration by running "winrm get winrm/config" from a command prompt. Review the Service section and all the settings you did through step 10 to 12 will be displayed here.
13. To allow the Network Service account to write the SPN entries on target server:
- On target server click on Start and go to Programs-> Administrative Tools and open the program ADSI Edit.
- In the menu of the ADSI Edit window click on Action and click "Connect to ...” which opens a window for the Connection Settings.
- In the ADSI Edit main window the Default naming context should show up now and when clicking on it the tree should be expandable.
- In the tree for the Active Directory Domain there should be an OU=Domain Controllers and in this Organizational Unit there should be a list of the Domain Controllers that exist in the domain.
- Right Click on the Domain Controller from which you want to collect Event Logs from and where the WinRM service is configured and running, and click on Properties.
- Go to Security and click on the Add button to add the Network service Account.
- After adding the Network Service account grants it permission to do a "Validated write to service principal name".
- Restart the WinRM service for the changes to take effect.
- Check the result by running setspn –L <hostname of the target server> on target server and you should see WSMAN/<hostname> and WSMAN/<hostname>.<fully qualified domain> is listed in the result.
14. Modify the security descriptor on the Windows Event Security Log on target server so that the "Network Service" has access to read the events from it:
- Run command "wevtutil gl security" from a command prompt, you will see something similar to the below screen shot.
- Use the Edit -> Mark command in the command prompt window to select the string after “channelAccess:”
- Run command "wevtutil sl security /ca:<string after “channelAccess”>(A;;0x1;;;NS)" from the command prompt (pasting the first portion of the string you copied above and adding the "(A;;0x1;;;NS)" portion to the end of the string, which is what permits the network service access to the security log). Press Enter.
- Run "wevtutil gl security" again from a command prompt and check the changes.
- If you need to collect other Logs, repeat this step for all types the logs, such as Application and/or System.
15. Configure the Windows Firewall on the target server to allow the WinRM service to be contacted via HTTP on port TCP 5985. This may not be required if you have the relevant Windows Firewall turned off, configure as required for your environment.
16. Log on to SSIM Client Console and Create a new MS Vista Collector configuration in the settings below:
- Monitored Host Name = server.domain.com (The FQDN of the target server you want to collect logs from.)
- Monitored Host Realm = domain.com (The name of the domain the target server belongs to. You can leave it blank if you are using Basic Authentication)
- Connection Port = 5985 (This is the HTTP port used by WinRM in Windows 2008 R2.)
- Connection Protocol = HTTP
- Monitored Host Account Name = The Domain or Local user account that you created earlier, do not prefix or append the domain name when specifying the account.
- Account Password = The password that you assigned to the account.
- Event Logs to Audit = As per your requirements (The collector can only retrieve the event logs of the Log Catalog you configured in step 15).
- Start Reading From = As per your requirements.
Save the sensor configuration and distribute to the agent, once this has been done you should start to see events from the agent in the SSIM console.
17. Configure the config.xml file for the collector to use specific encryption type:
- If there is a sensor has been configured, stop sensor by unchecking the checkbox besides the sensor name on SSIM Client Console, and click ‘Save’.
- Stop the Agent by running “<%Agent installation folder%>\agentmgmt.bat” and select option 10.
- Delete krb5.conf and krb5.properties located in “<%Agent installation folder%>\collectors\”
- Edit config.xml in “<%Agent installation folder%>\collectors\msvista\”
- Find<property name="props"> and add following property information:
<property name="props">
<props>
<prop key="EncryptionTypes">rc4-hmac</prop>
</props>
</property>
- Start the Agent by running “<%Agent installation folder%>\agentmgmt.bat”, and choose option 9
- Start the sensor by tick the check box of the sensor on SSIM console, and click ‘Save’.
- Verity the change by opening krb5.conf. The encryption type you chose will be contained.