RSAEvent Source Configuration Guide Microsoft Windows Eventing 6.

0 Web Services API

Last Modified: Wednesday, July 31, 2013 Event Source (Device) Product Information Vendor Event Source (Device) Supported Versions Additional Downloads
Microsoft Windows Windows Server 2008 R2, Windows Server 2008 and 2012
l

l l

RSA enVision Windows Eventing Deployment Overview Guide RSA_enVision_Windows_Eventing_ Collector_Service.exe v4.0SP3_WindowsEventing_ SharedMemory.exe RSA_enVision_winevent_config.vbs RSA_enVision_winevent_config.ps1

RSA Product Information 4.0 SP 3 and later Supported Version winevent_nic, 30 Event Source (Device) Type Windows 2008 Agentless Collector Collection method Host.Windows Event Source (Device) Class.Subclass

The Microsoft Windows Agentless Server event source works with the RSAenVision Windows Eventing Collector Service to collect messages from Windows Server 2008 and 2012 and send the message content to RSAenVision. This document contains the following information for the Microsoft Windows event source:
l l l l l l l l l

Benefits of the NICWindows Eventing Collector Related Documentation Audience Configuration Instructions Release Notes 20130731-180221 Release Notes 20130530-160915 Release Notes 20130501-153011 Release Notes 20110817-133744 Release Notes 20100902-144020

For details, see the RSA enVision Windows Eventing Collector Service Deployment Overview Guide .

Benefits of the NICWindows Eventing Collector

Microsoft has rewritten their Event Log service, to better focus on enterprise security. One of the key improvements is the ability to write XML-structured data to the event log, allowing the details of

Copyright 2012 EMC Corporation. All Rights Reserved.

RSAEvent Source

the events to be searched and filtered. Some of the advantages:

l l l

Abetter set of tools for discovering and resolving problems with mission-critical systems. Features that let support technicians collect events and traces from users' systems. Features that help your developers diagnose and fix bugs in deployed systems using traces sent by users.

To take advantage of this new API in Microsoft Windows Server 2008, RSAhas developed the NICWindows Eventing Collector.

Related Documentation
In addition to this document, the following information about the Windows Eventing Collector Service is available:
l

The RSA enVision Windows Eventing Collector Service Deployment Overview Guide provides information to help you plan and provision the Windows Eventing Collector Service within your networks and domains. The core enVision Help describes the installation and configuration of the Windows Eventing Collector Service.

Note: Before you install the Windows Eventing Collector Service, RSA strongly recommends that you read the RSA enVision Windows Eventing Collector Service Deployment Overview Guide .

Audience
The intended audience for these configuration instructions is Windows Administrators.

Microsoft Windows Eventing 6.0 Web Services API

RSAEvent Source

Microsoft Windows Agentless Server Configuration Instructions

Microsoft Windows Eventing 6.0 Web Services API

RSAEvent Source

You must install the Windows Eventing Collector Service. For details, see Configure Windows Event Sourcesin the enVision appliance Help. After you install the Windows Eventing Collector Service, perform the following tasks to configure Windows Server 2008: I. If you have Windows 2008 event sources that use non-English languages, you must download and install the English language packs for Windows 2008. Language packs are available as free downloads from Microsoft downloads site, http://www.microsoft.com/downloads. II. Create a User Account for the RSAenVision appliance III. Enable Windows Remote Management (WinRM) Enable Windows Remote Management Service (WinRM) on the Windows server to allow the Windows Eventing Collector Service to collect events. You can enable Windows Remote Management Service using a nonsecure connection (HTTP) or using a secure connection (HTTPS):
l l

Enable Windows Remote Management over HTTP Enable Windows Remote Management over HTTPS

You can automate many of the tasks described in this document. For example, you could use a Group Policy object (GPO) to execute a startup script or use a utility such as PSExec to run some of the commands on multiple event sources without having to manually log on to each one. After you configure your event sources, you must configure the Eventing Collector Service. For details, see Configure Windows Event Sourcesin the enVision appliance Help.

Microsoft Windows Eventing 6.0 Web Services API

RSAEvent Source

Enable Windows Remote Management over HTTP

If you want to use the RSA enVision appliance to collect events from multiple Windows servers, you can use a Group Policy object or manual methods to deploy remote management to your servers over HTTP. This section describes how to deploy WinRMover HTTP. It describes how to enable listeners on each event source from a central location and provides the following information:
l l l

An example of how to use a Group Policy object to enable listeners How to Use VB and PowerShell scripts to enable listeners Instructions on manually enabling listeners, which you can perform or script

Use any one of these procedures to enable Windows Remote Management over HTTP.

Use a Group Policy Object to Enable Windows Remote Management over HTTP
If you have a domain controller, you can use a Group Policy object to configure multiple Windows Server 2008 event sources. Note: The following instructions are general. For detailed steps, see the Microsoft documentation.
To configure unsecured communication using a Group Policy object:

1. To open the Group Policy Management Console on the domain controller, click Start > Administrative Tools >Group Policy Management, and, in the left-hand tree, browse to the Group Policy Objects folder for your domain. 2. Create a new Group Policy object, for example, enVision appliance Collection Policy.

Enable Windows Remote Management over HTTP

RSAEvent Source

3. To edit the new Group Policy object, follow these steps: a. Right-click the newly created Group Policy object, and click Edit.

b. Expand Computer Configuration >Policies > Administrative Templates > Windows Components, Windows Remote Management (WinRM), and click WinRMService .

Enable Windows Remote Management over HTTP

RSAEvent Source

c. In the right-hand pane, double-click Allow automatic configuration for listeners to open the Properties dialog box. Select Enabled, and, in both the IPv4 filters and IPv6 filters fields,type *.

d. Click Next Setting twice, and, in the Allow unencrypted traffic Properties dialog box, select Enabled.

Enable Windows Remote Management over HTTP

RSAEvent Source

e. Click OK. 4. To allow the WinRM service access to the Security log channel, follow these steps: Note: The WinRM service requires explicit access to read events from the Security log channel. Access to Windows log channels are controlled using Security Descriptor Definition Language (SDDL) strings. For the WinRM service to gain read access, you must append the string (A;;0x1;;;s-1-5-20) to the existing SDDL strings for the Security channel. a. Without closing the Group Policy Management Editor window, click Start > Run, and type cmd. b. To obtain the existing SDDL string from the domain controller, type:
wevtutil gl Security

c. Copy the channelAccess string into the clipboard.

Enable Windows Remote Management over HTTP

RSAEvent Source

d. In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Windows Component. e. In the right-hand pane, double-click Event Log Service .

f. In the right-hand pane, expand Security in the left-hand pane, and double-click Log Access.

Enable Windows Remote Management over HTTP

RSAEvent Source

g. Select Enabled, and, in the Log Access field, paste the security SDDL string that you copied in step 4c, and append the following string: (A;;0x1;;;S-1-5-20) Note: By appending the string to the existing SDDL string, you gain read access to the Security log channel, and avoid overwriting your existing settings.

h. Click OK. 5. To create a new firewall rule, follow these steps: 10 Enable Windows Remote Management over HTTP

RSAEvent Source

Note: This procedure is an example for Windows Firewall. If your organization uses another firewall, see the vendor documentation or your security officer for instructions. a. Expand Computer Configuration > Policies >Windows Settings > Security Settings > Windows Firewall with Advanced Security.

b. Expand Windows Firewall with Advanced Security, right-click Inbound Rules, and select New Rule to open the New Inbound Rule Wizard.

Enable Windows Remote Management over HTTP

11

RSAEvent Source

c. Create a new firewall rule to allow WinRM traffic into event sources.

12

Enable Windows Remote Management over HTTP

RSAEvent Source

d. Select TCP, and, in the Specific local ports field, enter the port numbers, separated by commas, for which you want to add the firewall rule. By default, depending on the event source, the WinRM service uses the following ports to enable collection using Windows Eventing Collector Service:
l l l l

Windows Server 2008 over HTTP at port number 80 Windows Server 2008 over HTTPS at port number 443 Windows Server 2008 R2 over HTTP at port number 5985 Windows Server 2008 R2 over HTTPS at port number 5986

Note: Because your domain controller can manage Windows Server 2008 or Windows Server 2008 R2 hosts, the following figures show creation of a generic firewall rule that includes the ports 80, 443, 5985, and 5986. If your environment has no Windows Server 2008 R2 hosts, do not open the ports 5985 and 5986. Similarly, in an environment with no Windows Server 2008 hosts, do not open the ports 80 and 443.

e. Select Allow the connection.

Enable Windows Remote Management over HTTP

13

RSAEvent Source

f. On the Profile page, clear Public . You do not need to open the ports for the public domain.

14

Enable Windows Remote Management over HTTP

RSAEvent Source

Note: Specify an appropriate name for your firewall rule. g. Specify an appropriate name for your firewall rule.

h. Click Finish, and close the Group Policy Management Editor window. 6. To link the Group Policy object to the domain, follow these steps: a. Right-click the domain, and click Link an Existing GPO.

b. Select the Group Policy object that you created.

Enable Windows Remote Management over HTTP

15

RSAEvent Source

A window similar to the following figure opens.

7. To enable and update the policy for all the hosts from which you want to collect events, do one of the following:
l l

Run gpupdate on the individual event sources. Wait for the Group Policy update to happen automatically on the hosts.

Manually Enable Windows Remote Management over HTTP

You can configure the WinRM service on the event source in one of the following ways:
l l

Use a Script to Enable WinRM over HTTP Manually Enable WinRM over HTTP using Windows Commands

16

Enable Windows Remote Management over HTTP

RSAEvent Source

Note: To execute either of the scripts or the manual procedure, you must use an account with Administrator privileges.

Use a Script to Enable WinRM over HTTP

RSAprovides Visual Basic and Windows PowerShell scripts to configure Windows Remote Management over HTTP. These scripts run the manual steps in an automated manner. The scripts perform the following high-level tasks in the order given:
l l l l l

Enable Windows Remote Management Service Create WinRM listener ports for HTTP Create inbound firewall ports for HTTP Allow unencrypted communication, if using HTTP transport Set read access on the Security log channel

Note: The scripts are created for an environment that uses Windows Firewall. If your organization uses another firewall, edit the scripts as needed. Follow the appropriate procedure for your environment.
To configure WinRM over HTTPusing the VB Script:

1. Open a command prompt, and change directories to the directory where the VB script resides. 2. Run the following command:
cscript RSA_enVision_winevent_config.vbs http To configure WinRM over HTTPusing the PowerShell Script:

Note: Windows PowerShell is installed by default on Windows 2008 R2. For Windows 2008 Service Pack 2, you must install PowerShell 2.0. 1. Open the elevated PowerShell command prompt. 2. Type:
set-executionpolicy unrestricted -scope process

3. Change directories to the directory where the PowerShell script resides. 4. Type:
& '.\RSA_enVision_winevent_config.ps1'

and press ENTER. Note: If you receive a "Security Warning" message that prompts you to continue further, select Run once , and proceed with the script execution.

Enable Windows Remote Management over HTTP

17

RSAEvent Source

5. When prompted, press 1 to run the HTTP script. 6. When prompted, press Y, and press ENTER.

Manually Enable WinRM over HTTP Using Windows Commands

The VB and PowerShell scripts are examples. You can automate these manual steps in the scripting language of your choice.
To enable Windows Remote Management Service over HTTP:

1. On the Windows server, open a command prompt, and type:

winrm quickconfig

When prompted to make changes, press Y. Note: This built-in Windows command performs the following actions: 1. Starts the Window Remote Management Service 2. Creates a listener port for HTTP transport 3. Opens the firewall ports for HTTP transport If you are using a firewall other than Windows Firewall, you must open the firewall ports for HTTP manually. 2. To allow HTTP requests, change the default winrm setting for the AllowUnencrypted parameter, from false to true . Type:
winrm set winrm/config/service @{AllowUnencrypted="true"}

Note: This command allows the client to request unencrypted traffic. By default, the client requires encrypted network traffic. 3. To enable collection from the Security channel, do one of the following: Note: This step allows the service account read permission to the Security event log. If this permission is not set, the Windows Eventing Collector Service will not be able to collect events from the Security channel.
l

Add the NETWORK SERVICE local user account to the Event Log Readers group, and restart the Windows server. To enable read access to the Security event log, while avoiding overwriting any existing Security channel settings, follow these steps: Note: The WinRM service requires explicit access to read events from the Security log channel. Access to Windows log channels are controlled using Security Descriptor Definition Language (SDDL) strings. For the WinRM service to gain read access, you must append the string (A;;0x1;;;s-1-5-20) to the existing SDDL strings for the Security channel.

18

Enable Windows Remote Management over HTTP

RSAEvent Source

a. Open a command prompt, and type:

wevtutil gl security

b. Select and copy the existing SDDL string from the channelAccess parameter. The following figure shows an example.

c. Execute the command below by pasting the copied string from the above step, and appending with the string, (A;;0x1;;;S-1-5-20)
wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-20)

where existing-SDDL-string is the string that you copied in step b. The following figure shows an example.

Enable Windows Remote Management over HTTP

19

RSAEvent Source

Enable Windows Remote Management over HTTPS

If you want to use RSA enVision to monitor multiple Windows servers, you can use PSExec, PowerShell Remoting, or manual methods to deploy remote management to your servers over HTTPS. This section describes how to enable listeners on each event source from a central location. Before performing the tasks described in this section, make sure that you have already established an SSLconnection. If not, see the RSAenVision Windows Eventing Collector Service Deployment Overview Guide for details. The following procedures describe how to enable Windows Remote Management over HTTPS:
l

Automatically Enable Windows Remote Management over HTTPS: Describes how to enable WinRM once, from a central location, for all of your Windows 2008 Server event sources. RSAprovides scripting examples using PowerShell and VB. Manually Enable Windows Remote Management over HTTPS: Describes the steps that you must perform on each event source. You can run the commands as described or use them to create your own scripts.

Automatically Enable Windows Remote Management over HTTPS

To automatically enable Windows Remote Management over HTTPS, perform the following tasks: I. Provision an SSL Certificate II. Extract the thumbprint of the certificate III. Automatically configure WinRM over HTTPS

Provision an SSL Certificate

Before you can configure a WinRM listener to establish communication over HTTPS, you must provision an SSL certificate to the Windows Server 2008 from which you will collect events.
To provision an SSLcertificate:

Depending on whether you want to use a certification authority (CA) to issue the SSL certificate, do one of the following:
l

If you want to use a CA to issue the SSL certificate, follow these steps: 1. If you do not already have a CA, deploy a Microsoft Certification Authority within the domain in which the enVision Windows Eventing Collector Service is installed, or purchase a third-party certification authority tool, such as Verisign or Thales. 2. Use a central management tool, such as Microsoft Identity Lifecycle Manager (ILM), to issue an SSL certificate to the WinRM service running on each of the Windows servers from which the Windows Eventing Collector Service will collect events.

If you do not want to use a CA to issue the SSL certificate, create a self-signed certificate for the WinRM service running on the Windows server from which the Windows Eventing Collector Service will collect events.

20

Enable Windows Remote Management over HTTPS

RSAEvent Source

For details, see Chapter 7, SSL Connection to Windows Event Sources, in the RSA enVision Windows Eventing Collector Service Deployment Overview Guide .

Extract the Thumbprint of the Certificate

To configure WinRM over HTTPS, you need to have available the thumbprint of the certificate.
To extract the thumbprint of the certificate:

1. To install the Certificates Snap-in, follow these steps: a. On the event source, click Start > Run, type mmc , and click OK. b. Click File > Add/Remove Snap-in. c. Select Certificates, and click Add. d. Select Computer Account, and click Next. e. Select Local Computer , and click Finish. f. Click OK to return to the Console Root dialog box. g. Expand Certificates (Local Computer). 2. Expand Personal, and click Certificates. 3. Double-click the SSL certificate that you provisioned. 4. On the Details tab, in the list of fields, scroll down to Thumbprint, select the thumbprint, and copy the value.

Automatically Enable Windows Remote Management over HTTPS

Note: This section assumes that you have provisioned the SSLcertificate or certificates. RSAprovides Visual Basic and Windows PowerShell scripts to configure Windows Remote Management over HTTPS. These scripts help in running the manual steps in an automated manner. Following are the high level tasks carried out by the scripts: A. Enable WinRM service B. Create WinRM listener ports for HTTPS C. Create inbound firewall ports for HTTPS D. Sets read access on the Security log channel Note: The scripts are created for an environment using Windows Firewall. If your organization uses another firewall, edit the scripts accordingly.

Enable Windows Remote Management over HTTPS

21

RSAEvent Source

To automatically configure WinRM over HTTPSusing the VB Script:

1. Open a command prompt, and change directories to the directory where the VB script resides. 2. Type:
cscript RSA_enVision_winevent_config.vbshttpsCN "thumbprint"

where:
l l

CN is the common name of the certificate. thumbprint is the thumbprint of the corresponding certificate, wrapped in quotes. For information on how to extract the thumbprint of the certificate, see Extract the thumbprint of the certificate .

To automatically configure WinRM over HTTPSusing the PowerShell Script:

Note: Windows PowerShell is installed by default on Windows Server 2008 R2. For Windows Server 2008 Service Pack 2, you must install PowerShell 2.0. 1. Open the elevated PowerShell command prompt. 2. Type:
set-executionpolicy unrestricted -scope process

3. Change directories to the directory where the PowerShell script resides. 4. Type:
& '.\RSA_enVision_winevent_config.ps1'

and press ENTER. Note: If you receive a "Security Warning" message that prompts you to continue further, select Run once , and proceed with the script execution. 5. When prompted, press 2 to run the HTTPS script. 6. Depending on how many certificates the script finds, do one of the following:
l l

If one certificate is found, press Y, and press ENTER. If more than one certificate is found, press the number corresponding to the certificate with which to configure the HTTPS listener, and press ENTER.

Manually Enable Windows Remote Management over HTTPS

To enable Windows Remote Management over HTTPS, perform the following tasks: I. Configure Windows Remote Management over HTTPS II. Import the Root Certificate to RSA enVision. For information, see the appendices of the RSA enVision Windows Eventing Collector Service Deployment Overview Guide .

22

Enable Windows Remote Management over HTTPS

RSAEvent Source

Configure WinRM over HTTPS

You can manually enable WinRM or create a script that runs these commands.
To enable Windows Remote Management Service over HTTPS:

1. On the Windows server, open a command prompt, and type:

winrm quickconfig

When prompted to make changes, press Y. Note: This built-in Windows command performs the following actions: 1. Starts the Window Remote Management Service 2. Creates a listener port for HTTP transport 3. Opens the firewall ports for HTTP transport If you are using a firewall other than Windows Firewall, you must open the firewall ports for HTTP manually. 2. To enable collection from the Security channel, do one of the following: Note: This step allows the service account read permission to the Security event log. If this permission is not set, the Windows Eventing Collector Service will not be able to collect events from the Security channel.
l

Add the NETWORK SERVICE local user account to the Event Log Readers group, and restart the Windows server. To enable read access to the Security event log, while avoiding overwriting any existing Security channel settings, follow these steps: Note: The WinRM service requires explicit access to read events from the Security log channel. Access to Windows log channels are controlled using Security Descriptor Definition Language (SDDL) strings. For the WinRM service to gain read access, you must append the string (A;;0x1;;;s-1-5-20) to the existing SDDL strings for the Security channel. a. Open a command prompt, and type:
wevtutil gl security

b. Select and copy the existing SDDL string from the channelAccess parameter. The following figure shows an example.

Enable Windows Remote Management over HTTPS

23

RSAEvent Source

c. Execute the command below by pasting the copied string from the above step, and appending with the string, (A;;0x1;;;S-1-5-20)
wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-20)

where existing-SDDL-string is the string that you copied in step b. The following figure shows an example.

3. On the Windows server, follow these steps to enable event collection over a secure connection: a. Obtain an SSL certificate for the event source. Note: Keep the certificate thumbprint available, as you need it for the next step. b. On the event source, to create an HTTPS listener, to enable event collection over the Secure channel, open a command prompt, and type:
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="hostname";CertificateThumbprint="thumbprint"}

24

Enable Windows Remote Management over HTTPS

RSAEvent Source

For information on how to extract the thumbprint of the certificate, see Extract the thumbprint of the certificate . Note: If you copy this command, be sure to paste it and run it as a single line. Also, if you copy the command, make sure that there is a space between HTTPS and @. c. Open the firewall port for the HTTPS transport by adding a new firewall Incoming rule that allows the WinRM ports. Follow these steps: i. Click Start > Administrative Tools to launch Server Manager. ii. Expand Server Manager > Configuration > Windows Firewall with Advanced Security > Inbound Rules. iii. Right-click on Inbound Rules, and select New Rule . iv. In the New Inbound Rule Wizard, select Port for the Rule Type , and click Next. v. On the Protocol and Ports page, ensure that TCP is selected, and in the Specific local ports field, enter the port number for WinRM over HTTPS. For example, the default ports are 443 on Windows Server 2008 hosts and 5986 on Windows Server 2008 R2 hosts. vi. On the Action page, click Next. vii. On the Profile page, click Next. viii. Specify a name for the rule, for example, Open ports for WinRM over HTTPS, and click Finish.

Enable Windows Remote Management over HTTPS

25

RSAEvent Source

Set Up a User Account for RSAenVision

RSA recommends that the user account that the Windows Eventing Collector Service uses to authenticate to the event source have only enough privileges to allow event collection. Perform the following tasks to set up a "least privileged" account: I. Create a non-Administrator user account for enVision II. Add the user account to the Event Log Readers local user group III. Assign privileges and enable remote access Note: This section describes one way to create the user account. However, you can automate this procedure. For more information, see your Microsoft Windows Server 2008 documentation.

Create a non-Administrator User Account for enVision

If your event source is a part of a Windows domain, you must create this user account on the domain controller. If the event sources are not part of any domain, you must create this user account on each of the individual event sources.
To create a non-administrator user account for enVision:

1. On the event source, click Start >Administrative Tools > Server Manager to open the Server Manager console. 2. Use Server Manager to create a new user account with the following parameters.
Field User name envision Full name Enter a full name for the user account. Enter a description of the user account, for Descrip- example, tion Account for remote collection of events in RSAenVision. RSArecommends using a random password generator such as PasswordSafe or http://strEnter a strong password, and select User cannot ongpasswordgenerator.com/ to Password change password and Password never expires. generate a strong password. After you have configured event collection, no one ever needs to enter the password manually. Description Enter a user name for the account, for example, Notes

26

Set Up a User Account for RSAenVision

RSAEvent Source

Add the User Account to the Event Log Readers Local User Group
This group is a special-purpose user group created for accounts that are permitted only to read the events generated on a Windows machine. Perform these steps on all of the event sources from which you will be collecting events.
To add the user account to the Event Log Readers local user group:

1. Click Start > Administrative Tools > Server Manager . 2. Click Configuration > Local Users and Groups > Groups. 3. Double-click the Event Log Readers group. 4. Click Add, and add the user account that you created for enVision. 5. Click OK twice, and close the Server Manager console. Provide the user name and password of this account when you are configuring the Windows Eventing Collector Service in enVision.

Assign Privileges and Enable Remote Access

Perform these steps on all of the event sources from which you will be collecting events.
To assign privileges and enable remote access:

1. Assign privileges to the user account as follows: a. Open a command prompt, and type:
winrm configsddl wmi

Note: On Windows Server 2008 SP2, type winrm configsddl. Do not use the wmi parameter.

Set Up a User Account for RSAenVision

27

RSAEvent Source

b. Grant Read permission to the user account.

2. Enable remote access to the Windows Management Infrastructure(WMI) resources Win32UTCTime and Win32_AccountSID, using the WMI Management console. Follow these steps: a. Open a command prompt, and type:
wmimgmt

b. In the Security tab, select CIMV2, and click Security. c. Add the user account to the list of groups and users.

28

Set Up a User Account for RSAenVision

RSAEvent Source

d. Grant the Enable Account and Remote Enable permissions to the user account.

Microsoft Windows Release Notes (20130731-180221) New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20130530-160915) New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20130501-153011) What's New in This Release

RSA has added support for Windows Server 2012.

Microsoft Windows Release Notes (20110817-133744)

Set Up a User Account for RSAenVision

29

RSAEvent Source

What's New in This Release

Customers using RSAenVision 4.1 must upgrade to the latest version of the Windows Eventing Collector Service. The updated version of the Collector Service runs on RSAenVision 4.0 and 4.1. Important: When installing the updated Collector Service, you are asked for the NIC_System password. This value must match the password that was used when you installed RSAenVision.

Microsoft Windows Release Notes (20100902-144020) What's New in This Release

RSA has added support for Windows 2008 Agentless collection for Microsoft Windows. Note: For Windows 2008 event sources that use non-English languages, you must download and install the English language packs for Windows 2008. Language packs are available as free downloads from Microsoft downloads site, http://www.microsoft.com/downloads. You can use the Windows Eventing Collector Service to collect events from event sources that use the Windows Eventing mechanism. The Windows Eventing Collector Service captures the events as well as the metadata of the events from the event channels. Using the Windows Eventing Collector Service, you can subscribe to specific events based on your requirements. Note: Before installing the Windows Eventing Collector Service, install the Event Source Updates of July 2010 or later.

Collection from Multiple Event Sources

A single instance of the Windows Eventing Collector Service can collect events from many event sources. RSAhas tested collection with 400 Windows event sources.

Support for Authenticated Event Retrieval

The Windows Eventing Collector Service can authenticate with the Windows event source using either the Negotiate or Basic method of authentication.

Support for Adaptive Polling

The Windows Eventing Collector Service can be configured to adapt its polling interval based on the number of events collected from the Windows event source.

Support for Bulk Addition of Event Sources

You can add multiple event sources at one time.

Dynamic Configuration Updates

The Windows Eventing Collector Service monitors the configuration changes and re-initializes itself as required. You do not have to restart the service after each configuration update.

30

Set Up a User Account for RSAenVision

RSAEvent Source

Known Issues
This section describes issues that remain unresolved in this release. Wherever a workaround or fix is available, it has been noted or referenced in detail.

The Windows Eventing Collector Service is not listed in the RSA enVision user interface
Tracking Number: ENV-33669 Problem: After you install the Windows Eventing Collector Service, the service is not listed on the Manage Services window (Overview > System Configuration > Services > Manage Services). You cannot manage the Windows Eventing Collector Service using the Manage Services window. Workaround: Use Microsoft Management Console to start and stop the service. Use the Configuration utility to change the configuration settings of the Windows Eventing Collector Service. For information about the Configuration utility, see the RSA enVision Help.

SSL Configuration Is Shared Between Services

Tracking Number: ENV-35388 Problem: The problem occurs on Windows Server 2008 event sources that have Internet Information Server (IIS) configured with SSL. When you run the automated VB script (to set up the HTTPS Listener Service), you receive the following error: HTTPS listener can't be created. Please check the certificate or the arguments you have provided or use the manual process for creating WinRM listener for HTTPS. When you run the manual WinRM command to set up the HTTPS Listener Service, you receive the following error: The WinRM client cannot process the request. The CertificateThumbprint property must be empty when the SSL configuration will be shared with another service. Workaround: Run the winrm command with the CertificateThumbprint parameter empty:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=hostname;CertificateThumbprint=""}

Set Up a User Account for RSAenVision

31