The Windows Host Wizard connects to Active Directory to find Windows systems on the domain. Eligible systems returned by the scan can be selected for remote log collection. Correctly defined permissions are essential to identify systems and collect logs.
The wizard can only scan domains that have the Include in Scan option selected in the domain properties under Windows Host Wizard. For more information, see Configure Initial Host Settings (Domain, Entity, and Log Source Types).
Requirements for Scanning
The Remote Registry service on Agent-less systems must be started for machines to be identified in the scan.
The user logged in to the machine where the scan is taking place must be a domain user on the domain being scanned or the scan will fail to run.
Requirements for Firewall Settings
If firewalls are used on systems in your network:
- To allow for remote log collection, an exception for port 443 must be added to the Windows Firewall settings on the Agent-less systems.
- The Client Console machine should also have an exception for port 443.
To allow the host machine to be identified, the Remote Admin exception must be added to the Windows Firewall settings on the Agent-less systems. If it does not appear in the list of Programs and Services on the Exceptions tab of Windows Firewall, add it from a command prompt by typing the following command:

netsh firewall set service remoteadmin enable

To confirm it is enabled, type the following:

netsh firewall show state

The netsh firewall context is the legacy interface (Windows XP/2003 and Vista/2008); netsh firewall show service lists the enabled service exceptions directly. On Windows 7/2008 R2 and later the firewall context is deprecated and the same exception is enabled with the advfirewall context:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
Requirements for Remote Collection
To collect logs remotely from another system, the collecting Agent’s service must be running under an account that is in the Event Log Readers group. For more information, refer to the LogRhythm Guide: Least-Privileged User.
Requirements for Security Event Logs
The user running the scan must have administrator privileges on the system running the Client Console and on the domain systems from which logs will be collected. This can be achieved by granting a domain user local Administrator rights on each target system, or by using an account with Domain Admins privileges; the per-system local Administrator grant is the narrower of the two.
Any other settings on the systems related to firewall, permissions, or security may impact scanning, identification, or collection of event logs.
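The requirements above (Remote Registry running, port 443 open, the Remote Administration firewall group enabled, the collecting Agent's account in Event Log Readers, and the scanning user being a domain user with rights to read the Security log) can be checked before running the wizard. The script below is an added example, not LogRhythm code, written for Windows PowerShell 5.1 on the machine where the scan will take place. The host names in $Targets and the account in $CollectorAccount are constructed placeholders. Two checks (firewall rule group and group membership) reach into the target: the firewall check uses Invoke-Command and therefore assumes WinRM is reachable on the targets, which the page does not require; drop that check if WinRM is not available. Everything else uses the same RPC/SMB paths the wizard itself relies on.

```powershell
<#
  Added example (not LogRhythm code): pre-flight check of the Windows Host
  Wizard prerequisites, run from the machine where the scan will take place.
  Assumptions not from the original page: $Targets and $CollectorAccount are
  constructed placeholders; the firewall check needs WinRM on the targets.
#>
param(
    [string[]]$Targets = @('agentless01.corp.example', 'agentless02.corp.example'),
    [string]$CollectorAccount = 'CORP\svc-lrcollector'
)

# The scan must run as a domain user; a local account has USERDOMAIN == COMPUTERNAME.
if ($env:USERDOMAIN -eq $env:COMPUTERNAME) {
    throw "Run this as a domain user, not the local account $env:USERNAME."
}

$results = foreach ($t in $Targets) {
    $r = [ordered]@{ Host = $t }

    # 1. Remote Registry must be running or the scan will not identify the host.
    try {
        $r.RemoteRegistry = (Get-Service -ComputerName $t -Name RemoteRegistry -ErrorAction Stop).Status
    } catch { $r.RemoteRegistry = 'unreachable' }

    # 2. Port 443 exception for remote log collection: test the TCP path end to end.
    $r.Port443Open = (Test-NetConnection -ComputerName $t -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. Remote Administration rule group enabled on the target (the advfirewall
    #    equivalent of "netsh firewall set service remoteadmin enable"). Needs WinRM.
    try {
        $enabled = Invoke-Command -ComputerName $t -ErrorAction Stop -ScriptBlock {
            Get-NetFirewallRule -DisplayGroup 'Remote Administration' |
                ForEach-Object { "$($_.Enabled)" }
        }
        $r.RemoteAdminRules = ($enabled -contains 'True')
    } catch { $r.RemoteAdminRules = 'unknown' }

    # 4. Collector service account is a direct member of the target's local
    #    Event Log Readers group (nested domain-group membership is not resolved).
    try {
        $grp = [ADSI]"WinNT://$t/Event Log Readers,group"
        $members = @($grp.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        $wanted = 'WinNT://' + ($CollectorAccount -replace '\\', '/')
        $r.EventLogReaders = ($members -contains $wanted)
    } catch { $r.EventLogReaders = 'unknown' }

    # 5. Prove the Security log is readable remotely with the current credentials;
    #    this fails without Event Log Readers membership or admin rights on the target.
    try {
        $null = Get-WinEvent -ComputerName $t -LogName Security -MaxEvents 1 -ErrorAction Stop
        $r.SecurityLogRead = $true
    } catch { $r.SecurityLogRead = $false }

    [pscustomobject]$r
}

$results | Format-Table -AutoSize
```

A row with RemoteRegistry not equal to Running, Port443Open false, or SecurityLogRead false points at the specific requirement that will make the wizard skip or fail on that host; 'unknown' in the two remote checks means the check itself could not run, not that the setting is wrong.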
Allowable Platforms for Remote Log Collection
The following is a table of the allowable combinations for collection setup. The table provides the following parameters:
- Agent Operating System. Operating system of the machine where the agent is installed.
- Log Message Source Host. Machine from which the MS Event Logs will be collected.
- Log Message Source Type. Log Message Source Type selected for the Log Message Source Host.
- Local Event Log Collection Allowed? Whether the agent can collect the Log Message Source locally.
- Remote Event Log Collection Allowed? Whether the agent can collect the Log Message Source remotely.
| Agent Operating System | Log Message Source Host | Log Message Source Type | Local Event Log Collection Allowed? | Remote Event Log Collection Allowed? |
|---|---|---|---|---|
| XP/2003 | 2000 | MS Event Log for XP/2000/2003 | n/a | Yes |
| XP/2003 | XP/2003 | MS Event Log for XP/2000/2003 | Yes | Yes |
| XP/2003 | 2008/Vista | MS Windows Event Logging | n/a | No |
| XP/2003 | Win7/2008R2 | MS Windows Event Logging | n/a | No |
| XP/2003 | Win8/2012 | MS Windows Event Logging | n/a | No |
| 2008 | 2000 | MS Event Log for XP/2000/2003 | n/a | Yes |
| 2008 | XP/2003 | MS Event Log for XP/2000/2003 | n/a | Yes |
| 2008 | 2008/Vista | MS Windows Event Logging | Yes | Yes |
| 2008 | Win7/2008R2 | MS Windows Event Logging | n/a | Yes |
| 2008 | Win8/2012 | MS Windows Event Logging | n/a | Yes |
| Win7/2008R2 | 2000 | MS Event Log for XP/2000/2003 | n/a | Yes |
| Win7/2008R2 | XP/2003 | MS Event Log for XP/2000/2003 | n/a | Yes |
| Win7/2008R2 | 2008/Vista | MS Windows Event Logging | n/a | Yes |
| Win7/2008R2 | Win7/2008R2 | MS Windows Event Logging | Yes | Yes |
| Win7/2008R2 | Win8/2012 | MS Windows Event Logging | n/a | Yes |
| Win8/2012 | 2000 | MS Event Log for XP/2000/2003 | n/a | Yes |
| Win8/2012 | XP/2003 | MS Event Log for XP/2000/2003 | n/a | Yes |
| Win8/2012 | 2008/Vista | MS Windows Event Logging | n/a | Yes |
| Win8/2012 | Win7/2008R2 | MS Windows Event Logging | n/a | Yes |
| Win8/2012 | Win8/2012 | MS Windows Event Logging | Yes | Yes |