Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
During a deployment, the first step is to configure the initial settings of the domains, entities, and log source types that will be used during scanning. The configuration is saved so the wizard does not need to be configured each time.
- On the main toolbar, click Deployment Manager.
- On the Tools menu, click Administration, and then click Windows Host Wizard.
The Windows Host Wizard appears.
- The first time the Windows Host Wizard opens, the Settings dialog box opens automatically. On subsequent occasions, click Settings.
The Settings window appears with the Domains tab.
- From the context menu, select New to specify a new domain to include in the scans.
- Enter the New Domain Properties as directed.
  - Domain Name. A required field.
  - Organizational Unit. An optional field.
  - User Name and Password. Can be used to provide alternate credentials. Otherwise, the login account will be used for authentication by Active Directory. These credentials apply only to Scan Domains. They are not used by Query Computers.
  - Include in Scan. Check box selected by default.
  - Default LogRhythm Entity. A required field.
  - Scan Sub Units. An optional field. When selected, all OUs below the one specified in Organizational Unit are scanned recursively.
  - Include in Active Directory Synchronization. This check box is unavailable.
  - Include in Active Directory Group Based Authorization. This check box is unavailable.
  - Brief Description. An optional field.
- To validate the domain using Active Directory and refresh the domain details, click the Details tab and click Validate.
- Click OK.
- On the Domains tab, review the domains to be scanned and select or clear the check box in the Include In Scan column, if necessary. At least one domain must be selected to scan the domains for computers.
- Click OK.
- Click the Log Source Types tab.
- Select the types of log sources to detect when scanning and querying hosts. To select or clear all log source types, right-click and select Check All or Uncheck All.
The Security, Sysmon, and System Legacy Windows Event log source types cannot be selected on this step. Those log source types can be added after the Windows Host Wizard scans in new hosts, if needed.
- To modify the properties of an individual log source, highlight the log source, and then click Properties.
- Change the MPE Processing Mode and MPE Policy, if necessary.
- To begin log collection at the beginning of the log, select the Start Collection from the beginning of the log check box.
Batch editing of properties is not permitted.
- Click OK.