Windows Host Wizard

The Windows Host Wizard connects to Active Directory to find Windows systems on the domain. Eligible systems returned by the scan can be selected for remote log collection. Correctly defined permissions are essential to identify systems and collect logs.

The wizard can only scan domains that have the Include in Scan option selected in the domain properties under Windows Host Wizard. For more information, see Configure Initial Host Settings (Domain, Entity, and Log Source Types).

Requirements for Scanning

The Remote Registry service on Agent-less systems must be started for machines to be identified in the scan.

The user logged in to the machine where the scan is taking place must be a domain user on the domain being scanned or the scan will fail to run.

Requirements for Firewall Settings

If firewalls are used on systems in your network:

  • To allow for remote log collection, an exception for port 443 must be added to the Windows Firewall settings on the Agent-less systems.

  • The Client Console machine should also have an exception for port 443.

  • To allow the host machine to be identified, the Remote Admin exception must be added to the Windows Firewall settings on the Agent-less systems. If it does not appear in the list of Programs and Services on the Exceptions tab of Windows Firewall, add it from a command prompt by typing the following command:

    netsh firewall set service remoteadmin enable

    To confirm it is enabled, type the following:

    netsh firewall show state

Requirements for Remote Collection

To collect logs remotely from another system, the collecting Agent’s service must be running under an account that is in the Event Log Readers group. For more information, refer to the LogRhythm Guide: Least-Privileged User.

Requirements for Security Event Logs

The user running the scan must have administrator privileges on the system that is running the Client Console and for the systems on the domain from which logs will be collected. This can be achieved by setting up local users with Administrator rights or by using users with domain administrator privileges.

Miscellaneous Requirements

Any other settings on the systems related to firewall, permissions, or security may impact scanning, identification, or collection of event logs.
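The following pre-flight script is an added example, not code from the LogRhythm documentation; it checks the scan, firewall and remote-collection requirements above on a Windows host. It assumes an elevated session on Windows 8/2012 or later (NetSecurity and LocalAccounts modules present), English firewall group names, that the port 443 exception is an inbound TCP allow rule, and that the -ServiceAccount placeholder is replaced with the account the collecting Agent service runs as.

```powershell
<#
 Added pre-flight check; not code from the LogRhythm documentation. Verifies the
 scan, firewall and remote-collection prerequisites on the local machine.
 Assumptions: elevated session on Windows 8/2012 or later, English firewall
 group names, port 443 exception is an inbound TCP allow rule, and
 -ServiceAccount is the collecting Agent's service account (placeholder).
#>
param(
    [string]$ServiceAccount = 'DOMAIN\svc_agent'   # placeholder, replace it
)

$checks = [ordered]@{}

# Remote Registry must be running or the scan will not identify this host.
$svc = Get-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue
$checks['RemoteRegistry service running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# Remote Admin exception: the rule group that
# "netsh firewall set service remoteadmin enable" turns on.
$ra = Get-NetFirewallRule -DisplayGroup 'Remote Administration' -ErrorAction SilentlyContinue
$checks['Remote Administration rules enabled'] =
    ($null -ne $ra -and @($ra | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0)

# Port 443 exception: any enabled inbound allow rule whose local port covers 443.
$tcp443 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object {
        $f = $_ | Get-NetFirewallPortFilter
        $f.Protocol -eq 'TCP' -and (@($f.LocalPort) -contains '443' -or @($f.LocalPort) -contains 'Any')
    }
$checks['Inbound TCP 443 allowed'] = (@($tcp443).Count -gt 0)

# The collecting Agent's service account must be in Event Log Readers to read
# logs remotely (this check is meaningful on the machine that runs the Agent).
$readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
$checks["$ServiceAccount in Event Log Readers"] =
    ($null -ne $readers -and @($readers | Where-Object { $_.Name -ieq $ServiceAccount }).Count -gt 0)

# One PASS/FAIL line per prerequisite; a FAIL explains a host missing from the
# scan results or a log source that stays empty.
foreach ($c in $checks.GetEnumerator()) {
    '{0} {1}' -f $(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key
}
```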

Allowable Platforms for Remote Log Collection

The following is a table of the allowable combinations for collection setup. The table provides the following parameters:

  • Agent Operating System. Operating system of the machine where the agent is installed.

  • Log Message Source Host. Machine from which the MS Event Logs will be collected.

  • Log Message Source Type. Log Message Source Type selected for the Log Message Source Host.

  • Local Event Log Collection Allowed? Whether the agent can collect the Log Message Source locally.

  • Remote Event Log Collection Allowed? Whether the agent can collect the Log Message Source remotely.

Agent Operating System | Log Message Source Host System | Log Message Source Type       | Local Event Log Collection Allowed? | Remote Event Log Collection Allowed?
-----------------------|--------------------------------|-------------------------------|-------------------------------------|-------------------------------------
XP/2003                | 2000                           | MS Event Log for XP/2000/2003 | n/a                                 | Yes
XP/2003                | XP/2003                        | MS Event Log for XP/2000/2003 | Yes                                 | Yes
XP/2003                | 2008/Vista                     | MS Windows Event Logging      | n/a                                 | No
XP/2003                | Win7/2008R2                    | MS Windows Event Logging      | n/a                                 | No
XP/2003                | Win8/2012                      | MS Windows Event Logging      | n/a                                 | No
2008                   | 2000                           | MS Event Log for XP/2000/2003 | n/a                                 | Yes
2008                   | XP/2003                        | MS Event Log for XP/2000/2003 | n/a                                 | Yes
2008                   | 2008/Vista                     | MS Windows Event Logging      | Yes                                 | Yes
2008                   | Win7/2008R2                    | MS Windows Event Logging      | n/a                                 | Yes
2008                   | Win8/2012                      | MS Windows Event Logging      | n/a                                 | Yes
Win7/2008R2            | 2000                           | MS Event Log for XP/2000/2003 | n/a                                 | Yes
Win7/2008R2            | XP/2003                        | MS Event Log for XP/2000/2003 | n/a                                 | Yes
Win7/2008R2            | 2008/Vista                     | MS Windows Event Logging      | n/a                                 | Yes
Win7/2008R2            | Win7/2008R2                    | MS Windows Event Logging      | Yes                                 | Yes
Win7/2008R2            | Win8/2012                      | MS Windows Event Logging      | n/a                                 | Yes
Win8/2012              | 2000                           | MS Event Log for XP/2000/2003 | n/a                                 | Yes
Win8/2012              | XP/2003                        | MS Event Log for XP/2000/2003 | n/a                                 | Yes
Win8/2012              | 2008/Vista                     | MS Windows Event Logging      | n/a                                 | Yes
Win8/2012              | Win7/2008R2                    | MS Windows Event Logging      | n/a                                 | Yes
Win8/2012              | Win8/2012                      | MS Windows Event Logging      | Yes                                 | Yes