Windows Event Log Collection
Windows System Monitors can collect logs remotely from other Windows hosts. The process is similar to collecting local logs, but it uses Windows authentication to gain access to the log files remotely across a network. The easiest way to add the appropriate records to LogRhythm is to use the Windows Host Wizard, but you can also add them manually.
General Network Requirements
The LogRhythm Windows Agent can be configured to read Windows Event Log entries on remote Windows systems. The LogRhythm Agent resides on the monitoring system. The Windows Event Logs originate on the remote system.
For the LogRhythm Windows Agent to access the Windows Event Logs on the remote system, these conditions must be met:
- The monitoring system must reside in the same domain as the remote system, or reside in a domain that has a trust relationship with the domain where the remote system resides.
- These standard Windows ports must be open between the monitoring system and the remote system:
  - TCP 135
  - TCP 445
  - The default Dynamic Port Range is 49152–65535. These ports also need to be allowed on the remote machine. The Remote Event Log Management (RPC) Windows Firewall rule enables this dynamic range. It is not necessary to have all ports within this range open. Use your firewall to check which ports are being used.
  - These port settings are valid for Windows Vista and later, as well as Windows Server 2008 and later.
- The remote system must be running the RPC and Remote Registry services. To enable these services on the remote machine, go to Control Panel, click Administrative Tools, and then click Services. Start the Remote Procedure Call (RPC) and Remote Registry services. Set the Startup Type for both to Automatic.
- A valid network route (path) must exist between the monitoring system and the remote system.
- The LogRhythm Windows Agent service must be running under a domain account that has sufficient permissions to access the remote Windows Event Logs. The following section provides details on setting up a domain account with the proper permissions.
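The following PowerShell script is an added example, not LogRhythm's own tooling, that checks the prerequisites listed above from the monitoring system before you add the remote host. It probes TCP 135 and 445, confirms the RPC and Remote Registry services are running with Automatic startup on the remote system, and then reads one event from the remote System log, which exercises the dynamic port range, the Remote Event Log Management (RPC) firewall rule and the account's log-read permission together. `$RemoteHost` is an assumed placeholder; run the script under the domain account the LogRhythm Windows Agent service will use, from Windows PowerShell 5.1 (the `-ComputerName` parameter of `Get-Service` is not available in PowerShell 7).

```powershell
# Added example (not LogRhythm code): verify remote Windows Event Log prerequisites.
# Run as the domain account used by the LogRhythm Windows Agent service.
param(
    [Parameter(Mandatory = $true)][string]$RemoteHost   # assumed placeholder for the remote system
)

$ok = $true

# 1. Static ports: TCP 135 (RPC endpoint mapper) and TCP 445 (SMB) must be reachable.
foreach ($port in 135, 445) {
    $probe = Test-NetConnection -ComputerName $RemoteHost -Port $port -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) {
        Write-Host "TCP $port to $($RemoteHost): open"
    } else {
        Write-Warning "TCP $port to $($RemoteHost): blocked - check firewall rules and the network route"
        $ok = $false
    }
}

# 2. Required services on the remote system. Service names: RpcSs = Remote Procedure Call (RPC),
#    RemoteRegistry = Remote Registry. Both should be Running with StartType Automatic.
foreach ($svc in 'RpcSs', 'RemoteRegistry') {
    try {
        $s = Get-Service -ComputerName $RemoteHost -Name $svc -ErrorAction Stop
        if ($s.Status -ne 'Running' -or $s.StartType -ne 'Automatic') {
            Write-Warning "$svc on $($RemoteHost) is $($s.Status) / $($s.StartType); expected Running / Automatic"
            $ok = $false
        } else {
            Write-Host "$svc on $($RemoteHost): Running / Automatic"
        }
    } catch {
        # Typically means Remote Registry is stopped or the account lacks rights on the remote host.
        Write-Warning "Could not query service $svc on $($RemoteHost): $($_.Exception.Message)"
        $ok = $false
    }
}

# 3. End-to-end check: read the newest event from the remote System log. A failure here with
#    steps 1 and 2 passing usually points at the dynamic port range (49152-65535) being blocked
#    or at the account lacking permission to read the remote event log.
try {
    $evt = Get-WinEvent -ComputerName $RemoteHost -LogName System -MaxEvents 1 -ErrorAction Stop
    Write-Host "Remote event log read OK (latest System event at $($evt.TimeCreated))"
} catch {
    Write-Warning "Remote event log read failed: $($_.Exception.Message)"
    $ok = $false
}

if ($ok) {
    Write-Host "All prerequisites for $($RemoteHost) appear to be met."
} else {
    Write-Host "One or more prerequisites for $($RemoteHost) are not met; see the warnings above."
}
```

Usage: `.\Test-RemoteEventLogPrereqs.ps1 -RemoteHost SERVER01` (script file name and host name are assumed). The final `Get-WinEvent` call is the decisive test: the two port probes only cover the fixed ports, so a host that passes steps 1 and 2 but fails step 3 most often needs the Remote Event Log Management (RPC) firewall rule enabled or the agent account granted event-log read rights.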