Windows Host Wizard
The Windows Host Wizard connects to Active Directory to find Windows systems on the domain. Eligible systems returned by the scan can be selected for remote log collection. Correctly defined permissions are essential to identify systems and collect logs.
The wizard can only scan domains that have the Include in Scan option selected in the domain properties under Windows Host Wizard. For more information, see Configure Initial Host Settings (Domain, Entity, and Log Source Types).
Requirements for Scanning
The Remote Registry service on Agent-less systems must be started for machines to be identified in the scan.
The user logged in to the machine where the scan is taking place must be a domain user on the domain being scanned, or the scan will fail to run.
Requirements for Firewall Settings
If firewalls are used on systems in your network:
- To allow for remote log collection, an exception for port 443 must be added to the Windows Firewall settings on the Agent-less systems.
- The Client Console machine should also have an exception for port 443.
To allow the host machine to be identified, the Remote Admin exception must be added to the Windows Firewall settings on the Agent-less systems. If it does not appear in the Programs and Services list on the Exceptions tab of Windows Firewall, add it from a command prompt by typing the following command:
netsh firewall set service remoteadmin enable
To confirm it is enabled, type the following:
netsh firewall show state
Requirements for Remote Collection
To collect logs remotely from another system, the collecting Agent’s service must be running under an account that is in the Event Log Readers group. For more information, refer to the LogRhythm Guide: Least-Privileged User.
Requirements for Security Event Logs
The user running the scan must have administrator privileges on the system that is running the Client Console and on the systems on the domain from which logs will be collected. This can be achieved by setting up local users with Administrator rights or by using users with domain administrator privileges.
Miscellaneous Requirements
Any other settings on the systems related to firewall, permissions, or security may impact scanning, identification, or collection of event logs.
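The scanning and remote collection requirements above can be checked on each target before running the wizard. The following PowerShell is an added example, not LogRhythm code. It assumes Windows PowerShell 5.1 and that the Event Log Readers group to check is the one on each target system; the host names, the service account, and the function name are constructed placeholders.

```powershell
# Added example: preflight check for the scanning and remote collection requirements.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName does not exist in PowerShell 7)
# and a caller with administrator rights on the targets.
$Targets        = @('HOST01.example.local', 'HOST02.example.local')  # constructed placeholders
$ServiceAccount = 'EXAMPLE\svc-collector'                            # constructed placeholder

function Test-HostWizardReadiness {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Account
    )
    $result = [ordered]@{
        ComputerName      = $ComputerName
        RemoteRegistry    = 'Unknown'
        InEventLogReaders = 'Unknown'
    }

    # Scanning requirement: the Remote Registry service must be started.
    # An error here can mean the host is not reachable for remote
    # administration (firewall exception missing) or the caller lacks rights.
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop
        $result.RemoteRegistry = $svc.Status.ToString()
    } catch {
        $result.RemoteRegistry = "Error: $($_.Exception.Message)"
    }

    # Remote collection requirement: the account the collecting Agent's service
    # runs under must be in the Event Log Readers group. Only direct members are
    # listed; membership through a nested domain group is not resolved.
    try {
        $wanted  = $Account -replace '\\', '/'          # EXAMPLE\user -> EXAMPLE/user
        $group   = [ADSI]"WinNT://$ComputerName/Event Log Readers,group"
        $members = @($group.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
        $result.InEventLogReaders = [bool]($members | Where-Object { $_ -like "*/$wanted" })
    } catch {
        $result.InEventLogReaders = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

$Targets | ForEach-Object { Test-HostWizardReadiness -ComputerName $_ -Account $ServiceAccount } |
    Format-Table -AutoSize
```

A target is ready for the scan when RemoteRegistry reads Running, and ready for remote collection when InEventLogReaders is True.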