Skip to main content
Skip table of contents

Windows Host Wizard

The Windows Host Wizard connects to Active Directory to find Windows systems on the domain. Eligible systems returned by the scan can be selected for remote log collection. Correctly defined permissions are essential to identify systems and collect logs.

The wizard can only scan domains that have the Include in Scan option selected in the domain properties under Windows Host Wizard. For more information, see Configure Initial Host Settings (Domain, Entity, and Log Source Types).

Requirements for Scanning

The Remote Registry service on Agent-less systems must be started for machines to be identified in the scan.

The user logged in to the machine where the scan is taking place must be a domain user on the domain being scanned or the scan will fail to run.

Requirements for Firewall Settings

If firewalls are used on systems in your network:

  • To allow for remote log collection, an exception for port 443 must be added to the Windows Firewall settings on the Agent-less systems.
  • The Client Console machine should also have an exception for port 443.
  • To allow the host machine to be identified, the Remote Admin exception must be added to the Windows Firewall settings on the Agent-less systems. If it does not appear in the list of Programs and Services within Windows firewall exceptions tab, add it from a command prompt by typing the following command:

    netsh firewall set service remoteadmin enable

    To confirm it is enabled, type the following:

    netsh firewall show state

Requirements for Remote Collection

To collect logs remotely from another system, the collecting Agent’s service must be running under an account that is in the Event Log Readers group. For more information, refer to the LogRhythm Guide: Least-Privileged User.

Requirements for Security Event Logs

The user running the scan must have administrator privileges on the system that is running the Client Console and for the systems on the domain from which logs will be collected. This can be achieved by setting up local users with Administrator rights or by using users with domain administrator privileges.

Miscellaneous Requirements

Any other settings on the systems related to firewall, permissions, or security may impact scanning, identification, or collection of event logs.

Allowable Platforms for Remote Log Collection

The following is a table of the allowable combinations for collection setup. The table provides the following parameters:

  • Agent Operating System. Operating system of the machine where the agent is installed.
  • Log Message Source Host. Machine from which the MS Event Logs will be collected.
  • Log Message Source Type. Log Message Source Type selected for the Log Message Source Host.
  • Local Event Log Collection Allowed? Whether the agent can collect the Log Message Source locally.
  • Remote Event Log Collection Allowed? Whether the agent can collect the Log Message Source remotely.

Agent Operating SystemLog Message Source Host SystemLog Message Source TypeLocal Event Log Collection Allowed?Remote Event Log Collection Allowed?
XP/20032000MS Event Log for XP/2000/2003n/aYes
XP/2003XP/2003MS Event Log for XP/2000/2003YesYes
XP/20032008/VistaMS Windows Event Loggingn/aNo
XP/2003Win7/2008R2MS Windows Event Loggingn/aNo
XP/2003Win8/2012MS Windows Event Loggingn/aNo
20082000MS Event Log for XP/2000/2003n/aYes
2008XP/2003MS Event Log for XP/2000/2003n/aYes
20082008/VistaMS Windows Event LoggingYesYes
2008Win7/2008R2MS Windows Event Loggingn/aYes
2008Win8/2012MS Windows Event Loggingn/aYes
Win7/2008R22000MS Event Log for XP/2000/2003n/aYes
Win7/2008R2XP/2003MS Event Log for XP/2000/2003n/aYes
Win7/2008R22008/VistaMS Windows Event Loggingn/aYes
Win7/2008R2Win7/2008R2MS Windows Event LoggingYesYes
Win7/2008R2Win8/2012MS Windows Event Loggingn/aYes
Win8/20122000MS Event Log for XP/2000/2003n/aYes
Win8/2012XP/2003MS Event Log for XP/2000/2003n/aYes
Win8/20122008/VistaMS Windows Event Loggingn/aYes
Win8/2012Win7/2008R2MS Windows Event Loggingn/aYes
Win8/2012Win8/2012MS Windows Event LoggingYesYes
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.