19.3 Configuring Auditing

The configuration of auditing with the SecureLogin Collector differs between workstations in Active Directory environments and those in non-Active Directory environments. It involves enabling auditing on the target system and configuring the accounts that Sentinel uses to access the Windows Event Logs remotely. The high-level configuration procedures for both scenarios follow.

For detailed information, see the WMS Connector document at the Sentinel Connector and Collector Web site.

19.3.1 Monitoring a System in a Domain Environment

In a domain environment, a domain account must be created that has the policy rights to access the Windows Security Event logs on the remote Event Sources. This domain user account must be recognized by the Event Sources either as a user within the domain, or a user within one of the groups referenced on the server.

Configuring Events Logged by Windows Event Log

Use the following procedure to enable basic Windows event logging for use with Windows Collectors. To collect data from a different application that writes to the Windows Event Log, refer to the documentation for the associated Collector. For details, see the Sentinel Connector and Collector Web site.

To configure the Sensor to report events to the Security Log:

  1. Log on to Windows with an account that has Administrative rights.

  2. Click Start > Settings > Control Panel.

  3. In Control Panel window, double-click Administrative Tools.

  4. Double-click Local Security Policy; expand Local Policies, then double-click Audit Policy. A list of policies displays.

  5. Double-click a specific audit policy to edit the security settings.

  6. In the Local Security Setting window, select the Success/Failure check boxes.

  7. Click OK.

Configuring Users to Collect Windows Event Log Remotely

  1. From the Event Source, click Start > Settings > Control Panel.

  2. In the Control Panel window, select Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Manage auditing and security log.

  3. Click Add.

  4. From the Select Users/Groups window, click the Look in field, then select the domain with the account to be used for collecting the security event log information.

  5. Double-click the account to be used, then click OK.

  6. In the Local Security Policy Settings window, click OK.

    The new policy setting takes effect after you restart the system.

    NOTE: If domain-level policy settings are defined, they override local policy settings.
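Assigning the same right by script, as an added example that is not part of the NetIQ documentation: it grants "Manage auditing and security log" (SeSecurityPrivilege) to the collection account with secedit while keeping the existing holders. The account name is a placeholder, and the script assumes it runs elevated on the event source.

```powershell
# Added example, not from the NetIQ documentation: grants the "Manage auditing and
# security log" right (SeSecurityPrivilege) to the collection account in the local
# security policy with secedit, keeping every account that already holds the right.
# Run elevated on the event source. The account name is a placeholder.
$Account = 'CONTOSO\svc-sentinel-collect'   # placeholder, not a real account

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$export = Join-Path $env:TEMP 'rights-export.inf'
$import = Join-Path $env:TEMP 'rights-import.inf'
$db     = Join-Path $env:TEMP 'rights-import.sdb'

# Export the current User Rights Assignment (secedit writes a Unicode INF).
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# Current holders of SeSecurityPrivilege as "*SID" tokens; empty if none assigned.
$line = Get-Content $export | Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' } | Select-Object -First 1
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
if ($holders -notcontains "*$sid") { $holders += "*$sid" }

# secedit /configure replaces the whole list for a right, so write all holders back.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeSecurityPrivilege = $($holders -join ',')
"@ | Set-Content -Path $import -Encoding Unicode

secedit /configure /db $db /cfg $import /areas USER_RIGHTS | Out-Null

# Check: re-export and confirm the SID is listed. In a domain, a GPO that defines this
# right overrides the local setting (see the NOTE above), so verify again after gpupdate.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$granted = (Get-Content $export | Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' }) -match [regex]::Escape("*$sid")
if (-not $granted) { throw "SeSecurityPrivilege not granted to $Account" }
```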

Setting up the Windows Management Instrumentation Service

  1. Log on to the remote computer; from the Task bar, click Start > Settings > Control Panel.

  2. In the Control Panel window, double-click Administrative Tools > Computer Management.

  3. In the Computer Management window, on the Tree tab expand Services and Applications; right-click WMI Control, then select Properties.

  4. In WMI Control Properties window, select the Security tab.

  5. Select the Root folder, then click Security to open the Security for Root dialog.

    If the User or Group that needs the remote WMI access does not appear in the list, click Add.

  6. From the Select Users, Computers, or Groups window, select the user or group that needs remote WMI access, then click Add.

  7. After you finish selecting users or groups, click OK.

  8. Select the newly added user or group and ensure that they have at least the following permissions depending on what type of Event log you want to access:

    • Execute Methods

    • Provider Write

    • Enable Account

    • Remote Enable

  9. With the user or group still highlighted, click Advanced to open the Access Control Settings for Root window.

  10. Select the group, then click View/Edit, to open the Permission Entry for Root dialog.

  11. From the Apply onto list, select This namespace and sub namespaces.

  12. Click OK on each dialog until you return to the Computer Management window.

  13. Restart the WMI service. For more information on starting the WMI service, refer to Starting and Stopping the WMI Service.
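Granting the WMI namespace permissions from steps 8 through 13 by script, as an added example that is not part of the NetIQ documentation: it sets the four listed permissions on Root with inheritance to sub-namespaces, replaces any earlier entry for the same account, and restarts WMI. The account name is a placeholder, and the script assumes it runs elevated on the event source.

```powershell
# Added example, not from the NetIQ documentation: grants the four WMI permissions
# listed in step 8 (Enable Account, Execute Methods, Provider Write, Remote Enable)
# on the Root namespace and its sub-namespaces (step 11), then restarts WMI (step 13).
# Run elevated on the event source. The account name is a placeholder.
$Account = 'CONTOSO\svc-sentinel-collect'   # placeholder, not a real account

# WMI namespace access-mask bits (WMI SDK constants)
$WBEM_ENABLE         = 0x01   # Enable Account
$WBEM_METHOD_EXECUTE = 0x02   # Execute Methods
$WBEM_WRITE_PROVIDER = 0x10   # Provider Write
$WBEM_REMOTE_ACCESS  = 0x20   # Remote Enable
$AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_WRITE_PROVIDER -bor $WBEM_REMOTE_ACCESS

$CONTAINER_INHERIT_ACE = 0x02  # "This namespace and subnamespaces"
$ACCESS_ALLOWED_ACE    = 0x00

# Resolve the account to a SID (fails early if the name cannot be resolved)
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)

# Read the current security descriptor of the Root namespace
$sec = Get-WmiObject -Namespace 'root' -Class __SystemSecurity
$get = $sec.GetSecurityDescriptor()
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
$sd = $get.Descriptor

# Build the allow ACE for the account
$trustee = ([WMIClass] 'Win32_Trustee').CreateInstance()
$trustee.SID       = $sidBytes
$trustee.SIDString = $sid.Value
$ace = ([WMIClass] 'Win32_ACE').CreateInstance()
$ace.AccessMask = $AccessMask
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE
$ace.Trustee    = $trustee.PSObject.ImmediateBaseObject

# Drop any existing ACE for this SID so re-running the script does not stack entries
$keep = @($sd.DACL | Where-Object { $_.Trustee.SIDString -ne $sid.Value })
$sd.DACL = $keep + $ace.PSObject.ImmediateBaseObject

$set = $sec.SetSecurityDescriptor($sd)
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }

# Step 13: the new namespace security takes effect after the WMI service restarts
Restart-Service -Name Winmgmt -Force
```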

Configuring Domain Account User COM/DCOM

The procedure to configure the domain account user for COM/DCOM differs based on the platform of the SecureLogin workstation. Refer to the WMS Connector document at the Sentinel Connector and Collector Web site for detailed configuration information.

19.3.2 Monitoring a System in a Non-Domain Environment

In a non-domain environment, local accounts must be created on both the Collector Manager system and on the Event Source. These accounts must have the same username and password.

Configuring Events Logged by Windows Event Log

Refer to Configuring Events Logged by Windows Event Log in Monitoring a System in a Domain Environment.

Configuring Users to Collect Windows Event Log Remotely

In a non-Active Directory environment you must create a user account on each event source, that is, on each workstation running SecureLogin. The same username and password must also be configured on the Collector Manager machine.

On the Collector Manager machine, this user must be a member of the Administrators group.

Refer to Configuring Users to Collect Windows Event Log Remotely in Monitoring a System in a Domain Environment.

Setting up the Windows Management Instrumentation Service

Refer to Setting up the Windows Management Instrumentation Service in Monitoring a System in a Domain Environment.