Configuring auditing with the Novell SecureLogin Collector differs for workstations in an Active Directory environment and in a non-Active Directory environment. The configuration involves enabling auditing on the target system and configuring appropriate accounts so that Sentinel can read the Windows Event Logs remotely. The following are the high-level configuration procedures for both scenarios:
For detailed information, see the WMS Connector document at the Sentinel Connector and Collector Web site.
In a domain environment, a domain account must be created that has the policy right to access the Windows Security Event logs on the remote Event Sources. This domain account user must be recognized by the Event Sources either as a user within the domain, or a user within one of the groups referenced on the server.
Use the following procedure to enable basic Windows event logging for use with Windows Collectors. To collect data from a different application that writes to the Windows Event Log, refer to the documentation for the associated Collector. For details, see the Sentinel Connector and Collector Web site.
To configure the Sensor to report Events to Security Log:
Log on to Windows with an account that has Administrative rights.
Click > > .
In the Control Panel window, double-click .
Double-click ; expand , then double-click . A list of policies displays.
Double-click a specific audit policy to edit the security settings.
In the Local Security Setting window, select check boxes.
Click .
From the , click > > .
In the Control Panel window, select > > > > .
Click .
From the window, click the , then select the domain with the account to be used for collecting the security event log information.
Double-click the account to be used, then click .
In the Local Security Policy Settings window, click .
The new policy setting takes effect after you restart the system.
NOTE: If domain-level policy settings are defined, they override local policy settings.
Log on to the remote computer; from the Task bar, click > > .
In the Control Panel window, double-click > .
In the Computer Management window, on the tab expand ; right-click , then select .
In the WMI Control Properties window, select the tab.
Select the folder, then click to open the Security for Root dialog.
If the User or Group that needs the remote WMI access does not appear in the list, click .
From the Select Users, Computers, or Groups window, select the user or group that needs remote WMI access, then click .
After you finish selecting users or groups, click .
Select the newly added user or group and ensure that they have at least the following permissions depending on what type of Event log you want to access:
Execute Methods
Provider Write
Enable Account
Remote Enable
With the user or group still highlighted, click to open the Access Control Settings for Root window.
Select the group, then click , to open the Permission Entry for Root dialog.
From the list, select .
Click on each dialog until you return to the Computer Management window.
Restart the WMI service.
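One way to confirm the outcome of the WMI Control steps above without reopening the dialogs, as an added example that is not part of the Novell documentation: the script reads the DACL of the root namespace and reports which of the four listed permissions the collection account holds, which are missing, and which go beyond the list. The account name is a hypothetical placeholder, the bit values are the standard WBEM access-mask constants, and only ACEs that name the account directly are evaluated (rights inherited through group membership are not resolved).

```powershell
# Added example. WMI namespace access-mask bits (WBEM_* values from the Windows SDK).
$WmiRights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}
# The four permissions listed in the procedure above.
$Required = 'Execute Methods', 'Provider Write', 'Enable Account', 'Remote Enable'

function Get-WmiRightNames([uint32]$Mask) {
    # Translate an access mask into the permission names shown in the Security dialog.
    @($WmiRights.Keys | Where-Object { $Mask -band $WmiRights[$_] })
}

function Test-WmiCollectorAccess {
    param(
        [Parameter(Mandatory)][string]$Account,   # DOMAIN\name or COMPUTER\name
        [string]$Namespace = 'root'
    )
    # Run from an elevated session on the event source.
    $r = Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity -MethodName GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($r.ReturnValue)" }

    $allow = [uint32]0; $deny = [uint32]0
    foreach ($ace in $r.Descriptor.DACL) {
        $trustee = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
        if ($trustee -ne $Account) { continue }      # only ACEs naming the account directly
        if ($ace.AceType -eq 0)     { $allow = $allow -bor $ace.AccessMask }   # access allowed
        elseif ($ace.AceType -eq 1) { $deny  = $deny  -bor $ace.AccessMask }   # access denied
    }
    $denied  = Get-WmiRightNames $deny
    $granted = @(Get-WmiRightNames $allow | Where-Object { $_ -notin $denied })  # deny wins
    [pscustomobject]@{
        Account   = $Account
        Namespace = $Namespace
        Granted   = $granted
        Missing   = @($Required | Where-Object { $_ -notin $granted })
        Extra     = @($granted  | Where-Object { $_ -notin $Required })  # review for least privilege
    }
}

# 'EXAMPLE\svc-sentinel' is a hypothetical account name; substitute the collection account.
Test-WmiCollectorAccess -Account 'EXAMPLE\svc-sentinel' | Format-List
```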
The procedure to configure domain account user COM/DCOM differs based on the platform on the SecureLogin workstation. For detailed configuration information, refer to the WMS Connector document at the Sentinel Connector and Collector Web site.
In a non-domain environment, local accounts must be created on both the Collector Manager system and on the Event Source. These accounts must have the same username and password.
Refer to Configuring Events Logged by Windows Event Log in Section 18.3.1, Monitoring a System in a Domain Environment.
In a non-Active Directory environment, you must create a user account with the same username and password on each event source (that is, each workstation running Novell SecureLogin) and on the Collector Manager machine.
On the Collector Manager machine, this user must be part of the Administrator group.
Refer to Configuring Users to Collect Windows Event Log Remotely in Section 18.3.1, Monitoring a System in a Domain Environment.
Refer to Setting up the Windows Management Instrumentation Service in Section 18.3.1, Monitoring a System in a Domain Environment.
Refer to Configuring Domain Account User COM/DCOM in Section 18.3.1, Monitoring a System in a Domain Environment.