The configuration of auditing with the SecureLogin Collector differs for workstations in Active Directory environments and non-Active Directory environments. In both cases the configuration involves enabling auditing on the target system and configuring the appropriate accounts so that Sentinel can access the Windows Event Logs remotely. The following are the high-level configuration procedures for both scenarios:
For detailed information, see the WMS Connector document at the Sentinel Connector and Collector Web site.
In a domain environment, a domain account must be created that has the policy rights to access the Windows Security Event logs on the remote Event Sources. This domain user account must be recognized by the Event Sources either as a user within the domain, or a user within one of the groups referenced on the server.
Use the following procedure to enable basic Windows event logging for use with Windows Collectors. To collect data from a different application that writes to the Windows Event Log, refer to the documentation for the associated Collector. For details, see the Sentinel Connector and Collector Web site.
To configure the Sensor to report Events to the Security Log:
1. Log on to Windows with an account that has Administrative rights.
2. Click > > .
3. In the Control Panel window, double-click .
4. Double-click ; expand , then double-click . A list of policies displays.
5. Double-click a specific audit policy to edit the security settings.
6. In the Local Security Setting window, select the check boxes.
7. Click .
8. From the , click > > .
9. In the Control Panel window, select > > > > .
10. Click .
11. From the window, click the , then select the domain with the account to be used for collecting the security event log information.
12. Double-click the account to be used, then click .
13. In the Local Security Policy Settings window, click .
The new policy setting takes effect after you restart the system.
NOTE: If domain-level policy settings are defined, they override local policy settings.
To grant the account remote WMI access on the event source:
1. Log on to the remote computer; from the Task bar, click > > .
2. In the Control Panel window, double-click > .
3. In the Computer Management window, on the tab expand ; right-click , then select .
4. In the WMI Control Properties window, select the tab.
5. Select the folder, then click to open the Security for Root dialog.
6. If the user or group that needs remote WMI access does not appear in the list, click .
7. From the Select Users, Computers, or Groups window, select the user or group that needs remote WMI access, then click .
8. After you finish selecting users or groups, click .
9. Select the newly added user or group and ensure that it has at least the following permissions, depending on which type of Event log you want to access:
   Execute Methods
   Provider Write
   Enable Account
   Remote Enable
10. With the user or group still highlighted, click to open the Access Control Settings for Root window.
11. Select the group, then click to open the Permission Entry for Root dialog.
12. From the list, select .
13. Click on each dialog until you return to the Computer Management window.
14. Restart the WMI service. For more information on restarting the WMI service, see Starting and Stopping the WMI Service.
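The following PowerShell script is an added verification example, not part of the Sentinel or SecureLogin documentation: run from the Collector Manager, it reads the DACL of the root WMI namespace on an event source and checks that the collection user or group holds the four permissions listed above (Enable Account, Execute Methods, Provider Write, Remote Enable), then confirms the Security log can actually be read over WMI with that account. The computer name, trustee name and credential in the example call are assumed values.

```powershell
# Verification script added here as an example; it is not part of the
# Sentinel/SecureLogin documentation. Assumes Windows PowerShell 5.1 on the
# Collector Manager, a reachable event source ($Computer), and the trustee
# name exactly as it appears in the "Security for Root" dialog.
$WBEM_ENABLE         = 0x1   # "Enable Account"
$WBEM_METHOD_EXECUTE = 0x2   # "Execute Methods"
$WBEM_WRITE_PROVIDER = 0x10  # "Provider Write"
$WBEM_REMOTE_ACCESS  = 0x20  # "Remote Enable"
$Required = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_WRITE_PROVIDER -bor $WBEM_REMOTE_ACCESS

function Test-SentinelWmiAccess {
    param(
        [Parameter(Mandatory)] [string]       $Computer,    # event source
        [Parameter(Mandatory)] [string]       $Trustee,     # user or group name
        [Parameter(Mandatory)] [pscredential] $Credential   # collection account
    )
    # Step 1: read the DACL of the root WMI namespace on the event source.
    $sec  = Get-WmiObject -ComputerName $Computer -Credential $Credential `
                          -Namespace 'root' -Class '__SystemSecurity'
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    # AceType 0 = access allowed; combine every allow ACE for this trustee.
    $mask = 0
    foreach ($ace in $dacl) {
        if ($ace.AceType -eq 0 -and $ace.Trustee.Name -eq $Trustee) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    $missing = $Required -band (-bnot $mask)
    if ($missing -ne 0) {
        return ('FAIL: {0} lacks WMI rights 0x{1:X} on root of {2}' -f $Trustee, $missing, $Computer)
    }
    # Step 2: prove the Security log is readable over WMI with the account.
    # This also fails if the audit policy or log-access rights above are missing.
    $evt = Get-WmiObject -ComputerName $Computer -Credential $Credential `
                         -Class Win32_NTLogEvent -Filter "Logfile='Security'" |
           Select-Object -First 1
    if (-not $evt) {
        return ('FAIL: Security log on {0} returned no records for {1}' -f $Computer, $Trustee)
    }
    return ('OK: {0} can read Security log on {1} (record {2}, event ID {3})' -f $Trustee, $Computer, $evt.RecordNumber, $evt.EventCode)
}

# Example call with constructed names; Get-Credential prompts for the password.
# Test-SentinelWmiAccess -Computer 'WKS01' -Trustee 'sentinelsvc' -Credential (Get-Credential 'CORP\sentinelsvc')
```

If the trustee was added as a group, pass the group name and authenticate with a member account; the DACL check matches the trustee name shown in the dialog, not group membership.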
The procedure to configure COM/DCOM for the domain account user depends on the platform of the SecureLogin workstation. For detailed configuration information, see the WMS Connector document at the Sentinel Connector and Collector Web site.
In a non-domain environment, local accounts must be created on both the Collector Manager system and on the Event Source. These accounts must have the same username and password.
See Configuring Events Logged by Windows Event Log in Section 20.3.1, Monitoring a System in a Domain Environment.
In a non-Active Directory environment you must create a user account on each event source, that is, on each workstation running SecureLogin. The same username and password must also be configured on the Collector Manager machine.
On the Collector Manager machine, this user must be a member of the Administrators group.
See Configuring Users to Collect Windows Event Log Remotely in Section 20.3.1, Monitoring a System in a Domain Environment.
See Setting up the Windows Management Instrumentation Service in Section 20.3.1, Monitoring a System in a Domain Environment.
See Configuring Domain Account User COM/DCOM in Section 20.3.1, Monitoring a System in a Domain Environment.