How to use Windows Event Forwarding (WEF) with the Windows Agent
Technical Articles ID:   KB77092
Last Modified:  11/16/2018

Environment

McAfee SIEM Database Event Monitor (DBM) 10.0, 9.x
McAfee SIEM Enterprise Log Manager (ELM) 10.0, 9.x
McAfee SIEM Enterprise Security Manager (ESM) 10.0, 9.x
McAfee SIEM Event Receiver 10.0, 9.x


Summary

This article describes how to configure Windows Event Forwarding (WEF) for use with McAfee SIEM through the Windows Agent.

Solution

Windows Event Forwarding (WEF) is a feature in Microsoft operating systems (introduced with Microsoft Vista) that you can configure to forward logs from one or many Event Source computers to a centralized Windows system (typically referred to as an Event Collector). The McAfee Event Collector has been designed to read those collated logs and send them to a Receiver.

NOTE: Vista is the minimum operating system required on either the Event Collector or the Event Sources.

To configure your environment:

  1. Configure the Event Source systems to forward events to the WEF Event Collector.
  2. Install the Agent on the WEF Event Collector.
  3. Add a single host, and for Host Name/IP, add the Event Collector IP address.
  4. Create a Configuration. Select Windows Event Log and name the configuration.
  5. Select Forward Event in the Windows Event area.
     
    NOTE: WEF can forward to logs other than Forwarded Events. Forwarded Events is the default. 
     
  6. At this point, you have two choices:
     
    • Select WEF - if you require the granularity of one data source per Event Source, check the WEF box.
    • Do not select WEF - if you have many Event Sources, a data source for each Event Source might prove difficult to maintain. (For instance, Event Forwarding can be configured as part of a Domain group policy, which makes it less obvious how many Event Sources are actually forwarding events.) In this case, leave WEF deselected so that all events are collated under the Agent data source. 
       
  7. On the Receiver create a data source for the Event Collector. This is a necessary step to open the firewall on the Receiver to allow communication between the Agent and Receiver. The settings are as follows:
     
    • Vendor: Microsoft
    • Model: WMI Event Log
    • Data Retrieval: MEF
    • Name: DS Name
    • IP Address: IP of the system that has the agent installed
    • hostID: This is not needed on Collector 10, but it is mandatory on Collector 11. For further information about adding the hostID by host name or FQDN (Fully Qualified Domain Name), see KB86983.
    • Use Encryption: Match what the agent has marked
    NOTE: If you did not select the WEF option above, you do not have to do the next step. 

  8. If you require a data source per Event Source, create data sources for each of the Windows systems that have the Agent installed and are forwarding events to that server. The settings are as follows:
     
    • Vendor: Microsoft
    • Model: WMI Event Log
    • Data Retrieval: MEF
    • Name: DS Name
    • IP Address: Do not use IP
    • hostID: Use the Host Name or FQDN of Windows system forwarding the logs. This is because the IP addresses of the Event Source systems are not in the forwarded events. The events only contain the host names or FQDN.
    • Use Encryption: Match what the agent has marked
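The per-Event-Source data sources in step 8 are keyed on host name or FQDN because that is all the forwarded events carry, and the note in step 6 points out that a group-policy deployment can make it hard to tell how many Event Sources are actually forwarding. The following PowerShell script is an added example, not part of the KB article or of any McAfee tooling: run on the WEF Event Collector, it lists the WEF subscriptions and their runtime status with the built-in wecutil tool, then reads the Forwarded Events log and groups events by source computer so you have the exact hostID values to use. It assumes the collector writes to the default Forwarded Events log and that the Windows Event Collector service (Wecsvc) is present; the one-day look-back window is an arbitrary choice.

```powershell
# Added example (not from the KB article): inventory the Event Sources that are
# actually forwarding to this WEF Event Collector, and print the names to use as
# hostID for the per-Event-Source data sources on the Receiver.
# Assumptions: default Forwarded Events log, Wecsvc installed, run as an admin.

# 0. The collector service must be running for subscriptions to deliver events.
$wec = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
if (-not $wec -or $wec.Status -ne 'Running') {
    Write-Warning "Windows Event Collector service (Wecsvc) is not running; run 'wecutil qc' to enable it."
}

# 1. List every WEF subscription on this collector and its runtime status.
#    'wecutil gr' shows each source's last heartbeat and any delivery error.
$subscriptions = wecutil es 2>$null
if (-not $subscriptions) {
    Write-Warning "No WEF subscriptions are configured on this collector."
}
foreach ($sub in $subscriptions) {
    Write-Host "=== Subscription: $sub ==="
    wecutil gr $sub
}

# 2. Group the last 24 hours of forwarded events by source computer.
#    MachineName is the host name / FQDN recorded by the Event Source itself,
#    which is why the data source hostID must be a name rather than an IP.
$since = (Get-Date).AddDays(-1)          # constructed look-back window
$bySource = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
                         -ErrorAction SilentlyContinue |
            Group-Object -Property MachineName |
            Sort-Object -Property Count -Descending

if (-not $bySource) {
    Write-Warning "No forwarded events in the last 24 hours. Check WinRM on the sources and the subscription targets."
    return
}

# 3. Print one row per Event Source: the name to enter as hostID and its event volume.
$bySource |
    Select-Object @{ Name = 'hostID (hostname/FQDN)'; Expression = { $_.Name } },
                  @{ Name = 'EventsLast24h';           Expression = { $_.Count } } |
    Format-Table -AutoSize

Write-Host ("{0} Event Source(s) forwarded events in the last 24 hours." -f $bySource.Count)
```

Run it after step 1 is complete and before step 8: if the table is empty or shows far fewer hosts than expected, the problem is on the forwarding side (WinRM, the subscription manager policy, or the Event Log Readers permission on the sources), not in the Receiver data source configuration. If the table shows more hosts than you want to manage individually, that is the case for leaving WEF deselected in step 6.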
