Hello RSA Admins,
As most of you know, integrating the windows event source with RSA security analytics is not that easy “straight forward”, or it’s hard to do it from the first time without any error, that’s because the integration depends on the windows configuration in the first place, and the windows vary from an infrastructure to another, mainly the error you’ll get is WINRM errors, certificate issues and HTTPS listener creation problems.
In this article I will show a new integration methodology, and not the one that RSA shows in their docs.
I am going to do it completely from the certificate creation till the logs received in the RSA SA, in a few steps.
2- Select Local Computer and finish:
3- Under certificates- Personal, right click and select Request New Certificate…
4- Next, Next, and Select Web Server, and click on More information is required….
5- Under Subject tab, select for the Subject Name Type: Common Name, and in the Value: Type the event source FQDN, and select add.
6- Under General Tab, type the FQDN in the friendly name field.
7- Under Private Key tab, Key Options, select Make Private key exportable, and Allow private key to be archived, Apply -> OK -> Enroll.
8- View Certificate, and copy the Thumbprint.
9- Copy the winrmconfig.ps1 to the C: directory and run the following command on the PowerShell as administrator,
Command 1- Set-ExecutionPolicy Unrestricted à Y
Command 2- Powershell -File winrmconfig.ps1 -Action enable -ListenerType https -Port 5986 -User email@example.com -ThumbPrint ac4c1fa34a1285ffa41f6aa3b84f00cc79dd7ac6
Where: -Action enable: to enable the listener, -User: a domain user with normal privilege to run the service, -ThumbPrint: is the certificate thumbprint that we copy before.
And here is the magic happen 😉
10- Now go to RSA LogCollector, View, Config, Event Source tab.
Select Windows, and Kerberos Realm Configuration.
11- Add event source name to the KDC Host Name, not FQDN, and save.
12- Change to windows -config, and make sure that the Authorization Method set to Negotiate, and the user name is what we used in the script.
13- Now add a new Source, and test the connection 😉
14- Check out if the logs were received.
That’s All, Done 🙂
Amin Khalil is a Technology Expert Engineer and publisher at AzureDummies blog. He also hold many certificates in VMWARE, RSA Security, EMC and Dell.
Amin is currently working in Specialized Technical Services Company (STS).