
SSIM - Customizing WMI query in a "Collector\Microsoft_Windows_Event_Collector_4.3.30_AllWin_EN"

Created: 25 Jan 2013 • Updated: 25 Jan 2013 | 7 comments
minfo's picture

Hi to all,

on an SSIM.

Has anyone tried to customize the "Collector\Microsoft_Windows_Event_Collector_4.3.30_AllWin_EN" WMI query?

I need to take only a subset of Security Event-ID data from Windows Servers.
So it is possible to save bandwidth and avoid taking all the events you don't need and then filtering them afterwards (in the Collector or on the Agent side).

Thank you

Best Regards

Marco

7 Comments

Avkash K's picture

Yes, you can have the collector level filters.

You can find the event filter option in the sensor configuration of any collector.

Similarly, for the Windows Event collector you can filter out specific Event IDs at collection level only.

So it can save your bandwidth, and it will not forward those events to your SSIM.


Hope that helps you!!

Regards,

Avkash K

minfo's picture

Hi Avkashk,
thank you for your answer.

But I think that Sensor Filtering needs pre-parsing of every event (otherwise the Sensor cannot discriminate what to filter or not), so it is very resource-wasting.


The real problem is:

I have a Centralized SSIM Agent Offbox with its Windows Collector that collects data from a REMOTE Windows Server.

Are you sure that I will save bandwidth in the network between the Remote Server and the Agent Offbox (using Sensor Filtering)?

Also, if a Sensor needs only 1 specific event per hour (e.g. ID 528, success logon) from a server that produces for example 40eps (ALL Event Viewer Security Events), isn't it better to make a WMI query filtering on the specific EVT_ID, so the filtering is on the answer of the Target Windows Source, which in this case sends via WMI only 1 event per hour and not 30 eps to the SSIM Sensor?


thank you

Regards

Marco I
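The source-side filtering minfo describes above, as an added example that is not part of the thread and not Symantec's collector code: a WQL query against the Win32_NTLogEvent class that asks the remote Windows host to return only Security records with the wanted event IDs, first as a one-off pull and then as an event subscription. The host name, the event ID list and the account permissions are assumptions (placeholders); whether the SSIM collector can be pointed at such a query is exactly what the thread leaves open.

```powershell
# Added example, not from the thread or from the SSIM collector.
# Assumptions: the account running this has read access to the Security log on the
# target (e.g. member of the built-in "Event Log Readers" group); $Target and
# $EventIds are placeholders.
$Target   = 'SERVER01.example.local'   # placeholder remote host
$EventIds = @(528)                     # placeholder: the success-logon ID mentioned in the thread

# Build the WHERE clause once: Logfile='Security' AND (EventCode=528 OR EventCode=...)
$idClause = ($EventIds | ForEach-Object { "EventCode=$_" }) -join ' OR '
$where    = "Logfile='Security' AND ($idClause)"

# One-off pull. The filter is evaluated by the WMI provider on $Target, so only the
# matching records cross the network to the caller.
$filtered = Get-WmiObject -ComputerName $Target -Class Win32_NTLogEvent -Filter $where

# For comparison only: an unfiltered pull returns every Security record and leaves the
# caller to discard what it does not need (the behaviour the thread attributes to the
# collector). This is the expensive transfer the filtered query avoids; run it once to
# measure the difference, not as part of regular collection.
$all = Get-WmiObject -ComputerName $Target -Class Win32_NTLogEvent -Filter "Logfile='Security'"

"{0} of {1} Security records matched the source-side filter" -f @($filtered).Count, @($all).Count

# Continuous collection: subscribe to newly written Security records with the same
# filter, so the target pushes only matching events. WITHIN 10 is the provider's poll
# interval in seconds.
$idClauseEvt = ($EventIds | ForEach-Object { "TargetInstance.EventCode=$_" }) -join ' OR '
$wql = "SELECT * FROM __InstanceCreationEvent WITHIN 10 " +
       "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
       "AND TargetInstance.Logfile='Security' AND ($idClauseEvt)"

Register-WmiEvent -ComputerName $Target -Query $wql -SourceIdentifier 'SecurityLogonEvents'

# Wait up to 60 s for one matching record, print it, then clean up the subscription.
$ev = Wait-Event -SourceIdentifier 'SecurityLogonEvents' -Timeout 60
if ($ev) {
    $rec = $ev.SourceEventArgs.NewEvent.TargetInstance
    "{0}  EventCode={1}  {2}" -f $rec.TimeGenerated, $rec.EventCode, $rec.SourceName
    Remove-Event -EventIdentifier $ev.EventIdentifier
}
Unregister-Event -SourceIdentifier 'SecurityLogonEvents'
```

Two points worth checking before relying on this. Win32_NTLogEvent exposes the event ID as EventCode, and the Security log is one of the classic logs it covers, so both the WHERE clause and the subscription filter run on the monitored server rather than on the collecting side, which is the bandwidth saving the thread is after. Event ID 528 is the successful-logon ID on Windows 2000/2003; on Windows Vista/2008 and later the equivalent is 4624, so the ID list has to match the target's Windows version.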


Milan_T's picture

Hi minfo,

You have a Windows user created on the base Windows OS, or an AD ID, added to the Event Log Readers group and having some explicit permissions to fetch logs.

Now that user's encrypted credentials have been applied on the sensor with that target system's hostname / IP address etc.

Now, when SSIM fetches these events, SSIM sends a request to the target location with the user's rights and fetches the logs.

If you apply any filters in the sensor configuration, the user will not read such filtered events and moves to the next event.

Due to this mechanism you can save bandwidth in the network between the Remote Server and the Agent Offbox (using Sensor Filtering); also you will be able to reduce event correlation, EPS and hence CPU utilization of the SSIM Correlation Box and storage space requirements.

antilles's picture

If you apply any filters in the sensor configuration, the user will not read such filtered events and moves to the next event.

No, it's not true.

Filters are applied after translation and normalization (after SES-Processor rules to be more precise), so collector collects ALL events available in windows event log.

Due to that, filters cannot help to save bandwidth between the remote monitored server and the SSIM Agent with the Windows collector.

minfo's picture

Thank you guys for your answers.

@Antilles: please, can you tell me if it is possible to modify the WMI query directly in order to look only for the events I need?

antilles's picture

I think that the WMI query is hardcoded in WindowsEventLog.jar or WindowsEventLog.dll.
The XML files contain only sensor properties/configurations and translation rules.

minfo's picture

You are right, Antilles, but

I hoped it was possible to open the Java(?) file that contains the WMI query :-)