Raw Windows Events from a Centralized Log Manager
Here is my situation:
We have a QRadar log manager. All of our Windows domain controllers are sending events to it via a QRadar agent. QRadar is able to forward raw Windows event logs to our Symantec SSIM. My Symantec SSIM is receiving the logs, but the events are not normalized. Nothing is being correlated, just raw events that SSIM doesn't know what to do with.
Other than installing Snare for Windows Event Collector on every domain controller, how can I get these Windows events to my SSIM from my centralized log manager in a way that it knows what to do with them?