Windows Audit

Overview

Event Manager utilizes the features of Windows Audit in order to provide information regarding Windows security events.

NOTE: The following section assumes an installation of Windows Server 2012. Screens and options may be different in later versions. Please refer to your Windows documentation or your systems administrator for more information.

Minimum Requirements

Event Manager Windows Template requires a minimum of Windows Server 2008 or higher.
Permission to remotely read the eventlog (see below).

Windows Event Log

The Event Log system service logs event messages that are generated by programs and by the Windows operating system. Event log reports contain information that you can use to diagnose problems. You view reports in Event Viewer. The Event Log service writes events that are sent to log files by programs, by services, and by the operating system. The events contain diagnostic information in addition to errors that are specific to the source program, the service, or the component.

Event Manager can retrieve these logs programmatically through the event log APIs which have the following requirements for accessing remote computers event logs:

IMPORTANT: Remote computer should be available and the appropriate Windows Firewall rules must be enabled in remote computer.

To enable these appropriate Windows Firewall rules on the remote computer, open the Windows Firewall with Advanced Security snap-in and enable the following inbound rules:

COM+ Network Access (DCOM-In)
All rules in the Remote Event Log Management group

These rules correspond to the following Protocol and ports.

Application rule	Protocol	Ports
COM+ Network Access (DCOM-In)	TCP	135
Remote Event Log Management (NP-In)	TCP	445
Remote Event Log Management (RPC)	TCP	RPC Dynamic Ports
Remote Event Log Management (RPC-EPMAP)	TCP	RPC Endpoint Mapper

NOTE: The RPC Dynamic ports range usually goes from 49152 to 65535, but it maybe different depending on the Windows version you are running. Use command "netsh int ipv4 show dynamicport tcp" to verify. RPC Endpoint Mapper dynamically assigns a port number to the client (in this case, Event Manager).

TIP: You can test these settings by using Event Viewer in an MMC snap-in from the Event Manager system, because it has the same requirements. Open Event Viewer and use option Connect to Another Computer... from the Action menu.

Additional Configuration

Configuration is required to be able to use the User Inactivity Datasource on Windows servers.

IMPORTANT: If you use this datasource for a Windows 2008 Server it is necessary to upgrade to a Powershell version 3 or greater in the remote Windows 2008 machine.

Windows systems

Validate access to administrative shares in the Remote Host

Administrative shares are a special feature of Windows NT servers that allow access to local drives as “hidden” shared resources by default, but they are limited only to administrative accounts. And for security policies, sometimes administrative shares are disabled.

The remote command execution actions need access to the ADMIN$ share, which represents the Windows installation path on the remote machine (by default it is C:\Windows). To check if the administrative share is enabled, try to log on to the remote admin folder from the Event Manager host using Windows Explorer.

Validate Remote Service Manager Access in the Remote Host

The Service Manager of the remote host needs to be accessed from the Event Manager host. To check if the remote Service Manager is accessible, just open your local service manager from the Event Manager host (you can do this by running the services.msc command), then right click on the services tree and select “connect to another computer”.

After entering the credentials, you should be able to see the services tree of the remote machine.

Copyright © Fortra, LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.
Version: 6.9 | April 2024