20.3 Configuring Auditing

The configuration of auditing with the SecureLogin Collector differs between workstations in Active Directory environments and workstations in non-Active Directory environments. The configuration involves enabling auditing on the target system and configuring the accounts that Sentinel uses to access the Windows Event Logs remotely. For more information, see the WMS Connector (Sentinel Connector and Collector).

20.3.1 Monitoring a System in a Domain Environment

In a domain environment, a domain account must be created that has the policy rights to access the Windows Security Event logs on the remote Event Sources. This domain user account must be recognized by the Event Sources either as a user within the domain, or a user within one of the groups referenced on the server.

Configuring Events Logged by Windows Event Log

Use the following procedure to enable basic Windows event logging for use with Windows Collectors. To collect data from a different application that writes to the Windows Event Log, refer to the documentation for the associated Collector. See the Sentinel Connector and Collector website.

To configure the Sensor to report Events to the Security Log:

  1. Log on to Windows with an account that has Administrative rights.

  2. Click Start > Settings > Control Panel.

  3. In the Control Panel window, double-click Administrative Tools.

  4. Double-click Local Security Policy; expand Local Policies, then double-click Audit Policy.

  5. Double-click a specific audit policy to edit the security settings.

  6. In the Local Security Setting window, select Success/Failure.

  7. Click OK.
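The steps above turn on auditing through the Local Security Policy console; the following added script (not part of the SecureLogin documentation) checks the audit policy that is actually in force on an event source, so that a domain-level override or a missed category is noticed before the Collector reports empty logs. It works at the subcategory level that auditpol reports, which is finer than the legacy categories shown in the console; the subcategory list is an assumption chosen for illustration, and the script is assumed to run in an elevated PowerShell session on the event source.

```powershell
# Added example, not from the SecureLogin documentation: report whether the
# effective audit policy logs both Success and Failure for the subcategories
# the Sentinel collector depends on. auditpol shows the effective setting,
# so a domain policy that overrides the local setting is reflected here.
# Assumption: run in an elevated PowerShell session on the event source.

# Subcategories relevant to login auditing (assumed list, adjust as needed).
$RequiredSubcategories = @('Logon', 'Logoff', 'Credential Validation', 'Audit Policy Change')

function Get-EffectiveAuditPolicy {
    # /r prints a CSV report with the header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv = auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' }
    $csv | ConvertFrom-Csv
}

function Test-AuditPolicy {
    param([string[]]$Subcategories)
    $policy = Get-EffectiveAuditPolicy
    foreach ($name in $Subcategories) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name }
        if (-not $row) {
            Write-Warning "Subcategory '$name' not reported by auditpol"
            continue
        }
        # 'Success and Failure' corresponds to selecting Success/Failure in the console.
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $row.'Inclusion Setting'
            Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

Test-AuditPolicy -Subcategories $RequiredSubcategories | Format-Table -AutoSize
```

Any row with Compliant = False means the corresponding events will not reach the Security log, and therefore not the Collector, until the policy is corrected at the level that currently wins (local or domain).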

Configuring Users to Collect Windows Event Log Remotely

  1. From the Event Source, click Start > Settings > Control Panel.

  2. In the Control Panel window, select Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Manage auditing and security log.

  3. Click Add.

  4. In Select Users/Groups, click Look in field and select the domain with the account to be used for collecting the security event log information.

  5. Double-click the account to be used, then click OK.

  6. In the Local Security Policy Settings window, click OK.

    The new policy setting takes effect after you restart the system.

    NOTE: If domain-level policy settings are defined, they override local policy settings.
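To confirm that the procedure above took effect, the following added script (not part of the SecureLogin documentation) checks on the event source that the collector account holds the "Manage auditing and security log" right (SeSecurityPrivilege), and then, from the Collector Manager, reads the Security log file metadata over WMI with that account, which exercises the same remote path the WMS Connector uses. The account name EXAMPLE\svc-sentinel and the event source name WS01 are placeholders.

```powershell
# Added example, not from the SecureLogin documentation.
# Test-SecurityLogRight: run elevated on the event source.
# Test-RemoteSecurityLog: run on the Collector Manager after the restart.
# 'EXAMPLE\svc-sentinel' and 'WS01' are placeholders, not real names.

function Test-SecurityLogRight {
    param([string]$Account)
    # secedit exports the user-rights assignments stored in the local security
    # database as an INI file; the privilege line lists '*SID' entries, comma separated.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Resolve the SID to DOMAIN\name so it can be compared with $Account.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else { $entry }
    }
    # Note: a grant through group membership shows the group, not the account.
    $holders -contains $Account
}

function Test-RemoteSecurityLog {
    param([string]$EventSource, [pscredential]$Credential)
    try {
        # Win32_NTEventlogFile is cheap to read and confirms DCOM/WMI access
        # plus permission to see the Security log, without pulling every event.
        $log = Get-WmiObject -ComputerName $EventSource -Credential $Credential `
                   -Class Win32_NTEventlogFile -Filter "LogfileName='Security'" -ErrorAction Stop
        Write-Host "Security log on $EventSource has $($log.NumberOfRecords) records"
        return $true
    } catch {
        Write-Warning "Cannot read Security log on ${EventSource}: $($_.Exception.Message)"
        return $false
    }
}

Test-SecurityLogRight -Account 'EXAMPLE\svc-sentinel'
Test-RemoteSecurityLog -EventSource 'WS01' -Credential (Get-Credential 'EXAMPLE\svc-sentinel')
```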

Setting up the Windows Management Instrumentation Service

  1. Log in to the remote computer and click Start > Settings > Control Panel.

  2. In the Control Panel window, double-click Administrative Tools > Computer Management.

  3. In the Computer Management window, on the Tree tab expand Services and Applications; right-click WMI Control, then select Properties.

  4. In the WMI Control Properties window, select the Security tab.

  5. Select the Root folder, then click Security to open the Security for Root dialog.

    If the User or Group that needs the remote WMI access does not appear in the list, click Add.

  6. From the Select Users, Computers, or Groups window, select the user or group that needs remote WMI access, then click Add.

  7. After you finish selecting users or groups, click OK.

  8. Select the newly added user or group and ensure that it has at least the following permissions, depending on which type of Event log you want to access:

    • Execute Methods

    • Provider Write

    • Enable Account

    • Remote Enable

  9. With the user or group still highlighted, click Advanced.

  10. Select the group, then click View/Edit, to open the Permission Entry for Root dialog.

  11. From the Apply onto list, select This namespace and sub namespaces.

  12. Click OK on each dialog until you return to the Computer Management window.

  13. Restart the WMI service. See Starting and Stopping the WMI Service.
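The following added script (not part of the SecureLogin documentation) reads the DACL of the root WMI namespace on the event source and checks that the collector account holds the four permissions granted in steps 8 through 11 and that the entry applies to sub-namespaces. The access-mask and ACE-flag bit values are the ones documented for Win32_ACE on WMI namespaces; EXAMPLE\svc-sentinel is a placeholder account and the script is assumed to run elevated on the event source.

```powershell
# Added example, not from the SecureLogin documentation: verify the root
# namespace ACE for the collector account. Assumption: run elevated on the
# event source; 'EXAMPLE\svc-sentinel' is a placeholder account name.

$Account = 'EXAMPLE\svc-sentinel'

# WMI namespace access-mask bits as documented for Win32_ACE:
# WBEM_ENABLE, WBEM_METHOD_EXECUTE, WBEM_WRITE_PROVIDER, WBEM_REMOTE_ACCESS.
$Rights = @{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
}
$ContainerInherit = 0x2   # AceFlags bit: "This namespace and sub namespaces"

function Get-WmiNamespaceAce {
    param([string]$Namespace = 'root', [string]$Trustee)
    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
               -Name GetSecurityDescriptor).Descriptor
    $sd.DACL | Where-Object {
        ('{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name) -eq $Trustee
    }
}

function Test-WmiCollectorAccess {
    param([string]$Trustee)
    $aces = @(Get-WmiNamespaceAce -Trustee $Trustee)
    if (-not $aces) { Write-Warning "No ACE for $Trustee on root"; return $false }
    # Combine the masks of all allow ACEs (AceType 0) for the trustee.
    $mask = 0; $inherits = $false
    foreach ($ace in ($aces | Where-Object { $_.AceType -eq 0 })) {
        $mask = $mask -bor $ace.AccessMask
        if ($ace.AceFlags -band $ContainerInherit) { $inherits = $true }
    }
    $missing = $Rights.GetEnumerator() |
               Where-Object { -not ($mask -band $_.Value) } |
               ForEach-Object { $_.Key }
    if ($missing)       { Write-Warning ('Missing: ' + ($missing -join ', ')) }
    if (-not $inherits) { Write-Warning 'ACE is not applied to sub namespaces' }
    return (-not $missing) -and $inherits
}

Test-WmiCollectorAccess -Trustee $Account
```

A result of False with a "Missing" warning means step 8 was not completed for that account; a False with the inheritance warning means step 11 (Apply onto: This namespace and sub namespaces) was skipped, so the Collector will be able to reach root but not the namespaces that hold the event log classes.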

Configuring Domain Account User COM/DCOM

The procedure to configure domain account user COM/DCOM differs based on the platform on the SecureLogin workstation. See the WMS Connector document (Sentinel Connector and Collector).

20.3.2 Monitoring a System in a Non-Domain Environment

In a non-domain environment, local accounts must be created on both the Collector Manager system and on the Event Source. These accounts must have the same username and password.

Configuring Events Logged by Windows Event Log

See Configuring Events Logged by Windows Event Log.

Configuring Users to Collect Windows Event Log Remotely

In a non-Active Directory environment, you must create a user account on each event source, that is, on each workstation running SecureLogin. The same username and password must be configured on the Collector Manager machine, where this user must be a member of the Administrators group. See Configuring Users to Collect Windows Event Log Remotely.

Setting up the Windows Management Instrumentation Service

See Setting up the Windows Management Instrumentation Service.

Configuring Domain Account User COM/DCOM

See Configuring Domain Account User COM/DCOM.