
SmartConnector Configuration Guide for

Microsoft Windows Event Log

March 25, 2008

SmartConnector Configuration Guide for Microsoft Windows Event Log, March 25, 2008

Copyright 2003-2008 ArcSight, Inc. All rights reserved. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight, Inc. All other brands, products and company names used herein may be trademarks of their respective owners. Follow this link to see a complete statement of ArcSight's copyrights, trademarks and acknowledgements: http://www.arcsight.com/copyrightnotice.

The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. This document is ArcSight Confidential.

Revision History

Dates (most recent first): 03/25/2008, 12/18/2007, 11/12/2007, 08/15/2007, 07/09/2007, 06/26/2007, 04/15/2007, 03/28/2007, 10/31/2006, 03/31/2006, 03/03/2005, 8/26/2004

Changes recorded (most recent first):
- Updated installation procedure and added 64-bit support for Microsoft Windows Server 2003 SP1 64-bit.
- For Windows Domain Event Log, added 64-bit support for Windows Server 2003 Enterprise Edition SP2 and for Windows Server 2003 R2 Enterprise Edition SP2. For Windows Local Event Log, added 64-bit support for Windows Server 2003 Enterprise Edition SP2 and for Windows Server 2003 R2 Enterprise Edition SP2.
- Updated polling interval configuration information. Added new installation parameter for enabling auto polling interval adjustment.
- Added "Advanced Configuration" section.
- Added upgrade and rollback procedures as well as additional information regarding supported Windows versions.
- Added deployment information and restructured information.
- Added configuration information for enabling audit policies.
- Removed field mappings as they are more fully documented in ArcSight SmartConnector Mappings to Windows Security Events: An Addendum to the ArcSight SmartConnector for Windows Event Log Configuration Guide.
- Added installation parameter plus overall upgrade of information, including reference to new Windows Event Log Events document.
- Changed supported platforms; dropped support for Windows 2000.
- Added FAQs related to workgroup workaround and using local DLL.

Contents

- Product Overview (4)
  - SID and GUID Translation (5)
- Configuring the Microsoft Windows Machine (5)
- Enabling Auditing Policies (6)
  - Setting Up an Audit Policy (6)
  - Auditing a Local System (6)
  - Auditing Within a Domain (8)
  - Setting Up an Audit Policy for a Domain (8)
- Deploying SmartConnectors for Microsoft Windows Event Log (9)
  - Technical Overview (9)
  - Special Privilege Requirements (11)
    - Testing for Account Privilege (11)
  - Bandwidth Requirements (11)
  - User Configuration (12)
  - SmartConnector Placement (12)
    - Pure LAN Environment (12)
    - Multi-Datacenter Environment (13)
    - Hub and Spoke Environment (14)
  - Configuration Recommendations (16)
    - Polling Interval (ms) (16)
    - Mode (17)
    - Batch Query Buffer Size (17)
    - Buffer Allocation (18)
    - Additional Configurable Parameters (18)
  - Tuning Guidelines (19)
  - Deployment Example (21)
- Advanced Configuration Options (22)
  - Changing the Polling Interval Auto Adjustment (22)
  - Enabling and Disabling SID Translation (22)
  - Enabling and Disabling GUID Translation (23)
- Configuration (24)
  - Configuring the SmartConnector (24)
  - Configuring Windows Connectors to Capture Print Events (25)
- Installing the SmartConnector (25)
  - ArcSight ESM Installation (25)
  - SmartConnector Installation (26)
  - Uninstalling a SmartConnector (28)
  - Upgrading a SmartConnector (28)
- Troubleshooting (29)

SmartConnector for Microsoft Windows Event Log

SmartConnector Configuration Guide for Microsoft Windows Event Log


This guide provides information for installing the SmartConnector for Microsoft Windows Domain Event Log and SmartConnector for Microsoft Windows Local Event Log (New) and configuring the device for event log collection. These SmartConnectors are supported for installation on:

- Windows XP Professional Service Pack 2
- Windows Server 2003 Service Pack 1 32-bit and 64-bit
- Windows Server 2003 Service Pack 2 32-bit and 64-bit
- Windows Server 2003 R2 Service Pack 2 64-bit

The SmartConnector for Microsoft Windows Local Event Log (New) also provides Microsoft Windows Server 2003 Service Pack 1 64-bit support. The connectors can be configured to collect events from various other Windows versions including Windows 2000 regardless of the operating system the connector is running on. The operating system and service pack of the system where the connector is installed is significant because the SmartConnector for Microsoft Windows Event Log relies on a Windows API that has, in past versions, contained various bugs that significantly impact the performance of the connector. Microsoft has fixed the Windows API bugs in the service packs for the supported operating systems mentioned above.

Product Overview
System administrators use the Windows Event Log for troubleshooting errors. Each entry in the event log can have a severity of Error, Warning, Information, Success Audit, or Failure Audit. There are three default Windows Event Logs:

- Application log (tracks events that occur in a registered application)
- Security log (tracks security changes and possible breaches in security)
- System log (tracks system events)
Security events are not audited by default. Be sure to specify the type of system events to be audited (see "Enabling Auditing Policies" in this document).

The SmartConnector for Microsoft Windows Local Event Log (New) collects events from the Windows Event Log. The SmartConnector for Microsoft Windows Domain Event Log lets you collect Microsoft Windows Event Log events from multiple remote machines and forward them into the ArcSight system. Therefore, if you have multiple occurrences of the same application installed on different machines in one domain, install the SmartConnector for Microsoft Windows Domain Event Log on one of these machines. See ArcSight SmartConnector Mappings to Windows Security Events for the specific Windows Event Log events mapped to fields in the ArcSight database.

ArcSight Confidential

Configuration Guide

SID and GUID Translation


Security Identifier (SID) and Global Unique Identifier (GUID) translation is a feature added to the SmartConnector for Microsoft Windows Event Log earlier this year. Without translation, ArcSight users would see multiple ArcSight fields in SID/GUID format, which is not meaningful. For example, the source user name field could appear as "S-1-5-32-544." By performing an SID translation, "Administrator" is shown as the source user name rather than the meaningless value. This translation can help ArcSight users to identify security objects. SID is used within Windows NT and 2000 as a value to uniquely identify an object such as a user or a group. The SID assigned to a user becomes part of the access token, which is then attached to any action attempted or process executed by that user or group. GUID is a term used by Microsoft for a number that its software generates to create a unique identity for an entity such as a Word document. GUIDs are used widely in Microsoft products to identify interfaces, replica sets, records, and other objects. Different kinds of objects have different kinds of GUIDs; for instance, a Microsoft Access database uses a 16-byte field to establish a unique identifier for replication. See "Advanced Configuration" later in this document for steps to enable or disable SID and GUID translation.

Configuring the Microsoft Windows Machine


This section provides instructions for configuring the Microsoft Windows Event Log device to send events to the ArcSight SmartConnector. To configure the Windows machine:

1. Open the Event Viewer.
2. In the Event Viewer, right-click Application Log and select Properties.
3. In the Application Log Properties window, select the General tab.
4. In the Log size section, select the Overwrite events as needed radio button.
5. Click OK.
6. Repeat steps 2 through 5 for the Security Log and System Log in the Event Viewer.
7. Enable Security audit (by default, it is not enabled) if you want the SmartConnector for Microsoft Windows Event Log to get Security events from this machine. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy to enable security audit collection.


Enabling Auditing Policies


Because event information generated by Windows servers is based upon which auditing policies are enabled, you should ensure the appropriate auditing policies are enabled on those Windows servers from which ArcSight will be collecting information. By default, none of the Windows auditing features are turned on. Creating an effective audit policy is a fine balancing act between auditing enough events to be effective, but not so many events that the ones that really matter get lost. When planning which events to audit, keep in mind that auditing events consumes system resources such as memory, processing power, and disk space. The more events you audit, the more of these resources are consumed. Auditing an excessive number of events may dramatically slow down your servers.
You must be logged on as an administrator or a member of the Administrators group to set up audit policies. If your computer is connected to a network, network policy settings might also prevent you from setting up audit policies.

Setting Up an Audit Policy


The method used to create an audit policy varies slightly depending upon whether the policy is being created on a member server, a domain controller, or a stand-alone server. To configure a domain controller, member server, or workstation, use Active Directory Users and Computers. To configure a system that does not participate in a domain, use Local Security Settings.

Auditing a Local System


To establish an audit policy on a local system:

1. Select Start -> Control Panel -> Administrative Tools -> Local Security Policy.
2. Double-click on Local Policy in the Security Settings tree to expand it.
3. Select Audit Policy from the tree. Doing so reveals the auditing information for that system.

To enable auditing for any of the areas, double-click on the type of audit; a dialog box such as the following is displayed, letting you choose to perform a Success or a Failure audit (or both) on that type of event.

To audit objects such as the Registry, printers, files, or folders, select the Object Access option. Otherwise, when you attempt to enable auditing for these objects, an error is displayed instructing you to make the necessary adjustments to the local audit policy (or, in the case of a domain environment, to the domain audit policy).

Once you have enabled auditing, go through the system and fine-tune the type of events that will be audited in each category.

Auditing Within a Domain


To set up an audit policy for a domain controller:

1. Choose Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.
2. Navigate through the console tree to the domain you want to work with. Expand the domain. Beneath the domain, you will see a Computers object and a Domain Controllers object. Select the appropriate object for your system and right-click on Domain Controllers. The Domain Controller's properties sheet is displayed.
3. Select the Group Policy tab. Select the group policy to which you want to apply the audit policy and click Edit. Navigate through the tree to Default Domain Controllers Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy. When you select Audit Policy, a list of audit events is displayed in the right pane.

To audit a group of events, double-click on the group; a dialog box is displayed that lets you enable Success, Failure, or both audits for that group of events.

After enabling auditing for a group of events, fine-tune the exact events you want to audit.

Setting Up an Audit Policy for a Domain


To set up auditing for all computers under a domain:

1. Click Start -> Administrative Tools -> Domain Security Policy.
2. Open Default Domain Security Settings.
3. Expand Security Settings if it is not already open.
4. Expand Local Policy and double-click on Audit Policy. A list of audit events is displayed in the right pane.

To audit a group of events, double-click on the group; a dialog box is displayed that lets you enable Success, Failure, or both audits for that group of events.
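After working through the GUI steps above, you can verify the result on the machine itself: the retention setting chosen in "Configuring the Microsoft Windows Machine" and which audit categories are actually enabled. The following PowerShell is an added example, not from the ArcSight guide; it assumes Windows PowerShell run from an elevated prompt, and the function names and the temporary export path are mine.

```powershell
function Get-EventLogRetentionSetting {
    param([string[]] $LogName = @('Application', 'Security', 'System'))
    foreach ($log in $LogName) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log"
        $props = Get-ItemProperty -Path $key -ErrorAction Stop
        # Retention (REG_DWORD): 0 = overwrite as needed; 0xFFFFFFFF (read back
        # as -1) = never overwrite; any other value = seconds an event is kept.
        $mode = switch ($props.Retention) {
            0                                    { 'Overwrite events as needed' }
            { $_ -eq -1 -or $_ -eq 4294967295 }  { 'Do not overwrite (clear log manually)' }
            default                              { "Overwrite events older than $([int]($_ / 86400)) days" }
        }
        [pscustomobject]@{
            Log          = $log
            MaxSizeBytes = $props.MaxSize
            Mode         = $mode
            MatchesGuide = ($props.Retention -eq 0)   # step 4 of the configuration procedure
        }
    }
}

function Get-LocalAuditPolicy {
    # secedit exports the effective local security policy as an INF file whose
    # [Event Audit] section holds one line per category, e.g. AuditLogonEvents = 3.
    # Bit 1 = Success, bit 2 = Failure, 0 = no auditing (the Windows default).
    $inf = Join-Path $env:TEMP 'audit-policy-export.inf'   # constructed path
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }
    $lines = Get-Content -Path $inf
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    $inSection = $false
    foreach ($line in $lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^(Audit\w+)\s*=\s*(\d+)') {
            $value = [int]$Matches[2]
            [pscustomobject]@{
                Category = $Matches[1]
                Success  = [bool]($value -band 1)
                Failure  = [bool]($value -band 2)
            }
        }
    }
}

# Usage: retention of the three default logs, then the audit categories that are
# still off. Everything is off by default, so the second table is the list of
# categories the GUI procedure has not yet enabled on this machine.
Get-EventLogRetentionSetting | Format-Table -AutoSize
Get-LocalAuditPolicy | Where-Object { -not ($_.Success -or $_.Failure) } |
    Format-Table Category, Success, Failure -AutoSize
```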

Deploying SmartConnectors for Microsoft Windows Event Log


The SmartConnector for Microsoft Windows Event Log collects events from Microsoft Windows-based computers throughout a domain. This section is intended to provide a deployment strategy that offers the most efficient collection of Microsoft Windows Event Log events for your environment. Technical details about the functions of the SmartConnector, as well as deployment considerations, best practices, and tuning recommendations also are provided.

Technical Overview
The SmartConnector for Microsoft Windows Domain Event Log uses a Microsoft API to collect events from remote servers. The SmartConnector follows this process for each Windows machine from which it collects events:

1. Verifies registry access to the remote machine through the Remote Registry Service.
2. Enumerates applications that write to the Event Log; searches the registry for Event Log DLLs used to decode Event Log events.
3. Checks the registry to identify the system drive and system root path.
4. Uses the Microsoft API to retrieve binary events from the remote Event Log.
5. Decodes binary events to readable ASCII text.
   a. Retrieves and loads the Event Log DLL for the specific event (DLLs are cached once they have been loaded).
   b. Decodes and parses the event.
6. If events contain SIDs or GUIDs, sends the event to a queue for translation.
   a. Translates SIDs/GUIDs.
   b. Stores the translated SID/GUID for future reference.
7. Forwards events to the ArcSight ESM Manager.

The first three steps in the process require registry access through the Remote Registry Service of the Windows machine from which the SmartConnector is collecting events. Each of these steps is performed only when the SmartConnector initiates a connection to the remote machine. See "Testing for Account Privilege" in "Configuring the SmartConnector" to determine whether you have appropriate permissions to let the SmartConnector access the registry remotely.

The fourth step occurs repeatedly, based upon a configurable interval, to get a continuous stream of events.

The fifth step (decoding binary events) is critical if Windows Event Log events are to be displayed with any meaningful information within ArcSight ESM. Each application that writes events to the Windows Event Log registers a DLL with the operating system, allowing the Windows Event Log to decode and display the event. Even the Windows Security Events have DLLs that provide decoding information. For the SmartConnector to decode Event Log events, it must be able to load the application-specific Event Log DLL. The Event Log DLLs are found by enumerating the following registry keys to locate the EventMessageFile, CategoryMessageFile, and ParameterMessageFile for each application:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<Eventlog_Type>\<Event_Source>

where <Eventlog_Type> is Application, System, or Security and <Event_Source> is the application or service that generates the event.

The sixth step is useful for bringing additional information into the Windows Event Log events. In some cases, an event can be stored with an SID or GUID that uniquely identifies a user or active directory object within a Windows domain. These IDs are long alpha-numeric strings that are not very useful for event analysis. The SmartConnector attempts to translate these IDs into a username or active directory object name in an effort to make the events more meaningful for security analysts.
The seventh step employs the same mechanism used by all other ArcSight SmartConnectors to forward the events to the ArcSight ESM Manager.


Special Privilege Requirements


As mentioned in "Technical Background," it is critical for the SmartConnector to have access to the administrative share of the system drive on the Windows machine from which it is collecting Event Log events. By accessing this share, the SmartConnector finds the DLL file in the system root directory that is needed for decoding application specific events from the System Log and Application Log. If the Windows operating system is installed on the C: drive of a host called Cupertino-DC01, the SmartConnector will access the DLL files using the \\Cupertino-DC01\C$ share. Of course, connecting to the C$ share requires the SmartConnector to authenticate with a user that has at least local administrative privileges on the Windows machine from which it is collecting events. If collecting System Log and Application Log events is not a requirement, the SmartConnector can be configured to use any domain user, as long as that user has been given remote registry access and Event Log access on the Windows machine from which the SmartConnector is collecting events. The SmartConnector can process Security Log events without any administrative privileges because only the operating system writes to the Security Log. This means that the DLL needed to decode Security Log events is present on every Windows machine, including the server on which the SmartConnector is installed.

Testing for Account Privilege


To test whether your current user account has adequate privilege for collecting events, open the command prompt on the SmartConnector machine and issue the following command:

  cacls \\Target_NT_IP\c$\windows\system32\msaudite.dll
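The registry, administrative share and Event Log prerequisites described in "Technical Overview" and tested above with cacls can be checked together from the SmartConnector machine. The following is an added example, not part of the ArcSight guide; it assumes Windows PowerShell 5.1 run as the account the connector will use, and the function name and the placeholder host name TARGET-HOST are mine.

```powershell
function Test-EventLogCollectionPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $LogName = 'Security'
    )

    $result = [ordered]@{
        ComputerName   = $ComputerName
        RemoteRegistry = $false   # steps 1-3 of the collection process
        AdminShare     = $false   # the C$ share that holds the decoding DLLs
        EventLogRead   = $false   # step 4, reading the log itself
        MessageFiles   = @()      # DLLs registered under Eventlog\<LogName>
    }
    $sysRoot = 'C:\WINDOWS'   # fallback if SystemRoot cannot be read remotely
    $hklm = $null

    # Step 1: the connector first needs the Remote Registry Service.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $result.RemoteRegistry = $true
    } catch {
        Write-Warning "Remote Registry unavailable on ${ComputerName}: $($_.Exception.Message)"
    }

    if ($hklm) {
        # Step 3: system root, so %SystemRoot% in message file paths can be expanded.
        $winNt = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        if ($winNt) { $sysRoot = [string]$winNt.GetValue('SystemRoot', $sysRoot) }

        # Step 2: enumerate the event sources of the log and the message files
        # (EventMessageFile / CategoryMessageFile / ParameterMessageFile) each one
        # registers; these are the DLLs the connector must be able to load.
        $logKey = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\Eventlog\$LogName")
        if ($logKey) {
            foreach ($source in $logKey.GetSubKeyNames()) {
                $src = $logKey.OpenSubKey($source)
                foreach ($kind in 'EventMessageFile', 'CategoryMessageFile', 'ParameterMessageFile') {
                    $raw = $src.GetValue($kind, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                    if (-not $raw) { continue }
                    # A value may list several DLLs separated by ';'.
                    foreach ($path in ([string]$raw -split ';')) {
                        $result.MessageFiles += [pscustomobject]@{
                            Source = $source
                            Kind   = $kind
                            Path   = $path.Trim() -replace '%SystemRoot%', $sysRoot
                        }
                    }
                }
            }
        }
        $hklm.Close()
    }

    # "Testing for Account Privilege": the guide's cacls check targets
    # \\host\C$\windows\system32\msaudite.dll. Test-Path reaches the same share
    # and file with the current credentials (local administrator rights needed).
    $shareRoot = '\\' + $ComputerName + '\' + ($sysRoot -replace '^([A-Za-z]):', '$1$$')
    $result.AdminShare = Test-Path -Path (Join-Path $shareRoot 'system32\msaudite.dll')

    # Step 4: confirm the account can read the chosen log at all.
    try {
        $null = Get-EventLog -ComputerName $ComputerName -LogName $LogName -Newest 1 -ErrorAction Stop
        $result.EventLogRead = $true
    } catch {
        Write-Warning "Cannot read the $LogName log on ${ComputerName}: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Usage (host name is a placeholder): a pass/fail summary, then the DLLs the
# connector would have to load to decode this log's events.
$check = Test-EventLogCollectionPrereqs -ComputerName 'TARGET-HOST' -LogName 'Security'
$check | Select-Object ComputerName, RemoteRegistry, AdminShare, EventLogRead
$check.MessageFiles | Sort-Object Source, Kind | Format-Table -AutoSize
```

A host that passes RemoteRegistry and EventLogRead but fails AdminShare is the case the guide describes for a non-administrative user: Security events can still be decoded with Use Local DLL, but Application and System events cannot.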

Bandwidth Requirements
The SmartConnector for Microsoft Windows Domain Event Log has fairly intensive bandwidth requirements. The Microsoft API employed by the SmartConnector does not compress data for transit, and Event Log events can be as large as 2,000 bytes per event. The ArcSight Development Team observed an average event size of about 500 bytes during internal testing, but this may vary depending upon the types of events that occur in an environment. Based upon the estimated average event size, you can estimate the amount of bandwidth that will be consumed by the collection of Event Log events from a single server. For a server that generates an average of 100 events per second, the data transfer will consume an estimated average of about 400 kilobits per second of bandwidth, not including packet data overhead such as SMB headers, TCP headers, and so on. Collecting events from such a server potentially could consume nearly one third of the bandwidth on a typical T1 WAN connection. Review the "Best Practices" section of this guide for recommendations related to SmartConnector deployment in a bandwidth-restricted environment.


User Configuration
The easiest option is to configure the SmartConnector with a user that has domain administrative privileges, but this may not be feasible in some organizations. The next best option is to configure the SmartConnector with a regular domain user and grant the domain user local administrative privileges on each of the Windows machines from which the SmartConnector will be collecting events. Finally, if neither of these options is feasible, the SmartConnector can be configured with a regular domain user and the "Use Local DLL" parameter enabled, which lets it collect Security Log events from remote Windows machines.

SmartConnector Placement
Be sure to consider your environment's network topology when deploying this SmartConnector. As previously mentioned, the SmartConnector's performance is heavily affected by available bandwidth. There are several options available for placement of the SmartConnector: Pure LAN, Multi-Datacenter, and Hub-and-Spoke.

Pure LAN Environment


In a LAN, the SmartConnector should have ample bandwidth to keep up with the event throughput of the servers from which it is collecting events. For a pure LAN environment, plan for at least one SmartConnector per 35 servers. The number of servers from which a single SmartConnector can collect events is ultimately determined by the event rate and the bandwidth available for each server from which the SmartConnector is collecting events. In a LAN environment, you can expect the SmartConnector to sustain an average event rate of about 250 to 300 events per second.


Multi-Datacenter Environment
In a multi-datacenter environment, you can have multiple domain controllers in each datacenter from which to collect events. In such an environment, ArcSight recommends that a SmartConnector be deployed at each datacenter. In this configuration, event collection occurs over the LAN, allowing more efficient data transfer over the lower bandwidth WAN links due to ArcSight's compressed data transport method.


Hub and Spoke Environment


In a large hub and spoke environment, it is usually not realistic to deploy a SmartConnector at every remote site. In this environment, install one or more SmartConnectors at the "hub" network to collect events from each of the remote sites.

The SmartConnector's performance in this environment relies heavily upon the bandwidth available to the remote sites. For low bandwidth links, ArcSight recommends not exceeding ten to fifteen servers per SmartConnector, depending upon the event rate of each server. See "Tuning Guidelines" for instructions about finding optimum settings for your environment. In general terms, ArcSight recommends grouping servers per SmartConnector based upon the remote servers' characteristics, such as available bandwidth and event rate. See the following example.

Example: A-Company, Inc. has 25 remote sites with two domain controllers at each site, and a main office with four domain controllers connected to the LAN. The four domain controllers at the main office each generate about 10,000 events per hour, or roughly 3 events per second. Ten of the remote sites have a dedicated T1 connecting back to the main office. Each of the servers at these ten sites averages about 2000 events per hour, or roughly one event every two seconds. The remaining 15 sites connect to the main office through frame relay connections with a 512 Kbps committed information rate and average about 500 events per hour, or roughly one event every ten seconds.

In this example, some of the remote sites may require different SmartConnector configurations to optimize bandwidth usage. Grouping all of these servers together on a single SmartConnector may be the easiest installation method, but will likely lead to excessive bandwidth usage over the low bandwidth links. If you were to optimize the SmartConnector for the low bandwidth links, the performance would suffer for the higher bandwidth, higher event rate sites. In this case, it makes sense to have more than one SmartConnector installation, whereby the servers at the remote sites are grouped based upon the bandwidth and event rate characteristics. Using this deployment method lets you optimize one SmartConnector for low bandwidth, low event rate sites, while the other SmartConnectors are configured to provide higher performance.

Note that you will not be able to effectively collect events from a high event rate server over a low bandwidth link. In a scenario like this, the SmartConnector will continually fall behind the real-time events and the bandwidth of the link will likely be saturated by all of the Windows Event Log traffic. See the following diagram for an illustration of this example.


Configuration Recommendations
During the installation of the SmartConnector for Microsoft Windows Domain Event Log, you have several configuration options that let you tune the SmartConnector for your environment. The default parameters are optimal for a typical LAN installation, but if your environment is more complex, you may need to adjust some of these parameters. This section provides an explanation for the parameters and offers some recommendations to help you with your installation. Keep in mind that these recommended settings may require further fine tuning to find the best setting for your environment. The following parameters are available during the SmartConnector for Microsoft Windows Domain Event Log installation:

- Polling Interval (ms)
- Domain Name
- Domain User
- Domain User Password
- Mode
- Batch Query Buffer Size
- Batch Query Buffer Allocation
- Enable Auto polling interval

Polling Interval (ms)


This value (in milliseconds) specifies how frequently the SmartConnector is to query a server for new events. If the value for the polling interval is set too high, the SmartConnector adjusts the value automatically by decreasing it by half until settling upon an interval that lets the SmartConnector keep up with the flow of new events. The default setting is appropriate for LAN applications; however, you can increase the value to as high as 10000 milliseconds for low bandwidth, low event rate servers. Be sure to consider the event rate of your servers to avoid setting this parameter too high. If the SmartConnector is to collect 100 new events each time it queries the server, it can fall behind the real-time events (especially over low bandwidth networks), forcing the SmartConnector to automatically adjust the interval.
You can choose to disable auto polling interval adjustment during SmartConnector installation by selecting False for the Enable auto polling interval option.

Recommended Setting:
- High Bandwidth/High Event Rate - 200
- Medium Bandwidth/Medium Event Rate - 500-1000
- Low Bandwidth/Low Event Rate - 2000+


Mode
Single Process or Multi-Process mode refers to the number of ntcollector.exe processes to be executed by the SmartConnector. The ntcollector.exe process is the process the SmartConnector uses to interface with the Microsoft API. In most cases, Single Process mode is ideal; however, if you must collect events from servers with varying event rate and bandwidth characteristics, using Multi-Process mode can help ease the burden on the SmartConnector by spreading the API calls across multiple processes. If one of the processes has to be restarted due to an unresponsive server, the other processes continue operating without interference.

Recommended Setting:
- High Bandwidth/High Event Rate - Single Process mode
- Low Bandwidth/Low Event Rate - Multi-Process mode

Batch Query Buffer Size


This parameter specifies the amount of buffer to be allocated by the remote server when sending events back to the SmartConnector. The default buffer size of eight kilobytes is ideal for high event rate servers communicating with the SmartConnector over a LAN. ArcSight uses a buffer to enhance the performance of the SmartConnector by allowing remote servers to send large batches of events at one time. The buffer size essentially instructs the remote server to send as many events as it can fit into the eight kilobyte buffer. The drawback to this approach is that the remote server allocates the buffer whether or not it has events to send. If an eight kilobyte buffer is allocated, and the server only has 500 bytes of events to send, the server sends the 500 bytes of event data along with 7.5 kilobytes of padding to fill the buffer. This behavior causes buffering to be very inefficient on low bandwidth networks, which is why this parameter is configurable. ArcSight recommends setting this parameter to the lowest configurable value of 512 bytes for low bandwidth networks. Of course, using such a small buffer will have a performance impact on servers with high event rates.

Recommended Setting:
- High Bandwidth/High Event Rate - 8192
- Medium Bandwidth/Medium Event Rate - 2048
- Low Bandwidth/Low Event Rate - 512


Buffer Allocation
There is also a new configurable parameter available in the SmartConnector Configuration Wizard worth mentioning. This parameter is Buffer Allocation; the available options are Minimize and Maximize. You can use this parameter to regulate how the SmartConnector uses dynamic buffer allocation. The Maximize option lets the SmartConnector allocate a buffer size best suited for performance. If the configured "Batch Query Buffer Size" is too small to retrieve a batch of events, the SmartConnector automatically increases the buffer size and continues to use the increased buffer size rather than the configured buffer size. The Minimize option lets the SmartConnector allocate a buffer size best suited for bandwidth conservation. In this case, if the configured "Batch Query Buffer Size" is too small to retrieve a batch of events, the SmartConnector automatically increases the buffer size to get the current event. The SmartConnector reverts back to the configured buffer size for subsequent batches of events.

Recommended Setting:
High Bandwidth/High Event Rate - Maximize
Medium Bandwidth/Medium Event Rate - Minimize
Low Bandwidth/Low Event Rate - Minimize

Additional Configurable Parameters


The SmartConnector for Microsoft Windows Domain Event Log has a number of configurable internal parameters in addition to the parameters previously discussed. This guide focuses on internal parameters related to SmartConnector performance and user privileges. Do not modify any other parameters unless directed to do so by ArcSight Customer Support. To modify internal parameters, run the Connector Configuration Tool by executing arcsight connectorsetup from the SmartConnector's bin directory and selecting No when prompted to launch wizard mode. When the tool starts, click on the Options menu and check the "Show Internal Parameters" checkbox.


Click on the nt_collector object in the left window pane to display the configuration options in the right window pane. When collecting only Security events with a user who lacks administrative privileges, enable the Use Local DLL option to ensure that the security events are decoded properly.

For installations using Multi-Process mode, you may want to adjust the maxprocesses parameter. One process can collect events from multiple servers. For example, if you have 20 servers, you can use four processes, allowing for one process per five servers.

The threadtimeout parameter tells the SmartConnector how long to wait for new events before the process is considered stale. Once a process is determined to be stale, the SmartConnector attempts to kill it and spawn a new process. The default timeout is 600000 milliseconds, or ten minutes.

Tuning Guidelines
The first step in tuning the SmartConnector for Microsoft Windows Domain Event Log is to get a rough estimate of the events per second your servers are generating. In most cases, you can determine immediately which servers are busiest. Create a text file with the names of all of these servers. Next, group together all of the servers that generate lower event rates and add these servers to the file under a different heading. Consider having three groups: one for servers that generate 75+ events per second, another for servers that generate 20-75 events per second, and a third for servers that generate 1-20 events per second. If these values do not reflect your environment or if you have questions about the most appropriate approach for your situation, open a case with ArcSight Customer Support for further assistance.

Next, check the event rates of all of these servers by taking the event count for a period of time and estimating the events per second. Repeat this process at three different times throughout the day and then use the highest value. To estimate the event rate for a given server:

1 Open the Windows Event Viewer on the server from which you will be collecting events.

2 Click on the Security log and note the number of events in the log (displayed directly above the header of the events). Note the time on the newest event and scroll down to the end of the log to note the time of the last event in the log. Round out to the nearest hour and calculate the number of hours between the time of the oldest event and the newest event in the log. Then convert the hours to minutes, adding the remaining minutes from the difference. For example, if the timestamp on the last event is 2:40 PM and the timestamp on the newest event is 9:00 PM, the difference in hours would be six (rounding 2:40 up to 3:00 and then subtracting three from nine), converting to 180 minutes. Then add the remaining 20 minutes to get a total of 200 minutes. Convert the minutes to seconds by multiplying by 60: 200 minutes times 60 seconds converts to 12000 seconds.


Take the number of events in the log and divide by the number of seconds to get the estimated events per second. If there were 42,000 events in the log from 2:40 PM to 9:00 PM, the event rate for this log would be 3.5 events per second (42000 divided by 12000). Be sure to repeat this process for each log (Security, System and Application) that you plan to collect events from and then add the event rates together. After the event rate is calculated for a given server, make a note of it next to the server name in the text file you already started. Once the event rate has been calculated for all of your servers, review the text file and make sure that the servers are grouped appropriately.

3 Verify that the SmartConnector will be able to keep up with the event rate of the servers from which it is collecting. If the SmartConnector cannot do so, it is most likely due to bandwidth constraints. If you are trying to collect 500 kilobits per second of events over a heavily utilized T1, the SmartConnector may have a difficult time keeping up. You can test the event throughput available to the SmartConnector by running the arcsight ntcollectordiag utility from the bin directory of the SmartConnector installation.
The command is executed as follows:

arcsight agent ntcollectordiag -domain <domain_name> -user <user_name> -password <user_password> -configfile <config_file_path_name> -resultfile <result_file_path_name>

where:
<domain_name> is replaced with your valid domain name
<user_name> is replaced with the user name with which the Connector is configured
<user_password> is replaced with the password of the user with which the Connector is configured
<config_file_path_name> is replaced with the full path and filename of the ntcollector_resources.txt file
<result_file_path_name> is replaced with the file into which the utility is to write its output

The results file will contain several useful bits of troubleshooting detail, including a test poll of each server to determine the event throughput available to the SmartConnector. Here is an example of the output for which you will be looking:

Succeed to access registry for SERVER_A
Succeed to load remote DLL from \\SERVER_A
Succeed to access SECURITY eventlog for SERVER_A
Reading 1024 events from SERVER_A with eps 10.032514

Compare the 'eps' output for each server with the estimated event rate of that server. If the 'eps' from ntcollectordiag is higher than the server's estimated event rate, you are in a good position to keep up with the event rate of the remote server. If the 'eps' from ntcollectordiag is lower than the server's estimated event rate, your best option is to deploy a SmartConnector on the same local LAN as the server from which it is collecting events. If the SmartConnector is still unable to keep up with the events of the server, contact ArcSight Customer Support to investigate the issue further.


4 The final step in the tuning process is to install a separate SmartConnector for each group of servers that you have identified in the preceding steps and then configure the Polling Interval, Batch Query Buffer Size, and Buffer Allocation to match the characteristics of each group of servers. See the Best Practices/SmartConnector Placement section for more information about installing multiple SmartConnectors in your environment and selecting an appropriate configuration for your environment.
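As an added example (not ArcSight's own code or tooling), the following Python script carries out the tuning procedure above: it estimates each server's events per second from an event count and the oldest and newest timestamps, places the server in one of the three groups, looks up the Mode, Batch Query Buffer Size and Buffer Allocation recommended earlier in this guide for that group (the guide gives no Mode recommendation for the medium group), and compares the estimate with the 'eps' figures parsed from ntcollectordiag output. The server names, counts, timestamps and diag lines are constructed; the time span is computed exactly rather than rounded to the hour, and the polling interval follows the rule of thumb given later in this guide (200 ms up to five events per second, otherwise roughly 1000 divided by the event rate).

```python
"""Tuning helper for the SmartConnector for Microsoft Windows Domain Event Log.
Added example, not ArcSight code. Server names, counts, timestamps and the
ntcollectordiag output below are constructed sample data."""
import re
from datetime import datetime

# Recommended settings per group, taken from this guide's tables:
# (label, Mode, Batch Query Buffer Size in bytes, Buffer Allocation).
# The guide lists no Mode row for the medium group, hence None.
BANDS = {
    "high":   ("High Bandwidth/High Event Rate",     "Single Process", 8192, "Maximize"),
    "medium": ("Medium Bandwidth/Medium Event Rate", None,             2048, "Minimize"),
    "low":    ("Low Bandwidth/Low Event Rate",       "Multi-Process",  512,  "Minimize"),
}
DEFAULT_POLLING_MS = 200  # default interval; supports up to 5 eps per machine


def estimate_eps(event_count, oldest, newest):
    """Events in the log divided by the span between oldest and newest event.
    The guide rounds the span to the hour by hand; here it is computed exactly."""
    span = (newest - oldest).total_seconds()
    if span <= 0:
        raise ValueError("newest event must be later than oldest event")
    return event_count / span


def band_for(eps):
    """Guide's grouping: 75+ eps high, 20-75 medium, below 20 low."""
    if eps >= 75:
        return "high"
    if eps >= 20:
        return "medium"
    return "low"


def polling_interval_ms(eps):
    """Rule of thumb from the guide: keep 200 ms up to 5 eps, else about 1000/eps."""
    if eps <= 5:
        return DEFAULT_POLLING_MS
    return max(1, round(1000 / eps))


# Matches the per-server throughput line in the ntcollectordiag result file.
DIAG_LINE = re.compile(r"Reading (\d+) events from (\S+) with eps ([\d.]+)")


def parse_diag(text):
    """Return {server: measured eps} from ntcollectordiag output."""
    return {m.group(2): float(m.group(3)) for m in DIAG_LINE.finditer(text)}


def plan(servers, diag_text=""):
    """servers: {name: (event_count, oldest_ts, newest_ts)}, counts summed over
    the logs collected from that server. Returns, per server, the estimate, the
    group, the recommended settings and whether the measured diag eps exceeds
    the estimate (the guide's test for the connector keeping up)."""
    measured = parse_diag(diag_text)
    result = {}
    for name, (count, oldest, newest) in servers.items():
        eps = estimate_eps(count, oldest, newest)
        band = band_for(eps)
        label, mode, buf, alloc = BANDS[band]
        diag_eps = measured.get(name)
        result[name] = {
            "eps": round(eps, 2), "band": band, "group": label, "mode": mode,
            "batch_query_buffer_size": buf, "buffer_allocation": alloc,
            "polling_interval_ms": polling_interval_ms(eps),
            "diag_eps": diag_eps,
            # None when the server did not appear in the diag output
            "keeps_up": None if diag_eps is None else diag_eps > eps,
        }
    return result


def _ts(hour, minute):
    return datetime(2008, 3, 25, hour, minute)


# Constructed sample input (not real servers or measurements).
SAMPLE_SERVERS = {
    "DC01":   (270000, _ts(8, 0),   _ts(9, 0)),   # 75 eps   -> high group
    "APP01":  (108000, _ts(8, 0),   _ts(9, 0)),   # 30 eps   -> medium group
    "FILE01": (36000,  _ts(8, 0),   _ts(9, 0)),   # 10 eps   -> low group, 100 ms
    "WKS01":  (42000,  _ts(14, 40), _ts(21, 0)),  # ~1.84 eps -> low group, default
}
SAMPLE_DIAG = """\
Succeed to access registry for DC01
Succeed to load remote DLL from \\\\DC01
Succeed to access SECURITY eventlog for DC01
Reading 1024 events from DC01 with eps 60.25
Reading 1024 events from APP01 with eps 85.5
Reading 1024 events from FILE01 with eps 10.032514
"""

if __name__ == "__main__":
    verdicts = {True: "keeps up", False: "deploy a connector on the local LAN",
                None: "no diag data"}
    for name, info in plan(SAMPLE_SERVERS, SAMPLE_DIAG).items():
        print(f"{name}: {info['eps']} eps, {info['group']}, "
              f"buffer {info['batch_query_buffer_size']} {info['buffer_allocation']}, "
              f"poll {info['polling_interval_ms']} ms, {verdicts[info['keeps_up']]}")
```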

Deployment Example
The following diagram illustrates how three SmartConnectors can be deployed in order to allow for optimal performance while conserving bandwidth for the remote sites.


Advanced Configuration Options


Changing the Polling Interval Auto Adjustment
The polling interval is the pause between finishing one event log type and switching to the next one for a remote computer. By default, the polling interval is 200 milliseconds. You can set the initial polling interval value during connector setup. Setting a short polling interval increases CPU usage and network bandwidth usage, so tune the interval setting to best match your environment. If you find there is a delay in your events being displayed in the ArcSight ESM Console, you can reduce the polling interval value by running arcsight connectorsetup from the $ARCSIGHT_HOME\current\bin directory.

By default, the polling interval value is reduced when the connector has trouble catching up on a high eps remote computer, so the actual polling interval will vary from the initial polling interval set through connector setup. Also, the polling interval is adjusted per remote computer, so its value will be different for each remote computer (event source). You can turn this auto adjustment off by following these steps:
1 Stop the SmartConnector.
2 From $ARCSIGHT_HOME\current\bin, run arcsight connectorsetup.
3 Select No for wizard setup mode.
4 From the menu, select Options and check Show Parameters.
5 Change the parameter called enableautopollinginterval from true to false.
6 Click OK to close the setup window.
7 Restart the SmartConnector.

Enabling and Disabling SID Translation


Using internal configuration parameters, you can choose to enable or disable SID translation. The default value is false, indicating SID translation is performed. Change the value of the disablesidtranslation parameter to true to disable SID translation.
1 To change this parameter, first open a command window and navigate to ARCSIGHT_HOME\current\bin.
2 Enter the command arcsight connectorsetup to start setup in Advanced mode.
3 When the warning window asking whether you want to use the wizard is displayed, click No.
4 From the Configuration Tool window Options menu, check the box next to Show Internal Parameters.
5 Locate the disablesidtranslation parameter and change false to true to disable SID translation.
6 Click OK for your change to take effect.

When SID translation is enabled, you also can choose to always translate SIDs, even when Microsoft does not. To do so, locate the enablealwaystranslatesid parameter and change false to true. If you choose to have only those SIDs translated that are translated by Microsoft, leave the default value of false. The enablealwaystranslatesid parameter has no effect when the disablesidtranslation parameter is set to true.

Enabling and Disabling GUID Translation


Using internal configuration parameters, you can choose to enable or disable GUID translation. The default value is true, indicating GUID translation is not performed. To enable GUID translation, change the value of the disableguidtranslation parameter to false.
1 To change this parameter, first open a command window and navigate to ARCSIGHT_HOME\current\bin.
2 Enter the command arcsight connectorsetup to start setup in Advanced mode.
3 When the warning window asking whether you want to use the wizard is displayed, click No.
4 From the Configuration Tool window Options menu, check the box next to Show Internal Parameters.
5 Locate the disableguidtranslation parameter and change true to false to enable GUID translation.
6 Click OK to close connector setup.
7 Restart the connector for your change to take effect.


Configuration
Configuring the SmartConnector
The SmartConnector for Microsoft Windows Event Log should be installed only on Windows XP and Windows 2003. ArcSight previously supported Windows 2000; however, because at least two Microsoft APIs behaved unexpectedly under some conditions on Windows 2000, ArcSight dropped Windows 2000 support for this SmartConnector.

This section provides instructions for configuring the SmartConnector for Microsoft Windows Event Log.
1 Log on to the SmartConnector computer using any user from the Domain User group.
2 Install the SmartConnector on a selected Microsoft Windows machine. During installation, you will be asked to enter the user information for a user from the Domain Admin group. This is the user through which the SmartConnector will poll events.
3 After the SmartConnector is installed, configure the list of computers from which the SmartConnector is to collect events. To manually configure this list, go to step 8. Otherwise, execute the following command to start a configuration user interface for defining the list:
arcsight ntcollectorconfig
4 From the Configuration UI, select Search for new computers from the menu.
5 When the search completes, select Refresh from the menu. Every available computer from your domain, and from other domains that trust your domain, is listed.
6 By highlighting any computer and right-clicking with your mouse, you can delete the corresponding computer from the tree. You can also delete specific event log types in this way. Here, deleting means you do not want to collect events from the corresponding computer or event log type.
7 After completing the previous step, click Save the changes and Exit. You can skip the following step (for manually configuring the computer list) and go to step 9.
8 To manually configure the computer and event log type list for event collection, create a text file called NtCollector_Resources.txt under {arcsight_home}\user\agent\nt. Edit the file to specify entries of a computer name and its associated event log types, each entry on a single line with its fields separated by a comma (,). Here is an example:
\\COMPUTER1, Application, Security
This entry indicates that we want all events whose event log type is Application or Security from the computer named COMPUTER1. When you finish adding entries, save the file.
9 Now run the arcsight agents command to start the SmartConnector.

If new computers are added to your environment later and you want to collect event log data from these new machines, stop the SmartConnector and perform steps 3 through 7 again to update the list of computers from which the SmartConnector will collect events.


If at least one of your servers generates more than five events per second, configure the event polling interval to best fit your needs. By default, the polling interval is 200 milliseconds. This can support up to five events per second for each machine. The polling interval you specify (in milliseconds) should be roughly 1000 divided by the event rate in events per second. For example, use a polling interval of 100 if your event rate is 10 events per second. Setting a short polling interval will increase CPU usage, so tune the interval setting to best match your environment.

Configuring Windows Connectors to Capture Print Events


This configuration step supports the early warning printing scenarios.
1 Connector release 4471 and subsequent releases contain updates to the SmartConnector for Microsoft Windows Event Log to support scenarios involving printing events. If your print servers run Windows, upgrade your SmartConnector to one of these versions.
2 In a text editor, open the following file on the SmartConnector system so that you can add entries for print servers and collect events from their security, system, and application logs:
$ARCSIGHT_HOME\current\user\agent\nt\NTCollector_resources.txt
3 Add the following line for every print server you want to track:
\\serverName,application,security,system
where serverName is the name of the print server.
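The resources file edited in the steps above (and in step 8 of "Configuring the SmartConnector") has a simple line format, and a small parser makes it easy to validate a hand-edited copy and to add the print-server lines consistently. The following Python is an added example, not ArcSight code; it assumes log type names may appear in either capitalization (the guide shows both), that blank lines are ignored, and that a computer listed twice has its log types merged.

```python
"""Parser, validator and writer for the NtCollector_Resources.txt format used by
the SmartConnector for Microsoft Windows Event Log: one computer per line, a
name such as \\COMPUTER1 followed by comma-separated event log types.
Added example, not ArcSight code. Sample file content below is constructed."""

# The three Windows event logs the connector collects.
VALID_LOGS = ("Application", "Security", "System")
# Guide's print-server rule: collect application, security and system logs.
PRINT_SERVER_LOGS = VALID_LOGS


def normalize_log(name):
    """Map any capitalization of a log type to its canonical spelling (assumption:
    the connector accepts both, since the guide shows both); None if unknown."""
    for log in VALID_LOGS:
        if log.lower() == name.strip().lower():
            return log
    return None


def parse_resources(text):
    """Return {COMPUTER: [log types]} from file content; raise on malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:  # assumption: blank lines carry no meaning
            continue
        fields = [f.strip() for f in line.split(",")]
        name, logs = fields[0], fields[1:]
        if not name.startswith("\\\\") or len(name) == 2:
            raise ValueError(f"line {lineno}: computer name must look like \\\\NAME, got {name!r}")
        if not logs:
            raise ValueError(f"line {lineno}: no event log types listed for {name}")
        wanted = entries.setdefault(name[2:].upper(), [])
        for log in logs:
            canonical = normalize_log(log)
            if canonical is None:
                raise ValueError(f"line {lineno}: unknown event log type {log!r}")
            if canonical not in wanted:
                wanted.append(canonical)
    return entries


def add_print_servers(entries, servers):
    """Add the guide's print-server line (all three logs) for each named server."""
    for server in servers:
        wanted = entries.setdefault(server.upper(), [])
        for log in PRINT_SERVER_LOGS:
            if log not in wanted:
                wanted.append(log)
    return entries


def render_resources(entries):
    """Write entries back out in the guide's one-line-per-computer format."""
    return "".join(f"\\\\{name}, {', '.join(logs)}\n"
                   for name, logs in sorted(entries.items()))


# Constructed sample file content (not a real environment).
SAMPLE_FILE = """\
\\\\COMPUTER1, Application, Security
\\\\dc01,security
\\\\COMPUTER1, System
"""

if __name__ == "__main__":
    entries = parse_resources(SAMPLE_FILE)
    add_print_servers(entries, ["PRINT01"])
    print(render_resources(entries), end="")
```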

Installing the SmartConnector


ArcSight ESM Installation
Before you install any ArcSight SmartConnectors, make sure that ArcSight ESM has already been installed correctly. Also, ArcSight recommends reading the ArcSight Installation and Configuration Guide before attempting to install a new ArcSight SmartConnector. For a successful installation of ArcSight ESM, install the components in the following order:
1 Ensure that the ArcSight ESM Manager, Database, and Console are installed correctly.
2 Run the ArcSight ESM Manager; the ArcSight ESM Manager command prompt window or terminal box displays a Ready message when the Manager has started successfully. You can also monitor the server.std.log file located in ARCSIGHT_HOME\current\logs.
3 Run the ArcSight Console. Though not necessary, it is helpful to have the ArcSight Console running when installing the SmartConnector to verify successful installation.

Before installing the SmartConnector, be sure the following are available:
Local access to the machine where the SmartConnector is to be installed
Administrator passwords


SmartConnector Installation
For information regarding operating systems and platforms supported, see SmartConnector Product and Platform Support.
1 Insert the ArcSight Installation CD into your CD-ROM drive or navigate to the location of the ArcSight SmartConnector Installer directory.
2 Start the ArcSight SmartConnector Installer by running the executable for your operating system. Follow the installation wizard through the following folder selection tasks and installation of the core connector software:
Introduction
Choose Install Folder
Choose Install Set
Choose Shortcut Folder
Pre-Installation Summary
Installing...
3 When the installation of ArcSight SmartConnector core component software is finished, the following window is displayed:

4 Make sure ArcSight Manager (encrypted) is selected and click Next. For information about the ArcSight Logger SmartMessage (encrypted) destination, see "Chapter 5. Using SmartConnectors with ArcSight Logger" in the SmartConnector User's Guide. For information about NSP Device Poll Listener, see "Chapter 6. Using SmartConnectors with NCM" in the SmartConnector User's Guide.

5 The Wizard first prompts you for Manager certificate information. The default selection is No, the ArcSight Manager is not using a demo certificate. Choose Yes if ArcSight Manager is using a demo certificate. (Before selecting this option, make sure the Manager is, in fact, using a demo SSL certificate. If you are not certain, select No or consult your system administrator.)


If your ArcSight Manager is using a self-signed or CA-signed SSL certificate, select No, the ArcSight Manager is not using a demo certificate and click Next.

After completing the SmartConnector installation wizard, remember to manually configure the connector for the type of SSL certificate your Manager is using. See the ArcSight ESM v4.0 Administrator's Guide for instructions about configuring your SmartConnector when the Manager is using a self-signed or CA-signed certificate, and for instructions about enabling SSL client authentication on SmartConnectors so that the connectors and the Manager authenticate each other before sending data.

6 The Wizard prompts for Manager Host Name and Manager Port. Enter the information and click Next.
7 Enter a valid ArcSight User Name and Password. This is the same user name and password you created during the ArcSight Manager installation. Click Next.
8 The Configuration Wizard displays a list of available SmartConnectors you can configure. Select Microsoft Windows Domain Event Log and click Next.
9 Enter the required SmartConnector parameters to configure the SmartConnector, then click Next.

Parameter / Description

LOCAL EVENT LOG PARAMETERS
Event Log Types: Configures which event log types are to be collected: Application, System, or Security. The default is all three values.
Batch Query Buffer Size: Configures the size of the batch query buffer. Select a batch query buffer size in bytes (512, 1024, 2048, 4096, 8192). The default value is 8192.

DOMAIN EVENT LOG PARAMETERS
Polling Interval (ms): Specify the event polling interval in milliseconds (the polling interval applies to ArcSight 3.0 or subsequent versions). The default value is 200. See "Configuring the Microsoft Windows Machine" for more details.
Domain Name: Enter the name of the domain from which the SmartConnector for Microsoft Windows Event Log is to collect events. See the FAQ section for more details.
Domain User: Enter the name of the domain user the SmartConnector is to use to communicate with the remote domain computer. This should be a user from the domain administrators group. It can be different from the current logon user.
Domain User Password: The password for the domain user.
Mode: Select 'Single Process' (the default) or 'Multi-Process.' This refers to the number of processes to be executed by the Windows Event Log connector when interfacing with the Microsoft API.
Batch Query Buffer Size: Configures the size of the batch query buffer. Select a batch query buffer size in bytes (512, 1024, 2048, 4096, 8192). The default value is 8192.
Batch Query Buffer Allocation: This parameter lets you choose the behavior of query buffer size allocation. The default value is 'Maximized,' which means the query buffer size is kept as large as possible. The default value should be good for all cases except those in which network bandwidth is very low between the SmartConnector for Microsoft Windows Domain Event Log and the remote DCs/servers. In the low bandwidth cases, change this parameter to 'Minimized.'
Enable auto polling interval: Accept the default value of 'true' to enable automatic polling interval adjustment; select 'false' to disable auto polling interval adjustment.


10 Enter a name for the SmartConnector and provide other information identifying the connector's use in your environment. Click Next.
11 Read the SmartConnector summary and click Next. If the summary is incorrect, click Back to make changes.
12 When the SmartConnector completes its configuration, click Next. The Wizard now prompts you to choose whether you want to run the SmartConnector as a process or as a service. If you choose to run the SmartConnector as a service, the Wizard prompts you to define service parameters for the SmartConnector.
13 After making your selections, click Next. The Wizard displays a dialog confirming the SmartConnector's setup and service configuration.
14 Click Finish. For some SmartConnectors, a system restart is required before the configuration settings you made take effect. If a System Restart window is displayed, read the information and initiate the system restart operation.
Save any work on your computer or desktop and shut down any other running applications (including the ArcSight Console, if it is running), then shut down the system.

Uninstalling a SmartConnector
Before uninstalling a SmartConnector that is running as a service or daemon, first stop the service or daemon. To uninstall on Windows, open the Start menu. Run the Uninstall SmartConnectors program found under All Programs, ArcSight SmartConnectors. If SmartConnectors were not installed on the Start menu, locate the ARCSIGHT_HOME\UninstallerData folder and run:
Uninstall ArcSightAgents.exe
To uninstall on UNIX hosts, open a command window on the ARCSIGHT_HOME/UninstallerData directory and run the command:
./Uninstall_ArcSightAgents
The Uninstall script does not remove the connector files; it simply removes the files created by the InstallAnywhere software. Connector files and folders must be manually deleted.

Upgrading a SmartConnector
To locally upgrade the connector, stop the running connector and run the ArcSight SmartConnector installer. The installer prompts you for the location to install the connector. Select the location of the SmartConnector that you want to upgrade; you will receive the message "Previous Version Found. Do you want to upgrade?" Select the option to continue and upgrade the connector. The original installation will be renamed by prefacing characters to the original folder name; the upgraded connector will be installed in the location $ARCSIGHT_HOME\current.
You can remotely upgrade multiple SmartConnectors from the ArcSight ESM Console. See the SmartConnector User's Guide for remote upgrade procedures.


To roll back the connector:
Stop the upgraded connector, which is under current.
Rename the current folder to a name based upon the build version of the upgraded connector.
Rename the old connector build folder to current.
Start the connector.

Troubleshooting
Why do I get errors installing the SmartConnector for Microsoft Windows Domain Event Log on a machine that is not logged on as a domain user?
Installing the Windows Event Log SmartConnector on a machine that is not logged in as a domain user will cause "access denied" errors. The SmartConnector is based upon Windows NT domain credentials, so you must log into the SmartConnector machine as a domain user (however, you need not be the domain administrator user).

How can I collect events from multiple machines in a workgroup environment?
The SmartConnector for Microsoft Windows Event Log is based upon NT domain credentials, not workgroup credentials. If your working environment is not based upon NT domains, you can still install this SmartConnector by using the administrators account from the local machine. However, ArcSight cannot guarantee that you can collect events from each machine in the same workgroup.

Why can't I retrieve events from a local machine? I have no problem collecting events from remote machines.
In our testing environment, this sometimes happens when we use a regular user account to log onto the SmartConnector machine. If you encounter the same problem, attempt to log in with a user account from the Domain Administrator group.

Why won't my SmartConnector run on a Windows NT 4.0 machine or Windows 2000 machine?
As previously mentioned in this document, this SmartConnector is supported for installation on computers running Windows XP and Windows 2003. Although there is no problem having the Event Log SmartConnector poll events from Windows NT 4.0 or Windows 2000 machines, you cannot install the SmartConnector on those machines.

What kind of services should we enable on remote Windows machines from which we want the SmartConnector to retrieve events?
Remote Windows machines should have the following services running:
Remote Procedure Call (RPC)
Server
Remote Registry


There is a personal firewall installed on some of the remote Windows machines from which I want to retrieve events. Which ports should be opened on those machines to let the SmartConnector collect events?
The following ports should be opened:
TCP 135
TCP 139/445
UDP 137, 138

Can I collect events from all domains in my network environment?
The SmartConnector for Microsoft Windows Event Log can collect events from a single domain. If you have multiple domains and you want to use only one SmartConnector, configure these domains to have parent-child domain relationships. Running the SmartConnector under the parent domain's administrator account on a computer in the parent domain lets you collect events from the machines of all child domains.

Can I collect events from all machines in my domain if my domain is separated by multiple routers?
Yes, if the following conditions are true:
You run the SmartConnector on a machine that is in the same subnet as the domain controller.
You can see all machines from My Network Places on the Windows Event Log SmartConnector machine.

I get an event indicating 'The description for such event cannot be found.' What does this mean?
Most likely, this occurred when the SmartConnector failed to get a description for the event. The possible reasons can be:
The resource DLL was deleted accidentally.
The related registry entry was modified.

Send an e-mail to ArcSight Support for additional assistance in resolving the problem.

I can see a list of computers during SmartConnector configuration, but the message 'required privilege is not held by the client' is shown for almost all of them from the ArcSight Console.
This happens when the logon user on the SmartConnector machine lacks minimum privileges. Follow this procedure to add the necessary privileges:
1 From the Start menu of the SmartConnector machine, click Settings -> Control Panel.
2 From the Control Panel, select Administrative Tools -> Local Security Policy. The Local Security Settings window is displayed.
3 Expand the Local Policies folder and select User Rights Assignment.
4 Double-click Act as part of the operating system. The Local Security Policy Setting dialog opens.
5 Click Add to open the Select Users or Groups dialog.
6 Select the domain name from the Look in: list.
7 Select the logon user account from the associated list of users.
8 Click Add. The privilege "Act as part of the operating system" is added to this user. Remember, this is the current logon user account.
9 Click OK to close the Select Users or Groups dialog.
10 Click OK to close the Local Security Policy Setting dialog.
11 Close all the other windows.

I don't want to use the domain administrator user account for connector setup. Is there a workaround?
Yes, there is a workaround, but there are certain limitations:
It does not support application events or system events.
If not all computers have the same OS and service packs, there may be a parsing problem for certain security events.
A domain regular user for the workaround is still required.

To avoid using the domain administrator user account for agent setup, follow these steps:
1 Log on to a domain computer using the domain regular user.
2 To get events from a remote computer A, enable the Manage auditing and security log local security policy on computer A. If you want the ArcSight SmartConnector to collect events from all computers in the domain, you may want to use the Domain Security Setting.
3 Run ArcSight connector setup in advanced mode and enable an internal parameter named Use Local DLL.
4 Start or restart the SmartConnector.


All of the computers in my environment are workgroup-based; there is no domain at all. Can I still use the Windows Event Log SmartConnector to get events from multiple remote machines?
There is a way to do it, but it requires a bit of a workaround:
1 First, create the NtCollector_Resources.txt file manually (see "Configuring the SmartConnector for Microsoft Windows Event Log").
2 Next, create the same user on each computer from which you want to get events. Assign exactly the same name and the same password to each of these user accounts.
3 Add each user to the local administrators group.
4 During ArcSight connector setup, use "(workgroup)" as the domain name (including the left and right parentheses).

I still can't figure it out. What else can I do?
ArcSight includes a diagnostic tool (v3.0, build 3723 or later) that helps ArcSight Support identify problems with SmartConnector for Microsoft Windows Event Log installations. From the bin directory of your connector installation home, run the following command:
arcsight ntcollectordiag
Send the file c:\ntcollectordiag.txt to ArcSight Customer Support for help solving the problem.
