Windows Audit

Overview

Event Manager utilizes the features of Windows Audit in order to provide information regarding Windows security events.

NOTE: The following section assumes an installation of Windows Server 2012. Screens and options may be different in later versions. Please refer to your Windows documentation or your systems administrator for more information.

Minimum Requirements

  • The Event Manager Windows Template requires Windows Server 2008 or later.
  • Permission to read the event log remotely on the monitored host (see below).

Windows Event Log

The Event Log system service records events generated by programs, by services and by the Windows operating system. Each event carries diagnostic information as well as errors specific to its source program, service or component, which makes the logs the first place to look when diagnosing problems. The logs can be read programmatically through the event log APIs or interactively in Event Viewer, an MMC snap-in.

Application protocol      Protocol    Port
RPC/named pipes (NP)      TCP         139
RPC/NP                    TCP         445
RPC/NP                    UDP         137
RPC/NP                    UDP         138

NOTE: The Event Log service uses RPC over named pipes, so it has the same firewall requirements as the "File and Printer Sharing" feature: TCP 445 (SMB) is the port that matters on current networks, with TCP 139 and UDP 137/138 only needed where NetBIOS over TCP/IP is still in use.
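The following script is an added example, not code from the Event Manager documentation or product: it checks from the Event Manager host that a remote Windows server is reachable on the named-pipe transport ports listed above and that the supplied account can actually read its Security log. The host name `SRV01.example.local` and the account `EXAMPLE\eventreader` are assumptions; replace them with your own.

```powershell
# Added example (not part of the Event Manager documentation): verify the
# firewall path and the remote event log read permission from the Event Manager host.
# $Target and $User are hypothetical values for this example.
$Target = 'SRV01.example.local'          # hypothetical remote Windows server
$User   = 'EXAMPLE\eventreader'          # hypothetical account that should read the log
$cred   = Get-Credential -UserName $User -Message "Password for $User"

# 1. Reachability of the named-pipe transports (TCP 139 and 445).
#    Test-NetConnection only tests TCP; the NetBIOS UDP ports 137/138 are not
#    needed when SMB over TCP 445 is available, so they are not checked here.
foreach ($port in 139, 445) {
    $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    '{0}:{1} {2}' -f $Target, $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'closed or filtered' })
}

# 2. Open an SMB session to IPC$ with the supplied credential so that the classic
#    event log API (RPC over named pipes, the same path Event Viewer uses) runs
#    as that account rather than as the interactive user.
$plain = $cred.GetNetworkCredential().Password
net use "\\$Target\IPC$" $plain /user:$($cred.UserName) | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not open an SMB session to $Target as $($cred.UserName)" }

try {
    # Reading the Security log is the strictest test: on the remote machine the
    # account must be a local Administrator or a member of 'Event Log Readers'.
    Get-EventLog -ComputerName $Target -LogName Security -Newest 5 -ErrorAction Stop |
        Select-Object TimeGenerated, EventID, EntryType, Source |
        Format-Table -AutoSize
    "OK: $($cred.UserName) can read the Security log on $Target"
}
catch {
    Write-Warning "Cannot read the Security log on $Target as $($cred.UserName): $($_.Exception.Message)"
    Write-Warning "Check membership of 'Event Log Readers' (or Administrators) on $Target and the port results above."
}
finally {
    # Drop the session so the credential does not linger on the Event Manager host.
    net use "\\$Target\IPC$" /delete /y | Out-Null
}
```

Get-EventLog and Test-NetConnection are Windows PowerShell cmdlets (Windows 8/Server 2012 and later, Windows PowerShell 5.1); Get-EventLog is not available in PowerShell 7. The script deliberately uses the legacy Get-EventLog rather than Get-WinEvent because the former goes through the same RPC-over-named-pipes path the table describes, so a failure here points at the SMB ports or the account rather than at a different transport.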

Additional Configuration

Additional configuration is required before the User Inactivity Datasource can be used against Windows servers.

IMPORTANT: If you use this datasource against a Windows Server 2008 machine, upgrade the remote machine to PowerShell 3.0 or later first.

Windows systems

Validate access to administrative shares in the Remote Host

Administrative shares are a feature of Windows NT-based servers: the local drives and the Windows installation directory are shared by default as hidden resources (their names end in "$"), but they can only be opened by members of the Administrators group. Some security policies disable administrative shares altogether.

The remote command execution actions need access to the ADMIN$ share, which maps to the Windows installation directory on the remote machine (%SystemRoot%, C:\Windows by default). To check that the share is enabled and that your account can open it, browse to \\<remote host>\ADMIN$ from the Event Manager host in Windows Explorer. An "Access is denied" error means the account is not a member of the remote Administrators group; "The network path was not found" means the share is not being offered, for example because administrative shares have been disabled by policy, or because SMB (TCP 445) is blocked on the way to the remote host.

Validate Remote Service Manager Access in the Remote Host

The Service Control Manager of the remote host must be reachable from the Event Manager host. To check it, open the local Services console on the Event Manager host (run services.msc), right-click "Services (Local)" at the top of the tree and choose "Connect to another computer...", then enter the name of the remote host. The console connects with the credentials of the logged-on user, so run it as the account Event Manager will use (or open a session to the remote host with that account first).

Once connected, you should see the services tree of the remote machine. If the connection is refused with an access denied error, the account is not allowed to connect to the remote Service Control Manager.
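The script below is an added example, not code from the Event Manager documentation or product; it automates the two validation steps above (ADMIN$ share access and remote Service Control Manager access) from the Event Manager host so they can be repeated for each monitored server. The host name `SRV01.example.local` and the credential prompt are assumptions; replace them with your own.

```powershell
# Added example (not part of the Event Manager documentation): validate the
# prerequisites for remote command execution on one Windows server.
# $Target is a hypothetical host name for this example.
$Target = 'SRV01.example.local'          # hypothetical remote Windows server
$cred   = Get-Credential -Message "Administrative account for $Target"

# Open one authenticated SMB session to IPC$; both checks below reuse it, so the
# results reflect the supplied account rather than the interactive user.
$plain = $cred.GetNetworkCredential().Password
net use "\\$Target\IPC$" $plain /user:$($cred.UserName) | Out-Null
if ($LASTEXITCODE -ne 0) { throw "No SMB session to $Target as $($cred.UserName)" }

try {
    # 1. ADMIN$ maps to %SystemRoot% on the remote machine (C:\Windows by default).
    #    Seeing its System32 folder proves the share is enabled and that the
    #    account is in the remote Administrators group; non-admins get access denied.
    $adminShare = "\\$Target\ADMIN$"
    if (Test-Path -LiteralPath "$adminShare\System32") {
        "OK: $adminShare is reachable (remote %SystemRoot% is visible)"
    }
    else {
        Write-Warning "$adminShare is not reachable: the share may be disabled by policy or the account is not a remote administrator"
    }

    # 2. The Service Control Manager is what services.msc connects to remotely.
    #    Get-Service -ComputerName goes over the same RPC/named-pipe path, so a
    #    successful query is equivalent to "Connect to another computer" working.
    $svc = Get-Service -ComputerName $Target -Name EventLog -ErrorAction Stop
    "OK: remote Service Control Manager reachable; '{0}' is {1}" -f $svc.DisplayName, $svc.Status
}
catch {
    Write-Warning "Remote Service Control Manager check on $Target failed: $($_.Exception.Message)"
}
finally {
    # Drop the session so the credential does not linger on the Event Manager host.
    net use "\\$Target\IPC$" /delete /y | Out-Null
}
```

Get-Service -ComputerName is a Windows PowerShell 5.1 feature (it was removed in PowerShell 7). Note that a successful Get-Service only proves the account may connect to and enumerate the remote Service Control Manager; remote command execution additionally needs the right to create a service there, which members of the remote Administrators group have by default, so the ADMIN$ result is the better indicator of whether the account has that level of access.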