
Is there a doc showing how to monitor a Windows/AD system?

I see there are many different collectors available for different items in AD or Windows.

I see there is the Agent Manager for Windows Agents, but I cannot quite nail down what Agents can collect vs what a Collector can collect?

I am at a point where I do not yet know WHAT I want to collect, since I do not know what I CAN collect. So first, what is available to collect (from what format? agent or collector)? Then I can pick and choose the elements I need, I suppose.

Or start more simply:  How are the Agents different than Collectors, specifically in the context of Windows and Active Directory?


  •

    SAM will essentially collect anything that's in the Windows Event logs (and possibly other logs as well). You install an agent (managed or unmanaged) and configure a policy telling the agent what to collect. The agent then sends these events on to a "Central Computer", which then forwards to Sentinel itself.

    Sentinel Collectors tend to be agentless, whereas SAM is an agent-based solution. Windows doesn't have a native syslog client, so SAM was the solution to that.

  •

    That is a helpful distinction.  So the SAM is mostly for Event log stuff.

    What if you want to watch file system operations?  Delete/move of files, say.  Which would be the better way?  Is there a way?

    There was a WMI collector; is that still around, or is that part of what the SAM does?

  • Suggested Answer

    Hi Geoffrey,

    You can configure Windows to audit its file system: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11). That would generate events in the Windows Event Log for various activities.

    Depending on what you want to audit, Change Guardian might offer you more choices.

    Historically Sentinel offers

    - pull-based Windows event collection with the WECS connector

    - push-based Windows event collection using Agent Manager agents.

    For both, raw data is parsed by the Active Directory and Windows collector.

    Nowadays you can also use ArcSight SmartConnectors: https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors-8.4/. Those give you the ability to collect from the Vista-style event logs as well and to process data from WEF, PowerShell, Sysmon and other applications. SmartConnectors normalize events into the Common Event Format (CEF) and forward them to Sentinel through the Syslog Connector. The Connector then forwards the events to the Universal Common Event Format Collector for parsing.
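As an added illustration of the file-system auditing the answer above points to (example code written for this page, not from the thread or from Sentinel/SAM), the following PowerShell enables Object Access auditing, puts an audit entry on a folder, and reads back the resulting Security-log events. The folder path and the audited principal are placeholders; it assumes an elevated session on the monitored Windows server.

```powershell
# Added example, not from the original thread. Placeholders: $Folder and $Identity.
$Folder   = 'D:\Shares\Finance'   # placeholder: folder whose deletes/moves you want logged
$Identity = 'Everyone'            # placeholder: principal whose access is audited

# 1. Enable the "File System" subcategory of Object Access auditing (success + failure).
#    Without this, SACL entries on files produce no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL (audit) entry to the folder, inherited by files and subfolders.
#    NTFS requires the DELETE right both to delete a file and to rename/move it,
#    so auditing Delete covers the "delete/move of files" case from the question.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit      # -Audit is needed to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back what the SACL produces. Event 4663 ("an attempt was made to access an
#    object") carries ObjectName and AccessMask; 0x10000 in the mask is DELETE.
#    Event 4660 ("an object was deleted") has no ObjectName and is correlated to a
#    4663/4656 by HandleId. These are the records SAM or a SmartConnector forwards on.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
      $xml = [xml]$_.ToXml()
      $d = @{}
      foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
      [pscustomobject]@{
          Time       = $_.TimeCreated
          User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
          Object     = $d['ObjectName']
          AccessMask = $d['AccessMask']
          Process    = $d['ProcessName']
      }
  } |
  Where-Object { $_.Object -like "$Folder*" -and ([int]$_.AccessMask -band 0x10000) } |
  Format-Table -AutoSize
```

Success-audit volume on a busy share can be high, so scope the SACL to the folders and principals that matter before pointing an agent at the Security log.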
