Windows 2008 & 2008 R2 SSIM Integration
OBTAIN THE FQDN (Fully Qualified Domain Name) OF THE MONITORED SERVER & ITS OS
VERSION:
Use this host name in SSIM's sensor configuration to fetch the logs through off-box
integration. The host name must include the complete domain name (for a member server) or
the workgroup name. Note down the FQDN and the OS version details; they are required at
the time of sensor configuration.
If the firewall is running you will see a very long list of firewall rules; in that case skip this
step and move ahead to the next step, 3 (configure WinRM).
If the firewall service is not running you will see the error "An error occurred while attempting
to contact the Windows Firewall service...". In that case start the firewall service and then,
under Windows Firewall settings, turn the firewall status Off.
CONFIGURE WINRM
Run winrm quickconfig and answer Y to accept the changes. If WinRM is already configured it
will show the message below. winrm quickconfig does the following:
Starts the WinRM service and sets the service startup type to auto-start.
Configures a listener for the ports that send and receive WS-Management protocol
messages using either the HTTP (5985) protocol or the HTTPS protocol.
Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and
opens the ports.
We will configure WinRM to allow unencrypted traffic, as we are using HTTP for communication and
not HTTPS:
As we are using Kerberos authentication, we will disable Basic authentication for WinRM:
For security, Symantec recommends that you disable Remote Shell access.
When you run winrm get winrm/config, the following line is displayed:
AllowRemoteShellAccess = true.
Add the Network Service account to the Event Log Readers group, as the WinRM service
is executed by Network Service (run the following command from a command prompt):
net localgroup "Event Log Readers" /add "NT Authority\Network Service"
Network Service must be allowed to read the Windows Security log via the WinRM service, because in
Windows 2008 the Security event log is restricted to very few users. To do this, append the security
descriptor entries (A;;0x1;;;S-1-5-20) and (A;;0x1;;;NS) for Network Service to the channel access
of the Security log by running the commands below.
The command above grants Network Service read-only access to the Security event log.
After ensuring that the firewall service is enabled and running, you can use the commands
below.
OR
netsh advfirewall firewall add rule name="Windows Remote Management" dir=in action=allow protocol=TCP localport=5985
You can also create the WinRM listener on a custom port to avoid any port conflict with
applications already running on the server:
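The steps above (firewall service, winrm quickconfig, unencrypted HTTP, Basic off, Remote Shell off, Event Log Readers membership, Security log channel access, firewall rule, optional custom port) as one idempotent script. This is an added example, not from the original document or from Symantec: it assumes an elevated PowerShell prompt on the monitored Windows 2008 / 2008 R2 host, and $Port, $RuleName, Invoke-Native and Test-Contains are names chosen here. Every step checks the current state first, so the script can be re-run on a host that is already partly configured.

```powershell
# Added example, not from the original document: applies the WinRM and event
# log settings from the steps above in one idempotent pass. Assumes an elevated
# PowerShell prompt on the monitored Windows 2008 / 2008 R2 host.
# $Port, $RuleName, Invoke-Native and Test-Contains are names chosen here.
param(
    [int]$Port = 5985,                               # HTTP listener port SSIM connects to
    [string]$RuleName = "Windows Remote Management"  # inbound firewall rule name
)

function Invoke-Native {
    # Runs a native command and stops the script if it fails, so one failed
    # step does not leave the host half-configured.
    param([string]$Cmd, [string[]]$ArgList)
    $out = & $Cmd @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Cmd $ArgList failed with exit code $LASTEXITCODE" }
    $out
}

function Test-Contains {
    # True when any line of $Lines matches the regular expression $Pattern.
    param([string[]]$Lines, [string]$Pattern)
    return (@($Lines | Where-Object { $_ -match $Pattern }).Count -gt 0)
}

# 1. quickconfig needs the Windows Firewall service (MpsSvc) running, even if
#    the firewall profiles themselves are turned off.
if ((Get-Service MpsSvc).Status -ne 'Running') { Start-Service MpsSvc }

# 2. WinRM service set to auto-start, default HTTP listener, firewall exception.
Invoke-Native winrm @('quickconfig', '-quiet') | Out-Null

# 3. HTTP (not HTTPS) is used, so allow unencrypted traffic; Kerberos is used,
#    so turn Basic off; Remote Shell is not needed for log collection.
#    The @{...} values are quoted so PowerShell passes them through untouched.
Invoke-Native winrm @('set', 'winrm/config/service',      '@{AllowUnencrypted="true"}')        | Out-Null
Invoke-Native winrm @('set', 'winrm/config/service/auth', '@{Basic="false"}')                  | Out-Null
Invoke-Native winrm @('set', 'winrm/config/winrs',        '@{AllowRemoteShellAccess="false"}') | Out-Null

# 4. Network Service runs WinRM: add it to Event Log Readers (skipped if it is
#    already a member, since net.exe errors on a duplicate add).
$members = & net localgroup "Event Log Readers"
if (-not (Test-Contains $members 'NETWORK SERVICE')) {
    Invoke-Native net @('localgroup', 'Event Log Readers', 'NT Authority\Network Service', '/add') | Out-Null
}

# 5. Read (0x1) ACE for Network Service on the Security channel. NS is the SDDL
#    alias for S-1-5-20, so either spelling from the text above satisfies it.
$ace  = '(A;;0x1;;;NS)'
$line = @(Invoke-Native wevtutil @('gl', 'security') | Where-Object { $_ -match '^channelAccess:' })[0]
$sddl = ($line -replace '^channelAccess:\s*', '').Trim()
if (-not $sddl) { throw "could not read the channelAccess descriptor of the Security log" }
if ($sddl -notmatch ';;;(NS|S-1-5-20)\)') {
    Invoke-Native wevtutil @('sl', 'security', "/ca:$sddl$ace") | Out-Null
}

# 6. Inbound rule for the listener port. quickconfig already opens the default
#    port; this also covers a custom $Port and is skipped if the rule exists.
$rules = & netsh advfirewall firewall show rule "name=$RuleName"
if (-not (Test-Contains $rules "LocalPort:\s+$Port\b")) {
    Invoke-Native netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$RuleName",
        'dir=in', 'action=allow', 'protocol=TCP', "localport=$Port") | Out-Null
}

# 7. Custom listener port, only when it differs from the 5985 quickconfig used:
#    the existing HTTP listener is re-pointed rather than a second one created.
if ($Port -ne 5985) {
    $listeners = & winrm enumerate winrm/config/listener
    if (-not (Test-Contains $listeners "Port\s*=\s*$Port\s*$")) {
        Invoke-Native winrm @('set', 'winrm/config/listener?Address=*+Transport=HTTP',
            ('@{Port="' + $Port + '"}')) | Out-Null
    }
}
Write-Host "WinRM configured for SSIM collection on TCP $Port; reconfirm with 'winrm get winrm/config' and 'wevtutil gl security'."
```

Save it as a .ps1 file and run it from an elevated prompt, passing -Port only when the sensor will use a custom port. The ACE is appended to the descriptor that wevtutil reports rather than to a hard-coded string, so any site-specific entries already on the Security channel are preserved, and the script refuses to write an empty descriptor if the read fails.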
GET THE FINAL OUTPUT OF THE FOLLOWING COMMANDS & RECONFIRM THE SETTINGS
DONE:
wevtutil gl security
Also note down the following information before moving on to the sensor configuration.
wevtutil gl security
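A read-only pre-flight check for this step and for the "obtain the FQDN and OS version" step at the top: it gathers the values to note down for the sensor configuration (FQDN, OS version, Kerberos realm from ksetup) and reconfirms each WinRM and event log setting against the expected value. This is an added example, not from the original document or from Symantec; it assumes an elevated PowerShell prompt on the monitored host, and $ExpectedPort, Find-Value, Get-SsimHostInfo and Test-SsimWinRmConfig are names chosen here. It changes nothing on the host.

```powershell
# Added example, not from the original document: a read-only pre-flight check
# that gathers the values to note down for the sensor configuration (FQDN, OS
# version, Kerberos realm) and reconfirms each WinRM and event log setting from
# the steps above. Assumes an elevated PowerShell prompt on the monitored host;
# nothing is changed. $ExpectedPort and the three function names are chosen here.
param([int]$ExpectedPort = 5985)   # port the SSIM sensor configuration will use

function Find-Value {
    # First capture group of $Pattern in the first matching line of $Lines, else $null.
    param([string[]]$Lines, [string]$Pattern)
    foreach ($l in $Lines) { if ($l -match $Pattern) { return $matches[1] } }
    return $null
}

function Get-SsimHostInfo {
    # FQDN = host name plus AD domain (member server) or plus the workgroup name.
    $cs = Get-WmiObject Win32_ComputerSystem
    $os = Get-WmiObject Win32_OperatingSystem
    $realm = Find-Value (& ksetup) '^default realm\s*=\s*(\S+)'
    if (-not $realm) { $realm = '(no default realm reported: not domain joined?)' }
    New-Object PSObject -Property @{
        Fqdn      = "$($cs.Name).$($cs.Domain)"
        OsVersion = "$($os.Caption.Trim()) $($os.Version)"
        Realm     = $realm
    } | Select-Object Fqdn, OsVersion, Realm
}

function Test-SsimWinRmConfig {
    # One row per setting; Pass is $true when Actual equals Expected.
    param([int]$Port)
    $service  = & winrm get winrm/config/service        # service section, incl. its Auth block
    $winrs    = & winrm get winrm/config/winrs
    $listener = & winrm enumerate winrm/config/listener
    $channel  = & wevtutil gl security
    $members  = & net localgroup "Event Log Readers"

    $sddl = Find-Value $channel '^channelAccess:\s*(\S+)'
    $ace = 'missing'                                    # NS and S-1-5-20 are the same principal
    if ($sddl -and $sddl -match ';;;(NS|S-1-5-20)\)') { $ace = 'present' }
    $member = 'not a member'
    if (@($members | Where-Object { $_ -match 'NETWORK SERVICE' }).Count -gt 0) { $member = 'member' }

    $rows = @(
        @('Service AllowUnencrypted',     'true',    (Find-Value $service  'AllowUnencrypted\s*=\s*(\S+)')),
        @('Service Auth Basic',           'false',   (Find-Value $service  '\bBasic\s*=\s*(\S+)')),
        @('Winrs AllowRemoteShellAccess', 'false',   (Find-Value $winrs    'AllowRemoteShellAccess\s*=\s*(\S+)')),
        @('HTTP listener Port',           "$Port",   (Find-Value $listener 'Port\s*=\s*(\d+)')),
        @('Security log read ACE for NS', 'present', $ace),
        @('NS in Event Log Readers',      'member',  $member)
    )
    foreach ($r in $rows) {
        New-Object PSObject -Property @{
            Check = $r[0]; Expected = $r[1]; Actual = "$($r[2])"; Pass = ("$($r[2])" -eq $r[1])
        } | Select-Object Check, Expected, Actual, Pass
    }
}

$info = Get-SsimHostInfo
$info | Format-List                                     # values to enter in the sensor configuration
$results = Test-SsimWinRmConfig -Port $ExpectedPort
$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }   # non-zero exit if anything is off
```

The service and winrs sections are queried separately (winrm/config/service, winrm/config/winrs) rather than grepping the full winrm get winrm/config output, because the Client section carries its own AllowUnencrypted and Basic entries that would otherwise be matched first. A non-zero exit code makes the check usable from a build or deployment job before the sensor is created in SSIM.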
We are creating a new sensor configuration under "Microsoft Windows Vista® Event
Collector 4.4". This collector is compatible with Windows 2008 & Vista.
Step 1: In Monitored host name enter the FQDN of the server to be monitored (localhost,
127.0.0.1 or the actual IP address will not be able to create the connection through the WinRM service).
Step 2: In Monitored Host Realm enter the realm of the domain (e.g. testdom.com). This can be found by
running the ksetup command on the server from which the logs need to be fetched.
Step 3: In Connection port use 80 or 5985 for HTTP, or 5986 for HTTPS communication.
(For HTTPS communication to work, a Certificate Authority must be installed on the domain and
the certificate retrieved for use in the SSIM Agent configuration for log collection.)
Step 4: In Monitored host Account Name enter a domain ID (or an equivalent ID) to be used for
log collection. (Use only the user ID; do not use the domain\username format.)