Configuring Windows

Log sources for Windows can be configured using a Log Source Template or Devices. The Log Source Template is recommended because it minimizes setup requirements and eliminates normalization issues.

Using Log Source Template

You must create a log source using the log source template to receive the normalized Windows logs. Go to Creating Log Source via a Template to learn more.

[Figure: Log Source Template]

Using Devices

Configuring a Repo for Windows

  1. Go to Settings >> Configuration from the navigation bar and click Repos.

  2. Click Add.

  3. Enter a Repo Name.

  4. Select a Repo Path to store incoming logs.

  5. Set a Retention Day to keep logs in a repository before they are automatically deleted.

Note

You can add and remove multiple Repo Path and Retention Day.

  6. Select a Remote LogPoint and set an Available for (day).

  7. Click Submit.

[Figure: Adding a Repo]

Adding a Normalization Policy for Windows

You must select the LPA_Windows compiled normalizer last.

  1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select all the Compiled Normalizers and Normalization Packages applicable for Windows.

For DNSCompiledNormalizer, you must install and configure CNDP to select a date format, which takes effect when you save the configuration. For the other selected compiled normalizers, Logpoint interprets the date format automatically. We recommend selecting the compiled normalizer(s) in the normalization policy based on your requirements.

DNSCompiledNormalizerEU supports DNS logs with:

  • The ISO date format: YYYY/MM/DD.

  • The European date format: DD/MM/YYYY.

  5. Click Submit.

[Figure: Adding a Normalization Policy]

Configuring a Processing Policy for Windows

  1. Go to Settings >> Configuration from the navigation bar and click Processing Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select the previously created Normalization Policy.

  5. Select the Enrichment Policy.

  6. Select the Routing Policy.

  7. Click Submit.

[Figure: Adding a Processing Policy]

Adding Windows as a Device in Logpoint

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click Add.

  3. Enter a device Name.

  4. Enter the Windows server IP address(es).

  5. Select the Device Groups.

  6. Select an appropriate Log Collection Policy for the logs.

  7. Select a collector or a forwarder from the Distributed Collector drop-down.

Note

Selecting the Device Groups, the Log Collection Policy and the Distributed Collector is optional.

  8. Select a Time Zone. The time zone of the device must be the same as that of its log source.

  9. Configure the Risk Values for Confidentiality, Integrity and Availability; these are used to calculate the risk levels of the alerts generated from the device.

  10. Click Submit.

[Figure: Adding Windows as a Device]

Configuring the Syslog Collector for Windows

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click the Add icon from Actions of the previously added device.

  3. Click Syslog Collector.

Note

You can select a different collector depending on your requirements and the added device. To learn more about the available collectors, go to collectors. If you require assistance, contact our support team.

[Figure: Selecting a Collector]

  4. Select Syslog Parser as the Parser.

  5. Select the previously created Processing Policy.

  6. Select the Charset.

  7. In Proxy Server, select None.

  8. Click Submit.

[Figure: Configuring Syslog Collector]

Configuring AgentX for Windows

DHCP and DNS servers record events in the Windows Event Logs under event log channels such as DHCP-Server and DNS-Server. You can find these channels in your server's Event Viewer. Select the required channels in AgentX to define which event logs are collected from Windows.
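As an added example (not part of the Logpoint documentation), the following PowerShell, run on the Windows server in an elevated shell, lists the DHCP and DNS event log channels and whether each is enabled and populated, so the exact channel names can be entered in the AgentX template. The wildcard patterns and the channel name used in the final check are assumptions and may need adjusting for your server.

```powershell
# Added example, not from the Logpoint documentation.
# Enumerate the Event Log channels DHCP and DNS servers write to, so the exact
# names can be selected in AgentX. Patterns below are assumptions; adjust as needed.
$patterns = @('*Dhcp-Server*', '*DNSServer*', 'DNS Server', 'DhcpAdminEvents')

$channels = Get-WinEvent -ListLog $patterns -ErrorAction SilentlyContinue |
    Sort-Object LogName

foreach ($c in $channels) {
    # A disabled channel, or one with zero records, produces no events in Logpoint
    # even when AgentX is configured to collect it, so surface both facts.
    $state = if ($c.IsEnabled) { 'enabled' } else { 'DISABLED' }
    '{0,-50} {1,-9} records={2}' -f $c.LogName, $state, $c.RecordCount
}

# Confirm a channel actually carries recent events before collecting it.
# The channel name is an assumption; replace it with one printed above.
$check = 'Microsoft-Windows-DNSServer/Audit'
Get-WinEvent -LogName $check -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName
```

If a channel shows as DISABLED, enable it in Event Viewer (or with wevtutil) before selecting it in the AgentX template; otherwise the collector will be configured correctly but receive nothing.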

[Figure: Viewing EventLog Channels]

  1. Go to Settings >> Configuration from the navigation bar and click AgentX.

  2. Configure a template. Go to Templates to learn how to add one. Note the template name; you need it for later configuration.

Note

Adding the File Collection, the File Integrity Scanner and the Windows Registry Scanner is optional.

[Figure: Saving Template]

After saving the template,

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click Add collectors/fetchers from Actions of the Device for Windows.

  3. Click AgentX.

  4. Select utf_8 as the Charset.

  5. Select the previously created Processing Policy.

  6. Select the recently created Template.

  7. Click Submit.

[Figure: Configuring AgentX]

Configuring the Logpoint Agent (Centralized) for Windows

  1. Go to Settings >> System Settings from the navigation bar and click Plugins.

  2. Search for LogPoint Agent Powered by NxLog and click Manage.

  3. Configure a template. Go to Templates to learn how to add one. Note the template name; you need it for later configuration.

Note

Adding the File Collection, the File Integrity Scanner and the Windows Registry Scanner is optional.

After saving the template,

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click Add collectors/fetchers from Actions of the Device for Windows.

  3. Click LogPoint Agent Powered by NxLog.

  4. Select utf_8 as the Charset.

  5. Select the previously created Processing Policy.

  6. Select the recently created Template.

  7. Click Submit.
