Wednesday, December 9, 2009

Arcsight Unified Windows Connector de-mystified






As I'm now full-time consulting for Arcsight , I figured this would be a good place to share some of the black magic knowledge that may help others be successful… A great first topic to jump into is the Windows Unified Connector.

This will require you to have some basic-advanced Arcsight administration experience but hopefully it's easy for anyone to understand.

Windows Unified is one of the heaviest utilized connectors but is also one of the most troublesome to understand. Hopefully this post will give you a better idea how it works and how to properly troubleshoot and tune it.

WHY:

Windows Event logs have a wealth of security information, especially on the domain controllers. Who logged on/off, who changed user or file permissions, etc.

HOW:

Windows Unified is a polling Connector which at regular intervals connects to each specified Windows Server, authenticates and grabs a copy of the latest event logs via WMI (Windows API) to normalize and forward to Arcsight ESM.


ISSUES:


Event Latency


There are several common issues experienced using the Windows Unified Connector. Perhaps the most prevalent is delayed events. It is possible to have a Windows Unified Connector sending events to ESM hours or even days late, obviously this kills your ability to do real-time correlation along with anything else really.

Limiting Connectors. A client recently had two separate connectors one production and one running remotely as backup both configured the same and actively polling the same Windows machines. This means the Windows hosts are getting hammered with double duty polling. It's a must to only poll from one Connector at a time and to obtain a backup site, simply add a new ESM destination from the production Connector to also forward events to the backup ESM. In your Disaster Recovery plan have a procedure for quickly turning up the Connector on the backup network to take over during a failure.

Device Profiling


The biggest offender of latency is grouping, the way the Unified Connector works, it polls all systems with the same frequency for the same number of events. This can lead to serious event delay and backlog if you are polling high event rate servers and low event rate servers on the same Connector.

Create multiple Unified Windows Connectors and group the high event rate systems on one or several Connectors and leave the low event rate systems on another. This is a key to eliminating event latency.

Finally there are a few knobs which allow you to tune both polling frequency and number of events fetched at a time.

eventpollcount=50

50 is the default but it would not hurt to bump this value up on your high event rate Connector.

sleeptime=-1

This value controls how long in seconds to wait until the next event poll. -1 the default means continuously poll without delay. On a slow network or polling over long WAN or VPN links, it makes since to add sleeptime, start with 20 seconds and work your way up until you find the right setting for your network.


Connection Issues

Windows Unified Conenctor uses CIFS connection via RPC TCP/445, make sure the RPC service is turned on and is not firewalled to or from the Unified Connector's IP.

Unable to open RPC Handler, if you see this in your Connector logs, it means the remote machine cannot be reached, it's down or authentication is failing. Start with ping, then telnet to port 445 from the Connector finally check login credentials.

7 comments:

Antonio said...

Hi,

I´m having a hard time configuring the correct priviledges for a domain user, not administrator, to be able to collect events from DCs and server of that domain.

Servers are all running Windows 2003.

What´s your suggestion ?

sly said...
This comment has been removed by a blog administrator.
Greg Martin said...

Antonio: Sorry you are going to need to put that domain user in the Administrator group... Not sure of a way around that.

Greg Martin said...

sly: check out this great write up on WMI scripting with python by my twitter buddy Corey http://coreygoldberg.blogspot.com/2008/12/python-monitor-windows-remotely-with.html

Anonymous said...

Hi Greg,
I've experienced the same issues with the unified connector and am working through it right now.

I was wondering if you heard any issues with the Sophos connector on the latest build. I'm seeing jdbc:odbc:SOPHOS all through the log. Followed Arcsights instructions completely but I don't think it likes that connection. Place a support ticket but always looking for additional tips if you have any.

Thanks!

Greg Martin said...

Hi Anon,

I have not yet used the Sophos connector but it sounds like there is database connection issues... Are you connecting remotely to the DB or running the connector as software right on the Sophos box? As for the Windows connector a hint would be to split the connector load as much as possible, try not to have more than 75 hosts on each connector and spread them across multiple connector appliances. Also make sure you are not polling one Windows server from multiple connectors!! Hope that helps.

Anonymous said...

Hi Greg,

I have recently received an IDS "windows system32 directory file access" alert from the unified connector to the destination Windows server.

However this happen only randomly on a few occasions.

Appreciate your advice if there is something I am missing here. Thanks.