How to create a wec-type collector in Kaspersky Unified Monitoring and Analysis Platform to collect events from WEC server
Latest update: May 2, 2024
ID: 16039
Applications and versions that this article concerns:
- Kaspersky Unified Monitoring and Analysis Platform 3.0.3
- Kaspersky Unified Monitoring and Analysis Platform 3.0.2
Follow the instructions below if you need to configure receiving events by a Kaspersky Unified Monitoring and Analysis Platform (KUMA) collector from a dedicated WEC server which receives events from the infrastructure via Windows subscriptions.
Events will be collected with the agent–collector connection type.
Step 1. Create a collector to collect events from the WEC server.
- Open KUMA, go to Resources → Collectors and click Add.
- Enter the name of the collector in the corresponding field of the Connect event sources section.
- Go to the Transport section and select wec from the Kind drop-down list on the Basic settings tab.
- In the URL field, specify the server and port on which the KUMA collector is installed and which will receive events from the agent.
For example, collector01.some.local:5125.
- In the Windows logs field, specify the logs which must be transferred to the KUMA collector by the KUMA agent.
For example, WEC-Authentication, WEC-Service, WEC2-Registry.
- Go to the Basic event parsing section and select [OOTB] Microsoft Product from the Normalizer drop-down list on the Normalization scheme tab.
- Go to the Routing section, click Add and add a storage and correlator which will receive events.
For example:
- Storage: type—storage, URL—storage01.some.local:7221 and storage02.some.local:7221.
- Correlator: type—correlator, URL—correlator01.some.local:7231.
- Go to the Setup validation section and click Create and save service.
- Copy the generated command for collector and agent installation into a .TXT file.
- Add sudo at the beginning of the command and run it on the server with the Collector role.
# sudo /opt/kaspersky/kuma/kuma collector --core <server address from which the collector must receive its parameters> --id <ID of the service to be installed> --api.port <port> --install
Example:
# sudo /opt/kaspersky/kuma/kuma collector --core https://kuma.some.local:7210 --id 883c88f5-790d-4e91-afcb-709cd8794c6b --api.port 7234 --install
- Go to Resources → Active services and make sure that the collector service is created and has a green status, and the KUMA agent service has a red status.
The status of the agent is red because it has not yet been installed on the WEC server.
Step 2. Configure event transfer from the WEC server to the KUMA collector
- Open the directory /home/ka/kuma-ansible-installer/roles/kuma/files.
Your home directory may be different.
- Copy the kuma.exe installation file from the directory.
- Copy the kuma.exe file to the WEC server.
If Windows log events are to be read from the server on which the agent is deployed, follow the instructions below. Otherwise, proceed to step 3.
- Log on to the device where the agent is to be deployed.
- Open Computer Management.
- Go to Local Users and Groups → Groups and open the Event Log Readers group.
- Click Add, enter SOME\wec_agent in the Enter the object names to select field and click OK.
- Click OK.
Step 3. Add an account
You need to add the account to the policy only on the server where the agent is installed.
- Log on to the device where the agent is to be deployed.
- Open Edit group policy.
- Go to Computer Configuration → Windows Settings → Security Settings.
- Proceed to Local Policies → User Rights Assignment and double-click the Log on as a service policy.
- Click Add User or Group, enter SOME\wec_agent in the Enter the object names to select field and click OK.
- Click OK.
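As an added pre-flight check (not part of the Kaspersky article), the following PowerShell script, run on the WEC server before Step 4, verifies the preconditions from Steps 1 to 3: the agent account's Event Log Readers membership and Log on as a service right, the presence of the forwarded-event channels, and reachability of the collector port. The account, collector host and port, and channel names are the article's example values; change them for your environment.

```powershell
# Added pre-flight check (not from the article): run on the WEC server before installing the KUMA agent.
# Values below are the article's examples; adjust them for your environment.
$Account   = 'SOME\wec_agent'
$Collector = 'collector01.some.local'
$Port      = 5125
$Channels  = @('WEC-Authentication', 'WEC-Service', 'WEC2-Registry')
$ok = $true

# 1. Is the agent account a member of Event Log Readers (needed to read the channels)?
$members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction Stop
if ($members.Name -contains $Account) {
    Write-Host "[OK]   $Account is in Event Log Readers"
} else {
    Write-Host "[FAIL] $Account is not in Event Log Readers"; $ok = $false
}

# 2. Does the account hold 'Log on as a service' (SeServiceLogonRight)?
#    secedit exports the right as a list of SIDs, so translate the account name to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line -and $line.Line -match [regex]::Escape($sid)) {
    Write-Host "[OK]   $Account has Log on as a service"
} else {
    Write-Host "[FAIL] $Account lacks Log on as a service"; $ok = $false
}

# 3. Do the forwarded-event channels named in the collector's Windows logs field exist?
foreach ($ch in $Channels) {
    $log = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
    if ($log) {
        Write-Host ("[OK]   channel {0}: {1} records" -f $ch, $log.RecordCount)
    } else {
        Write-Host "[FAIL] channel $ch not found (check the WEC subscription)"; $ok = $false
    }
}

# 4. Can this host reach the collector port given in the wec transport URL?
$tnc = Test-NetConnection -ComputerName $Collector -Port $Port -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) { Write-Host "[OK]   ${Collector}:$Port reachable" }
else { Write-Host "[FAIL] ${Collector}:$Port not reachable"; $ok = $false }

if ($ok) { 'Pre-flight passed: proceed with kuma agent --install' } else { 'Fix the FAIL items first' }
```

Run it in an elevated PowerShell session, since secedit and the local group query need administrative rights.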
Step 4. Install the agent on the server
- Open the folder with the copied installation kuma.exe file.
- Make sure that steps 2 and 3 are complete.
- Run the following command to install the agent:
kuma agent --core https://<full domain name of the KUMA kernel server>:<port used by the KUMA kernel server for internal communications (7210 by default)> --id <ID of the agent service created in KUMA> --user <domain and user name under which the agent will operate> --install
Example of the command:
kuma agent --core https://kuma.some.local:7210 --id 5853a91c-8e76-4c80-8241-3ae6aa76a362 --user wec_agent@some.local --install
The command requires the password of the account under which events will be read and sent to the KUMA collector and which is included in the Event Log Readers group and Log on as a service policy.
- Open KUMA and go to Resources → Active services.
- Make sure that the agent status is now green.
- Select the check box next to the WEC collector and click Go to events to verify that events are being received.
If the article didn't help, you still have questions, or you would like to add or clarify something, create a topic on the Forum.