How to create an http-type collector in Kaspersky Unified Monitoring and Analysis Platform to collect events via WMI agents
Applies to:
- Kaspersky Unified Monitoring and Analysis Platform 3.0.3
- Kaspersky Unified Monitoring and Analysis Platform 3.0.2
Follow the instructions below if you need to configure receiving events from a small number of devices (PCs or servers) where you cannot deploy agents of Kaspersky Unified Monitoring and Analysis Platform (KUMA).
Events will be collected through a dedicated server using a WMI connection to the source device with the device–agent–collector connection type.
Step 1. Create a collector to collect events from Windows devices
- Open KUMA, go to Resources → Collectors and click Add.
- Enter the name of the collector in the corresponding field of the Connect event sources section.
- Go to the Transport section and select http from the Kind drop-down menu on the Basic settings tab.
- Select \0 in the Delimiter value drop-down menu.
- In the URL field, specify the server and port on which the KUMA collector is installed and which will receive events from the agent.
For example, collector01.some.local:5145.
- Go to the Event parsing section, open the Parsing flowcharts tab and click Add event parsing.
- In the Normalizer drop-down menu, select [OOTB] Microsoft Product and click OK.
- Go to the Routing section, click Add and add a storage and correlator which will receive events.
For example:
- Storage. Type: storage, URL: storage01.some.local:7221 and storage02.some.local:7221.
- Correlator. Type: correlator, URL: correlator01.some.local:7231.
- Go to the Setup validation section and click Create and save service.
- Copy the generated command to install the collector.
- Prepend sudo to the command and run it on the server with the Collector role.
Example:
The WMI Collector with a green status will appear in the list of services after the command is executed.
Step 2. Create an agent to collect events from remote devices using WMI
- Open KUMA, go to Resources → Agents and click Add.
- On the Base settings tab, enter the name of the agent in the Name field.
- Open the Configuration resource #1 → Basic settings tab and specify the name of the connector in the Name field of the Connector block.
- In the Kind drop-down list, select wmi.
- Select an account under which the agent will connect to remote Windows devices in the Default credentials drop-down list.
- In the Remote hosts block, specify a device to which the connector must connect and log types that must be read.
- Click Add and repeat the previous step (Remote hosts) for each additional device.
- Go to the Destination block and specify the WMI Collector in the Name field.
- In the Kind drop-down list, select http.
- In the URL field, specify the server and port of the collector that will receive events from the agent (the same URL as in the collector's Transport settings from step 1).
Step 3. Create a service
- Go to Resources → Active services and click Add service.
- Select the check box next to the previously created WMI Agent and click Create service.
A new WMI Agent service will appear with a red status in the services list.
- Right-click the WMI Agent service and select Copy ID.
- Open the directory /home/ka/kuma-ansible-installer/roles/kuma/files (your home directory may be different).
- Copy the kuma.exe installation file from the directory.
Step 4. Prepare the server for agent installation
If Windows log events will be read from the server on which the agent is deployed, follow the instructions below. Otherwise, move on to step 5.
- Log on to the device where the agent is to be deployed.
- Open Computer Management.
- Go to Local Users and Groups → Groups and open the Event Log Readers group.
- Click Add, type SOME\wmi_agent in the Enter the object names to select field and click OK.
- Click OK.
Step 5. Add the wmi_agent account to the policy
- Log on to the device where the agent is to be deployed.
- Open Edit group policy.
- Go to Computer Configuration → Windows Settings → Security Settings.
- Proceed to Local Policies → User Rights Assignment and double-click the Log on as a service policy.
- Click Add User or Group, enter SOME\wmi_agent in the Enter the object names to select field and click OK.
- Click OK.
Step 6. Configure the sources
Add the account from the connector settings to the Event Log Readers group for all the Windows devices from which events will be collected:
- Log on to the device.
- Open Computer Management.
- Go to Local Users and Groups → Groups and open the Event Log Readers group.
- Click Add, type SOME\wmi_agent in the Enter the object names to select field and click OK.
- Click OK.
- Repeat the steps above for the remaining devices from which you want to collect events.
- Use these instructions to make sure that the RPC service is enabled and accessible on the servers.
Example of the command:
In the command, remoteip is the address of the server where the agent is installed, that is, the server from which the connection for event collection will be made.
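As an added example that is not part of this article, the following PowerShell prepares one Windows source device (Steps 4 to 6: Event Log Readers membership, RPC/WMI service state, and inbound WMI firewall rules scoped to the agent server only) and then checks from the agent server that the wmi_agent account can actually read the Security log over WMI. The agent server address, the source host name and the credential prompt are assumed placeholders.

```powershell
# Added example, not from the KUMA article. Sections 1-4 run on the Windows
# event source; section 5 runs on the server where kuma.exe will be installed.
# Assumed values: $AgentServerIp and $Source are placeholders; SOME\wmi_agent is
# the connector account named in the article.
$AgentServerIp = '10.0.0.5'                       # assumption: agent server address

# 1. Grant the connector account read access to the event logs (Step 6).
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'SOME\wmi_agent' -ErrorAction SilentlyContinue
Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object Name, PrincipalSource

# 2. Confirm the RPC endpoint mapper and the WMI service are running.
Get-Service -Name RpcSs, Winmgmt | Select-Object Name, Status, StartType

# 3. Enable the built-in inbound WMI rules (TCP 135 plus DCOM/WMI) and scope them
#    to the agent server only, instead of the default "Any" remote address.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Set-NetFirewallRule -Enabled True -RemoteAddress $AgentServerIp

# 4. Review the resulting remote-address scope of those rules.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress

# 5. From the agent server: verify that TCP 135 is reachable and that the account
#    can read the Security log over WMI (RPC/DCOM) before installing kuma.exe (Step 7).
#    Get-WmiObject is used because it supports -Credential with DCOM (Windows PowerShell 5.1).
$Source = 'source01.some.local'                   # assumption: event source host
Test-NetConnection -ComputerName $Source -Port 135 | Select-Object ComputerName, TcpTestSucceeded
$Cred = Get-Credential -UserName 'SOME\wmi_agent' -Message 'Connector account password'
Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='Security'" `
    -ComputerName $Source -Credential $Cred |
    Select-Object -First 1 Logfile, EventCode, TimeGenerated
```

If section 5 returns an event, both the firewall scope and the Event Log Readers membership are correct; an access-denied error points at the group membership, a timeout at RPC reachability.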
Step 7. Install the agent on the server
- Open the folder with the copied installation kuma.exe file.
- Make sure that steps 4, 5, and 6 are done.
- Run the following command to install the agent:
Example:
- Open KUMA and go to Resources → Active services.
- Make sure that the agent status is now green.
- Select the check box next to the WMI Collector and click Go to events to confirm that events are being received.