Transferring events from Windows machines to KUMA

May 15, 2024

ID 264753

To transfer events from Windows machines to KUMA, a combination of a KUMA agent and a KUMA collector is used. Data transfer is organized as follows:

  1. The KUMA agent installed on the machine receives Windows events:
    • Using the WEC connector: the agent receives events arriving at the host under a subscription, as well as the server logs.
    • Using the WMI connector: the agent connects to remote servers specified in the configuration and receives events.
  2. The agent sends events (without preprocessing) to the KUMA collector specified in the destination.

    You can configure the agent so that different logs are sent to different collectors.

  3. The collector receives events from the agent, performs a full event processing cycle, and sends the processed events to the destination.

Receiving events from the WEC agent is recommended when using centralized gathering of events from Windows hosts using Windows Event Forwarding (WEF). The agent must be installed on the server that collects events; it acts as the Windows Event Collector (WEC). We do not recommend installing KUMA agents on every endpoint host from which you want to receive events.

The process of configuring the receipt of events using the WEC Agent is described in detail in the appendix: Configuring receipt of events from Windows devices using KUMA Agent (WEC).

For details about the Windows Event Forwarding technology, please refer to the official Microsoft documentation.

We recommend receiving events using the WMI agent in the following cases:

  • If it is not possible to use the WEF technology to implement centralized gathering of events, and at the same time, installation of third-party software (for example, the KUMA agent) on the event source server is prohibited.
  • If you need to obtain events from a small number of hosts — no more than 500 hosts per one KUMA agent.

For connecting Windows logs as an event source, we recommend using the "Add event source" wizard. When using the wizard to create a collector with WEC or WMI connectors, the agents for receiving Windows events are created automatically. You can also manually create the resources necessary for collecting Windows events.

An agent and a collector for receiving Windows events are created and installed in several stages:

  1. Creating a set of resources for an agent.

    Agent connector:

    When creating an agent, on the Connection tab, you must create or select a connector of the WEC or WMI type.

    If at least one Windows log name in a WEC or WMI connector is specified incorrectly, the agent will receive events from all Windows logs listed in the connector except the problematic log. At the same time, the agent status will be green. Attempts to receive events will be repeated every 60 seconds, and error messages will be added to the service log.

    Agent destination:

    The type of agent destination depends on the data transfer method you use: nats, tcp, http, diode, kafka, file.

    You must use the \0 value as the destination separator.

    The advanced settings for the agent destination (such as separator, compression and TLS mode) must match the advanced destination settings for the collector connector that you want to link to the agent.

  2. Creating an agent service in the KUMA console.
  3. Installing the KUMA agent on the Windows machine from which you want to receive Windows events.

    Before installation, make sure that the system components have access to the network and open the necessary network ports:

    • Port 7210, TCP: from server with collectors to the Core.
    • Port 7210, TCP: from agent server to the Core.
    • The port configured in the URL field when the connector was created: from the agent server to the server with the collector.
  4. Creating and installing KUMA collector.

    When creating a set of collectors, at the Transport step, you must create or select a connector that the collector will use to receive events from the agent. Connector type must match the type of the agent destination.

    The advanced settings of the connector (such as delimiter, compression, and TLS mode) must match the advanced settings of the agent destination that you want to link to the agent.
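
The requirement in steps 1 and 4 that the agent destination and the collector connector use the same separator (\0) is easy to check on a byte stream. The following added example, written for this page and not part of KUMA, frames a batch of constructed sample events with a NUL separator the way an agent destination would, parses them back the way a collector connector would, and shows what happens when the two sides disagree on the separator or when a record arrives incomplete. The event field names and the host name are constructed for illustration only.

```python
import json

# Separator the KUMA documentation requires for the agent destination (NUL byte).
SEPARATOR = b"\0"

# Constructed sample events; field names are illustrative, not KUMA's schema.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "Computer": "wec01.example.local"},
    {"EventID": 4625, "Channel": "Security", "Computer": "wec01.example.local"},
    {"EventID": 7036, "Channel": "System", "Computer": "wec01.example.local"},
]


def frame_events(events, separator=SEPARATOR):
    """Serialize a batch of events as the sending side would:
    one JSON document per event, each terminated by the separator."""
    return b"".join(json.dumps(e).encode("utf-8") + separator for e in events)


def parse_stream(data, separator=SEPARATOR):
    """Split a received byte stream on the receiving side's separator.

    Returns (events, remainder): the complete records decoded so far and
    any trailing bytes that have not yet been terminated by a separator
    (an incomplete record, to be prepended to the next read)."""
    chunks = data.split(separator)
    remainder = chunks.pop()  # bytes after the last separator, possibly empty
    events = [json.loads(chunk.decode("utf-8")) for chunk in chunks]
    return events, remainder


def demo():
    """Matched vs. mismatched separator, plus a partially delivered batch."""
    wire = frame_events(SAMPLE_EVENTS)

    # Both sides use \0: every record is recovered, nothing left over.
    matched, rest = parse_stream(wire)

    # Receiver configured with "\n" instead of "\0": no separator is ever
    # found, so nothing is decoded and the whole stream sits in the buffer.
    mismatched, bad_rest = parse_stream(wire, b"\n")

    # Last 5 bytes not yet received: two records complete, one pending.
    partial, pending = parse_stream(wire[:-5])

    return {
        "matched": len(matched),
        "matched_leftover": len(rest),
        "mismatched": len(mismatched),
        "mismatched_leftover": len(bad_rest),
        "partial": len(partial),
        "pending_bytes": len(pending),
    }


if __name__ == "__main__":
    print(demo())
```

A separator mismatch does not produce a parse error; the receiver simply never finds a record boundary and the buffer grows while the collector reports no events, which is the symptom to look for when an agent appears connected but the collector stays empty.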

For some playbooks to work correctly, you may need to configure additional enrichment in the collector. To do so, edit the enrichment rule settings of the KUMA collector as follows:

  1. Add an enrichment rule by clicking Add enrichment rule and specify the following information in the corresponding fields:
    • Name: Specify an arbitrary name for the rule.
    • Source kind: dns
    • URL: IP address of the domain controller.
    • Requests per second: 5.
    • Workers: 2.
    • Cache TTL: 3600.
  2. Add an enrichment rule by clicking Add enrichment rule and do the following:
    1. Fill in the following fields:
      • Name: Specify an arbitrary name for the rule.
      • Source kind: event.
      • Source field: DestinationNTDomain.
      • Target field: DestinationNTDomain.
    2. Click Add conversion and specify the following information in the corresponding fields:
      • Type: append.
      • Constant: .RU.
      • Type: replace.
      • Chars: RU.RU.
      • With chars: RU
  3. Repeat the substeps from step 2 and specify SourceNTDomain as the Source field and Target field.
  4. Add enrichment with LDAP data and do the following:
    • Under LDAP accounts mapping, specify the name of the domain controller.
    • Click Apply default mapping to fill the mapping table with standard values.
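
The conversion chain in steps 2 and 3 (append ".RU", then replace "RU.RU" with "RU") is designed so that the rule gives the same result whether the NT domain field already carries the suffix or not. The following added example, written for this page and not KUMA code, models that chain on constructed event values so the behaviour can be checked before the rule is configured. The helper names, the skipping of empty fields, and the domain values are assumptions made for illustration.

```python
# Conversions exactly as listed in the page's enrichment rule, in order.
CONVERSIONS = [
    ("append", {"constant": ".RU"}),
    ("replace", {"chars": "RU.RU", "with_chars": "RU"}),
]

# Source/Target fields named in steps 2 and 3 of the page.
NT_DOMAIN_FIELDS = ("DestinationNTDomain", "SourceNTDomain")


def apply_conversions(value, conversions=CONVERSIONS):
    """Run the conversion list over a single field value, in order."""
    for kind, params in conversions:
        if kind == "append":
            value = value + params["constant"]
        elif kind == "replace":
            value = value.replace(params["chars"], params["with_chars"])
        else:
            raise ValueError(f"unsupported conversion type: {kind}")
    return value


def enrich_event(event, fields=NT_DOMAIN_FIELDS):
    """Apply the rule to each NT domain field that is present and non-empty.

    Source field and target field are the same, so the value is rewritten in
    place. Skipping empty values is an assumption of this example, made so
    that a missing domain does not turn into a bare ".RU"."""
    enriched = dict(event)
    for field in fields:
        if enriched.get(field):
            enriched[field] = apply_conversions(enriched[field])
    return enriched


def demo():
    """Constructed inputs showing the rule is stable on repeated application."""
    samples = ["CORP", "CORP.RU", "CORPRU"]
    once = {s: apply_conversions(s) for s in samples}
    twice = {s: apply_conversions(once[s]) for s in samples}
    return once, twice


if __name__ == "__main__":
    once, twice = demo()
    for s in once:
        print(f"{s!r:12} -> {once[s]!r:12} -> {twice[s]!r}")
```

Walking the chain by hand: "CORP" becomes "CORP.RU" and the replace step finds nothing to change; "CORP.RU" becomes "CORP.RU.RU" and the replace step collapses it back to "CORP.RU". Applying the rule a second time therefore changes nothing. One consequence worth knowing: a value that already ends in the letters "RU" (for example a constructed "CORPRU") becomes "CORPRU.RU", which also matches "RU.RU", so the replace step removes the suffix that was just appended and the field is left unchanged.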
