Enable Windows Pulling Using A Domain User; Enable Windows Pulling From Windows Nt; Enable Windows Pulling From A Windows 2000 Server; Windows Pulling From A Windows Server 2003 Or Windows Xp Host - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Security mars local controller

Chapter 10
Configuring Generic, Solaris, Linux, and Windows Application Hosts
Microsoft Windows Hosts

2. Select an existing or define a new user account on the Windows host that the MARS Appliance can use to pull event log records.
3. Ensure that the user account has the correct credentials. Verify that the user account belongs to the Administrator group and verify that it includes the privilege for managing and auditing security logs. For more information, see the procedure that corresponds to the operating system running on the host:
   - Enable Windows Pulling Using a Domain User, page 10-7
   - Enable Windows Pulling from Windows NT, page 10-7
   - Enable Windows Pulling from a Windows 2000 Server, page 10-7
   - Windows Pulling from a Windows Server 2003 or Windows XP Host, page 10-8
4. Configure the Windows host to generate the correct event data.
5. Identify that host in MARS so that it can correctly parse and correlate the event data. For more information, see Configure the MARS to Pull or Receive Windows Host Logs, page 10-9.
6. Specify the time interval at which the event log data should be pulled from all identified hosts running Microsoft Windows. For more information, see Windows Event Log Pulling Time Interval, page 10-11.

Enable Windows Pulling Using a Domain User

To enable Windows pulling using a domain user (domain\username), for example, CORP\syslog, do the following on the domain controller before you enable Windows pulling on your client:

Step 1  On the domain controller, click Administrative Tools > Default Domain Security Policy > Security Settings > Local Policies > User Rights Management.
Step 2  Grant the permission Manage auditing and security log to the domain user (domain\username).

Enable Windows Pulling from Windows NT

To enable MARS to pull event log data from a Windows NT host, follow these steps:

Step 1  From Start > Programs > Administrative Tools > User Manager, in the menu bar, choose Policies.
Step 2  In the submenu, choose User Rights, and make sure the right of Manage auditing and security log is granted to the user account used for pulling event log records.
Step 3  In the submenu, choose Audit. Configure the audit policy according to your site's security auditing policy.

Enable Windows Pulling from a Windows 2000 Server

When there is no Active Directory Service (ADS) server sending domain information to your Windows 2000 server, you must set this property to Disabled on each host from which you want the MARS Appliance to pull syslogs.

To enable MARS to pull event log data from a Windows 2000 host, follow these steps:

User Guide for Cisco Security MARS Local Controller
78-17020-01
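
The domain user and Windows NT procedures on this page both grant Manage auditing and security log, which Windows stores as the SeSecurityPrivilege user right. As an added example (not part of the Cisco manual), the Python script below checks that grant in a policy export made with `secedit /export /cfg rights.inf /areas USER_RIGHTS` on hosts where secedit is available, and lists every other holder of the right. The SID and the sample export are constructed for illustration.

```python
SE_SECURITY = "SeSecurityPrivilege"  # "Manage auditing and security log"

# Constructed sample: a pull-account SID and a secedit-style export (UTF-16 with BOM).
PULL_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Privilege Rights]\r\n"
    "SeSecurityPrivilege = *S-1-5-32-544,*" + PULL_SID + "\r\n"
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
).encode("utf-16")

def decode_export(raw):
    """Decode a secedit export: UTF-16 when a BOM is present, else UTF-8/ASCII."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def privilege_holders(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Holders are comma separated; SIDs carry a leading '*'.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def check_pull_account(inf_text, identities):
    """identities: the pull account's SID and/or DOMAIN\\name spellings."""
    wanted = {i.lower() for i in identities}
    holders = privilege_holders(inf_text).get(SE_SECURITY, [])
    granted = any(h.lower() in wanted for h in holders)
    others = [h for h in holders if h.lower() not in wanted]
    return granted, others

if __name__ == "__main__":
    granted, others = check_pull_account(decode_export(SAMPLE), [PULL_SID])
    print("pull account holds", SE_SECURITY, ":", granted)
    print("other holders to review:", others)
```

Reviewing the other holders after each change keeps the list of accounts that can read and clear the Security log limited to those the site's audit policy expects.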


This manual is also suitable for:

Mars 20, Mars 50, Mars 100, Mars 200
