
Site Collector Administration Guide

Set Up Windows Event Log Collector

Set up the Windows Event Log Collector to retrieve logs natively from your Windows server. The Windows Event Log Collector is a set of Site Collector flows, pre-built processors, groups, custom processors, other components, and integrations that pull logs in XML format, Event Viewer format (shown as Friendly View in Windows Event Viewer), or both from your Windows server and push them to the Exabeam Security Operations Platform. The collector provides flexible template configuration for selecting which Windows events to collect.

Tip

If you configure a Windows Event Log Collector instance for a Site Collector instance that was created using a hostname, you may get a 'Request timed out' error when the Windows VM tries to reach the Site Collector host VM. To avoid the 'Request timed out' and 'Setup error' errors, complete the following steps on your Windows VM.

Type ping hostname_of_site_collector in your Windows command prompt. If this command succeeds, proceed with installing a Windows Event Log Collector for this Site Collector instance. If you get a 'Request timed out', 'Cannot resolve host', or 'Unknown host' error, use the following steps.

  1. Open the hosts file, which maps hostnames to IP addresses, at C:\Windows\System32\drivers\etc\hosts in Notepad. Run Notepad as an administrator, because the hosts file is write-protected for standard users.

  2. Add a new entry at the end of the file with the IP address followed by the hostname (the hosts file format is IP address first, then hostname), for example: ip_address  hostname_of_site_collector

  3. Save the hosts file.

  4. Proceed to install a Windows Event Log Collector instance for this Site Collector instance.
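The following PowerShell script automates the check above. It is an added example, not Exabeam's install script or part of the product: it runs the same ping test the tip describes, and only if that fails does it add a hosts entry, refusing to run unelevated, rejecting a malformed IP, and skipping the write if the hostname is already mapped. The hostname and IP address are parameters you supply; the script assumes ICMP is allowed between the two VMs, exactly as the tip's ping test does.

```powershell
# Added example (not Exabeam's script): pre-flight name-resolution check for a Site
# Collector instance that was created with a hostname. Save as Check-SiteCollectorHost.ps1
# and run it from an elevated PowerShell session on the Windows VM.
param(
    [Parameter(Mandatory)][string]$SiteCollectorHost,   # hostname the Site Collector instance was created with
    [Parameter(Mandatory)][string]$SiteCollectorIp      # its IP address as seen from this Windows VM
)
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-SiteCollectorReachable {
    param([string]$HostName)
    # Same check as "ping hostname_of_site_collector"; $false covers 'Request timed out'
    # as well as 'Cannot resolve host' / 'Unknown host'.
    return [bool](Test-Connection -ComputerName $HostName -Count 2 -Quiet -ErrorAction SilentlyContinue)
}

if (Test-SiteCollectorReachable $SiteCollectorHost) {
    Write-Host "$SiteCollectorHost is reachable; proceed with the Windows Event Log Collector install."
    return
}

# The hosts file is write-protected; editing it needs an elevated session.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Cannot reach $SiteCollectorHost and this session is not elevated; rerun PowerShell as Administrator to update $hostsFile."
}

$parsedIp = $null
if (-not [System.Net.IPAddress]::TryParse($SiteCollectorIp, [ref]$parsedIp)) {
    throw "'$SiteCollectorIp' is not a valid IP address."
}

# Never add a second, possibly conflicting, mapping. hosts lines are "<ip> <name> [<alias>...]"
# and '#' starts a comment.
$pattern  = '^\s*(\S+)\s+(?:\S+\s+)*' + [regex]::Escape($SiteCollectorHost) + '(?:\s|$)'
$existing = Get-Content $hostsFile | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
if ($existing) {
    Write-Warning "An entry for $SiteCollectorHost already exists in $hostsFile ($($existing -join '; ')). Fix or remove it rather than adding another."
} else {
    # Append "<ip>\t<hostname>" on its own line, even if the file has no trailing newline.
    $raw    = [IO.File]::ReadAllText($hostsFile)
    $prefix = if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { "`r`n" } else { '' }
    [IO.File]::AppendAllText($hostsFile, "$prefix$SiteCollectorIp`t$SiteCollectorHost`r`n", [Text.Encoding]::ASCII)
    Write-Host "Added '$SiteCollectorIp $SiteCollectorHost' to $hostsFile."
}

# Drop any cached negative lookup, then repeat the tip's ping test before installing.
ipconfig /flushdns | Out-Null
if (Test-SiteCollectorReachable $SiteCollectorHost) {
    Write-Host "$SiteCollectorHost now resolves and answers ping; proceed with the install."
} else {
    Write-Warning "$SiteCollectorHost still does not answer; check the IP address and any firewall blocking ICMP before installing."
}
```

A hosts entry is a local override that silently bypasses DNS for that name, so treat it as a workaround for the install and track it: if the Site Collector host's address changes later, this VM keeps using the stale mapping.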

To set up a Windows Event Log Collector:

  1. Log in to the Exabeam Security Operations Platform with your registered credentials.

  2. Navigate to Collectors > Site Collectors.

  3. Ensure that the Site Collector is installed and running.

  4. On the Site Collector page, click the Collectors Library tab, then click Windows.

  5. In the Definition section, enter the required information as follows.

    • Collector Name – Site Collector generates a name for the Windows Event Log collector based on your hostname.

    • Site Collector Instance – Select the site collector instance for which you want to set up the Windows Event Log Collector.

    • Log Ingestion Start Date – Select the date from which you want the Windows Event Log Collector to collect events.

      • Now (Default) – Keep the default option Now if you want the collector to pull only the logs registered from the collector installation time onward.

      • 1 Week Ago – Select this option if you want the collector to start pulling logs one week before the time of collector installation. For example, if you installed the collector instance on September 27, the collector instance starts pulling logs from September 20, 00:00 UTC, irrespective of the installation time.

      • 2 Weeks Ago – Select this option if you want the collector to start pulling logs two weeks before the time of collector installation.

      • 3 Weeks Ago – Select this option if you want the collector to start pulling logs three weeks before the time of collector installation.

      • 4 Weeks Ago – Select this option if you want the collector to start pulling logs four weeks before the time of collector installation.

      • All Time – Select All Time if you want the collector to collect all the data available on the Windows server.

  6. Click Next.

  7. In the Data section, set up the Windows template for the collector. After you create a template, you can reuse it for other collector instances, or create a new template each time you set up a Windows Event Log Collector.

    • Windows Template – Select one or more preconfigured templates to filter logs, or create a new template. Templates filter logs by attribute values.


      You can select from one to five preconfigured templates. If the selected templates have overlapping conditions, an event that matches more than one template is pulled once per matching template, so the collector instance delivers duplicate data. To avoid duplication, create templates whose conditions do not overlap. For example:

      • Log Conditions for Template 1 (screenshot)

      • Log Conditions for Template 2 (screenshot)

      • Log Conditions for Template 3 (screenshot)

      By clicking +New Windows Template, you can create and apply up to five templates.

      To create a new Windows template:

      1. In the Templates list, click New Windows Template.

      2. In the Template Name field, specify a name for the new Windows template.

      3. In the Windows Event Format section, select the format in which you want the collector to pull logs: XML, Event Viewer format (shown as Friendly View in Windows Event Viewer), or both.

      4. In the Windows Log Category section, enable each Windows log you want to filter on and select one option for it: All, Range, or Exclude.

        • All – Click All to include every event from the specified Windows log, regardless of value.

        • Range – Click Range and specify a range in the box that appears. The collector collects only the events from the specified Windows log whose value falls within the defined range.

        • Exclude – Click Exclude and, in the box that appears, specify the values of the events to reject during collection. The collector collects all events from the specified Windows log except those listed here.

      5. Click Create.

  8. In the Installation section, copy the scripts and download certificates as follows.

    • Certificate – Click Default Certificate to download the certificates. Save the certificates in the directory from which you will run the installation command.

      Note

      After the security certificate expires, the collector may continue to deliver data for several hours, because connections that were created and authenticated before the expiry stay open. Do not rely on this grace period: it lasts only as long as those connections do, so renew the certificate before it expires.

    • Install Script – Copy the Install script. Open PowerShell or cmd as an administrator, change to the directory that contains the downloaded certificates, paste the script, and run it to install the Windows collector.

      Note

      You can use the same install script to install the Windows Event Log Collector on multiple Windows machines.

    • Uninstall Script – To uninstall the Windows collector, copy the script and run it on the Windows server in PowerShell or cmd as an administrator.

  9. Verify that the collector installed. After you run the Install script on your Windows server, a confirmation message reports successful installation, and the collector instance is listed in the Overview section of the user interface.

    The Windows Event Log Collector is set up and is ready to pull Windows events from your Windows server.

    After the Windows collector is set up, Site Collector Core pulls logs periodically according to your template configuration and uploads them to the Exabeam Security Operations Platform. If the Windows server becomes unavailable, Site Collector Core resumes pulling logs from the point where it stopped once the server is reachable again.

    If installation fails, the collector is disabled and its configuration is saved. You can check the collector status in the user interface or in the support package.

    Note

    The supported Windows versions are Windows 10 and 11, Windows Server 2016 and Windows Server 2016 Core, Windows Server 2019 and Windows Server 2019 Core, and Windows Server 2022 and Windows Server 2022 Core.
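The following PowerShell block is an added example, not Exabeam's code and not part of the product, that models two settings from the procedure above: the Log Ingestion Start Date options in the Definition section (step 5) and the per-log All / Range / Exclude conditions of a Windows template in the Data section (step 7). It lets you check a set of up to five templates for overlapping conditions, which the guide warns produce duplicate events, before creating them, and it renders one template as an XPath filter so you can preview on the server what it would match with Get-WinEvent. It assumes that Range and Exclude conditions are expressed as event IDs, that event IDs fit in 16 bits, and that the Welc-* function names and the sample templates are invented for this example.

```powershell
# Added example, not Exabeam's code. Models Log Ingestion Start Date and Windows template
# conditions (All / Range / Exclude, assumed to be on event IDs) so you can detect
# overlapping templates and preview a template's matches with Get-WinEvent.

$MaxEventId = 65535   # assumption: Windows event IDs are 16-bit

# Log Ingestion Start Date: 'N Weeks Ago' starts at 00:00 UTC N weeks before the install
# date regardless of the install time; 'Now' starts at install time; 'All Time' has no bound.
function Get-WelcStartTime {
    param([ValidateSet('Now','1 Week Ago','2 Weeks Ago','3 Weeks Ago','4 Weeks Ago','All Time')]
          [string]$Option,
          [datetime]$InstallTime = [datetime]::UtcNow)
    $utc = $InstallTime.ToUniversalTime()
    switch ($Option) {
        'Now'      { return $utc }
        'All Time' { return $null }
        default    { return $utc.Date.AddDays(-7 * [int]$Option.Substring(0, 1)) }
    }
}

# One per-log condition of a Windows template.
function New-WelcTemplate {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$LogName,
          [Parameter(Mandatory)][ValidateSet('All','Range','Exclude')][string]$Mode,
          [int[]]$EventIds = @())   # Range: low,high; Exclude: IDs to drop; All: unused
    if ($Mode -eq 'Range' -and ($EventIds.Count -ne 2 -or $EventIds[0] -gt $EventIds[1])) {
        throw 'Range needs -EventIds low,high with low <= high'
    }
    if ($Mode -eq 'Exclude' -and $EventIds.Count -eq 0) { throw 'Exclude needs at least one ID' }
    [pscustomobject]@{ Name = $Name; LogName = $LogName; Mode = $Mode; EventIds = $EventIds }
}

# The event IDs a template accepts, as closed intervals {Lo, Hi}.
function Get-WelcIntervals {
    param($Template)
    switch ($Template.Mode) {
        'All'   { [pscustomobject]@{ Lo = 0; Hi = $MaxEventId } }
        'Range' { [pscustomobject]@{ Lo = $Template.EventIds[0]; Hi = $Template.EventIds[1] } }
        'Exclude' {                      # complement of the excluded IDs within 0..$MaxEventId
            $start = 0
            foreach ($id in ($Template.EventIds | Sort-Object -Unique)) {
                if ($id -gt $start) { [pscustomobject]@{ Lo = $start; Hi = $id - 1 } }
                $start = $id + 1
            }
            if ($start -le $MaxEventId) { [pscustomobject]@{ Lo = $start; Hi = $MaxEventId } }
        }
    }
}

# Two templates that both accept an event ID from the same log make the collector deliver
# that event twice. Emits one record per duplicated ID range; no output means no overlap.
function Find-WelcOverlap {
    param([object[]]$Templates)
    if ($Templates.Count -gt 5) { throw 'A collector instance applies at most five templates.' }
    for ($i = 0; $i -lt $Templates.Count; $i++) {
        for ($j = $i + 1; $j -lt $Templates.Count; $j++) {
            $a = $Templates[$i]; $b = $Templates[$j]
            if ($a.LogName -ne $b.LogName) { continue }
            foreach ($x in @(Get-WelcIntervals $a)) {
                foreach ($y in @(Get-WelcIntervals $b)) {
                    $lo = [Math]::Max($x.Lo, $y.Lo); $hi = [Math]::Min($x.Hi, $y.Hi)
                    if ($lo -le $hi) {
                        [pscustomobject]@{ LogName = $a.LogName; Templates = "$($a.Name) + $($b.Name)"; FromId = $lo; ToId = $hi }
                    }
                }
            }
        }
    }
}

# XPath equivalent of one template plus the start date, for Get-WinEvent -FilterXPath.
function ConvertTo-WelcXPath {
    param($Template, [nullable[datetime]]$StartTime = $null)
    $conds = @()
    switch ($Template.Mode) {
        'Range'   { $conds += "(EventID >= $($Template.EventIds[0]) and EventID <= $($Template.EventIds[1]))" }
        'Exclude' { $conds += '(' + (@($Template.EventIds | ForEach-Object { "EventID != $_" }) -join ' and ') + ')' }
    }
    if ($null -ne $StartTime) {
        $stamp = $StartTime.Value.ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss.fff\Z')
        $conds += "TimeCreated[@SystemTime >= '$stamp']"
    }
    if ($conds.Count -eq 0) { return '*' }
    return "*[System[$($conds -join ' and ')]]"
}

# --- Usage with constructed templates ---
# Installed Sept 27 with '1 Week Ago' selected: the start is Sept 20, 00:00 UTC.
$start = Get-WelcStartTime -Option '1 Week Ago' -InstallTime ([datetime]'2024-09-27T15:42:00Z')

# Overlapping conditions, as the guide warns against: 'SecAll' already covers 4624-4634.
$conflicting = @(
    (New-WelcTemplate -Name 'SecAll' -LogName 'Security' -Mode All),
    (New-WelcTemplate -Name 'Logons' -LogName 'Security' -Mode Range -EventIds 4624, 4634)
)
Find-WelcOverlap $conflicting | Format-Table

# Non-overlapping conditions: disjoint ID ranges on one log, a different log for the third.
$clean = @(
    (New-WelcTemplate -Name 'Logons'     -LogName 'Security' -Mode Range   -EventIds 4624, 4634),
    (New-WelcTemplate -Name 'ProcCreate' -LogName 'Security' -Mode Range   -EventIds 4688, 4689),
    (New-WelcTemplate -Name 'SysNoSvc'   -LogName 'System'   -Mode Exclude -EventIds 7036)
)
@(Find-WelcOverlap $clean).Count
ConvertTo-WelcXPath $clean[0] -StartTime $start
# Preview on the Windows server (needs read access to the Security log):
# Get-WinEvent -LogName Security -FilterXPath (ConvertTo-WelcXPath $clean[0] $start) -MaxEvents 5
```

Run Find-WelcOverlap against the conditions you intend to put in each template before you click Create: any record it emits is an ID range the collector would pull once per template that matches it. The XPath output uses only the operators the Windows event log XPath subset supports (comparison, and, or), so it can be pasted into Event Viewer's Filter Current Log > XML tab as well as passed to Get-WinEvent.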