How to install the Windows Event Collector v4.3 and the queries for the collector



Article ID: 177318


Updated On:

Products

Security Information Manager

Issue/Introduction

You want to install the Windows Event Collector v4.3 (WEC) and its queries into Symantec Security Information Manager v4.x (SSIM).

Resolution

This is the process you will need to follow to install the Windows Event Collector v4.3:
    • Download Windows Event Collector v4.3, windowseventlog.zip.md5, and the manual for the WEC collector, and unzip them to a folder you can access from the SSIM Web configuration page and from which you can transfer the collector files to each agent on your Windows boxes.
    • If you are updating from a previous Windows Event Collector, open the SSIM Console and export all the WEC sensors that are in the Configurations list, one for each agent you have configured. Save these to a location you can reach so you can reimport the sensor settings once the new WEC collector is registered. Log out of the SSIM Console.
    • Open the SSIM web configuration page, unregister the Windows Event Collector, and register the new Windows Event Collector to the appliance. You will need to use the file in the \windowseventlog\sip folder. There is not a package in these collector files that installs everything on the SSIM appliance for you.
    • In the windowseventlog\utils folder are the queries you will need for the WEC Collector. Review the installqueries.readme file for the steps to install these queries on the SSIM appliance.
    • Unzip the windowseventlog.zip file and, using WinSCP or another SCP product, follow these steps to install the Product Queries:
        1. Connect to the SSIM appliance using an SCP client and transfer \windowseventlog\utils\windowseventlogqueries.tar.gz to the /tmp directory on the appliance. You must transfer these files in binary mode.
        2. Connect to the console using PuTTY, the DRAC connection, or by logging in directly at the appliance itself. Log in or su to root and, from the /tmp directory where you placed the archive, type:
        3. # tar zxvf windowseventlogqueries.tar.gz, press Enter, and then type
        4. # sh installqueries.sh; enter administrator and the administrator password when prompted. This installs the Product Queries for the WEC collector.
    • Reopen the SSIM Console and create new WEC Configurations, one for each Sensor you exported, then go to the Sensor tab of each Configuration and import the corresponding Sensor if you saved them off.
    • On the Windows machines, copy the unzipped windowseventlog folder to each agent and install the collector on each Windows box by opening the windowseventlog\install folder and double-clicking the install.bat file. Run LiveUpdate when prompted. When the agent restarts it should pick up the new configuration.

Note: When you install the WEC 4.3 collector on SSIM 4.5, you must run LiveUpdate on the SSIM for the WEC collector.
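The article tells you to download windowseventlog.zip.md5 alongside the collector but never says how to use it. The helper below is an added example, not part of the article or of the Symantec package: it checks the downloaded zip against the published digest before anything is staged on the appliance, then extracts the query archive and confirms installqueries.sh is present before you run it as root. It assumes the .md5 file uses the common "<hash>  <filename>" layout and that the tarball unpacks installqueries.sh at its top level, as the tar/sh steps above imply.

```shell
#!/bin/sh
# Added example (not from the KB article). Verify the collector download
# against windowseventlog.zip.md5 before staging the query package.

# Print the MD5 digest of a file; works with GNU md5sum or BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_package ZIP MD5FILE -> 0 when the digest in MD5FILE matches ZIP.
# Assumes the first field on the first line of MD5FILE is the hex digest.
verify_package() {
    zip="$1"; md5file="$2"
    [ -f "$zip" ] && [ -f "$md5file" ] || { echo "missing file" >&2; return 1; }
    expected=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    actual=$(md5_of "$zip")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $zip matches $md5file"
        return 0
    fi
    echo "MISMATCH for $zip: expected $expected, got $actual; do not install" >&2
    return 1
}

# stage_queries TARBALL DIR -> extract windowseventlogqueries.tar.gz into DIR
# (e.g. /tmp on the appliance) and confirm the installer script is there.
# Assumes installqueries.sh sits at the top level of the archive.
stage_queries() {
    tarball="$1"; dest="$2"
    mkdir -p "$dest"
    tar zxf "$tarball" -C "$dest" || return 1
    [ -f "$dest/installqueries.sh" ] || { echo "installqueries.sh not found" >&2; return 1; }
    echo "Ready: cd $dest && sh installqueries.sh (as root; supply the administrator password when prompted)"
}
```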