
Windows Event Logs

Realm Security integrates seamlessly with Windows Event Logs, enabling intelligent routing and analysis of security event logs.

Data Flow

Windows Endpoint → Windows Event Forwarder (WEF) → Windows Event Collector (WEC) server VM → Realm Data Collector (running on the same VM as WEC) → Realm Cloud

Use Windows Event Forwarder to collect logs from all endpoints and servers to a Windows Event Collector server (WEC). Install the Realm Data Collector on the WEC VM. The Realm Data Collector reads the logs from the Forwarded Events channel on that server.

Setup Windows Event Logs Source in Realm

  • Login to Realm console
  • Add a new Source. Go to Sources > Add > Windows Event Logs
    • Name: Windows Event Logs
    • Description: Windows Event Logs
  • If a collector is already set up, go to Collectors > Select your collector. If not, add a new collector.
  • Add a Windows Event Logs stream to the Collector.
    • Click on Add Stream
    • Select Product Format: Windows Event Logs
    • From the Source drop-down: select the Windows Event Logs source
    • Polling Interval: Configure the stream with a poll interval of your choosing or use the default 5 seconds.
    • Max Reads: Configure the maximum number of events to read per polling interval, or use the default 100 events.
    • Click Add Stream button
  • Take note of the port that was assigned to the Windows Event Logs stream. You will need it when configuring the Realm Data Collector on the WEC VM.
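Before checking the Realm console, it is worth confirming on the WEC VM itself that forwarded events are arriving and that the stream settings chosen above can keep up with them. The following PowerShell check is an added example, not part of Realm's documentation or tooling. The WinRM and Wecsvc services, the wecutil commands and the ForwardedEvents channel are standard Windows components; the $PollIntervalSeconds and $MaxReads parameters mirror the stream defaults from the steps above (5 seconds, 100 events) and must be adjusted if you chose different values.

```powershell
# Added verification script (not Realm's own code). Run as Administrator on the WEC VM.
# Assumes the stream keeps the defaults from the guide (poll interval 5 s, max reads 100);
# pass -PollIntervalSeconds / -MaxReads if you configured the stream differently.
param(
    [int]$PollIntervalSeconds = 5,
    [int]$MaxReads = 100,
    [int]$WindowMinutes = 10
)

# 1. Services the collector side depends on: WinRM (transport) and Wecsvc (Windows Event Collector).
foreach ($svc in 'WinRM', 'Wecsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Write-Warning "Service $svc not found"; continue }
    Write-Host ("{0,-8} {1}" -f $svc, $s.Status)
    if ($s.Status -ne 'Running') { Write-Warning "$svc is not running; forwarded events will not arrive" }
}

# 2. WEF subscriptions and their runtime state (wecutil is the built-in WEC command-line tool).
$subs = wecutil es 2>$null
if (-not $subs) {
    Write-Warning 'No WEF subscriptions are defined on this collector'
} else {
    foreach ($name in $subs) {
        Write-Host "--- Subscription: $name"
        wecutil gr $name   # per-source runtime status: last heartbeat and last error
    }
}

# 3. The channel the Realm Data Collector reads from.
$log = Get-WinEvent -ListLog ForwardedEvents
Write-Host ("ForwardedEvents enabled={0} records={1} mode={2} maxSizeMB={3}" -f `
    $log.IsEnabled, $log.RecordCount, $log.LogMode, [math]::Round($log.MaximumSizeInBytes / 1MB))
if (-not $log.IsEnabled) { Write-Warning 'The ForwardedEvents channel is disabled' }

# 4. Compare recent inbound volume with what the stream can drain per second.
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue
$count  = @($recent).Count
$inboundPerSec = $count / ($WindowMinutes * 60)
$drainPerSec   = $MaxReads / $PollIntervalSeconds
Write-Host ("Last {0} min: {1} events ({2:N2}/s); stream drains at most {3:N2}/s" -f $WindowMinutes, $count, $inboundPerSec, $drainPerSec)
if ($inboundPerSec -gt $drainPerSec) {
    Write-Warning 'Inbound rate exceeds Max Reads / Polling Interval; raise Max Reads or shorten the interval or the collector will lag'
}
if ($count -eq 0) {
    Write-Warning "No forwarded events in the last $WindowMinutes minutes; check subscription status and source heartbeats above"
}
```

The rate comparison in step 4 is the check most often skipped: with the defaults the stream drains at most 20 events per second, so a busy domain forwarding many sources into one collector can outpace it and the backlog in ForwardedEvents grows until the channel's retention discards events before Realm has read them.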

Prerequisites

  • Ensure you have administrative access to your Windows machine.
  • A Realm collector is set up and running. See the Realm Collector install guide for setting up a collector.

Windows Event Forwarder

Follow this guide to configure Windows Event Forwarder: Windows Event Logs

References