Configuring receipt of events from Windows devices using KUMA Agent (WMI)
KUMA allows you to receive information about events from Windows devices using the WMI KUMA Agent.
Configuring event receiving consists of the following steps:
- Configuring audit settings for managing KUMA.
- Configuring data transfer from the event source server.
- Granting permissions to view events.
- Granting permissions to log on as a service.
- Creating a KUMA collector.
To receive events from Windows devices, in the KUMA Collector Installation Wizard, at the Event parsing step, in the Normalizer field, select [OOTB] Windows Extended v.1.0.
- Installing KUMA collector.
- Forwarding events from Windows devices to KUMA.
To complete the data forwarding configuration, you must create a WMI KUMA agent and then install it on the device from which you want to receive event information.
Configuring audit settings for managing KUMA
You can configure event audit on Windows devices both on a specific device using a local policy or on all devices in a domain using a group policy.
This section describes how to configure an audit on an individual device and how to use a domain group policy to configure an audit.
Configuring an audit using a local policy
To configure an audit using a local policy:
- Open the Run window by pressing the key combination Win+R.
- In the opened window, type
secpol.msc
and click OK. The Local Security Policy window opens.
- Select Security Settings → Local policies → Audit policy.
- In the pane on the right, double-click to open the properties of the policy for which you want to enable an audit of successful and unsuccessful attempts.
- In the <Policy name> properties window, on the Local security setting tab, select the Success and Failure check boxes to track both successful and failed attempts.
It is recommended to enable an audit of successful and unsuccessful attempts for the following policies:
- Audit Logon
- Audit Policy Change
- Audit System Events
- Audit Logon Events
- Audit Account Management
Configuration of an audit policy on the device is complete.
Configuring an audit using a group policy
In addition to configuring an audit on an individual device, you can also configure an audit by using a domain group policy.
To configure an audit using a group policy:
- Open the Run window by pressing the key combination Win+R.
- In the opened window, type
gpedit.msc
and click OK. The Local Group Policy Editor window opens.
- Select Computer configuration → Windows configuration → Security settings → Local policies → Audit policy.
- In the pane on the right, double-click to open the properties of the policy for which you want to enable an audit of successful and unsuccessful attempts.
- In the <Policy name> properties window, on the Local security setting tab, select the Success and Failure check boxes to track both successful and failed attempts.
It is recommended to enable an audit of successful and unsuccessful attempts for the following policies:
- Audit Logon
- Audit Policy Change
- Audit System Events
- Audit Logon Events
- Audit Account Management
The audit policy is now configured on the server or workstation.
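The two procedures above (local policy and group policy) set the same five audit categories. The following PowerShell script is an added example, not part of the KUMA documentation: it enables Success and Failure auditing for those categories with auditpol and then reads back the effective policy so you can confirm each subcategory is set to "Success and Failure". The mapping from the legacy policy names on this page to auditpol category names is an assumption.

```powershell
# Added example (not from the KUMA documentation). Run in an elevated PowerShell session.
# Mapping of the legacy policy names listed on the page to auditpol categories (assumed).
$categories = @{
    'Audit Logon'              = 'Account Logon'
    'Audit Policy Change'      = 'Policy Change'
    'Audit System Events'      = 'System'
    'Audit Logon Events'       = 'Logon/Logoff'
    'Audit Account Management' = 'Account Management'
}

# Enable auditing of successful and failed attempts for every subcategory in each category.
foreach ($name in $categories.Keys) {
    $cat = $categories[$name]
    auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$name' (category '$cat')" }
}

# Verify the effective policy. The /r switch returns CSV with an 'Inclusion Setting' column
# per subcategory; anything other than 'Success and Failure' is reported as a gap.
$report = foreach ($name in $categories.Keys) {
    $cat = $categories[$name]
    auditpol /get /category:"$cat" /r | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Policy      = $name
            Subcategory = $_.Subcategory
            Setting     = $_.'Inclusion Setting'
            Ok          = ($_.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

$report | Format-Table Policy, Subcategory, Setting, Ok -AutoSize
$gaps = $report | Where-Object { -not $_.Ok }
if ($gaps) {
    $gaps | ForEach-Object { Write-Warning "$($_.Policy): '$($_.Subcategory)' is '$($_.Setting)'" }
} else {
    Write-Host 'All recommended categories audit both successful and failed attempts.'
}
```

On a domain-joined device, an audit policy delivered by group policy overrides what auditpol sets locally at the next policy refresh, so the verification part of the script is the useful half there: run it on the target after gpupdate to confirm the group policy produced the expected settings.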
Configuring data transfer from the event source server
Preliminary steps
- On the event source server, open the Run window by pressing the key combination Win+R.
- In the opened window, type
services.msc
and click OK. The Services window opens.
- In the list of services, find the following services:
- Remote Procedure Call
- RPC Endpoint Mapper
- Check the Status column to confirm that these services have the Running status.
Configuring the firewall on the event source server
The Windows Management Instrumentation server can receive Windows log entries if ports are open for inbound connections on the event source server.
To open ports for inbound connections:
- On the event source server, open the Run window by pressing the key combination Win+R.
- In the opened window, type
wf.msc
and click OK. The Windows Defender Firewall with Advanced Security window opens.
- In the Windows Defender Firewall with Advanced Security window, go to the Inbound Rules section and in the Actions pane, click New Rule.
This opens the New Inbound Rule Wizard.
- In the New Inbound Rule Wizard, at the Rule Type step, select Port.
- At the Protocols and ports step, select TCP as the protocol. In the Specific local ports field, indicate the relevant port numbers:
135
445
49152–65535
- At the Action step, select Allow connection (selected by default).
- At the Profile step, clear the Private and Public check boxes.
- At the Name step, specify a name for the new inbound connection rule and click Done.
Configuration of data transfer from the event source server is complete.
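The preliminary service check and the firewall rule from the wizard steps above can also be applied and verified from PowerShell. The script below is an added example, not part of the KUMA documentation: it confirms the two RPC services are running, creates the inbound TCP rule for ports 135, 445 and 49152-65535 on the Domain profile only (Private and Public cleared, as in the wizard), and prints the resulting port filter. The $CollectorAddress value is an assumption; restricting the rule to the address of the host that runs the WMI KUMA agent is tighter than the wizard steps and is optional.

```powershell
# Added example (not from the KUMA documentation). Run in an elevated session on the event source server.
$CollectorAddress = '10.0.0.10'   # hypothetical: address of the host running the WMI KUMA agent
$RuleName         = 'KUMA WMI inbound'

# Preliminary steps: Remote Procedure Call (RpcSs) and RPC Endpoint Mapper (RpcEptMapper)
# must both have the Running status, otherwise remote WMI queries cannot be serviced.
foreach ($svcName in 'RpcSs', 'RpcEptMapper') {
    $svc = Get-Service -Name $svcName
    if ($svc.Status -ne 'Running') {
        throw "Service '$($svc.DisplayName)' is $($svc.Status); it must be Running."
    }
    Write-Host "$($svc.DisplayName): $($svc.Status)"
}

# Firewall: one inbound TCP rule for the endpoint mapper (135), SMB (445) and the
# dynamic RPC port range (49152-65535). Idempotent: skipped if the rule already exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort 135, 445, '49152-65535' `
        -Profile Domain `
        -RemoteAddress $CollectorAddress | Out-Null
    Write-Host "Created firewall rule '$RuleName'."
}

# Verify what the rule actually allows.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

From the host that will run the agent, Test-NetConnection -ComputerName <event source server> -Port 135 is a quick way to confirm the rule is effective before installing the agent.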
Granting permissions to view Windows events
You can grant permissions to view Windows events for a specific device or for all devices in a domain.
To grant permissions to view events on a specific device:
- Open the Run window by pressing the key combination Win+R.
- In the opened window, type
compmgmt.msc
and click OK. The Computer Management window opens.
- Go to Computer Management (local) → Local users and groups → Groups.
- In the pane on the right, select the Event Log Readers group and double-click to open the group properties.
- Click the Add button at the bottom of the Properties: Event Log Readers window.
The Select Users, Computers or Groups window opens.
- In the Enter the object names to select (examples) field, list the names of the users or devices to which you want to grant permissions to view event data. Click OK.
To grant permissions to view events for all devices in a domain:
- Log in to the domain controller with administrator privileges.
- Open the Run window by pressing the key combination Win+R.
- In the opened window, type
dsa.msc
and click OK. The Active Directory Users and Computers window opens.
- In the Active Directory Users and Computers window, go to the Active Directory Users and Computers section → <Domain name> → Builtin.
- In the pane on the right, select the Event Log Readers group and double-click to open the group properties.
- In the Properties: Event Log Readers window, open the Members tab and click the Add button.
The Select Users, Computers or Groups window opens.
- In the Enter the object names to select (examples) field, list the names of the users or devices to which you want to grant permissions to view event data. Click OK.
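The two procedures above add a principal to the Event Log Readers group, either locally or in the domain's Builtin container. The following PowerShell script is an added example, not part of the KUMA documentation: it detects whether it is running on a domain controller and uses the matching cmdlet, skipping the add if the member is already present, and then lists the group's members for verification. The account name is an assumption; the domain branch requires the ActiveDirectory RSAT module.

```powershell
# Added example (not from the KUMA documentation). Run in an elevated session.
$Account = 'CONTOSO\kuma-agent'   # hypothetical account used by the WMI KUMA agent
$Group   = 'Event Log Readers'

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$isDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

if ($isDomainController) {
    # Domain-wide: the Builtin group on the domain controller (ActiveDirectory module needed).
    Import-Module ActiveDirectory
    $sam = $Account.Split('\')[-1]
    $already = Get-ADGroupMember -Identity $Group | Where-Object { $_.SamAccountName -eq $sam }
    if (-not $already) {
        Add-ADGroupMember -Identity $Group -Members $sam
        Write-Host "Added $sam to $Group in the domain."
    }
    Get-ADGroupMember -Identity $Group | Select-Object SamAccountName, objectClass
} else {
    # Single device: the local group.
    $already = Get-LocalGroupMember -Group $Group -Member $Account -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group $Group -Member $Account
        Write-Host "Added $Account to the local $Group group."
    }
    Get-LocalGroupMember -Group $Group | Select-Object Name, ObjectClass, PrincipalSource
}
```

Membership in Event Log Readers grants read access to the event logs only; it does not by itself allow the account to run a service, which is why the next section grants "Log on as a service" separately.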
Granting permissions to log on as a service
You can grant permission to log on as a service to a specific device or to all devices in a domain. The "Log on as a service" permission allows you to start a process using an account that has been granted this permission.
Before granting the permission, make sure that the accounts or devices to which you want to grant the Log on as a service permission are not listed in the properties of the Deny log on as a service policy.
To grant the "Log on as a service" permission to a device:
- Open the Run window by pressing the key combination Win+R.
- In the opened window, type
secpol.msc
and click OK. The Local Security Policy window opens.
- In the Local Security Policy window, go to the Security Settings → Local Policies → User Rights Assignment section.
- In the pane on the right, double-click to open the properties of the Log on as a service policy.
- This opens the Properties: Log on as a Service window; in that window, click Add User or Group.
This opens the Select Users or Groups window.
- In the Enter the object names to select (examples) field, list the names of the accounts or devices to which you want to grant the permission to log on as a service. Click OK.
To grant the "Log on as a service" permission to devices in a domain:
- Open the Run window by pressing the key combination Win+R.
- In the opened window, type
gpedit.msc
and click OK. The Local Group Policy Editor window opens.
- Select Computer configuration → Windows configuration → Security settings → Local policies → User rights assignment.
- In the pane on the right, double-click to open the properties of the Log on as a service policy.
- This opens the Properties: Log on as a Service window; in that window, click Add User or Group.
This opens the Select Users or Groups window.
- In the Enter the object names to select (examples) field, list the names of the users or devices to which you want to grant the permission to log on as a service. Click OK.
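There is no built-in cmdlet for user rights assignment, so the scripted equivalent of the two procedures above exports the local security policy with secedit, edits the SeServiceLogonRight entry and imports it back. The script below is an added example, not part of the KUMA documentation: it first performs the check the section asks for (the account must not appear in "Deny log on as a service"), then grants the right only if it is missing, and finally re-exports the policy to show the result. The account name is an assumption.

```powershell
# Added example (not from the KUMA documentation). Run in an elevated session on the device.
$Account = 'CONTOSO\kuma-agent'   # hypothetical account used by the WMI KUMA agent

# secedit stores rights holders as *SID entries, so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'

# Export only the [Privilege Rights] section of the current local policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg

# Check from the page: the account must not be listed under "Deny log on as a service",
# because the deny right takes precedence over the grant.
$denyLine = $lines | Where-Object { $_ -match '^SeDenyServiceLogonRight\s*=' }
if ($denyLine -and ($denyLine -match [regex]::Escape($sid) -or $denyLine -match [regex]::Escape($Account))) {
    throw "$Account is listed in 'Deny log on as a service'; remove it there before granting the right."
}

$grantLine = $lines | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
if (-not $grantLine) {
    # Nobody holds the right yet: add a fresh entry under [Privilege Rights].
    $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
} elseif ($grantLine -notmatch [regex]::Escape($sid)) {
    # Append the SID to the existing comma-separated list of holders.
    $lines = $lines -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$sid"
} else {
    Write-Host "$Account already holds 'Log on as a service'."
}

# Import the edited policy (USER_RIGHTS area only), then re-export to verify.
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg | Where-Object { $_ -match '^Se(Deny)?ServiceLogonRight' }

Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
```

On a domain-joined device the same right assigned through group policy (the second procedure above) is reapplied at each policy refresh and replaces the local entry, so on such devices grant the right in the group policy and use only the export lines of the script to verify the effective setting.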