Configuring FortiSIEM Windows Agents

This section describes how to set up the FortiSIEM Windows Agent and Agent Manager as part of the FortiSIEM infrastructure.

Configure FortiSIEM Supervisor

Register Windows Agent Manager to FortiSIEM Supervisor

Configure Windows Agent Manager

License and Template Assignments in Agent Manager via Export/Import

Verify Events in FortiSIEM

Sample logs generated by FortiSIEM Windows Agents

Windows System logs

Windows Application logs

Windows Security logs

Windows DNS logs

Windows DHCP logs

Windows IIS logs

Windows DFS logs

Windows file content monitoring logs

Windows File integrity monitoring logs

Windows Installed Software logs

Windows Registry change logs

Windows WMI logs

Windows Powershell logs

Procedure

Configure FortiSIEM Supervisor

  1. Go to Admin > License Management and make sure that there are entries for Basic and Advanced Windows Agents.
  2. Go to Admin > Setup Wizard and add Agent Managers.
    a. Click on the Windows Agents tab.
    b. Click Add and enter the information for a Windows Agent Manager. This information will be used by the Agent Manager to register to FortiSIEM.
      i. Enter the Agent Manager Name.
      ii. Enter the number of Basic Agents and Advanced Agents assigned to this Agent Manager.
      iii. Enter the Start Time and End Time for license validity.
      iv. Choose the Event Upload Destination – this is where the Agent Manager will upload events to.
        1. Select the Organization (Super for the Enterprise version and a specific Organization for the Service Provider version).
        2. Select one or more Collectors belonging to the selected organization.
      v. Click OK to save.

Register Windows Agent Manager to FortiSIEM Supervisor

  1. Log on to Windows Agent Manager
  2. Launch FortiSIEM Windows Agent Manager application
  3. Log on to the FortiSIEM Windows Agent Manager application using User ID and Password created during setup
  4. Register the Windows Agent Manager to FortiSIEM:
    a. Enter the Supervisor IP/Host.
    b. Enter the Agent Manager Name – this is defined in Step 2.b.i of Configure FortiSIEM Supervisor.
    c. Enter the Organization Name – this is defined in Step 2.b.iv of Configure FortiSIEM Supervisor.
    d. Enter the Organization User and Organization Password – the Organization's credentials defined when the Organization was created in Admin > Setup Wizard.
  5. Click Register. If registration is successful, then Windows Agent Manager Dashboard page is displayed. All the installed agents show up in this page with Current Status as Running.

Configure Windows Agent Manager

Starting with Release 2.1, Agents send events directly to Collectors. An Agent sends events to any Collector it chooses; if a particular Collector is not responsive, the Agent sends to the other available Collectors. Before Release 2.1, Agents sent events to the Collector(s) via the Windows Agent Manager.

  1. Go to Dashboard and make sure that it displays all Windows Servers with FortiSIEM Agents installed.
  2. Create a Monitoring Template.
    a. Go to Template Settings. Click on + to expand the options.
    b. Click Create Template.
      i. Enter a template name and description. Click Settings.
      ii. Specify options for each monitoring category:

Category: File/Folder Changes
Description: Monitor access and changes to files and folders.
Settings:
  • Click New.
  • Enter the full path of the File/Folder whose changes are to be monitored.
  • Select Include Subfolder(s) if the folders under the main directory need to be monitored.
  • Narrow down the scope by specifying Include or Exclude files. The chosen files/directories will be displayed.
  • Note: To get User information, you have to do some special configuration in the Windows Agents, as defined in Step 2 of Pre-requisites in Installing FortiSIEM Windows Agent.

Category: Registry Changes
Description: Monitor changes to the root keys of the Windows Registry hive.
Settings:
  • Select the root keys (available keys are HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG).
  • Set the time interval for how often the Agent will check for changes. More CPU will be used for shorter time intervals.

Category: Installed Software
Description: Monitor software install / uninstall on a Windows server.
Settings:
  • Select Product Name, Version and Vendor to be included in an event when a change is detected.

Category: Logs
Description: Collect System/Security/Application logs and specific application logs.
Settings:
  • Check System if you want to collect Windows System logs. Specify include/exclude event IDs.
  • Check Security if you want to collect Windows Security logs. Specify include/exclude event IDs.
  • Check DNS if you want to collect Windows DNS logs. Specify include/exclude event IDs.
  • Check DFS if you want to collect Windows DFS logs. Specify include/exclude event IDs.
  • Check Application if you want to collect Windows Application logs. Specify include/exclude event IDs.
  • Check IIS if you want to collect Windows IIS logs. Specify include/exclude event IDs.
  • Check DHCP if you want to collect Windows DHCP logs. Specify include/exclude event IDs.
  • Check User Logs and specify the file(s) you want to monitor. Any time the file changes, a log will be generated.

Category: WMI Classes
Description: Run a WMI command and collect its output.
Settings:
  • Select the Category and then select the class.
  • Select the WMI Class Attributes.
  • Specify how often the command needs to run.
  • Note: you may need to write a parser in FortiSIEM to get accurate attribute-based reporting.

Category: Powershell Script
Description: Run a Powershell command and send its output.
Settings:
  • Enter a Powershell script.
  • Specify how often the Powershell script needs to run.
  • Note: you may need to write a parser in FortiSIEM to get accurate attribute-based reporting.

      iii. Click Apply to save the template.
      iv. Click Save.

  3. Associate Windows Computers with the proper license, one or more Templates (starting with release 2.0) and one or more Collectors (starting with release 2.1).
    a. Click Associate License / Templates.
    b. Click Search to find the list of computers to apply the license/templates to.
      i. Choose Simple or Advanced.
      ii. For Simple mode:
        1. Select the field to search in. Possible choices are Computer, OS, License Type, Template Name.
        2. Type in the string to search for in the adjacent edit box.
        3. Click Find.
        4. The list of matched computers will be displayed in the area below the Search box.
        5. Select the Computers to which the license/templates will be assigned:
          • Select the header checkbox to select/unselect all.
          • Individually select/unselect the computers if needed.
      iii. For Advanced mode:
        1. For searching by computer names, type the search text next to Computer.
        2. For searching by OS names, type the search text next to OS.
        3. For searching by License Types, select the desired license type from the drop-down.
        4. For searching by Template Names, do one of the following:
          • For exact template name matches, set Templates to ‘Specified from’, select one or more templates from the next drop-down and select the operator: AND or OR.
          • For searching template names, set Templates to ‘Specified in’ and type the search string.
        5. Click Find.
        6. The list of matched computers will be displayed in the area below the Search box.
        7. Select the Computers to which the license/templates will be assigned:
          • Select the header checkbox to select/unselect all.
          • Individually select/unselect the computers if needed.
    c. Make sure the list of computers in view is correct for the license/template assignment and that they are checked.
    d. Click Assign.
      i. License Assignment: select the License Type (Basic, Advanced or None) and click Assign.
      ii. Template Assignment: select the Template(s) from the drop-down list and click Validate. Click Assign; the display will reflect the assignment. Click Unassign to remove the template from the computer; the display will reflect the modification.
      iii. Collector Assignment: select Collector and then choose a set of Collectors from the drop-down. Click Associate to assign the Collectors to the Computers; the display will reflect the assignment. Click Dissociate to remove the assigned Collectors from the computer; the display will reflect the modification. Click Associate remaining to assign the remaining Collectors to the Computers.
    e. Click Close.

License and Template Assignments in Agent Manager via Export/Import

  1. Log on to the Agent Manager.
  2. Go to Dashboard and make sure that the Agents are showing up.
  3. Click Export – a list of Agent Computer names, Assigned licenses and Assigned templates will be exported to a CSV formatted file named ‘ExportedAgentAssociation.csv’ in the directory ProgramData\AccelOps\.
  4. Edit the CSV file to associate the right license type and monitoring template with each computer. Do not add any new computer or edit the computer entries. Every computer known to the Agent Manager will be present in the CSV file.
  5. Click Import and select the CSV file in the Open File dialog.
  6. Once Import finishes, a dialog will tell you the number of records processed and successfully updated.
  7. Click Assign Licenses to Computers to see the License assignments.
  8. Click Associate Computers with Templates to see the Template assignments.
  9. Any warnings during import operations will be recorded in the <CSVFilename>-<Date>-<Time>.log file in the directory ProgramData\AccelOps\.

Verify Events in FortiSIEM

  1. Log on to FortiSIEM.
  2. Go to Analytics > Historical Search.
  3. Select Filter Criteria: Structured.
  4. Create the following condition: Raw Event Log CONTAIN AccelOps-WUA. Note that all event types for all Windows Server generated logs are prefixed by AccelOps-WUA.
  5. Select the following Group By:
    a. Reporting Device Name
    b. Reporting IP
  6. Select the following Display Fields:
    a. Reporting Device Name
    b. Reporting IP
    c. COUNT(Matched Events)
  7. Run the query for the last 15 minutes.
  8. The query will return all hosts that reported events in the last 15 minutes.
  9. To drill down further, add Event Type to both Group By and Display Fields. Then rerun the query.

Sample logs generated by FortiSIEM Windows Agents

FortiSIEM Windows Agent Manager generates Windows logs in an easy to analyze "attribute=value" style without losing any information.

Windows System logs

#Win-System-Service-Control-Manager-7036

Thu May 07 02:13:42 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo
[monitorStatus]="Success" [eventName]="System" [eventSource]="Service Control Manager" [eventId]="7036" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:13:41" [deviceTime]="May 07 2015 10:13:41" [msg]="The Skype Updater service entered the running state."

Thu May 07 02:13:48 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo
[monitorStatus]="Success" [eventName]="System" [eventSource]="Service Control Manager" [eventId]="7036" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:13:47" [deviceTime]="May 07 2015 10:13:47" [msg]="The Skype Updater service entered the stopped state."

Windows Application logs

#Win-App-MSExchangeServiceHost-2001

Thu May 07 03:05:42 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="Application" [eventSource]="MSExchangeServiceHost" [eventId]="2001" [eventType]="Information" [domain]="" [computer]="WIN-2008-249.ersijiu.co
[user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:05:42" [deviceTime]="May 07 2015 11:05:42" [msg]="Loading servicelet module Microsoft.Exchange.OABMaintenanceServicelet.dll"

#MSSQL

#Win-App-MSSQLSERVER-17137

Thu May 07 03:10:16 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="Application" [eventSource]="MSSQLSERVER" [eventId]="17137" [eventType]="Information" [domain]="" [computer]="WIN-2008-249.ersijiu.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:10:16" [deviceTime]="May 07 2015 11:10:16" [msg]="Starting up database 'model'."

Windows Security logs

#Win-Security-4624 (Windows logon success)

Thu May 07 02:23:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4624" [eventType]="Audit Success" [domain]="" [computer]="WIN-2008-249.ersijiu.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:23:56" [deviceTime]="May 07 2015 10:23:56" [msg]="An account was successfully logged on." [[Subject]][Security ID]="S-1-0-0" [Account Name]="" [Account Domain]="" [Logon ID]="0x0" [Logon Type]="3" [[New Logon]][Security ID]="S-1-5-21-3459063063-1203930890-2363081030-500" [Account Name]="Administrator" [Account Domain]="ERSIJIU" [Logon ID]="0xb9bd3" [Logon GUID]="{00000000-0000-0000-0000-000000000000}" [[Process Information]][Process ID]="0x0" [Process Name]="" [[Network Information]][Workstation Name]="SP171" [Source Network Address]="10.1.2.171" [Source Port]="52409" [[Detailed Authentication Information]][Logon Process]="NtLmSsp" [Authentication Package]="NTLM" [Transited Services]="" [Package Name (NTLM only)]="NTLM V2" [Key Length]="128" [details]=""
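The "attribute=value" format introduced at the top of this section, and the sectioned 4624 event just above, are what a SIEM content author has to tokenize. The parser below is an added example, not FortiSIEM's or the Agent's own code. It splits the header (timestamp, reporting device, reporting IP, event type) from the [key]="value" pairs, keeps the [[Section]] prefixes so that the two Account Name fields of a 4624 do not collide, and then runs one defender's check over the parsed events: network (Logon Type 3) logons that arrived from a non-local source address. The two sample lines are constructed from the System and Security samples on this page, and the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines, shaped after the page's Windows System and
# Security samples (straight quotes, one event per line).
SAMPLE_SYSTEM = (
    'Thu May 07 02:13:42 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog '
    '[monitorStatus]="Success" [eventName]="System" '
    '[eventSource]="Service Control Manager" [eventId]="7036" '
    '[eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" '
    '[user]="" [userSID]="" [userSIDAcctType]="" '
    '[eventTime]="May 07 2015 10:13:41" [deviceTime]="May 07 2015 10:13:41" '
    '[msg]="The Skype Updater service entered the running state."'
)
SAMPLE_SECURITY = (
    'Thu May 07 02:23:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog '
    '[monitorStatus]="Success" [eventName]="Security" '
    '[eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4624" '
    '[eventType]="Audit Success" [domain]="" [computer]="WIN-2008-249.ersijiu.com" '
    '[user]="" [userSID]="" [userSIDAcctType]="" '
    '[eventTime]="May 07 2015 10:23:56" [deviceTime]="May 07 2015 10:23:56" '
    '[msg]="An account was successfully logged on." '
    '[[Subject]][Security ID]="S-1-0-0" [Account Name]="" [Account Domain]="" '
    '[Logon ID]="0x0" [Logon Type]="3" '
    '[[New Logon]][Security ID]="S-1-5-21-3459063063-1203930890-2363081030-500" '
    '[Account Name]="Administrator" [Account Domain]="ERSIJIU" [Logon ID]="0xb9bd3" '
    '[Logon GUID]="{00000000-0000-0000-0000-000000000000}" '
    '[[Process Information]][Process ID]="0x0" [Process Name]="" '
    '[[Network Information]][Workstation Name]="SP171" '
    '[Source Network Address]="10.1.2.171" [Source Port]="52409" '
    '[[Detailed Authentication Information]][Logon Process]="NtLmSsp" '
    '[Authentication Package]="NTLM" [Transited Services]="" '
    '[Package Name (NTLM only)]="NTLM V2" [Key Length]="128" [details]=""'
)

# Header: weekday month day hh:mm:ss year, reporting device, reporting IP,
# event type token, then the attribute body.
HEADER_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'(?P<device>\S+) (?P<ip>\S+) (?P<etype>\S+) ?(?P<body>.*)$'
)
# Body: [[Section]] headers and [key]="value" pairs. A value is consumed up
# to its closing quote, so brackets inside a value (the DNS debug messages
# and the FileMon "Renamed [New Name]" action contain some) never start a
# new key.
TOKEN_RE = re.compile(
    r'\[\[(?P<section>[^\]]+)\]\]|\[(?P<key>[^\]]+)\]="(?P<value>[^"]*)"'
)


@dataclass
class WuaEvent:
    timestamp: str
    reporting_device: str
    reporting_ip: str
    event_type: str          # e.g. AccelOps-WUA-WinLog
    attrs: dict = field(default_factory=dict)


def parse_wua_line(line: str) -> WuaEvent:
    """Parse one agent event. Keys under a [[Section]] are stored as
    'Section.Key' so the two [Account Name] values of a 4624 stay apart."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM WUA event line")
    ev = WuaEvent(m["ts"], m["device"], m["ip"], m["etype"])
    section = None
    for tok in TOKEN_RE.finditer(m["body"]):
        if tok["section"] is not None:
            section = tok["section"].strip()
            continue
        key = tok["key"].strip()   # the DHCP samples carry keys like "[ TransactionID]"
        ev.attrs[f"{section}.{key}" if section else key] = tok["value"]
    return ev


LOCAL_SOURCES = {"", "-", "127.0.0.1", "::1"}


def network_logons(lines):
    """Return (device, DOMAIN\\account, source address) for every 4624 with
    Logon Type 3 (network) whose source address is not local."""
    hits = []
    for line in lines:
        ev = parse_wua_line(line)
        a = ev.attrs
        if a.get("eventId") != "4624" or a.get("Subject.Logon Type") != "3":
            continue
        src = a.get("Network Information.Source Network Address", "")
        if src in LOCAL_SOURCES:
            continue
        account = f'{a.get("New Logon.Account Domain", "")}\\{a.get("New Logon.Account Name", "")}'
        hits.append((ev.reporting_device, account, src))
    return hits


if __name__ == "__main__":
    for hit in network_logons([SAMPLE_SYSTEM, SAMPLE_SECURITY]):
        print("network logon:", hit)
```

The section-qualified keys are the point: a flat dictionary would silently let the New Logon account overwrite the Subject account, and a rule written against "Account Name" would then match the wrong identity.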

Windows DNS logs

#DNS Debug Logs

#AO-WUA-DNS-Started

Thu May 07 02:35:43 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:34:05 AM 20BC EVENT   The DNS server has started."

#AO-WUA-DNS-ZoneDownloadComplete

Thu May 07 02:35:43 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:34:05 AM 20BC EVENT The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration."

#AO-WUA-DNS-A-Query-Success

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:47:13 AM 5D58 PACKET  0000000002B74600 UDP Rcv 10.1.20.232  0002   Q [0001   D   NOERROR] A      (8)testyjyj(4)yjyj(3)com(0)"

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:47:13 AM 5D58 PACKET  0000000002B74600 UDP Snd 10.1.20.232     0002 R [8085 A DR  NOERROR] A      (8)testyjyj(4)yjyj(3)com(0)"

#AO-WUA-DNS-PTR-Query-Success

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:47:22 AM 5D58 PACKET  00000000028AB4B0 UDP Rcv 10.1.20.232 0002   Q [0
D   NOERROR] PTR (3)223(3)102(3)102(3)102(7)in-addr(4)arpa(0)"

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:47:22 AM 5D58 PACKET  00000000028AB4B0 UDP Snd 10.1.20.232     0002 R [8085 A DR  NOERROR] PTR (3)223(3)102(3)102(3)102(7)in-addr(4)arpa(0)"

#DNS System Logs

#Win-App-DNS-2 (DNS Server started)

Thu May 07 02:39:17 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo
[monitorStatus]="Success" [eventName]="DNS Server" [eventSource]="DNS" [eventId]="2" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:39:17" [deviceTime]="May 07 2015 10:39:17" [msg]="The DNS server has started."

#Win-App-DNS-3 (DNS Server shutdown)

Thu May 07 02:39:16 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo
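The text inside [msg] of the debug-log events is the Windows DNS server's own debug-log record, which the Agent passes through untouched; the template notes above warn that a custom parser may be needed before attribute-based reporting works. The code below is an added example, not part of the page or the product: it parses those PACKET records, decodes the (length)label name encoding that appears in the A and PTR samples, and lists the distinct names a given client asked the server for. The three sample strings are constructed from the page's samples and the function names are the example's own.

```python
import re

# Constructed [msg] payloads, shaped after the A and PTR debug-log
# samples on this page (Windows DNS debug-log PACKET records).
SAMPLE_A_QUERY = ('5/7/2015 10:47:13 AM 5D58 PACKET  0000000002B74600 UDP Rcv 10.1.20.232  0002   Q '
                  '[0001   D   NOERROR] A      (8)testyjyj(4)yjyj(3)com(0)')
SAMPLE_A_RESPONSE = ('5/7/2015 10:47:13 AM 5D58 PACKET  0000000002B74600 UDP Snd 10.1.20.232     0002 R '
                     '[8085 A DR  NOERROR] A      (8)testyjyj(4)yjyj(3)com(0)')
SAMPLE_PTR_RESPONSE = ('5/7/2015 10:47:22 AM 5D58 PACKET  00000000028AB4B0 UDP Snd 10.1.20.232     0002 R '
                       '[8085 A DR  NOERROR] PTR (3)223(3)102(3)102(3)102(7)in-addr(4)arpa(0)')

# date, time, thread id, PACKET, packet id, protocol, Rcv/Snd, remote IP,
# transaction id, Q/R, [flags ... RCODE], question type, encoded name
PACKET_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<thread>[0-9A-Fa-f]+) PACKET\s+'
    r'(?P<packet>[0-9A-Fa-f]+) (?P<proto>UDP|TCP) (?P<direction>Rcv|Snd) (?P<remote>\S+)\s+'
    r'(?P<xid>[0-9A-Fa-f]{4})\s+(?P<qr>[QR])\s+\[(?P<flags>[^\]]*)\]\s+'
    r'(?P<qtype>\S+)\s+(?P<qname>\(.*\))\s*$'
)
LABEL_RE = re.compile(r'\((\d+)\)([^(]*)')


def decode_dns_debug_name(encoded: str) -> str:
    """Turn '(8)testyjyj(4)yjyj(3)com(0)' into 'testyjyj.yjyj.com'.
    Each label is written as (length)text and the name ends at (0); a
    length that disagrees with the text means the record was cut off."""
    labels = []
    for length, text in LABEL_RE.findall(encoded):
        n = int(length)
        if n == 0:
            break
        if len(text) != n:
            raise ValueError(f"label length {n} does not match {text!r}")
        labels.append(text)
    return ".".join(labels)


def parse_dns_debug_msg(msg: str) -> dict:
    """Parse one PACKET record into a dict with a decoded qname."""
    m = PACKET_RE.match(msg.strip())
    if not m:
        raise ValueError("not a DNS debug PACKET record")
    rec = m.groupdict()
    fields = rec.pop("flags").split()      # e.g. ['8085', 'A', 'DR', 'NOERROR']
    rec["flags_hex"] = fields[0]
    rec["rcode"] = fields[-1]
    rec["qname"] = decode_dns_debug_name(rec["qname"])
    return rec


def names_queried_by(msgs, client_ip):
    """Distinct names a client asked this server for (received queries only,
    so the server's own responses are not counted twice)."""
    names = set()
    for msg in msgs:
        rec = parse_dns_debug_msg(msg)
        if rec["direction"] == "Rcv" and rec["qr"] == "Q" and rec["remote"] == client_ip:
            names.add(rec["qname"])
    return sorted(names)


if __name__ == "__main__":
    samples = [SAMPLE_A_QUERY, SAMPLE_A_RESPONSE, SAMPLE_PTR_RESPONSE]
    print(names_queried_by(samples, "10.1.20.232"))
```

Filtering on Rcv plus Q is what keeps a per-client query count honest: every answered lookup appears twice in the debug log, once as the received query and once as the sent response.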

Windows DHCP logs

#AO-WUA-DHCP-Generic

Thu May 07 05:44:44 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="00" [Date]="05/07/15" [Time]="13:44:08" [Description]="Started" [IP Address]="" [Host Name]="" [MAC Address]="" [User Name]="" [ TransactionID]="0" [ QResult]="6" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AO-WUA-DHCP-IP-ASSIGN

Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="10" [Date]="05/07/15" [Time]="13:56:37" [Description]="Assign" [IP Address]="10.1.2.124" [Host Name]="Agent-247.yj" [MAC Address]="000C2922118E" [User Name]="" [ TransactionID]="2987030242" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AO-WUA-DHCP-Generic (Release)

Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="12" [Date]="05/07/15" [Time]="13:56:33" [Description]="Release" [IP Address]="10.1.2.124" [Host Name]="Agent-247.yj" [MAC Address]="000C2922118E" [User Name]="" [ TransactionID]="2179405838" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AO-WUA-DHCP-IP-LEASE-RENEW

Wed Feb 25 02:53:28 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="11" [Date]="02/25/15" [Time]="10:53:19" [Description]="Renew" [IP Address]="10.1.2.123" [Host Name]="WIN-2008-249.yj" [MAC Address]="0050568F1B5D" [User Name]="" [ TransactionID]="1136957584" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

Windows IIS logs

 

#AO-WUA-IIS-Web-Request-Success

Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:44:28" [s-sitename]="W3SVC1" [s-computername]="WIN-2008-LAW-AG" [s-ip]="10.1.2.242" [cs-method]="GET" [cs-uri-stem]="/welcome.png" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" [c-ip]="10.1.20.232" [cs-version]="HTTP/1.1" [cs(User-Agent)]="Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36" [cs(Cookie)]="-" [cs(Referer)]="http://10.1.2.242/" [cs-host]="10.1.2.242" [sc-status]="200" [sc-substatus]="0" [sc-win32-status]="0" [sc-bytes]="185173" [cs-bytes]="324" [time-taken]="78" [site]="Default Web Site" [format]="W3C"

#AO-WUA-IIS-Web-Client-Error

Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:44:37" [s-sitename]="W3SVC1" [s-computername]="WIN-2008-LAW-AG" [s-ip]="10.1.2.242" [cs-method]="GET" [cs-uri-stem]="/wrongpage" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" [c-ip]="10.1.20.232" [cs-version]="HTTP/1.1" [cs(User-Agent)]="Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36" [cs(Cookie)]="-" [cs(Referer)]="-" [cs-host]="10.1.2.242" [sc-status]="404" [sc-substatus]="0" [sc-win32-status]="2" [sc-bytes]="1382" [cs-bytes]="347" [time-taken]="0" [site]="Default Web Site" [format]="W3C"

#AO-WUA-IIS-Web-Forbidden-Access-Denied

Thu May 07 03:30:39 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:30:15" [s-ip]="10.1.2.249" [cs-method]="POST" [cs-uri-stem]="/AOCACWS/AOCACWS.svc" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" [c-ip]="10.1.2.42" [cs(User-Agent)]="-" [sc-status]="403" [sc-substatus]="4" [sc-win32-status]="5" [time-taken]="1" [site]="Default Web Site" [format]="W3C"

Windows DFS logs

#Win-App-DFSR-1002

Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" [eventSource]="DFSR" [eventId]="1002" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:01:12" [deviceTime]="May 07 2015 11:01:12" [msg]="The DFS Replication service is starting."

#Win-App-DFSR-1004

Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" [eventSource]="DFSR" [eventId]="1004" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:01:12" [deviceTime]="May 07 2015 11:01:12" [msg]="The DFS Replication service has started."

#Win-App-DFSR-1006

Thu May 07 03:01:10 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" [eventSource]="DFSR" [eventId]="1006" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:01:10" [deviceTime]="May 07 2015 11:01:10" [msg]="The DFS Replication service is stopping."

#Win-App-DFSR-1008

Thu May 07 03:01:11 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" [eventSource]="DFSR" [eventId]="1008" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:01:11" [deviceTime]="May 07 2015 11:01:11" [msg]="The DFS Replication service has stopped."

Windows file content monitoring logs

Windows File integrity monitoring logs

#AO-WUA-FileMon-Added

Thu May 07 05:30:59 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:30:58" [fileName]="C:\\test\\New Text Document.txt" [osObjAction]="Added" [hashCode]="d41d8cd98f00b204e9800998ecf8427e" [msg]=""

#AO-WUA-FileMon-Renamed-New-Name

Thu May 07 05:31:02 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:30:58" [fileName]="C:\\test\\test.txt" [osObjAction]="Renamed [New Name]" [hashCode]="d41d8cd98f00b204e9800998ecf8427e" [msg]=""

#AO-WUA-FileMon-Renamed-Old-Name

Thu May 07 05:31:02 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:31:01" [fileName]="C:\\test\\New Text Document.txt" [osObjAction]="Renamed [Old Name]" [hashCode]="" [msg]=""

#AO-WUA-FileMon-Modified

Thu May 07 05:31:14 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:31:13" [fileName]="C:\\test\\test.txt" [osObjAction]="Modified" [hashCode]="23acb5410a432f14b141656c2e70d104" [msg]=""

#AO-WUA-FileMon-Removed

Thu May 07 05:31:29 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:31:27" [fileName]="C:\\test\\test.txt" [osObjAction]="Removed" [hashCode]="" [msg]=""

Windows Installed Software logs

Windows Registry change logs

#AO-WUA-Registry-Modified

Thu May 07 04:01:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-Registry [monitorStatus]="Success" [regKeyPath]="HKLM\\SOFTWARE\\Microsoft\\ExchangeServer\\v14\\ContentInde
CatalogHealth\\{0d2a342a-0b15-4995-93db-d18c3df5860d}" [regValueName]="TimeStamp" [regValueType]="1" [osObjAction]="Modified" [oldRegValue]="MgAwADEANQAtADAANQAtADAANwAgADAAMwA6ADQAOQA6ADQANwBaAAAA" [newRegValue]="MgAwADEANQAtADAANQAtADAANwAgADAANAA6ADAAMQA6ADQAOABaAAAA"

#AO-WUA-Registry-Removed

Thu May 07 05:25:09 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-Regis
[monitorStatus]="Success" [regKeyPath]="HKLM\\SOFTWARE\\RegisteredApplications" [regValueName]="Sky
[regValueType]="1" [osObjAction]="Removed" [oldRegValue]="UwBPAEYAVABXAEEAUgBFAFwAQwBsAGkAZQBuAHQAcwBcAEkAbgB0AGUAcg
GUAdAAgAEMAYQBsAGwAXABTAGsAeQBwAGUAXABDAGEAcABhAGIAaQBsAGkAdABpAGUAcwBkAG
ABoAGQAaABkAGgAZABoAGQAAAA=" [newRegValue]=""

Windows WMI logs

#AO-WUA-WMI-Win32_Processor

Thu May 07 03:53:33 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WMI [monitorStatus]="Success"  [__CLASS]="Win32_Processor" [AddressWidth]="64" [Architecture]="9" [Availability]="3" [Caption]="Inte
Family 6 Model 26 Stepping 5" [ConfigManagerErrorCode]="" [ConfigManagerUserConfig]="" [CpuStatus]="1" [CreationClassName]="Win32_Processor" [CurrentClockSpeed]="2266" [CurrentVoltage]="33" [DataWidth]="64" [Description]="Intel64 Family 6 Model 26 Stepping 5" [DeviceID]="CPU0" [ErrorCleared]="" [ErrorDescription]="" [ExtClock]="" [Family]="12" [InstallDate]="" [L2CacheSize]="0" [L2CacheSpeed]="" [L3CacheSize]="0" [L3CacheSpeed]="0" [LastErrorCode]="" [Level]="6" [LoadPercentage]="8" [Manufacturer]="GenuineIntel" [MaxClockSpeed]="2266" [Name]="Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz" [NumberOfCores]=
[NumberOfLogicalProcessors]="1" [OtherFamilyDescription]="" [PNPDeviceID]="" [PowerManagementCapabilities]="" [PowerManagementSupported]="0" [ProcessorId]="0FEBFBFF000106A5" [ProcessorType]="3" [Revision]="6661" [Role]="CPU" [SocketDesignation]="CPU socket #0" [Status]="OK" [StatusInfo]="3" [Stepping]="" [SystemCreationClassName]="Win32_ComputerSystem" [SystemName]="WIN-2008-LAW-AG"
UniqueId]="" [UpgradeMethod]="4" [Version]="" [VoltageCaps]="2"

Windows Powershell logs

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
