[jira] [Commented] (NIFI-1502) FetchEventViewer - NiFi should be able to consume Even Viewer (Windows Logs)

2016-07-28 Thread Yohann (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15397585#comment-15397585
 ] 

Yohann commented on NIFI-1502:
--

Do you plan to create a "ListenWindowsLog" processor? 

So, NiFi would act as a "[Windows Event Collector (WEC) 
server|https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection]" 
with a "[Source Initiated 
Subscription|https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973.aspx]".

This setup requires an XML config file like this to select which events are 
collected and how often:
{code:xml}
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>SampleSISubscription</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Source Initiated Subscription Sample</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

    <!-- Normal (default), Custom, MinLatency or MinBandwidth -->
    <ConfigurationMode>Custom</ConfigurationMode>

    <!-- Attribute values (Push, 60000 ms heartbeat, en-US locale) were not kept in the archived
         comment; they are the ones Microsoft's sample subscription uses -->
    <Delivery Mode="Push">
        <Batching>
            <MaxItems>1</MaxItems>
            <MaxLatencyTime>1000</MaxLatencyTime>
        </Batching>
        <PushSettings>
            <Heartbeat Interval="60000"/>
        </PushSettings>
    </Delivery>

    <Expires>2018-01-01T00:00:00.000Z</Expires>

    <Query>
        <!-- placeholder: the QueryList selecting the events to forward was not kept in the archived comment -->
        <![CDATA[
        ]]>
    </Query>

    <ReadExistingEvents>true</ReadExistingEvents>
    <TransportName>http</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
    <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
{code}



This type of collector would benefit [Apache 
Metron|http://metron.incubator.apache.org/] a lot.

> FetchEventViewer - NiFi should be able to consume Even Viewer (Windows Logs)
> 
>
> Key: NIFI-1502
> URL: https://issues.apache.org/jira/browse/NIFI-1502
> Project: Apache NiFi
>  Issue Type: Bug
>Reporter: Andre
> Fix For: 1.0.0
>
>
> While a lot of the use cases using NiFi orbit the IoT, Unix Cloud type 
> workloads, I suspect NiFi would be a great fit for data collections of 
> business critical platforms running Windows.
> A good example of this type of workload would be ATMs running Windows 7 and 
> even run Windows XP, or collection of Event Log error events on Windows 
> platforms (including Azure).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
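As an added example (not code from this thread, from NiFi or from Microsoft), a small Python checker for a source-initiated subscription file like the one quoted above: it parses the SDDL in AllowedSourceDomainComputers / AllowedSourceNonDomainComputers to list which trustees may register as forwarders, and flags settings a collector admin would want to review. The sample XML is constructed from the values in the comment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.microsoft.com/2006/03/windows/events/subscription"}

# Constructed sample built from the values in the comment above (query and push settings omitted).
SUBSCRIPTION_XML = """<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SampleSISubscription</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Delivery Mode="Push"><Batching><MaxItems>1</MaxItems><MaxLatencyTime>1000</MaxLatencyTime></Batching></Delivery>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>"""

# SDDL two-letter aliases that matter when reviewing who may register as a forwarder.
WELL_KNOWN = {"DC": "Domain Computers", "NS": "Network Service", "DD": "Domain Controllers",
              "WD": "Everyone", "AU": "Authenticated Users"}
# One ACE: (ace_type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([A-Z]+);([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")

def parse_sddl_dacl(sddl):
    """Return (ace_type, rights, trustee) for each ACE in the DACL ('D:' section) of an SDDL string."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # stop at the SACL if one is present
    return [(t, rights, WELL_KNOWN.get(sid, sid)) for t, _flags, rights, sid in ACE_RE.findall(dacl)]

def review_subscription(xml_text):
    """List who is allowed to forward and flag settings a collector admin should look at."""
    root = ET.fromstring(xml_text)
    def field(tag):
        el = root.find(f"s:{tag}", NS)
        return (el.text or "").strip() if el is not None else ""
    allowed, findings = [], []
    for tag in ("AllowedSourceDomainComputers", "AllowedSourceNonDomainComputers"):
        for ace_type, _rights, who in parse_sddl_dacl(field(tag)):
            if ace_type == "A":  # access-allowed ACE
                allowed.append(who)
                if who in ("Everyone", "Authenticated Users"):
                    findings.append(f"{tag} grants {who}: any host or account could register as a forwarder")
    if field("TransportName").lower() == "http":
        findings.append("TransportName http: Kerberos protects domain sources, non-domain sources need https")
    if field("ReadExistingEvents").lower() == "true":
        findings.append("ReadExistingEvents true: expect a backlog burst each time a new source connects")
    return {"allowed": allowed, "findings": findings}
```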


[jira] [Commented] (NIFI-1502) FetchEventViewer - NiFi should be able to consume Even Viewer (Windows Logs)

2016-07-28 Thread Bryan Rosander (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15397650#comment-15397650
 ] 

Bryan Rosander commented on NIFI-1502:
--

[~2xyo] 

The ConsumeWindowsEventLog processor is capable of subscribing to native event 
log events; I'm not sure how it would deal with forwarded events, that's kind 
of up to the Windows API.

One alternative could be to use MiNiFi to take logs from each Windows machine 
and forward them to NiFi for further processing/aggregation/whatever.



[jira] [Commented] (NIFI-1502) FetchEventViewer - NiFi should be able to consume Even Viewer (Windows Logs)

2016-07-28 Thread Joseph Percivall (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15397659#comment-15397659
 ] 

Joseph Percivall commented on NIFI-1502:


Links to the ConsumeWindowsEventLog ticket[1] and PR[2]. It currently is on the 
master branch and will be released in 1.0.0.

[1] https://issues.apache.org/jira/browse/NIFI-1976
[2] https://github.com/apache/nifi/pull/525



[jira] [Commented] (NIFI-1502) FetchEventViewer - NiFi should be able to consume Even Viewer (Windows Logs)

2016-07-28 Thread Yohann (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15397725#comment-15397725
 ] 

Yohann commented on NIFI-1502:
--

Thanks [~bryanrosan...@gmail.com] and [~JPercivall] for the feedback.

According to the comment of [~trixpan], I'd just like to see the implementation 
of the B option:
??B - (host runs Unix derivative) - Implement sink using openwsman java 
bindings??

And why Windows Event Forwarding is great :) : 
* [Quick and Dirty Large Scale Eventing for 
Windows|https://blogs.technet.microsoft.com/wincat/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows/]
** *Agentless*: Event Forwarding and Event Collection are included in the OS by 
default
** *Multi-Tier*: Forwarding architecture is very scalable where a “Source 
Computer” may forward to a large number of collectors and collectors may 
forward to collectors
** *Group Policy Aware*: The entire model is configurable by Group Policy
** *Resiliency*: Designed to enable mobile scenarios where laptops may be 
disconnected from the collector for extended periods of time without event loss 
(except when logs wrap) as well as leveraging TCP for guaranteed delivery
* [Spotting the Adversary with Windows Event Log Monitoring - by the 
NSA|https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm]



[jira] [Commented] (NIFI-1502) FetchEventViewer - NiFi should be able to consume Even Viewer (Windows Logs)

2016-07-28 Thread Bryan Rosander (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15397747#comment-15397747
 ] 

Bryan Rosander commented on NIFI-1502:
--

[~2xyo] If you configure Windows Event Forwarding to a Windows machine running 
NiFi, would the EvtSubscribe function be able to receive the events? If so, you 
could probably go that route atm although we can definitely look into a more 
full-featured approach in the future.



[jira] [Commented] (NIFI-1502) FetchEventViewer - NiFi should be able to consume Even Viewer (Windows Logs)

2016-07-29 Thread Yohann (JIRA)

[ 
https://issues.apache.org/jira/browse/NIFI-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398944#comment-15398944
 ] 

Yohann commented on NIFI-1502:
--

[~bryanrosan...@gmail.com], you're right, I think that this architecture should 
work *if NiFi is installed on a Windows Server* with a Windows Event Collector 
configured.

However, Apache Metron ([with NiFi 
embedded|https://cwiki.apache.org/confluence/display/METRON/Metron+Architecture]) 
doesn't run on Windows (and it would be great not to have to install a 
dedicated Windows server just for this purpose).

So, I think (_as a user of Apache Metron_) that "option B" should also be 
implemented (in a future release). Of course, I would be happy to help as I 
can on this feature.

Could I open a new ticket for "option B"?

> FetchEventViewer - NiFi should be able to consume Even Viewer (Windows Logs)
> 
>
> Key: NIFI-1502
> URL: https://issues.apache.org/jira/browse/NIFI-1502
> Project: Apache NiFi
>  Issue Type: Bug
>Reporter: Andre
>Assignee: Bryan Rosander
> Fix For: 1.0.0
>
>
> While a lot of the use cases using NiFi orbit the IoT, Unix Cloud type 
> workloads, I suspect NiFi would be a great fit for data collections of 
> business critical platforms running Windows.
> A good example of this type of workload would be ATMs running Windows 7 and 
> even run Windows XP, or collection of Event Log error events on Windows 
> platforms (including Azure).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)