This document provides step-by-step instructions for deploying the RvSIEM virtual machine and configuring the RuSIEM agent to collect and analyze Windows event logs. Key steps include downloading the RvSIEM virtual image, deploying it in VMware or Hyper-V, configuring the network settings, installing the RuSIEM agent on Windows machines, and configuring the agent to send events to the RvSIEM server for analysis and querying. The document also provides tips on licensing, event searching, and troubleshooting log collection.

1. Deploy RvSIEM
CEO RuSIEM
Olesya Shelestova
https://rusiem.com
support@rusiem.com

2. Step-by-step
• Download virtual image. You have find download links on
https://rusiem.com
• Deploy image in VMware ESX (5.5+)/Hyper-v
• Power on for VM
• Setup network options (or use DHCP)
• Set required options in the web interface  Settings
• Install RuSIEM agent for Windows OS (links for download you can find on
the site)
• Change management server in LogAgent.config file
• Setup event source for agent in web interface

3. Download and deploy virtual machine
• For ESX:
https://www.dropbox.com/s/frp9hf02u9qonrg/RvSIEM.ova?dl=1

4. Deploy in VMWare ESX

5. Deploy in MS Hyper-V

6. • Power on VM
• Check IP on console screen (if you have DHCP)

7. Setup ip and network
• If you not have DHCP on you network:
• Login to ssh or console. Username: rusiem, Password: P@ssw0rd2014
Ex. command:
• ssh rusiem@you_vm_ip
• sudo -i

8. Setup static ip and network
• Set static ip, gateway in file /etc/network/interfaces
• Save changes and reboot

9. Access to web interface
• Use https proto and url: https://ip_you_vm
• Username: admin, Password: admin
• Hint: you may be resize web console.
Use ctrl+“–” or cmd “–”

11. License settings
• For RvSIEM free – you don’t need any license key
• License required only for commercial version (RuSIEM)
Ignore license messages for RvSIEM free
:)

12. Download agent
• Download x64 Agent http://www.mediafire.com/file/g51v275tac1ynfm/SetupRuAgent_x64-3.msi
• Or x86 http://www.mediafire.com/file/j0p78icfw9judua/SetupRuAgent_x86-3.msi

13. Install RuSIEM agent
Select Custom installation and set IP/fqdn name you server
RvSIEM instead rusiem.com.
Example: https://172.16.0.109/api/v1/remote/encrypt/agent

14. • You may check management server for agent after installation in
c:Program FilesRusiemLogAgent.config

15. • Open web console  “Sources”

16. • Press “+” icon on you installed agent
• Select ‘Windows Event log’ module
• For localhost – set hostname “.” (dot)
• Set checkbox for event log journals
• Click ‘Save’ button
• For local log collection
(when agent installed) –
don’t need account.
Agent will be use Local/System account

17. • After adding the source, set checkbox for apply changes

18. Remote collection
• We may add many remote source for one agent
• For remote log collection – we need add account with required rights
in section ‘Settings  Account for data collection’

19. Search events
• Open web console  section Events. Select search query “Windows
events” in drop box menu.

20. When logs not received
All OK, actual events received from agent source (0-10 min)
Server don’t receive events from this source in 10-60 min
Events from this source did not received more than 60 minutes

21. Query
• Any query may be customized
Query Filter
Period and aggregate
options
Table events fields
order in which the fields
are displayed when viewing
the event

22. Full text search and searches

23. Full text search and searches
• Full text search. Ex. Olesya, ‘172.16.0.131’
• For field: key:”value”
• With logical operators

24. Thank you
support@rusiem.com
https://rusiem.com