This document provides step-by-step instructions for deploying the RvSIEM virtual machine and configuring the RuSIEM agent to collect and analyze Windows event logs. Key steps include downloading the RvSIEM virtual image, deploying it in VMware or Hyper-V, configuring the network settings, installing the RuSIEM agent on Windows machines, and configuring the agent to send events to the RvSIEM server for analysis and querying. The document also provides tips on licensing, event searching, and troubleshooting log collection.
2. Step-by-step
• Download the virtual image. You can find download links at
https://rusiem.com
• Deploy the image in VMware ESX (5.5+) / Hyper-V
• Power on the VM
• Set up the network options (or use DHCP)
• Set required options in the web interface Settings
• Install the RuSIEM agent for Windows OS (download links can be found on
the site)
• Change the management server in the LogAgent.config file
• Set up an event source for the agent in the web interface
3. Download and deploy virtual machine
• For ESX:
https://www.dropbox.com/s/frp9hf02u9qonrg/RvSIEM.ova?dl=1
6.
• Power on the VM
• Check the IP on the console screen (if you have DHCP)
7. Set up IP and network
• If you do not have DHCP on your network:
• Log in via SSH or the console. Username: rusiem, Password: P@ssw0rd2014
Example commands:
• ssh rusiem@your_vm_ip
• sudo -i
8. Set up static IP and network
• Set the static IP and gateway in the file /etc/network/interfaces
• Save the changes and reboot
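The static-address step above, as an added shell example that is not part of the RuSIEM guide: it validates the addresses and writes the ifupdown stanza the guide refers to, keeping a backup of the previous file. The interface name eth0, the netmask and the gateway are assumptions; the address 172.16.0.109 reuses the example server address the guide shows in the agent-installation step. Because the file path is a parameter, you can write to a scratch file first and inspect it before pointing it at /etc/network/interfaces as root.

```shell
#!/bin/sh
# Added example (not from the RuSIEM guide): generate and install a static-IP
# stanza for /etc/network/interfaces (Debian ifupdown syntax).
# Assumptions: the VM's interface is named eth0; all addresses used here are
# constructed placeholders. Run as root (sudo -i) on the RvSIEM VM.

# ipv4_valid ADDR -> succeeds only if ADDR is four dotted octets in 0..255
ipv4_valid() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;   # empty, or anything besides digits and dots
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_static_stanza IFACE ADDR NETMASK GATEWAY -> prints the stanza on stdout
render_static_stanza() {
    iface=$1 addr=$2 mask=$3 gw=$4
    for a in "$addr" "$mask" "$gw"; do
        ipv4_valid "$a" || { echo "invalid IPv4 value: '$a'" >&2; return 1; }
    done
    printf '%s\n' \
        "auto $iface" \
        "iface $iface inet static" \
        "    address $addr" \
        "    netmask $mask" \
        "    gateway $gw"
}

# write_static_config FILE IFACE ADDR NETMASK GATEWAY
# Keeps a .bak copy of FILE (if present), then rewrites it with the loopback
# entry plus the static stanza. Nothing is written when validation fails.
write_static_config() {
    file=$1; shift
    stanza=$(render_static_stanza "$@") || return 1
    if [ -f "$file" ]; then cp "$file" "$file.bak"; fi
    {
        echo "# written by write_static_config; previous copy in $file.bak"
        echo "auto lo"
        echo "iface lo inet loopback"
        echo
        echo "$stanza"
    } > "$file"
}

# Real use on the VM (then reboot, as the guide says):
#   write_static_config /etc/network/interfaces eth0 172.16.0.109 255.255.255.0 172.16.0.1
```

The same first root session is the natural place to replace the default rusiem / P@ssw0rd2014 password with passwd, since the VM ships with it and with admin / admin on the web console.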
9. Access to the web interface
• Use the https protocol and the URL: https://ip_of_your_vm
• Username: admin, Password: admin
• Hint: you may resize the web console.
Use Ctrl+“–” or Cmd+“–”
11. License settings
• For RvSIEM free – you don’t need any license key
• A license is required only for the commercial version (RuSIEM)
Ignore license messages for RvSIEM free :)
12. Download agent
• Download the x64 agent: http://www.mediafire.com/file/g51v275tac1ynfm/SetupRuAgent_x64-3.msi
• or x86: http://www.mediafire.com/file/j0p78icfw9judua/SetupRuAgent_x86-3.msi
13. Install RuSIEM agent
Select Custom installation and set the IP/FQDN of your RvSIEM server
instead of rusiem.com.
Example: https://172.16.0.109/api/v1/remote/encrypt/agent
14.
• After installation you may check the management server for the agent in
C:\Program Files\Rusiem\LogAgent.config
16.
• Press the “+” icon on your installed agent
• Select the ‘Windows Event log’ module
• For localhost – set the hostname “.” (dot)
• Set the checkbox for the event log journals
• Click the ‘Save’ button
• For local log collection (when the agent is installed) you don’t need an account.
The agent will use the Local/System account
17.
• After adding the source, set the checkbox to apply the changes
18. Remote collection
• We may add many remote sources for one agent
• For remote log collection we need to add an account with the required rights
in the section ‘Settings > Account for data collection’
19. Search events
• Open the web console section Events. Select the search query “Windows
events” in the drop-down menu.
20. When logs are not received
The source status indicator has three states:
• All OK: actual events were received from the agent source (0-10 min)
• The server has not received events from this source for 10-60 min
• Events from this source have not been received for more than 60 minutes
21. Query
• Any query may be customized
[Screenshot of the query editor: Query filter; Period and aggregate options; Table event fields (the order in which the fields are displayed when viewing the event)]