Windows Event Forwarding question

Question

  • Hello,

    I have implemented ATA 1.9 with a mixture of LWGW on physical DCs and port mirroring on virtual DCs. I have multiple ATA gateways which are monitoring one or two DCs.

    Now I have stumbled on a Windows Event Forwarding architecture design question, for which I can't find an answer on https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection. Is it required to forward Windows events from a DC to the same ATA gateway for which port mirroring is configured in the ATA console Gateways configuration, OR can I forward Windows events from all DCs to one ATA gateway (which is much simpler to configure)?

    Daniel

    Tuesday, March 12, 2019 1:33 PM

Answers

  • You need to forward events from a DC to the specific GW that was set to monitor its mirrored traffic, so it can resolve the events.

    • Marked as answer by dast85 Thursday, March 14, 2019 2:08 PM
    Tuesday, March 12, 2019 9:26 PM

All replies

  • Thank you Eli, this makes sense.

    Thursday, March 14, 2019 2:08 PM