Is event forwarding still needed with Lightweight Gateway?

  • Question

  • Now that ATA 1.6 supports installing the lightweight GW on the actual DC, is it still required to set up event forwarding or does the LWG do that automatically?
    Sunday, May 8, 2016 3:02 AM

All replies

  • Hi gntfftrdff,

    At the current version (v1.6), if you want to set up WEF, you can either forward the event to a different gateway, or even to the DC itself. The ATA cannot read the events directly from the security event log and requires event forwarding even if you're using the lightweight GW.

    We hope to have a better solution in future versions.

    Thanks,

          Microsoft ATA Team.

    Sunday, May 8, 2016 4:20 PM
  • Correct me if I'm doing it wrong, but only Event 4776 needs to be forwarded from the DC, correct?

    "To enhance detection capabilities, ATA needs Windows Event log ID 4776. This can be forwarded to the ATA Gateway..."

    https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/configure-event-collection

    -CK

    Thursday, May 26, 2016 1:50 PM
  • Hi CK,

    Yes. This is correct.

    Microsoft ATA Team.

    Thursday, May 26, 2016 1:52 PM
  • ATA team,

    1) Are the steps in the following link for WEF the same for the Lightweight GW? Because in our case the events are forwarded/forwarding to the same server.

     https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/configure-event-collection

    Thanks

    Paddy

    Monday, August 8, 2016 6:02 PM
  • Paddy or ATA Team,

    Was there ever a response to this? I'm in the same situation where I have only Lightweight Gateways and would like to configure them to collect and forward the Windows events, but the directions in the link seem specifically for a standalone Gateway.

    Thanks!

    Paul

    Thursday, August 11, 2016 6:32 PM