Methods for Remote Event Log Collection (WMI vs RPC vs WinRM)

Hi,

I'm currently evaluating several 3rd party tools (SIEMs) to help me with log management in a large (mostly) Windows domain environment. Each tool uses a different approach to collecting the event log from remote systems, and I'd like help understanding the pros and cons of each approach. I've dropped this in the scripting forum as the tools are essentially running different scripts and it's this part I would like to understand.

WMI: An agent installed on a Windows server connects to each monitored box and grabs their event logs via WMI. Our legacy SIEM already collects from over 2000 servers using this method.

RPC: As above, but using RPC. No changes required on the remote machines.

WinRM: An appliance integrates with AD and collects event logs remotely using WinRM. This is reasonably new to me (I'm a security guy, not a sys admin) but I seem to have to enable an additional remote management tool, and open a new listening port on every single machine I want to collect the event log from.

I read the following blog entry, which seemed to indicate that RPC was the best choice for performance, considering I'm going to be making high frequency connections to over 2000 targets:

http://blogs.technet.com/b/josebda/archive/2010/04/02/comparing-rpc-wmi-and-winrm-for-remote-server-management-with-powershell-v2.aspx 

However, everything I have found on the subject of remote event collection seems to suggest that WinRM is the "approved" method for event log collection. The vendor using the WinRM approach is also suggesting that it is the only official MS supported way of doing this.

So I would like to ask, is there a reason that WMI and RPC should not be used for this purpose, since they clearly work and don't require any changes to my environment? Is there some advantage to WinRM that justifies touching my entire estate and opening an additional port (increasing my attack surface)?

Thanks in advance,
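The three collection paths the question describes can be driven from one PowerShell script, which is a practical way to measure them against your own estate rather than relying on a vendor's claims. The script below is an added example, not code from the original post or from any of the SIEM vendors mentioned: it pulls the newest Security-log events from each target by WMI (Win32_NTLogEvent over DCOM), by the Event Log RPC interface (Get-WinEvent -ComputerName, no WinRM needed) and by WinRM (Invoke-Command running Get-WinEvent on the target), records elapsed time, event count and any error per method, and only tries WinRM where Test-WSMan gets an answer. The host names in $Targets are constructed placeholders; the account running it is assumed to be in Event Log Readers (or local Administrators) on the targets, which the Security log requires for all three methods.

```powershell
# Added example (not from the original post): time the three remote
# event-log collection paths against a list of hosts and report which
# ones work from this collector.
# Assumptions: $Targets are FQDNs you administer (constructed names below),
# the running account can read the Security log on them, and TCP 135 plus
# the dynamic RPC range (WMI/RPC) or TCP 5985 (WinRM) are reachable.

param(
    [string[]]$Targets = @('srv01.corp.example', 'srv02.corp.example'),  # constructed
    [int]$Newest = 50
)

# Runs one collector scriptblock, returning elapsed ms, event count and
# the error text if the call failed (so a firewall or permission problem
# shows up per host instead of aborting the whole run).
function Measure-Collection {
    param([scriptblock]$Collector)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $events    = & $Collector
        $count     = @($events).Count
        $errorText = $null
    } catch {
        $count     = 0
        $errorText = $_.Exception.Message
    }
    $sw.Stop()
    [pscustomobject]@{ Ms = [int]$sw.ElapsedMilliseconds; Count = $count; Error = $errorText }
}

$results = foreach ($computer in $Targets) {

    # 1. WMI: Win32_NTLogEvent over DCOM. Select-Object -First stops the
    #    enumeration early, but the WMI provider still walks the log from
    #    the newest record, so large Security logs are the slow case here.
    $wmi = Measure-Collection {
        Get-WmiObject -Class Win32_NTLogEvent -ComputerName $computer `
            -Filter "Logfile='Security'" -ErrorAction Stop |
            Select-Object -First $Newest
    }

    # 2. RPC: the Event Log service's own remote interface. Nothing to
    #    install on the target; the "Remote Event Log Management" firewall
    #    rule group must allow the collector.
    $rpc = Measure-Collection {
        Get-WinEvent -ComputerName $computer -LogName Security `
            -MaxEvents $Newest -ErrorAction Stop
    }

    # 3. WinRM: only attempted if the listener answers. The query runs on
    #    the target and only the results cross the wire.
    $winrmUp = $null -ne (Test-WSMan -ComputerName $computer -ErrorAction SilentlyContinue)
    $winrm = if ($winrmUp) {
        Measure-Collection {
            Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                param($n) Get-WinEvent -LogName Security -MaxEvents $n
            } -ArgumentList $Newest
        }
    }

    [pscustomobject]@{
        Computer      = $computer
        WmiMs         = $wmi.Ms;   WmiCount   = $wmi.Count;   WmiError   = $wmi.Error
        RpcMs         = $rpc.Ms;   RpcCount   = $rpc.Count;   RpcError   = $rpc.Error
        WinRmListener = $winrmUp
        WinRmMs       = if ($winrm) { $winrm.Ms }    else { $null }
        WinRmCount    = if ($winrm) { $winrm.Count } else { $null }
        WinRmError    = if ($winrm) { $winrm.Error } else { 'no listener' }
    }
}

$results | Format-Table -AutoSize
```

Run it from the box that will host the collector, against a representative sample of servers, so the timings reflect your own network path and log sizes. The Error columns double as an inventory: they show which hosts already accept RPC/WMI and which would need the WinRM listener and firewall rule before the appliance-based approach could reach them.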
