Windows Event Forwarder
This lays out how to create a subscription (both source and collector initiated) that collects selected forwarded .evtx event logs from a workstation to a domain controller.
This shows how to create custom .evtx log files using ecmangen.exe and other utilities present in the Windows Development Kit. The log file(s) created could be used as a destination log for forwarded events.
The FQDN for WIN-BO2CT95INDP is win-bo2ct95indp.bossmanben.local
Open PowerShell on the Source Machine (MSEDGEWIN10):
Add the Collector Machine to the Source Machine's trustedhosts:
Restart the service for changes to take effect:
Check if the service is running:
AllowRemoteAccess = true in the output signifies that the service is running.
Test if the Collector Machine (BOSSMANBEN) is reachable using WinRM:
WinRM is enabled by default on Windows Server 2012 and up. This is just a measure to check if the Collector Machine is indeed reachable.
Open the Local Users and Groups:
Press Win + R then enter lusrmgr.msc
Navigate to Local Users and Groups (Local) > Groups:
Right-click Event Log Readers and select Properties
Select Add...
Select Object Types... then check the Computers box
Enter the object names to select -- "WIN-BO2CT95INDP"
Select Check Names for good measure.
Select OK when done.
Open the Event Viewer -- Press Win + R then enter eventvwr.msc
On the left panel, right-click on Subscriptions then select Create Subscription...
Subscription Name -- Remote Security Logs
Description -- Security Logs from the Domain Computer, MSEDGEWIN10
Destination log -- Forwarded Events
Custom logs could be created, but Forwarded Events is selected by default.
Click here to create custom logs.
Select Subscription type and source computers:
If you choose Collector initiated, then select Select Computers...
Select Add Domain Computers...
Enter the object name to select -- "MSEDGEWIN10"
Select Check Names for good measure.
Select OK
Select Test for good measure.
Select OK
For Source initiated, select Select Computer Groups... then do the following extra steps on the Source Machine:
Press Win + R then enter gpedit.msc
Navigate to Computer Management > Administrative Templates > Windows Components > Event Forwarding
Right-click on Configure target Subscription Manager then select Edit
Choose Enabled
Under Options, beside SubscriptionManagers, press Show...
Enter Server=http://win-bo2ct95indp.bossmanben.local:5985/wsman/SubscriptionManager/WEC,Refresh=30
Press OK
Press OK
Open PowerShell or cmd then run gpupdate /force
For Source initiated, do the following on the Collector Machine (WIN-BO2CT95INDP):
Open PowerShell or cmd then run wecutil quick-config
Select Select Events...:
Logged -- "Any time"
Event level -- Critical, Error, Information, Warning
Choose By log -- Windows -> Security
Filter Event IDs -- 4624, 4657, 4688, 4698, 4720, 4722, 4724, 4732, 4738, 4769
Select OK
Select Advanced...:
User Account -- Choose Machine Account
Event Delivery Optimization -- Choose Minimize Latency
Select OK
Select OK
Right-click on the newly created subscription then select Runtime Status:
Run wevtutil to add the Network Service account (S-1-5-20) to the channelAccess field of the Security log:
WinRM runs under the Network Service account, which by default has no access to the Security log, so the forwarder cannot read the events until this ACE is added.
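The channelAccess step above as a script, added here as an example and not part of the original page: it reads the Security channel's current SDDL with wevtutil gl, inserts a read ACE for S-1-5-20 into the DACL only if it is missing, applies it with wevtutil sl, and reads it back to confirm. It assumes an elevated PowerShell prompt on the Source Machine (MSEDGEWIN10) with wevtutil.exe on the PATH; the function names are the example's own.

```powershell
# Added example, not the page's own script: grant NT AUTHORITY\NETWORK SERVICE
# (S-1-5-20) read access to the Security channel on the Source Machine, since the
# WinRM-hosted forwarder runs as that account. Run from an elevated PowerShell.

function Get-ChannelAccess([string]$Channel) {
    # 'wevtutil gl' prints one "key: value" line per property; extract the SDDL.
    $line = wevtutil gl $Channel |
        Where-Object { $_ -match '^\s*channelAccess:' } |
        Select-Object -First 1
    if (-not $line) { throw "channelAccess not found for channel '$Channel'" }
    return ($line -split ':\s*', 2)[1].Trim()
}

function Grant-ChannelReadAccess {
    param(
        [string]$Channel = 'Security',
        [string]$Sid     = 'S-1-5-20'   # well-known SID of NETWORK SERVICE
    )
    # ACE string: Allow, no flags, READ (0x1) on the channel, for $Sid.
    $ace     = "(A;;0x1;;;$Sid)"
    $current = Get-ChannelAccess $Channel
    Write-Host "Current channelAccess: $current"

    if ($current -like "*;$Sid)*") {
        Write-Host "$Sid already has an ACE on $Channel; nothing to change."
        return $current
    }

    # Append to the DACL. If the descriptor carries a SACL ("S:" section),
    # the new ACE must go before it, otherwise it ends up in the wrong list.
    $saclStart = $current.IndexOf('S:')
    $new = if ($saclStart -ge 0) { $current.Insert($saclStart, $ace) } else { $current + $ace }

    # Quote the argument: the parentheses would otherwise confuse the parser.
    wevtutil sl $Channel "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed (exit code $LASTEXITCODE)" }

    # Read back instead of trusting the exit code alone.
    $verified = Get-ChannelAccess $Channel
    if ($verified -notlike "*;$Sid)*") { throw "ACE for $Sid not present after update" }
    Write-Host "Updated channelAccess: $verified"
    return $verified
}

Grant-ChannelReadAccess -Channel 'Security'
```

After the ACE is in place, use Retry on the subscription in Event Viewer (next step) so the collector re-establishes it.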
Go to the Event Viewer: Press Win + R then enter eventvwr.msc
On the left panel, go to Subscriptions then select the recently created subscription
On the right panel, under the subscription name, select Retry
Right-click on the recently created subscription then select Runtime Status:
An Event with ID 100 (Name="SubscribeSuccess") will appear on Microsoft-Windows-Event-ForwardPlugin/Operational in the Source Machine (MSEDGEWIN10)
Finally, wait for logs to be sent to the Forwarded Events log.
NOTE(S):
Timestamps are preserved
Log contents are preserved
HOSTNAME          MACHINE IP        OS                                REMARKS
MSEDGEWIN10       192.168.150.128   Windows 10 Enterprise Evaluation  Source Machine
WIN-BO2CT95INDP   192.168.150.133   Windows Server 2016               Collector Machine
OPTION               DESCRIPTION                            INTERVAL
Normal               Does not conserve bandwidth            15 minutes via pull delivery
Minimize Bandwidth   Bandwidth for delivery is controlled   6 hours via push delivery
Minimize Latency     Delivery with minimal delay            30 seconds via push delivery