Windows Event Forwarder
This lays out how to create a subscription (both source and collector initiated) that collects selected forwarded .evtx event logs from a workstation to a domain controller.
| HOSTNAME | MACHINE IP | OS | REMARKS |
| --- | --- | --- | --- |
| MSEDGEWIN10 | 192.168.150.128 | Windows 10 Enterprise Evaluation | Source Machine |
| WIN-BO2CT95INDP | 192.168.150.133 | Windows Server 2016 | Collector Machine |
The FQDN for WIN-BO2CT95INDP is win-bo2ct95indp.bossmanben.local
Open PowerShell on the Source Machine (MSEDGEWIN10):

1. Add the Collector Machine to the Source Machine's TrustedHosts.
2. Restart the WinRM service for the changes to take effect.
3. Check that the service is running: `AllowRemoteAccess = true` in the output signifies that the service is running.
4. Test that the Collector Machine (BOSSMANBEN) is reachable using WinRM. WinRM is enabled by default on Windows Server 2012 and up; this is just a measure to check that the Collector Machine is indeed reachable.
Open Local Users and Groups:

1. Press Win + R, then enter `lusrmgr.msc`.
2. Navigate to Local Users and Groups (Local) > Groups.
3. Right-click Event Log Readers and select Properties.
4. Select Add...
5. Select Object Types..., then check the box, Computers.
6. Enter the object names to select -- "WIN-BO2CT95INDP".
7. Select Check Names for good measure.
8. Select OK when done.
Open the Event Viewer -- press Win + R, then enter `eventvwr.msc`. On the left panel, right-click on Subscriptions, then select Create Subscription...

- Subscription Name -- Remote Security Logs
- Description -- Security Logs from the Domain Computer, MSEDGEWIN10
- Destination log -- Forwarded Events (custom logs could be created, but Forwarded Events is selected by default)
Select Subscription type and source computers:

If you choose Collector initiated:

1. Select Select Computers...
2. Select Add Domain Computers...
3. Enter the object name to select -- "MSEDGEWIN10".
4. Select Check Names for good measure.
5. Select OK.
6. Select Test for good measure.
7. Select OK.

For Source initiated, select Select Computer Groups..., then do the following extra steps on the Source Machine:

1. Press Win + R, then enter `gpedit.msc`.
2. Navigate to Computer Management > Administrative Templates > Windows Components > Event Forwarding.
3. Right-click on Configure target Subscription Manager, then select Edit.
4. Choose Enabled.
5. Under Options, beside SubscriptionManagers, press Show...
6. Enter `Server=http://win-bo2ct95indp.bossmanben.local:5985/wsman/SubscriptionManager/WEC,Refresh=30`
7. Press OK.
8. Press OK.
9. Open PowerShell or cmd, then run `gpupdate /force`.

For Source initiated, also do the following on the Collector Machine (WIN-BO2CT95INDP): open PowerShell or cmd, then run `wecutil quick-config`.
Select Select Events...:

- Logged -- "Any time"
- Event level -- Critical, Error, Information, Warning
- Choose By log -- Windows -> Security
- Filter Event IDs -- 4624, 4657, 4688, 4698, 4720, 4722, 4724, 4732, 4738, 4769

Select OK.

Select Advanced...:

- User Account -- Choose Machine Account
- Event Delivery Optimization -- Choose Minimize Latency

Select OK.
| OPTION | DESCRIPTION | INTERVAL |
| --- | --- | --- |
| Normal | Does not conserve bandwidth | 15 minutes via pull delivery |
| Minimize Bandwidth | Bandwidth for delivery is controlled | 6 hours via push delivery |
| Minimize Latency | Delivery with minimal delay | 30 seconds via push delivery |
Select OK.

Right-click on the newly created subscription, then select Runtime Status:

Run `wevtutil` and add the Network Service Account (S-1-5-20) to the channelAccess field: WinRM runs under the Network Service Account, which has no access to the Security log.
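As an added example (not part of the original page), the following PowerShell script does the Source Machine preparation described above in one pass: it adds the collector to TrustedHosts, restarts WinRM, checks reachability with Test-WSMan, and splices a read ACE for NETWORK SERVICE (S-1-5-20) into the Security channel's channelAccess descriptor. It assumes it is run from an elevated PowerShell on the Source Machine, that the collector is reachable as WIN-BO2CT95INDP, and that `(A;;0x1;;;S-1-5-20)` is the ACE to add.

```powershell
# Added example, not from the original page: prepare the Source Machine (MSEDGEWIN10)
# for the subscription above. Run from an elevated PowerShell on the source.
# Assumptions: the collector name below, and that Security is the channel being forwarded.

$Collector = 'WIN-BO2CT95INDP'
$Channel   = 'Security'
$ReadAce   = '(A;;0x1;;;S-1-5-20)'   # Allow read (0x1) to NETWORK SERVICE, the account WinRM runs as

# 1. Trust the collector for WinRM client connections, keeping any existing entries.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$pattern = '(^|,)\s*{0}\s*(,|$)' -f [regex]::Escape($Collector)
if ($trusted -notmatch $pattern) {
    $value = if ($trusted) { "$trusted,$Collector" } else { $Collector }
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $value -Force
}
Restart-Service WinRM

# 2. Confirm the collector answers WS-Management; an exception here points at networking or WinRM.
Test-WSMan -ComputerName $Collector | Out-Null

# 3. Give NETWORK SERVICE read access to the channel. "wevtutil sl /ca:" replaces the whole
#    descriptor, so the ACE is spliced into the existing DACL rather than passed on its own.
$line = (wevtutil gl $Channel) -match '^\s*channelAccess:'
if (-not $line) { throw "Could not read channelAccess for $Channel" }
$sddl = ($line[0] -split ':\s*', 2)[1].Trim()
if ($sddl -notmatch 'S-1-5-20') {
    $dacl = $sddl.IndexOf('D:')
    $sacl = if ($dacl -ge 0) { $sddl.IndexOf('S:', $dacl) } else { -1 }   # keep any SACL after the DACL
    $sddl = if ($sacl -ge 0) { $sddl.Insert($sacl, $ReadAce) } else { $sddl + $ReadAce }
    wevtutil sl $Channel /ca:"$sddl"
}
(wevtutil gl $Channel) -match '^\s*channelAccess:'   # show the resulting descriptor
```

After the descriptor change, the Retry step below should move the subscription out of its error state without a reboot.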
Go to the Event Viewer:

1. Press Win + R, then enter `eventvwr.msc`.
2. On the left panel, go to Subscriptions, then select the recently created subscription.
3. On the right panel, under the subscription name, select Retry.
4. Right-click on the recently created subscription, then select Runtime Status:

An Event with ID 100 (Name="SubscribeSuccess") will appear in Microsoft-Windows-Event-ForwardPlugin/Operational on the Source Machine (MSEDGEWIN10).

Finally, wait for logs to be sent to the Forwarded Events log.
NOTE(S):

- Timestamps are preserved
- Log contents are preserved