Windows Event Forwarder
This lays out how to create a subscription (both source and collector initiated) that collects selected forwarded .evtx event logs from a workstation to a domain controller.
SUMMARY
This shows the process of how to create custom .evtx log files using ecmangen.exe and other utilities present in the Windows Development Kit. The log file(s) created could be used as a destination log for forwarded events.
ENVIRONMENT:
MACHINES:
HOSTNAME         MACHINE IP       OS                                REMARKS
MSEDGEWIN10      192.168.150.128  Windows 10 Enterprise Evaluation  Source Machine
WIN-BO2CT95INDP  192.168.150.133  Windows Server 2016               Collector Machine
The FQDN for WIN-BO2CT95INDP is win-bo2ct95indp.bossmanben.local
ASSUMPTIONS:
1. The Source Machine (MSEDGEWIN10) is joined to the domain served by the Domain Controller (WIN-BO2CT95INDP).
2. This guide uses Security Logs as an example.
3. The steps below will create a subscription that collects Security logs from the Source Machine (MSEDGEWIN10).
PROCEDURE:
i. Start the WinRM service
Open PowerShell on the Source Machine (MSEDGEWIN10):
    winrm quickconfig
Add the Collector Machine to the Source Machine's trusted hosts:
    Set-Item wsman:localhost/client/trustedhosts 192.168.150.133
Restart the service for the changes to take effect:
    Restart-Service WinRM
Check if the service is running:
    winrm get winrm/config
    ...omitted...
    AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
    ...omitted...
AllowRemoteAccess = true signifies that the service is running.
Test if the Collector Machine (WIN-BO2CT95INDP) is reachable using WinRM:
    Test-WSMan WIN-BO2CT95INDP
    wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor   : Microsoft Corporation
    ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0
WinRM is enabled by default on Windows Server 2012 and up. This is just a measure to check if the Collector Machine is indeed reachable.
ii. Add the Collector Machine to the Event Log Readers group
In the Source Machine (MSEDGEWIN10):
Open Local Users and Groups: press Win+R then enter lusrmgr.msc
Navigate to Local Users and Groups (Local) > Groups: right-click Event Log Readers and select Properties
Select Add...
Select Object Types... then check the box Computers
Enter the object names to select -- "WIN-BO2CT95INDP"
Select Check Names for good measure.
Select OK when done.
iii. Create Subscriptions using Event Viewer
In the Collector Machine (WIN-BO2CT95INDP):
Open the Event Viewer -- press Win+R then enter eventvwr.msc
On the left panel, right-click on Subscriptions then select Create Subscription...
Subscription Name -- Remote Security Logs
Description -- Security Logs from the Domain Computer, MSEDGEWIN10
Destination log -- Forwarded Events (custom logs could be created, see SUMMARY, but Forwarded Events is selected by default)
Select Subscription type and source computers:
If you choose Collector initiated, then select Select Computers...
Select Add Domain Computers...
Enter the object name to select -- "MSEDGEWIN10"
Select Check Names for good measure.
Select OK
Select Test for good measure.
Select OK
For Source initiated, select Select Computer Groups... then do the following extra steps on the Source Machine:
Press Win+R then enter gpedit.msc
Navigate to Computer Management > Administrative Templates > Windows Components > Event Forwarding
Right-click on Configure target Subscription Manager then select Edit
Choose Enabled
Under Options, beside SubscriptionManagers, press Show...
Enter
    Server=http://win-bo2ct95indp.bossmanben.local:5985/wsman/SubscriptionManager/WEC,Refresh=30
Press OK
Press OK
Open PowerShell or cmd then run
    gpupdate /force
For Source initiated, do the following on the Collector Machine (WIN-BO2CT95INDP): open PowerShell or cmd then run
    wecutil quick-config
Select Select Events...:
Logged -- "Any time"
Event level -- Critical, Error, Information, Warning
Choose By log -- Windows -> Security
Filter Event IDs -- 4624, 4657, 4688, 4698, 4720, 4722, 4724, 4732, 4738, 4769
Select OK
Select Advanced...:
User Account -- choose Machine Account
Event Delivery Optimization -- choose Minimize Latency
Select OK
OPTION              DESCRIPTION                           INTERVAL
Normal              Does not conserve bandwidth           15 minutes via pull delivery
Minimize Bandwidth  Bandwidth for delivery is controlled  6 hours via push delivery
Minimize Latency    Delivery with minimal delay           30 seconds via push delivery
Select OK
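The same subscription expressed as a wecutil subscription file, so it can be created (or re-created) from the Collector Machine without the Event Viewer dialogs. This is an added example, not part of the original guide; the file location and the AllowedSourceDomainComputers descriptor (allowing all Domain Computers) are assumptions.

```powershell
# Added example: create the "Remote Security Logs" subscription with wecutil on the
# Collector Machine (WIN-BO2CT95INDP) from an elevated PowerShell. The XML mirrors the
# Event Viewer choices above: source initiated, Security log, the ten Event IDs,
# all event levels, Minimize Latency delivery, ForwardedEvents as destination.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Remote Security Logs</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security Logs from the Domain Computer, MSEDGEWIN10</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- MinLatency is the "Minimize Latency" option: push delivery every 30 seconds -->
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and
      (EventID=4624 or EventID=4657 or EventID=4688 or EventID=4698 or EventID=4720 or
       EventID=4722 or EventID=4724 or EventID=4732 or EventID=4738 or EventID=4769)]]</Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- Assumption: any member of Domain Computers (DC) may forward to this subscription -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

# Assumed file location; wecutil reads the subscription definition from a file
$path = Join-Path $env:TEMP 'RemoteSecurityLogs.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

wecutil create-subscription $path                               # same result as the final OK
wecutil get-subscriptionruntimestatus 'Remote Security Logs'   # same view as Runtime Status
```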
Right-click on the newly created subscription then select Runtime Status:
    [MSEDGEWIN10.bossmanben.local] - Error - Last retry time: 7/17/2019 8:27:52 PM. Code (0x138C): <f:ProviderFault provider="Event Forwarding Plugin" path="C:\Windows\system32\wevtfwd.dll"
In the Source Machine (MSEDGEWIN10)
Run wevtutil:
    wevtutil get-log Security
    name: Security
    enabled: true
    type: Admin
    owningPublisher:
    isolation: Custom
    channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
    logging:
      logFileName: %SystemRoot%\System32\Winevt\Logs\Security.evtx
      retention: false
      autoBackup: false
      maxSize: 20971520
    publishing:
      fileMax: 1
Add the Network Service Account (S-1-5-20) to the channelAccess field:
    wevtutil set-log Security /ca:"O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"
WinRM runs under the Network Service Account, which had no access to the Security log; this is why the subscription reported an error.
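A more careful way to apply the channelAccess change from the step above, added here as an example and not part of the original guide: it parses the current descriptor, appends the Network Service read ACE only if it is missing, and keeps any ACEs already present instead of overwriting the whole string. The channel name and SID come from the guide; everything else is assumed.

```powershell
# Added example: grant NETWORK SERVICE (S-1-5-20) read access (0x1) on the Security
# channel only if that ACE is missing, preserving the existing DACL. Run from an
# elevated PowerShell on the Source Machine; uses wevtutil gl / sl like the guide.
$channel = 'Security'
$netSvc  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')
$readBit = 0x1   # the same mask the guide grants with (A;;0x1;;;S-1-5-20)

# Current descriptor from "wevtutil gl Security" (the "channelAccess: O:BAG:SYD:(...)" line)
$line = wevtutil get-log $channel | Where-Object { $_ -match '^channelAccess:' }
$sddl = ($line -replace '^channelAccess:\s*', '').Trim()

# Parse it so the DACL can be inspected ACE by ACE instead of by substring match
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$hasRead = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -is [System.Security.AccessControl.CommonAce] -and
        $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $ace.SecurityIdentifier.Value -eq $netSvc.Value -and
        ($ace.AccessMask -band $readBit) -ne 0) {
        $hasRead = $true
    }
}

if ($hasRead) {
    "NETWORK SERVICE already has read access on ${channel}; leaving $sddl unchanged"
} else {
    # Append one allow ACE and let .NET re-serialise the whole descriptor
    $newAce = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $readBit, $netSvc, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    wevtutil set-log $channel /ca:$newSddl
    "Updated channelAccess on ${channel}: $newSddl"
}
```

Re-running the script is safe: the second run reports that the ACE is already present and changes nothing.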
Going back to the Collector Machine (WIN-BO2CT95INDP)
Go to the Event Viewer: press Win+R then enter eventvwr.msc
On the left panel, go to Subscriptions then select the recently created subscription
On the right panel, under the subscription name, select Retry
Right-click on the recently created subscription then select Runtime Status:
    [MSEDGEWIN10.bossmanben.local] - Active - : No additional status.
An Event with ID 100 (Name="SubscribeSuccess") will appear in Microsoft-Windows-Event-ForwardPlugin/Operational on the Source Machine (MSEDGEWIN10)
Finally, wait for logs to be sent to the Forwarded Events log
NOTE(S):
Timestamps are preserved
Log contents are preserved