Deployment Guide: Windows Event Log Collection
  • 03 May 2024

Article summary

This article is intended for system administrators preparing to install the data collector that ingests Windows events into the DataBee Platform. Windows Event Collection (built on Windows Event Forwarding) lets administrators aggregate events from remote computers (forwarders) into a local event log on a collector computer, retaining all event data and adding extra information related to event forwarding.

Compatibility Matrix

Supported Platforms for Windows systems acting as forwarder(s):

  OS               | Version(s)                             | Architecture(s)
  Windows Server   | WS2019, WS2022 LTSC (Standard Edition) | X86_64 (64 bit)
  Windows Endpoint | Windows 10, Windows 11                 | X86_64 (64 bit)

Supported Platforms for Windows systems acting as collector(s):

  OS             | Version(s) Support             | Architecture Support
  Windows Server | WS2022 LTSC (Standard Edition) | X86_64 (64 bit)

Typical Deployments for WEC

Deployment 1:

Deployment 2:

Note:

The above deployments are recommended for collecting Windows events. A system administrator might set up a different deployment infrastructure per their requirements. Please refer to the official Microsoft documentation and set up your infrastructure such that all the Windows systems send their events to a central Windows Server where the data collector can be installed. If sending the events to the central Windows Server is not feasible due to technical challenges, the data collector can be installed on that system directly to send the events.

Subscriptions

WEF is a service that enables forwarding administrative and operational event logs from a Windows server to a central location. There are two roles in a WEF setup:    

  • the Windows Event Collector (WEC), also known as a Subscription Manager, which is a server configured to receive events;

  • the WEF client, also known as a forwarder, which is a machine configured to forward events to the collector.

The link between the two is known as a subscription. The following list describes the types of Windows event subscriptions:

  • Source-initiated subscriptions (Recommended): Allows you to define an event subscription on an event collector computer without defining the event source computers. Multiple remote event source computers can then be set up (using a group policy setting) to forward events to the event collector computer. For more information, see Setting up a Source Initiated Subscription. This subscription type is useful when you do not know or you do not want to specify all the event sources computers that will forward events.

  • Collector-initiated subscriptions: Allows you to create an event subscription if you know all the event source computers that will forward events. You specify all the event sources at the time the subscription is created. For more information, see Creating a Collector Initiated Subscription.

Collector Configurations

The below configurations are intended for the collector machine, i.e. where the source-initiated subscription will be created to receive the events from forwarder machines.

Note:

Please login to this machine using domain admin credentials.

  1. Open PowerShell as Administrator and run the below commands:

    1. Start the WinRM service:

      winrm quickconfig -quiet
    2. Set the service to start automatically:

      Set-Service -Name WINRM -StartupType Automatic

      Administrators can also use the sc utility to configure the WinRM service to restart automatically on any failure, with a 1 minute interval.

    3. Increase the maximum size of the Forwarded Events log (the value is in bytes):

      wevtutil sl forwardedevents /ms:1000000000
  2. Open Command Prompt as Administrator and run the below commands to reserve the WS-Management URLs so that the collector machine can accept HTTP/HTTPS connections from forwarders (the two SIDs in the SDDL are the service SIDs of the WinRM and Windows Event Collector services).

    1. netsh http delete urlacl url=http://+:5985/wsman/
    2. netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
    3. netsh http delete urlacl url=https://+:5986/wsman/
    4. netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
  3. To create a source-initiated subscription:

    1. Open the Event Viewer.

    2. Click on the Subscriptions button.

    3. Click on the Create Subscription… option under the 'Actions' panel.

    4. Configure Subscription Properties.

      1. Provide a Subscription name and Description (optional).

      2. Select Destination log as Forwarded Events. It is recommended to increase the maximum log size of the Forwarded Events channel so that the maximum number of forwarded events can be stored in this channel. To change the maximum log size, right-click on the Forwarded Events channel and click on Properties.

      3. Select the Source computer initiated option and click Select Computer Groups….

      4. Click on Add Domain Computers and add the domain computers whose logs you need to collect.

      5. Click on the Select Events… button beside ‘Event to collect:’ and specify the events to be collected.

        It is recommended that all the machines used in Typical Deployment for WEC be configured in the same timezone (preferably UTC).

      6. Click on the Advanced… button and select the User Account (if this option is not available, skip it), Event Delivery Optimization, and protocol (HTTP/HTTPS). The recommended protocol is HTTPS.
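The collector steps above, carried out from one elevated PowerShell session as an added example (this is not the guide's or DataBee's own script): the subscription is created with wecutil from an XML definition instead of through the Event Viewer UI. The subscription name, description and event query are assumptions; adjust them to the events you need.

```powershell
# Added example, not part of the original guide. Run as Administrator on the collector.
# Step 1: WinRM listener, automatic start-up and (optional) restart on failure after 60 s
winrm quickconfig -quiet
Set-Service -Name WinRM -StartupType Automatic
sc.exe failure WinRM reset= 86400 actions= restart/60000/restart/60000/restart/60000

# Step 1.3: raise the maximum size of the ForwardedEvents channel (bytes)
wevtutil sl ForwardedEvents /ms:1000000000

# Step 2: URL reservations for the WinRM (first SID) and WecSvc (second SID) service accounts
$sddl = 'D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)' +
        '(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)'
foreach ($url in 'http://+:5985/wsman/', 'https://+:5986/wsman/') {
    netsh http delete urlacl url=$url | Out-Null   # "not found" on a fresh machine is fine
    netsh http add urlacl url=$url sddl=$sddl
}

# Step 3: source-initiated subscription over HTTPS into ForwardedEvents (assumed name/query).
# AllowedSourceDomainComputers grants the Domain Computers group (DC) the right to forward.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DataBee-WEC</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forwarders push Security and System events to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>1</MaxItems><MaxLatencyTime>1000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[<QueryList>
    <Query Id="0"><Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]</Select></Query>
    <Query Id="1"><Select Path="System">*</Select></Query>
  </QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTPS</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'DataBee-WEC.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding ASCII
wecutil cs $xmlPath          # create the subscription from the XML
wecutil gs DataBee-WEC       # print it back to confirm it was accepted
```

Once forwarders have applied the GPO, `wecutil gr DataBee-WEC` on the collector lists each source computer with its last heartbeat, which is the quickest way to spot a forwarder that never connected.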

AD / Domain Controller Configurations

The below configurations are intended for the AD domain or domain controller machine where GPO can be created centrally so that all the machines in the same domain can apply the group policy to forward events to the collector machine.

Configure Group Policy

  1. Open Group Policy. Right-click on your Domain name and select Create a GPO  on this domain, and Link it here... If a Group Policy Object (GPO) already exists, you can also utilize it for this purpose.

  2. Assign a name to the GPO.

  3. Right-click on the created GPO and click on Edit.

  4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings. Right-click on Restricted Groups, click on Add Group, type "Event Log Readers" and click on OK.

  5. It will open a new window. On the new window, in the members of this group, click on Add and type "NT AUTHORITY\Network Service", then click on OK and again OK.

  6. Navigate to this location Computer Configuration > Policies > Windows Settings > Security Settings > System Services. On the right side open the properties of Windows Remote Management and click on Define this policy and also click on Automatic then click on OK.

  7. Navigate to this location Computer Configuration > Policies > Windows Settings > Administrative Templates > Windows Components > Event Forwarding. On the right side, click on Configure Forwarder resource usage, click on Enabled, provide the maximum forwarding rate (events/sec) allowed for the forwarder as per the requirement, and click OK.

  8. Click on Configure target Subscription Manager, click on Enabled, then click on the Show… button beside the SubscriptionManagers option. Add the value using the following syntax when using the HTTPS protocol:

    Server=https://<FQDN of Collector>:5986/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>,IssuerCA=<Thumb print of the client authentication certificate>

    When using the HTTP protocol, use port 5985 instead.

  9. Navigate to this location Computer Configuration > Policies > Windows Settings > Administrative Templates > Windows Components > Event Log Service > Security.

  10. Enable “Configure log Access” and enter the text below in Log access:

    O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

  11. Click on Apply. Close all the Group Policy consoles and run the below command on the Domain Controller:

    gpupdate /force
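A check script to run on a forwarder after the policy has applied, added here as an example (not part of the original guide): it reads back the registry values the GPO steps above write and reports PASS/FAIL per step. The collector FQDN and the exact event query are assumptions; the policy registry paths are the standard locations for these settings.

```powershell
# Added example, not part of the original guide. Run as Administrator on a forwarder.
$collector  = 'wec01.example.local'     # placeholder: FQDN of your collector
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'
$checks     = [ordered]@{}

# Steps 4-5: NETWORK SERVICE must be a member of Event Log Readers to read the Security log
$members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
$checks['Event Log Readers contains NETWORK SERVICE'] =
    [bool]($members.Name -contains 'NT AUTHORITY\NETWORK SERVICE')

# Step 6: WinRM running and set to Automatic
$winrm = Get-Service -Name WinRM
$checks['WinRM running and Automatic'] =
    ($winrm.Status -eq 'Running' -and $winrm.StartType -eq 'Automatic')

# Step 7: forwarder resource usage (MaxForwardingRate) defined
$rate = Get-ItemProperty "$policyRoot\EventForwarding\ForwarderResourceUsage" -ErrorAction SilentlyContinue
$checks['MaxForwardingRate set'] = ($null -ne $rate.MaxForwardingRate)

# Step 8: a SubscriptionManager entry (values named 1, 2, ...) pointing at our collector over HTTPS
$mgr = Get-ItemProperty "$policyRoot\EventForwarding\SubscriptionManager" -ErrorAction SilentlyContinue
$targets = @()
if ($mgr) { $targets = $mgr.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value }
$checks['SubscriptionManager targets collector via HTTPS'] =
    [bool]($targets | Where-Object { $_ -like "Server=https://${collector}:5986/wsman/*" })

# Step 10: Security channel access SDDL must be exactly what the GPO pushes
$expectedSddl = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'
$sec = Get-ItemProperty "$policyRoot\Security" -ErrorAction SilentlyContinue
$checks['Security ChannelAccess matches GPO'] = ($sec.ChannelAccess -eq $expectedSddl)

# Network path to the collector's HTTPS listener
$checks['TCP 5986 to collector reachable'] =
    (Test-NetConnection -ComputerName $collector -Port 5986 -InformationLevel Quiet)

$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```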

Apply Group Policy

On the central Windows server acting as the domain controller, if all the systems are present under the Organizational Unit (OU), you can push this GPO setting directly from the Active Directory server; there is no need to run the gpupdate command on, or reboot, each forwarder machine. The steps to be followed are given below.

  1. Right-click on OU and then click on Group Policy Update.

  2. Click on Yes to force update the Group Policy.

Alternatively, restart all the Windows endpoints/servers (forwarders) or run the below command on each machine to apply the created GPO immediately:

gpupdate /force
