Poor man’s log collection on Windows

by

Introduction

As your organization grows, a lot more log collectors either commercial or freeware are needed to be installed on your network to get logs from different servers running on Windows or *nix.

Let’s say for example this organization called kyle.biz has implemented Arcsight SmartConnectors deployed on Linux servers to get event logs on Windows. And based on my experience, setting up the SmartConnectors is tedious and maintaining them is sometimes a pain.

The limitations were also realized since SmartConnector only gets logs on the server static IPs configured during the installation so there is no way we’ll get the logs from other machines that have dynamic IPs.

Upon research, our team has stumbled upon this article from Microsoft’s documentation page and saw that Windows has already built-in log forwarding feature which is powerful and easy to configure!

So without further ado, let’s now configure the Source Initiated WEC and WEF on our servers! 

Prerequisites

Windows Event Collector

  • OS: Windows Server 2016 
  • Hostname: WEC01.internal.kyle.biz
  • RAM: 16GB
  • CPU: 4 Cores
  • Storage:
    • Drive C:\ – 50GB
    • Drive D:\ – 60GB (we’ll save our forwarded logs here)
  • Joined in a domain.

Windows Event Source

  • OS: Windows Server 2016
  • Hostname: CONSOLESERVER01.internal.kyle.biz
  • Joined in a domain.

WEC Server Configuration

On the following steps, we’ll be configuring our collector server to receive logs which will be initiated by source computers.

Step 1: Open the Event Viewer and click the Subscription.

Step 2: Right-click the Subscription to create a new Subscription. You can also see other actions on the right pane of the window.

Step 3: Enter the subscription name and select the subscription type as Source computer initiated.

Before we proceed in adding computer groups, let’s first configure the events to collect and advanced settings.

Step 4: Click the Select Events then click the manual edit/XML tab then copy the XML format query here: Appendix E – Annotated baseline subscription event query

Step 5: Click OK

Step 6: Click the Advanced Settings then select Minimize Latency.

Step 7: Click OK

Step 8: We’ll now add our domain computers by clicking Select Computer Groups.

Step 9: Since we are joined in a domain, click Add Domain Computers then search for the hostname of the event source. (Ex: CONSOLESERVER01.internal.kyle.biz)

Step 10: Click OK

Step 11: Right-click the Forwarded Events then click on properties

Step 12: Create folder Winenvt\Logs on drive D:\ then replace the log path by entering D:\Winevt\Logs\ForwardedEvents.evtx or refer to the screenshot below.

Event Source Configuration

On the following steps, we’ll be configuring the source computers to forward logs to our collector server.

Step 1: Let’s now configure our event source server machine to point the SubscriptionManagers to our WEC.

Step 2: Open the Local Group Policy then click the Event Forwarding to see the items under that directory.

Step 3: Click the Configure target Subscription Manager and enter on the value

"Server=http://WEC01.internal.kyle.biz.org:5985/wsman/SubscriptionManager/WEC,Refresh=60"

Step 4: Click OK

Step 5: Open Command Prompt then enter gpudate /force to apply the modification in our local group policy.

Step 6: Press Enter

Step 7: Go back to the WEC server then check if the Baseline events already getting logs from our event source machine.

Step 8: We can already see that the events are already forwarded and ready to use for analysis.

So that’s it! I hope you learned something new today and I hope you’ll be using this example to reduce the gap and have greater visibility on your network.

References:

Subscribe for more!

To stay up to date with my latest posts and more InfoSec guides, make sure to subscribe to this blog by entering your email address below.

I promise I won’t be spamming your mailbox. Because no one loves spam. AMIRIGHT?

Leave a Reply