5.2.2 Collection - WEF
- Windows Event Forwarding (WEF) is a built-in feature of Windows that lets you collect and forward event logs from multiple Windows devices to a central Windows machine. The SyskeyOT Windows Agent can then collect the events from that central Windows machine and forward them to the Scribbler.
- WEF has some involved prerequisites: AD DS (Active Directory Domain Services), WinRM, and, for non-domain computers, HTTPS with proper certificates.
- The procedure below explains how to set up WEF in source-initiated mode. For other types of setup and configuration, refer to the Microsoft documentation.
Technical Background
- WEF is a service that allows you to forward events from multiple Windows servers and collect them in one spot. The service has two main components: a forwarder and a collector. A collector is a service running on a Windows server that collects all events sent to it by event log forwarders.
- The "link" between a forwarding server and a collector is known as a subscription.
- Collectors serve as subscription managers: they accept events and let you specify which events to collect from endpoints.
Environment & Requirements
- One Windows Server instance (2012 R2 or higher) to act as the collector.
- One or more Windows servers or clients (Windows 10 or higher) to forward events.
- Active Directory.
- GPO: familiarity with Group Policy Objects is required.
- WinRM: WinRM needs to be running on all clients.
Step by Step Configuration
Enable WinRM on Server and Client Machines
Refer to the official Microsoft documentation for detailed steps:
Installation and Configuration for Windows Remote Management
Initialize Collector Server
- Start the Subscription Collector Service on the collector server.
- Ensure the Collector Service is set to start automatically when Windows Server boots up.
- On the collector, open Event Viewer → Subscriptions.
  - The first time you open the Subscriptions option, Windows will ask if you want to start the Windows Event Log Collector Service and configure it to start automatically.
  - Click Yes to accept.
- The collector is now configured.
Setting up the Forwarders' GPO
- The next step is to configure one or more Windows servers to begin forwarding event logs to the collector. The easiest way to do so is by creating a GPO (Group Policy Object). This GPO can then be applied to one or more OUs that contain the servers to send events from.
- WEF uses the Network Service account to read and send events from a forwarder to a collector. By default, the Network Service account does not have access to do this, so you first need to adjust the event log's ACL to allow it.
- Begin by opening a command prompt and running wevtutil gl security. This prints various information about the Security event log; the piece to pay attention to is the channelAccess SDDL.
- Below is an example of the SDDL you'll need for the Security event log. The channelAccess line represents the permissions set on the event log. Copy the highlighted SDDL and save it somewhere for later, to add to a GPO.
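The same step from a script, as an added PowerShell example that is not part of the SyskeyOT documentation: it reads the channelAccess SDDL out of wevtutil gl, checks whether NETWORK SERVICE (SID S-1-5-20, SDDL abbreviation NS) already holds the channel read right 0x1, appends that ACE if it is missing, and saves the result for the GPO step. The output path is a placeholder; the ACE form (A;;0x1;;;S-1-5-20) is the one Microsoft's WEF guidance uses for this purpose.

```powershell
# Added example, not from the SyskeyOT documentation: pull the channelAccess SDDL
# for a log out of 'wevtutil gl' and make sure NETWORK SERVICE can read the log.
# Run in an elevated PowerShell prompt on a machine that still has the default log ACL.
$log     = 'Security'
$outFile = "$env:TEMP\$log-channelAccess.sddl"   # placeholder path for the saved SDDL

# 'wevtutil gl' prints one "name: value" line per property; channelAccess is the SDDL.
$sddl = $null
foreach ($line in (wevtutil gl $log)) {
    if ($line -match '^\s*channelAccess:\s*(\S+)') { $sddl = $Matches[1]; break }
}
if (-not $sddl) { throw "channelAccess not found in 'wevtutil gl $log' output" }
Write-Host "Current SDDL: $sddl"

# NETWORK SERVICE is S-1-5-20 (abbreviated NS in SDDL); 0x1 is the channel read right.
$nsAce = '(A;;0x1;;;S-1-5-20)'

# Look for an existing allow ACE for NS/S-1-5-20 whose access mask includes the read bit.
$hasRead = $false
foreach ($m in [regex]::Matches($sddl, '\(A;;(0x[0-9A-Fa-f]+);;;(NS|S-1-5-20)\)')) {
    if (([int]$m.Groups[1].Value -band 1) -eq 1) { $hasRead = $true }
}

if ($hasRead) {
    Write-Host 'NETWORK SERVICE already has read access; nothing to add.'
    $newSddl = $sddl
} else {
    # Append the ACE at the end of the DACL (the D: section), ahead of any SACL (S:) part.
    $m = [regex]::Match($sddl, '^(.*D:[^(]*(?:\([^)]*\))*)(.*)$')
    if (-not $m.Success) { throw "Unexpected SDDL layout: $sddl" }
    $newSddl = $m.Groups[1].Value + $nsAce + $m.Groups[2].Value
    Write-Host "SDDL to paste into 'Configure log access': $newSddl"
}

# Prove the string still parses as a security descriptor before handing it to a GPO,
# then save it for later.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($newSddl)
Set-Content -Path $outFile -Value $newSddl -NoNewline
Write-Host "Saved to $outFile ($($sd.DiscretionaryAcl.Count) DACL entries)"
```

The parse through RawSecurityDescriptor is the check worth keeping: a typo in a hand-edited SDDL is otherwise only discovered when the policy fails to apply on every forwarder at once.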
- Create a GPO via the Group Policy Management Console. Inside the GPO, navigate to: Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding → Configure target subscription manager.
- Set the value for the target subscription manager to the WinRM endpoint on the collector. Set the Server value in the format:
  Server=http://FQDN of the collector:5985/wsman/SubscriptionManager/WEC,Refresh=60
- Note the Refresh interval at the end of the collector endpoint. The Refresh interval indicates how often clients should check in to see if new subscriptions are available.
- Next, take the SDDL you copied earlier from running wevtutil gl security and paste it into the setting: Computer Configuration → Policies → Administrative Templates → Windows Components → Event Log Service → Security → Configure log access.
- Link the GPO and apply it to the required computers.
Setting up Subscription in Collector Server
- It is good practice to forward only the required events, using event filters, to reduce noise and traffic to the collector server. This is achieved through subscription event filters.
- On the collector, open the Windows Event Viewer, right-click Subscriptions and choose Create Subscription.
- As shown below, choose Forwarded Events as the Destination log, select the Source computer initiated option and then click Select Computer Groups. This is where you select which computers you'd like to forward events from.
- Next, select the events to forward. Open the query filter as shown below and select the required sources and filter conditions for the events to forward to the collector.
- Click OK to exit the Query Filter.
- Click Advanced in the Subscription Properties window and select Minimize Latency. This setting ensures the collector receives events as soon as possible and helps it catch up if it falls behind.
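The subscription the dialog builds can also be created with wecutil from an XML definition, which is easier to review and to reproduce on a second collector. The following is an added PowerShell example and not part of the SyskeyOT documentation; the subscription name, description and the set of Security event IDs in the filter are placeholders, and the allowed-source SDDL is the form used in Microsoft's WEF guidance (DC is the SDDL abbreviation for Domain Computers).

```powershell
# Added example, not from the SyskeyOT documentation: create the source-initiated
# subscription from a script instead of the Event Viewer dialog. Run in an elevated
# prompt on the collector. Name, description and event IDs are placeholders.
$subscriptionName = 'WEF-Security'

# Source-initiated subscriptions select forwarders by SDDL, not by name. DC is the
# well-known SDDL abbreviation for Domain Computers; this is the allowed-source form
# Microsoft's WEF guidance uses.
$allowedSources = 'O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)'

# Query filter (example set): 4624/4625 logon success/failure, 4672 special privileges
# assigned, 4720 user account created, 1102 audit log cleared. Everything else stays
# on the forwarder, which is the "forward only required events" advice above.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4720 or EventID=1102)]]</Select>
  </Query>
</QueryList>
'@

# Subscription definition. ConfigurationMode MinLatency is the "Minimize Latency"
# option from the Advanced dialog; LogFile ForwardedEvents is the Destination log.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Selected Security events from domain computers (example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>$allowedSources</AllowedSourceDomainComputers>
</Subscription>
"@

# Fail early on malformed XML rather than letting wecutil reject it.
$null = [xml]$xml

$file = Join-Path $env:TEMP "$subscriptionName.xml"
Set-Content -Path $file -Value $xml -Encoding UTF8

# Refuse to clobber an existing subscription; 'wecutil ss NAME /c:FILE' updates one.
if (@(wecutil es) -contains $subscriptionName) {
    throw "Subscription '$subscriptionName' already exists; update it with: wecutil ss $subscriptionName /c:$file"
}
wecutil cs $file                 # create the subscription from the XML
wecutil gs $subscriptionName     # print the stored configuration back
wecutil gr $subscriptionName     # runtime status: forwarders appear here as they check in
```

Keeping the XML in version control gives you a reviewable record of exactly which events leave each forwarder, which the dialog does not.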
Verifying the WEF Configuration
- Once WEF is set up, check that the forwarders are working by looking at the Source Computers column on the main Subscriptions page of the collector.
- Also check the Event Forwarding Plugin Operational log under Applications and Services Logs on the client to make sure everything is working. This is where you'll see descriptive errors if something has gone awry with Kerberos or firewalls.
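Both checks can be scripted, which is useful when there are many forwarders. The following is an added PowerShell example, not part of the SyskeyOT documentation. It assumes the policy registry key the GPO writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager), the Event Forwarding Plugin's log name Microsoft-Windows-Forwarding/Operational, the collector service name Wecsvc, and a placeholder subscription name.

```powershell
# Added example, not from the SyskeyOT documentation: health checks for a WEF
# forwarder and for the collector. Run in an elevated prompt and call the function
# that applies to the machine you are on. $subscriptionName is a placeholder.
$subscriptionName = 'WEF-Security'

function Test-WefForwarder {
    # 1. The GPO writes the subscription manager URL(s) under this policy key,
    #    one REG_SZ value named "1", "2", ... per collector endpoint.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $polKey)) {
        Write-Warning 'No SubscriptionManager policy applied; check the GPO link and run gpupdate /force'
    } else {
        (Get-ItemProperty $polKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object {
                # Value looks like "Server=http://collector:5985/wsman/SubscriptionManager/WEC,Refresh=60"
                $parts = @{}
                foreach ($kv in ($_.Value -split ',')) {
                    $k, $v = $kv -split '=', 2
                    if ($v) { $parts[$k.Trim()] = $v.Trim() }
                }
                [pscustomobject]@{ Server = $parts['Server']; RefreshSeconds = $parts['Refresh'] }
            } | Format-Table -AutoSize
    }

    # 2. WEF rides on WinRM, so the service must be running on every forwarder.
    $winrm = Get-Service WinRM
    if ($winrm.Status -ne 'Running') { Write-Warning "WinRM service is $($winrm.Status)" }

    # 3. Errors and warnings from the forwarding plugin in the last 24 hours
    #    (Kerberos, firewall and subscription-manager problems show up here).
    $filter = @{ LogName = 'Microsoft-Windows-Forwarding/Operational'; Level = 2, 3; StartTime = (Get-Date).AddHours(-24) }
    $problems = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if ($problems) { $problems | Select-Object TimeCreated, Id, Message | Format-Table -Wrap }
    else { Write-Host 'No forwarding errors or warnings in the last 24 hours' }
}

function Test-WefCollector {
    # The collector service (Wecsvc) must be running and set to start automatically.
    $wec = Get-Service Wecsvc
    if ($wec.Status -ne 'Running' -or $wec.StartType -ne 'Automatic') {
        Write-Warning "Wecsvc is $($wec.Status), start type $($wec.StartType)"
    }
    # Runtime status lists each source computer with its last heartbeat and any error,
    # the same information as the Source Computers column in Event Viewer.
    wecutil gr $subscriptionName
    # Newest forwarded events, with the machine they came from.
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id, ProviderName | Format-Table -AutoSize
}

Test-WefForwarder    # run this on a forwarder
# Test-WefCollector  # run this on the collector instead
```

A forwarder that shows the policy value and a running WinRM service but never appears in wecutil gr is almost always a Kerberos or firewall problem, and the plugin log queried in step 3 names which.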
- WEF setup is now complete. Next, configure the SyskeyOT Windows Agent to collect the logs from the collector server.
Setting up SyskeyOT Windows Agent
- The WEF collector server stores all the remote machines' events under the Forwarded Events log in Event Viewer, as shown below.
- Install the SyskeyOT Windows Agent on the collector server and open the agent.
- Go to the Event Log page (not the Remote Event Log page), as shown below, and add the Forwarded Events filter. Refer to the section How To Set Event Log Filter for more details.
- The SyskeyOT Agent now reads the collected events and forwards them to the Scribbler as configured.