Logs - Collecting Windows Events with WEC

EricPartington (Employee)

2017-01-30 07:02 AM

A customer had asked me if it was possible to collect logs centrally using WEC (Windows Event Collection) to reduce the number of WinRM or Windows Legacy Collectors that were needed. I hadn't heard of WEC, so it took me a while to understand it and test it out in a lab.

This post is about what I did to make it work in my lab, how it works, and what limitations it might introduce if it's the collection method of choice for some or all Windows events in your environment.

In short:

Pro: it looks like a simple way to collect logs from assets whose addresses change regularly (DHCP clients, or cloud environments where assets are spun up and torn down frequently), or from specific compliance assets (PCI/SOX).

Con: the logs carry the collector's address in device.ip rather than the true source's, so any alerts keyed on device.ip will not work as expected. alias.host and event.computer do reflect the true client system, so you could key on those instead.

** I can't vouch for the security of what I did to make this work; I'm an SE, not a Windows security expert, so if you have found a more secure way to accomplish this please comment and I'll test it out and update the post with details **

WEC can be set up in either collector-initiated or source-initiated mode. Collector-initiated was chosen for this test.

  • The collector machine in this test was a Server 2012R2 DC
  • Clients were a mix of Win7, Win8, Win10 and Server 2K8R2

Collector

Computer Management (as admin) > System Tools > Event Viewer > Subscriptions > Create Subscription

Create a subscription name.

Destination Log: Forwarded Events

Collector Initiated

Select Computers > pick the computers from the domain to add to the list, or the computer group where they will reside.

Events to collect:

Select the event logs to collect (App, Sys, Security, PowerShell).

Change User Account

There was some difficulty in making a service account and accessing the Security logs, so I ended up using a machine account and leaving the event delivery as Normal.

Now your collection is ready.
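The same collector-initiated subscription can be created from the command line on the collector instead of clicking through Event Viewer. The script below is an added example, not from the original post: it writes a subscription definition file and loads it with wecutil. The subscription name LabClients, the client FQDNs, and the use of the classic "Windows PowerShell" channel for the "PowerShell" log chosen in the GUI are assumptions; the settings mirror the GUI choices above (Forwarded Events destination, Normal delivery, default machine-account credentials).

```powershell
# Added example (not from the original post): create the collector-initiated
# subscription with wecutil instead of the Event Viewer GUI. Run elevated on the collector.
# Placeholders: subscription id 'LabClients' and the client addresses below.
$Xml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LabClients</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Lab clients pulled by the collector (placeholder description)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- "Normal" matches the event delivery setting left at its default in the post -->
  <ConfigurationMode>Normal</ConfigurationMode>
  <!-- Channels picked in the GUI: Application, System, Security, PowerShell.
       "Windows PowerShell" is assumed to be the classic PowerShell log meant by the post. -->
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Application">*</Select>
        <Select Path="System">*</Select>
        <Select Path="Security">*</Select>
        <Select Path="Windows PowerShell">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Destination log chosen in the GUI -->
  <LogFile>ForwardedEvents</LogFile>
  <!-- Default = the collector's machine account, which is what the post ended up using -->
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>client1.lab.example</Address></EventSource>
    <EventSource Enabled="true"><Address>client2.lab.example</Address></EventSource>
  </EventSources>
</Subscription>
'@

$Path = Join-Path $env:TEMP 'LabClients.xml'
Set-Content -Path $Path -Value $Xml -Encoding UTF8

# Make sure the Windows Event Collector service itself is configured and running
# (the GUI does this silently the first time you open Subscriptions).
wecutil qc /q:true

# Create the subscription from the file, then list what the collector now has.
wecutil cs $Path
wecutil es
```

Keeping the definition in a file has the side benefit that the subscription can be versioned and re-applied on a rebuilt collector, which is harder to do with GUI-only configuration.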

Clients

Enable the WinRM service and network connections to the service by opening cmd.exe (as admin) and running:

winrm qc

Select yes to enable the service and open the network ports.

Now add the machine account and the Network Service account so they are allowed access to the Security events:

Computer Management (as admin) > Local Users and Groups > Groups > Event Log Readers

Add the Network Service account.

Add the machine account of the collector that will be pulling event logs from the client the same way.

A reboot of the collector/client was suggested to allow the Network Service account to properly access the event logs.

(This could all be accomplished with GPO and pushed out to all machines in a group or domain to make this easier.)
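The client-side steps above, as one PowerShell script. This is an added example, not code from the original post: it enables WinRM the same way winrm qc does and adds the two accounts to the local Event Log Readers group. The domain name and collector hostname are placeholders; it is meant to be run elevated on each client (or wrapped in a GPO startup script, as the post suggests).

```powershell
# Added example (not from the original post): prepare a client for a collector-initiated
# WEC subscription. Run elevated on each client.
# Placeholders: $Domain is the AD domain's NetBIOS name, $CollectorName the collector host.
$Domain        = 'CORP'          # placeholder
$CollectorName = 'COLLECTOR01'   # placeholder: hostname of the WEC collector

# 1. Enable the WinRM service, set it to start automatically and open its firewall rule.
#    This is the PowerShell equivalent of "winrm qc"; -Force skips the yes/no prompts.
Set-WSManQuickConfig -Force

# 2. Grant read access to the Security log by adding both accounts to the local
#    "Event Log Readers" group. "net localgroup" is used rather than Add-LocalGroupMember
#    because the latter is not available on Windows 7 / Server 2008 R2 clients.
$members = @(
    'NT AUTHORITY\NETWORK SERVICE',   # account the event forwarding plug-in runs as
    "$Domain\$CollectorName`$"        # collector's machine account (note the trailing $)
)
foreach ($m in $members) {
    # Error 1378 here just means the account is already a member.
    net localgroup 'Event Log Readers' $m /add
}

# 3. Verify: service running, an HTTP listener present, and the group populated.
Get-Service -Name WinRM
winrm enumerate winrm/config/listener
net localgroup 'Event Log Readers'

# 4. The post notes a reboot was suggested so the new group membership takes effect
#    for the Network Service account; uncomment if you want that automated too.
# Restart-Computer -Force
```

Because this is a collector-initiated subscription inside a domain, it is the collector's computer account that authenticates to the client over WinRM, which is why that account, and not a user, needs to be in Event Log Readers on every client.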

 

Collector - Validate

Computer Management > Event Log > Subscriptions

Select the subscription just created; on the right, click Retry and then Runtime Status to see the results of the collection.

You will be able to see which clients are reachable and which are not.

Now you can take a look at the Forwarded Events log to see which event logs you have collected, to make sure your permissions are correct.

Hopefully you now have logs being collected from your clients; all you have to do now is configure WinRM to pull events from this collector, or add the ForwardedEvents channel to your existing WinRM collection.

If all works out well, you should see events like this from your clients:

Notes:

  • The device.ip will be the collector computer, not the clients
  • alias.host and event.computer will be the true client information
  • Any event source monitoring for these forwarded clients may not work properly, as the source IP will be the collector and not the clients (which may be a good thing if you have a highly dynamic client environment that is creating issues for the HW policies)
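The validation steps and the notes above can be checked from the collector without the GUI. The script below is an added example, not from the original post: it retries the subscription and dumps its runtime status, confirms Security events are actually arriving, and groups the forwarded events by the computer they really came from. The subscription name is a placeholder.

```powershell
# Added example (not from the original post): validate the subscription on the collector
# and see which clients the forwarded events really originate from. Run elevated.
$Subscription = 'LabClients'   # placeholder: the subscription name created earlier

# 1. Same as Retry / Runtime Status in Event Viewer:
#    rs = retry the subscription, gr = per-source runtime status (Active/Inactive,
#    last error, last heartbeat). Unreachable clients show up here.
wecutil rs $Subscription
wecutil gr $Subscription

# 2. Confirm Security events are arriving, which proves the Event Log Readers
#    membership on the clients worked. 4624 (logon) is a convenient canary because
#    every client produces it; -MaxEvents keeps the query cheap.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4624 } -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id

# 3. Which clients are forwarding? For a forwarded record, MachineName is taken from the
#    <Computer> element of the original event, i.e. the true source, not the collector.
#    This is the field the post says NetWitness surfaces as event.computer / alias.host,
#    while device.ip is the collector that delivered the event.
$bySource = Get-WinEvent -LogName ForwardedEvents -MaxEvents 2000 |
    Group-Object -Property MachineName |
    Select-Object @{ n = 'SourceComputer'; e = { $_.Name } }, Count |
    Sort-Object -Property Count -Descending
$bySource | Format-Table -AutoSize

# 4. Cross-check against the sources configured in the subscription: a client listed
#    here but missing from $bySource is reachable per "gr" yet not delivering anything.
wecutil gs $Subscription /f:XML
```

If a client appears in the runtime status as Active but never shows up in the grouping, the usual cause is that the subscription query names a channel the collector's account cannot read on that client, so step 2 and step 3 together narrow the problem down to transport versus permissions.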

 

Let me know your thoughts on this and whether it is actively being used in the field (or why not).
