A customer had asked me if it was possible to collect logs centrally using WEC (Windows Event Collection) to reduce the amount of WinRM or Windows Legacy Collectors that were needed. I hadn't heard of WEC so it took me a while to understand it and test it out in a lab.
This post is about what I did to make it work in my lab and see how it works and what limitations it might introduce if its the collection method of choice for some or all Windows events in your environment.
In Short,
Pro: it looks like a simple way to collect logs from assets that might change address regularly (DHCP assets or cloud environments where assets are spun up and torn down frequently) or for specific compliance assets (PCI/SOX).
Con: The logs have the device.ip as the collector not the true source so any alerts that use device.ip will not work as expected. The alias.host and event.computer do reflect the true client system so you could use those instead.
** I can't vouch for the security of what I did to make this work, I'm and SE not a Windows Security expert so if you have found a more secure way to accomplish this please comment and i'll test it out and update the post with details **
WEC can be set up in either collector initiated or source initiated. Collector was chosen for this test.
- Collector machine in this test was Server 2012R2 DC
- Clients were mix of Win7,Win8, Win10, Server 2K8R2
Collector
Computer Management (as admin) > System Tools > Event Viewer > Subscriptions > Create Subscription
Create subscription name
Destination Log: Forwarded Events
Collector Initiated
select Computers > pick the computers from the domain to add to the list or the computer group where they will reside
Events to collect:
select the event logs to collect (App, Sys, Security, Powershell)
Change User account
There was some difficulty in making a service account and accessing the Security Logs so ended up using a machine account and leaving the event delivery as Normal
Now you collection is ready
Clients
Enable WinRM service and network connections to the service by opening cmd.exe (as admin)
winrm qc
select yes to enable service and network ports
Now add the machine account and network service account to allow access to the Security Events
Computer Management (as admin) > local user and groups > groups > event log readers
Add the Network Service Account
Add the machine account the same way for the collector that will be pulling event logs from the client
A reboot of the collector/client was suggested to allow the Network Service account to properly allow access to the event logs
(This could all be accomplished with GPO and pushed out to all machines in a group or domain to make this easier)
Collector - Validate
Computer Management > Event Log > Subscriptions
Select the subscription just created, on the right click Retry and then Runtime Status to see the results of the collection
You will be able to see which clients are reachable and which are not
Now you can take a look at the Forwarded Events log to see which event logs you have collected to make sure your permissions are correct
Hopefully now you have logs being collected from your clients, now all you have to do is configure WinRM to pull events from this collector or add the ForwardedEvents channel to your existing WinRM collection.
If all works out well you should see events like this from your clients
Notes:
- The Device.IP will be the collector computer not the clients
- Alias.host and event.computer will be the true client information
- Any event source monitoring for these forwarded clients may not work properly as the source IP will be the collector and not the clients (which may be a good thing if you have a highly dynamic client environment which is creating issues for the HW policies)
Let me know your thoughts on this and if this is actively being used in the field (or why not)
7 Comments
