Over the last three posts, we’ve looked at Microsoft event logging use cases and identified a set of must-have event IDs. Now we’re ready to put our security policy in place. This blog will walk you through configuring event logging on client workstations, and creating a subscription on a central log collection device.
Centralizing log collection removes the burden of having to log in to individual workstations during investigations. It also provides a way to archive log data for incident response or compliance requirements. Remember: being able to easily correlate activities across multiple hosts is a powerful threat detection and mitigation tool.
Configuring computers in a domain to forward and collect events
All source devices and the collector should be registered in the domain.

1. Enable the Windows Remote Management service on each source computer by typing the following at an administrator command prompt (select Run as Administrator from the Start menu or use the Runas command at a command prompt):

winrm quickconfig
Note: It is a best practice to use a domain account with administrative privileges.
Note: WinRM 2.x uses default HTTP port 5985 and default HTTPS port 5986. If you already have a listener but you want to change the port, run this command:

Winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="5985"}

Then change your Windows firewall policy accordingly.

2. Enable the Windows Event Collector service on the collector computer by typing the following at an administrative command prompt (select Run as Administrator from the Start menu or use the Runas command at a command prompt):

wecutil qc
3. Configure the Event Log Readers Group

Once the commands have run successfully, go back to the event source computer and open the Computer Management applet from the Server Manager: click Start, right-click Computer and select Manage.
Expand the Local Users and Groups option from the navigation pane and select the Groups folder. Select “Event Log Readers” group, right click and select Add.
In the “Select Users, Computers, Service Accounts or Groups” dialog box, click on the “Object Type” button and select the checkbox for “Computers” and click OK.
Type in the name of the collector computer and click on the “Check Name” button. If the computer account is found, it will be confirmed with an underline.
The computers are now configured to forward and collect events.
4. Create a Subscription

A subscription allows you to specify the events you want forwarded to the collector. In the Event Viewer on the collector server, select Subscriptions. From the Action menu in the right pane, choose the “Create Subscription…” link. In the Subscription Properties dialog box:
a. Provide a name and description for the subscription.
b. Leave the “Destination log” field set to the default value of Forwarded Events.
c. Choose the first option (“Collector initiated”) for the subscription type and then click on Select Computers.
d. Click on “Add Domain Computers…” in the pop-up dialog box.
e. Type the name of the collector server and verify the name. Click OK twice to return to the Subscription Properties main dialog box.
f. In the Events to Collect section, click on the “Select Events…” button to bring up the Query Filter window.
g. Select a time period from the “Logged” drop-down list. For client workstations these may be collected on a daily basis; for critical servers, a more frequent schedule should be deployed.
h. Select the types of events (Warning, Error, Critical, Information, and Verbose) by event ID (or pick the event sources you require, but remember to be selective to avoid losing visibility into important events due to excessive “noise”).
i. Click OK to return to the Subscription Properties main dialog box.
j. Click on the “Advanced…” button and then, in the Advanced Subscription Settings dialog box, select the option for “Machine Account” if it is not already selected.
k. Change the “Event Delivery Optimization” option to “Minimize Latency.”
l. Verify the protocol and port; ideally keep the default value of HTTP and the port as 5985.
m. Click OK to go back to the Subscription Properties dialog box and then click OK to close it.

The Subscriptions option in the Event Viewer should now show the subscription we just created.

5. Verify Events on the Collector Computer

Select the Forwarded Events option under Windows Logs in the Event Viewer.
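The checks a practitioner would run on the collector once steps 1 to 5 are done, as an added example (PowerShell, not part of the original post): it confirms the WinRM listener, reachability of each source, the saved subscription settings and runtime state, and then counts forwarded events per source so that a host that has gone quiet stands out. The subscription name and the source host names are assumptions; the expected names must match the MachineName recorded in the forwarded events (normally the FQDN).

```powershell
# Added example, not part of the original post: check a collector-initiated
# subscription end to end from the collector. The subscription name and the
# source host names below are placeholders; replace them with your own.
param(
    [string]$SubscriptionName = 'Workstation-Security',
    [string[]]$ExpectedSources = @('WKS01.corp.example', 'WKS02.corp.example'),
    [int]$Hours = 24
)

# Step 1 check: the collector's own WinRM listener (HTTP 5985 by default).
Write-Host "== WinRM listeners on $env:COMPUTERNAME =="
winrm enumerate winrm/config/listener

# Steps 1 and 3 check: collector-initiated forwarding needs the collector to
# reach WinRM on every source. Test-WSMan fails if the listener or the
# firewall rule is missing; Event Log Readers membership shows up in step 5.
foreach ($src in $ExpectedSources) {
    try   { Test-WSMan -ComputerName $src -ErrorAction Stop | Out-Null; "WinRM reachable: $src" }
    catch { "WinRM NOT reachable: $src ($($_.Exception.Message))" }
}

# Step 4 check: the saved subscription settings (delivery mode, port, log) and
# the per-source runtime state (Active / Inactive, last heartbeat, last error).
Write-Host "`n== Subscription '$SubscriptionName' =="
wecutil gs $SubscriptionName
wecutil gr $SubscriptionName

# Step 5 check: count forwarded events per source in the last $Hours hours.
# A source with zero events is the signal that matters: a quiet host usually
# means a broken subscription, a stopped service or a permission problem,
# not a host with nothing to report.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue
$counts = @{}
foreach ($grp in ($events | Group-Object -Property MachineName)) { $counts[$grp.Name] = $grp.Count }

Write-Host "`n== Forwarded events in the last $Hours h =="
foreach ($src in $ExpectedSources) {
    $n    = if ($counts.ContainsKey($src)) { $counts[$src] } else { 0 }
    $flag = if ($n -eq 0) { '  <-- NO EVENTS, investigate' } else { '' }
    "{0,-30} {1,8}{2}" -f $src, $n, $flag
}
# Hosts forwarding events that are not on the expected list.
$counts.Keys | Where-Object { $ExpectedSources -notcontains $_ } |
    ForEach-Object { "Unexpected source: $_ ($($counts[$_]) events)" }
```

Run it from an elevated PowerShell prompt on the collector; a source that is reachable but reports zero events points at the Event Log Readers membership or the query filter from step 4h rather than at WinRM.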
Notes for Workgroups
If you want to set up log forwarding within a workgroup rather than a domain you will need to perform the following tasks in addition to those defined for domains:
- Add an account with administrator privileges to the Event Log Readers group on each source computer. You must specify this account in the dialog when creating a subscription on the collector computer. Select Specific User instead of Machine Account (see step 4j). You must also ensure the account is a member of the local Administrators group on each of the source computers.
- Type

winrm set winrm/config/client @{TrustedHosts="<sources>"}

on the collector computer, where <sources> is the list of source computer names (wildcards are accepted), for example:

winrm set winrm/config/client @{TrustedHosts="msft*"}

To learn more about this command, type winrm help config.
Hopefully you have now built a working security policy using Windows Events. In the last blog of this series we will look at combining these events with other telemetry sources in a network by forwarding them to a syslog server or SIEM tool.