Setting up Windows Event Forwarder Server (WEF) (Domain) – GPO Deployment Part 3/3

Now that you have set up a Windows Event Collector and the Sysmon subscriptions in the previous parts, you are ready to collect these logs from your endpoints.

We will now create a group policy and deploy it to our systems.

Prerequisites:

  • Create a computer OU for GPO deployment (WEF Deployment) that contains the endpoints you want to collect logs from

Creating GPO

Step 1: Set the WinRM service to start automatically

Launch your group policy utility and perform the following:

  1. Right click your computer OU and select Create a GPO in this domain, and Link it here…
  2. Provide a name (WEF Deployment), click OK
  3. Right click your newly created GPO WEF Deployment and select Edit
  4. Navigate to Computer Configuration > Preferences > Control Panel Settings > Services, right click and select New > Service
    Startup: Automatic
    Service name: WinRM
    Service action: Start service
    Click Apply, then OK

Step 2: Provide Event Log Reader Access

In this step we will add NETWORK SERVICE and the computer account of the collector (WindowsLogCollector$) to the local Event Log Readers group on every endpoint. NETWORK SERVICE is the account the WinRM service runs as on the endpoint, so this is what lets the endpoint read its own event logs and forward them to WindowsLogCollector. The collector's computer account only needs read access if you also use collector-initiated subscriptions; for the source-initiated subscriptions configured with the Subscription Manager policy in Step 3 it is harmless but not strictly required.

  1. Right click your WEF Deployment GPO and select Edit
  2. Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, right click and select New > Local Group
    Action: Update
    Group name: Event Log Readers (built-in)
    Members: Add… NT AUTHORITY\NETWORK SERVICE
             Add… Domain\WindowsLogCollector$
    Apply > OK

Step 3: Adding the WEF server Subscription Manager address
This tells our endpoints where to enroll for the WindowsLogCollector subscriptions.

  1. Right click your WEF Deployment GPO and select Edit
  2. Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager
  3. Set to Enabled, click Show and enter the collector address as the value:
    Server=http://WindowsLogCollector.domain.COM:5985/wsman/SubscriptionManager/WEC
  4. Click OK

Replace WindowsLogCollector.domain.COM with the FQDN of your collector. Endpoints poll this address for their subscription list every 900 seconds by default; append ,Refresh=<seconds> to the value if you want a different interval. Port 5985 is WinRM over HTTP. Between domain members the session is still authenticated and encrypted with Kerberos, but if you need TLS on the wire, use https:// with port 5986 and a server certificate on the collector.

Step 4: Allow remote server management through WinRM

  1. Right click your WEF Deployment GPO and select Edit
  2. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM
    Set: Enabled
    IPv4 filter: *
    IPv6 filter: * (or leave it blank if you do not use IPv6)
    OK

Note that the IPv4 and IPv6 filters specify the local addresses the endpoint's WinRM service listens on, not the remote hosts allowed to connect; * means all of the endpoint's addresses, and entering the collector's IP address here would leave the endpoint with no valid listen address. If you want to limit who can reach the listener, scope the Windows Firewall rule for TCP 5985 to the collector's address instead.
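Once the policy has refreshed, the four settings above can be read back from the endpoint itself rather than trusting gpresult. The following is an added verification script, not part of the original post, that checks each step in turn: the WinRM service state, the Event Log Readers membership, the registry values the Subscription Manager and WinRM policies write, the presence of a listener, TCP reachability of the collector, and whether NETWORK SERVICE can read the Security channel. It assumes the collector FQDN and port entered in Step 3 (WindowsLogCollector.domain.COM, 5985) and is run from an elevated PowerShell prompt on a domain endpoint after gpupdate /force.

```powershell
# Added verification script (not part of the original post). Run in an elevated
# PowerShell on a domain endpoint after `gpupdate /force` to confirm that the four
# "WEF Deployment" GPO settings have actually been applied.
# Assumptions: collector FQDN and port as entered in Step 3 of the GPO.
$Collector = 'WindowsLogCollector.domain.COM'
$Port      = 5985

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# Step 1: WinRM service running and set to Automatic
$svc = Get-Service -Name WinRM
Add-Check 'WinRM service' ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic') `
    "Status=$($svc.Status) StartType=$($svc.StartType)"

# Step 2: NETWORK SERVICE (the account WinRM runs as) is in the local Event Log Readers group
$members   = @(Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name)
$hasNetSvc = $members -contains 'NT AUTHORITY\NETWORK SERVICE'
Add-Check 'Event Log Readers' $hasNetSvc ('Members: ' + ($members -join ', '))

# Step 3: the "Configure target Subscription Manager" policy lands in this registry key;
# value "1" holds the first Server=... entry.
$subKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$subVal = [string](Get-ItemProperty -Path $subKey -ErrorAction SilentlyContinue).'1'
Add-Check 'Subscription Manager' ($subVal -match [regex]::Escape($Collector)) "Value=$subVal"

# Step 4: "Allow remote server management through WinRM" sets AllowAutoConfig=1 plus the filters
$winrmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$winrmPol = Get-ItemProperty -Path $winrmKey -ErrorAction SilentlyContinue
Add-Check 'WinRM AllowAutoConfig' ($winrmPol.AllowAutoConfig -eq 1) `
    "AllowAutoConfig=$($winrmPol.AllowAutoConfig) IPv4Filter=$($winrmPol.IPv4Filter) IPv6Filter=$($winrmPol.IPv6Filter)"

# A listener must actually exist for the policy above to mean anything
$listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
Add-Check 'WinRM listener' ($listeners.Count -gt 0) ('Listeners: ' + ($listeners.Name -join ', '))

# Can this endpoint reach the collector on the WinRM port at all?
$tnc = Test-NetConnection -ComputerName $Collector -Port $Port -WarningAction SilentlyContinue
Add-Check "TCP $Port to collector" $tnc.TcpTestSucceeded "RemoteAddress=$($tnc.RemoteAddress)"

# Security channel: readable either through Event Log Readers (S-1-5-32-573) membership
# or through a direct grant to NETWORK SERVICE (S-1-5-20) in the channel's SDDL.
$sddl  = (wevtutil gl Security | Where-Object { $_ -like 'channelAccess:*' }) -replace '^channelAccess:\s*', ''
$secOk = ($sddl -match 'S-1-5-20') -or ($sddl -match 'S-1-5-32-573' -and $hasNetSvc)
Add-Check 'Security log readable by NETWORK SERVICE' $secOk "SDDL=$sddl"

$results | Format-Table -AutoSize

# What the endpoint's own forwarding plugin reports about its subscriptions
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A false on any row points at the step that did not apply. The Security channel row in particular can read true while Security events still do not arrive, because the group membership only takes effect in the service's token after a reboot, which is the situation described in the Important Note further down.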


We are now done!

Go back to your WindowsLogCollector server and open Event Viewer. Under Subscriptions, right click a subscription and choose Runtime Status to watch the endpoints register, and their logs will start to appear under Forwarded Events.

(Note: This might take up to 90 minutes, plus a random offset of up to 30 minutes, which is the default Group Policy background refresh interval. You may want to run gpupdate /force on your endpoints to refresh group policy and receive these changes immediately. Additionally, it may take up to 15 minutes, the default Refresh interval of the Subscription Manager setting, for your endpoints to receive subscription updates whenever you add or remove an event ID in a subscription. You may restart the Windows Remote Management (WS-Management) service (WinRM) on the endpoint to trigger the request to our WEF server and receive the update instantly.)

Important Note: If you are collecting Security logs, once your endpoint gets the subscription settings you will need to restart that particular endpoint so the permissions apply and allow you to collect Security logs. The Event Log Readers membership from Step 2 only takes effect once the token of the NETWORK SERVICE account is rebuilt, which in practice means a reboot; otherwise you will be frustrated about not receiving Security event logs. A documented alternative that avoids the reboot is to grant NETWORK SERVICE read access on the Security channel directly, via Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security > Configure log access, by taking the channel's current SDDL from wevtutil gl Security and appending (A;;0x1;;;S-1-5-20) to it.
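The Runtime Status dialog only shows one subscription at a time. The following added example, which is not part of the original post, does the same check from PowerShell on the collector for every subscription at once, using only the built-in wecutil tool: wecutil es lists the subscriptions and wecutil gr prints the per-source runtime status, which the script parses into a table and flags any source that is not Active. No names beyond the built-in Wecsvc service and ForwardedEvents log are assumed.

```powershell
# Added example (not part of the original post). Run on the collector
# (WindowsLogCollector) to see, per subscription, which endpoints have registered,
# which are Inactive with an error, and whether events are actually landing.
# Uses only the built-in wecutil tool: `wecutil es` lists subscriptions and
# `wecutil gr <name>` prints the runtime status of each event source.

function Get-WefSourceStatus {
    $rows = New-Object System.Collections.Generic.List[object]
    foreach ($sub in @(wecutil es)) {
        $inSources = $false
        $source    = $null
        foreach ($raw in @(wecutil gr $sub)) {
            $line = $raw.Trim()
            # The subscription's own status comes first; per-source blocks follow "EventSources:"
            if ($line -eq 'EventSources:') { $inSources = $true; continue }
            if (-not $inSources -or $line -eq '') { continue }
            # A line without a colon is a bare host name and starts a new source block
            if ($line -notmatch ':') { $source = $line; continue }
            if ($line -match '^RunTimeStatus:\s*(\S+)') {
                $rows.Add([pscustomobject]@{
                    Subscription = $sub; Source = $source; Status = $Matches[1]; LastError = $null
                })
            } elseif ($line -match '^LastError:\s*(\d+)' -and $rows.Count -gt 0) {
                $rows[$rows.Count - 1].LastError = [int]$Matches[1]
            }
            # LastHeartbeatTime / ErrorMessage lines are ignored
        }
    }
    return $rows
}

$status = Get-WefSourceStatus
$status | Sort-Object Subscription, Status, Source | Format-Table -AutoSize

# Anything not Active deserves a look on the endpoint: Step 2 membership, WinRM running,
# and a reboot if it is the Security log that is missing
$status | Where-Object { $_.Status -ne 'Active' } | ForEach-Object {
    Write-Warning "$($_.Source) in '$($_.Subscription)': $($_.Status) (LastError=$($_.LastError))"
}

# The collector service itself, and proof that events have arrived
Get-Service -Name Wecsvc | Select-Object Name, Status, StartType
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, ProviderName, Id | Format-Table -AutoSize
```

An endpoint that does not appear in the table at all has not yet polled the Subscription Manager address; running Restart-Service WinRM on that endpoint makes it re-request its subscriptions immediately instead of waiting for the Refresh interval, as the note above describes.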

Additionally, since you want to collect all endpoint logs, it is useful to deploy Sysmon to all of your endpoints as well; you may follow this guide on how to accomplish this.

Next steps are to setup Elasticsearch and ship these WEF logs there and visualize them in Kibana.

Let me know if you have any questions.


7 thoughts on “Setting up Windows Event Forwarder Server (WEF) (Domain) – GPO Deployment Part 3/3

  1. Where did you learn to manage Windows like WEF, log management? self learning or some training. Just wondering the best resource, books if you can recommend.

    1. I’ve worked with SIEM solutions before, and log aggregators like SPLUNK. They all have their own “agents” they use. I’d figure Windows must have a way to collect all logs on Domain-endpoints so I just did my research and found WEF. The rest is trial-and-error.

  2. Do you have a dedicated server to collect forwarded event logs?

    I am curious how to make it work with elasticsearch and kibana. Will you be writing a follow up in the near future?

  3. Hi Pablo Delgado,

    Thanks for the explanation,

    Previously I have worked with the following guide in order to collect Windows event logs to a collector server; now I would like to bring Sysmon logs too. I have installed Sysmon on the clients and on the collector server and created a subscription. Sysmon logs are properly created on the client machines, but unfortunately they do not arrive at the collector server under Forwarded Events. Did you encounter that before?

    https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
