To have your Microsoft Windows server collect logs from other computers, you need to configure event forwarding on each source computer and configure event collection and a subscription on the Windows machine designated as the collector. This page describes the configuration steps required to set up event processing for all of your machines.
Event Collection and Forwarding
To configure domain computers to collect and forward events
- Log on to all collector and source computers.
  Note: It is a best practice to use a domain account with administrative privileges.
- On the collector computer, launch the Administration console and enter the following command:
  wecutil qc
- On each source computer (every computer whose logs you want to collect), enter the following at an elevated command prompt:
  winrm quickconfig
- Add the collector computer account to the Event Log Readers group, and complete these steps:
  - Edit the group membership through Local Users and Groups.
  - Add the local computer NETWORK SERVICE account to the Event Log Readers group.
  - Change the search location for the NETWORK SERVICE account from the domain to the local computer.
    This allows the forwarding service to read the Security log channel.
- Reboot the machine.
  Note: If you don't want to reboot, you can grant the NETWORK SERVICE account read access to the Security log without rebooting by entering wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;s-1-5-20) from an Administration console.
Subscription Configuration
Set up the event subscription on the collector computer to receive forwarded events.
To add the subscription
- Log in as administrator on the collector computer.
- Go to Administrative Tools and run Event Viewer.
- In the console tree, click Subscriptions.
- From the Actions menu, click Create Subscription.
- In the Subscription Name field, enter the name of the subscription.
- (Optional.) In the Description field, enter a description of the subscription.
- In the Destination Log list, select the log in which you want to store collected events.
  By default, collected events are stored in the ForwardedEvents log.
- Click Add and select the computers from which to collect events.
- To test connectivity to the source computer, click Test.
- Click Select Events.
- In the Query Filter dialog box, use the controls to specify the criteria that events must meet to be collected.
  To take full advantage of USM Anywhere detection capabilities, LevelBlue recommends the following minimum list of channels:
  - Windows Logs → Application
  - Windows Logs → Security
  - Windows Logs → System
  - Application and Services Logs → Microsoft → Windows → AppLocker
  - Application and Services Logs → Microsoft → Windows → PowerShell
  - Application and Services Logs → Microsoft → Windows → Sysmon
  - Application and Services Logs → Microsoft → Windows → Windows Defender
  - Application and Services Logs → Microsoft → Windows → Windows Firewall with Advanced Security
  - Application and Services Logs → Windows PowerShell
  USM Anywhere supports a full list of channels, which allows it to detect a wide array of specific types of attacks on the Windows platform.
- Under Advanced, select Minimize Latency.
- In the Subscription Properties dialog box, click OK.
  This adds the subscription to the Subscriptions pane and, if the operation was successful, the status of the subscription becomes Active.
- Right-click the new subscription and select Runtime Status to verify its status.
  If you have trouble connecting to the source computer, check that the Windows Firewall on the source computer allows inbound connections on TCP port 5985 (WinRM over HTTP) from the collector.
- Launch the Administration console and enter the following command to change the content format:
  wecutil ss <subscription-name> /cf:Events
  Important: By default, Windows subscriptions use rendered text to format all the events, which the USM Anywhere NXLog BlueApps cannot process. Your forwarded events will not be parsed correctly until this change is made.
- To test forwarding, create a test event with eventcreate on the source computer:
  eventcreate /t error /id 100 /l application /d "Custom event in application log"
  You can also enable Security Group auditing and Registry auditing on certain sensitive registry keys, such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell.
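The following script, added here as an example and not part of the LevelBlue documentation, checks the subscription steps above from the collector: it confirms the content format is Events, prints the runtime status, tests that TCP 5985 on the source is reachable, and looks in ForwardedEvents for the eventcreate test event (ID 100). The subscription name and source host name are placeholders you replace with your own.

```powershell
# Added example (not from the LevelBlue page): verify a WEF subscription end to end.
# Run as administrator on the collector. $Subscription and $Source are hypothetical values.
param(
    [string]$Subscription = 'USM-Anywhere',   # placeholder subscription name
    [string]$Source       = 'SRC01'           # placeholder source computer name
)

# 1. The subscription must exist and use ContentFormat=Events, or NXLog cannot parse the events.
$config = & wecutil gs $Subscription /f:xml
if ($LASTEXITCODE -ne 0) { throw "Subscription '$Subscription' not found (wecutil es lists them)" }
$xml    = [xml]($config -join "`n")
$format = $xml.Subscription.ContentFormat
if ($format -ne 'Events') {
    Write-Warning "ContentFormat is '$format'; switching it with: wecutil ss $Subscription /cf:Events"
    & wecutil ss $Subscription /cf:Events
}

# 2. Runtime status: each source should report Active; errors here usually mean
#    WinRM is not configured on the source or the collector is not in Event Log Readers.
& wecutil gr $Subscription

# 3. Is the source's WinRM listener reachable? (Firewall rule for TCP 5985 on the source.)
$net = Test-NetConnection -ComputerName $Source -Port 5985 -WarningAction SilentlyContinue
if (-not $net.TcpTestSucceeded) {
    Write-Warning "TCP 5985 to $Source is blocked or WinRM is not listening there"
}

# 4. Look for the test event created on the source with eventcreate (/id 100, Application log).
$since = (Get-Date).AddMinutes(-30)
$hits  = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 100; StartTime = $since } `
             -ErrorAction SilentlyContinue |
         Where-Object { $_.MachineName -like "$Source*" }
if ($hits) {
    "Forwarding works: $($hits.Count) test event(s) from $Source found in ForwardedEvents"
} else {
    Write-Warning "No test event from $Source yet; check the runtime status above and the Event Log Readers membership on the source"
}
```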
Export the Subscriptions
If you are replacing a machine in your network, but you want to run both together for some time without having to reset Event Log Subscriptions manually on the new computer, you can export and re-import all the Event Log Subscriptions settings.
To export subscription configurations
- From the command line, list the subscriptions:
  wecutil es
- Export a subscription:
  wecutil gs "<subscriptionname>" /f:xml >>"C:\Temp\<subscriptionname>.xml"
- Import the subscription on the new computer:
  wecutil cs "<subscriptionname>.xml"
  Note: Importing a subscription with a custom QueryList doesn't work.
- (Optional.) To use a custom query list, create a subscription as previously described or import a subscription that uses standard settings, then:
  - Open the subscription and click Select Events.
  - Click the XML tab, select Edit query manually, and paste in your custom QueryList.
  - Click OK, then OK again.
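As an added example (not from the LevelBlue documentation), this script builds the QueryList to paste into the XML tab for the minimum channel set recommended above, mapping the Event Viewer tree paths to the channel names the query needs, and warns about any channel that is missing or disabled on the host where it runs. The Sysmon channel only exists once Sysmon is installed, and the AppLocker folder is several sub-channels, of which two are listed here; the output file path is an assumption.

```powershell
# Added example (not from the LevelBlue page): QueryList for the recommended channels.
# Left: channel name used in the XML. Right: where it sits in the Event Viewer tree.
$channels = @(
    'Application',                                       # Windows Logs > Application
    'Security',                                          # Windows Logs > Security
    'System',                                            # Windows Logs > System
    'Microsoft-Windows-AppLocker/EXE and DLL',           # ... > Microsoft > Windows > AppLocker
    'Microsoft-Windows-AppLocker/MSI and Script',        # ... > Microsoft > Windows > AppLocker
    'Microsoft-Windows-PowerShell/Operational',          # ... > Microsoft > Windows > PowerShell
    'Microsoft-Windows-Sysmon/Operational',              # ... > Microsoft > Windows > Sysmon
    'Microsoft-Windows-Windows Defender/Operational',    # ... > Microsoft > Windows > Windows Defender
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall', # ... > Windows Firewall with Advanced Security
    'Windows PowerShell'                                 # Application and Services Logs > Windows PowerShell
)

# One <Select> per channel; "*" collects every event from that channel.
$selects = $channels | ForEach-Object { "    <Select Path=`"$_`">*</Select>" }
$queryList = @"
<QueryList>
  <Query Id="0" Path="Application">
$($selects -join "`n")
  </Query>
</QueryList>
"@

# Sanity checks before pasting the query into the subscription's XML tab.
[void]([xml]$queryList)   # throws if the generated XML is malformed
foreach ($c in $channels) {
    $log = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
    if (-not $log)               { Write-Warning "Channel missing on this host: $c" }
    elseif (-not $log.IsEnabled) { Write-Warning "Channel exists but is disabled: $c" }
}

# Keep a copy for the subscription export folder (path is an assumption) and show the query.
$queryList | Set-Content -Path "$env:TEMP\usm-querylist.xml" -Encoding UTF8
$queryList
```

Run it on a source computer rather than the collector, so the missing/disabled warnings reflect the machine whose events you actually want.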
Troubleshooting Subscription Configuration Exports
See https://www.itprotoday.com/strategy/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and for basic troubleshooting help.
See https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection#how-frequently-are-wef-events-delivered for a more advanced configuration.