Windows Enable Log Collector
Author: Michael.mast
Latest revision as of 10:32, 26 June 2019
==Creating the collector==
===Create subscriptions===
I chose a low-volume Windows Server 2016 instance in AWS as the collector. In Event Viewer, go to:[1]
- Subscriptions
- Create Subscription
- Here I used source-initiated and selected domain\Domain Computers as the computer group.
===Server 2016===
For Server 2016 I ran into an issue with the built-in HTTP URL ACLs. The following[2] commands in an elevated prompt fixed this issue. Please note I did not dig deep into what this is doing, as I am running on little sleep as of this writing.
<pre>
netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
</pre>
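The collector-side steps above (creating the source-initiated subscription and the Server 2016 URL ACL fix) as one PowerShell sequence. This is an added example, not code from the original page. The two SIDs in the netsh line are the service SIDs of NT SERVICE\WinRM and NT SERVICE\Wecsvc: the http://+:5985/wsman/ reservation ships granting only the WinRM service, and the collector service needs it as well, otherwise every subscription reports zero active forwarders. The subscription name DomainComputers, the choice of the Security and System logs, and the batching values are assumptions; run it in an elevated PowerShell prompt on the collector.

```powershell
# Added example (not from the original page). Run elevated on the collector.
# Assumptions: subscription name, the logs selected, batching/heartbeat values.

# 1. Enable the Windows Event Collector service and the ForwardedEvents log.
wecutil qc /q

# 2. Source-initiated subscription restricted to Domain Computers.
#    "DC" in the SDDL is the well-known alias for the Domain Computers group,
#    the same thing Event Viewer writes when you pick domain\Domain Computers.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DomainComputers</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security and System logs from every domain computer</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>1</MaxItems><MaxLatencyTime>1000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security"><Select Path="Security">*</Select></Query>
      <Query Id="1" Path="System"><Select Path="System">*</Select></Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'DomainComputers.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath

# 3. Server 2016 fix. Resolve both SIDs to names first so it is visible who the
#    new reservation grants: the WinRM service and the collector service (Wecsvc).
$winrmSid  = 'S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970'
$wecsvcSid = 'S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517'
foreach ($sid in $winrmSid, $wecsvcSid) {
    $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount])
    "$sid -> $($account.Value)"
}
# Only rewrite the reservation if the collector service is missing from it.
$reservation = (netsh http show urlacl 'url=http://+:5985/wsman/') -join "`n"
if ($reservation -notmatch $wecsvcSid) {
    netsh http delete urlacl 'url=http://+:5985/wsman/'
    netsh http add urlacl 'url=http://+:5985/wsman/' "sddl=D:(A;;GX;;;$winrmSid)(A;;GX;;;$wecsvcSid)"
    Restart-Service -Name WinRM -Force
    Restart-Service -Name Wecsvc
}

# 4. Check: runtime status lists every source computer with its state and last heartbeat.
wecutil gr DomainComputers
```

`wecutil gr` is the check to keep running while clients pick up the policy: a subscription that still lists no source computers after the clients' refresh interval means either the policy has not reached them or the URL ACL on the collector is still wrong.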
==Configure Clients==
Though it is a good idea to use the collector-initiated option for resilience, I decided to use source-initiated for "reasons". Next, create a policy that will get applied to all computers in the domain.[3]
- Under "Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding", enable "Configure target Subscription Manager" and add the server:
<pre>
server=yourserver.domain.tld
</pre>
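The client side as an added PowerShell example (not from the original page): the same configuration the GPO pushes, applied by hand on one machine so each piece can be checked before the policy goes domain-wide. The collector name yourserver.domain.tld is the placeholder from the page; the Refresh interval and the Security-log permission step are assumptions about what the subscription collects.

```powershell
# Added example (not from the original page). Run elevated on a client.
# Assumptions: collector name, Refresh=60, that the subscription includes the Security log.
$collector = 'yourserver.domain.tld'

# 1. The registry value behind "Configure target Subscription Manager". The GPO writes
#    the same value; the forwarder re-reads it every Refresh seconds.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name '1' -PropertyType String -Force `
    -Value "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null

# 2. The forwarder runs inside the WinRM service, which is not running by default on
#    client SKUs. No inbound listener is needed: source-initiated means the client connects out.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# 3. WinRM runs as NETWORK SERVICE, which cannot read the Security log until it is a
#    member of Event Log Readers; without this System arrives but Security never does.
if (-not ((net localgroup 'Event Log Readers') -match 'NETWORK SERVICE')) {
    net localgroup 'Event Log Readers' 'NT AUTHORITY\NETWORK SERVICE' /add
}
Restart-Service -Name WinRM -Force   # the new group membership is only in the next service token

# 4. Checks: the collector port must be reachable, and the forwarder's own operational
#    log records whether it fetched the subscription and what it did with it.
Test-NetConnection -ComputerName $collector -Port 5985 | Select-Object ComputerName, TcpTestSucceeded
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
```

When the value comes from the GPO rather than the registry edit above, `gpupdate /force` on the client replaces step 1; steps 2 to 4 are the same, and Microsoft-Windows-Forwarding/Operational is where a client that is silent on the collector explains itself.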
==Moving Event Log Location==
When moving the log file location, make sure the proper permissions are applied. In my case I wanted the forwarded events moved to a mounted drive with more space. After this was done, I ran into an issue where the logs would not rotate. I was using a domain controller, which prevented me from finding the eventlog security group that is used on the traditional directory. Xcopy was able to replicate the permissions.[4]
<pre>
xcopy C:\Windows\System32\winevt\Logs E:\Winevt\Logs /O /T
</pre>
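The relocation as an added PowerShell example (not from the original page): create the new folder, give it the same ACEs as the default Logs folder, verify that the Event Log service's own principal (NT SERVICE\EventLog, the entry the object picker will not find on a domain controller because it searches the domain rather than local service SIDs) is among them, and only then repoint ForwardedEvents with a size cap and archiving. The E:\ path and the 4 GB limit are assumptions; run it elevated on the collector.

```powershell
# Added example (not from the original page). Run elevated on the collector.
# Assumptions: destination path and the 4 GB maximum size.
$src = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$dst = 'E:\Winevt\Logs'
New-Item -ItemType Directory -Path $dst -Force | Out-Null

# Copy every ACE from the default folder onto the new one and stop it inheriting from E:\
# (the same result as xcopy /O /T, but without creating anything else). The owner of the
# new folder is left as-is; only the access rules are copied.
$srcAcl = Get-Acl -Path $src
$dstAcl = Get-Acl -Path $dst
$dstAcl.SetAccessRuleProtection($true, $false)
foreach ($rule in $srcAcl.Access) { $dstAcl.AddAccessRule($rule) }
Set-Acl -Path $dst -AclObject $dstAcl

# Refuse to repoint the channel if the Event Log service could not write there: that is
# the state in which the file fills up and is never archived or overwritten.
$serviceAce = (Get-Acl -Path $dst).Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT SERVICE\EventLog' }
if (-not $serviceAce) { throw "NT SERVICE\EventLog has no ACE on $dst; fix permissions first" }

# Move the channel, cap it at 4 GB and archive the full file instead of overwriting it.
wevtutil sl ForwardedEvents "/lfn:$dst\ForwardedEvents.evtx" /ms:4294967296 /rt:true /ab:true

# Confirm what the service now has; LogMode should read AutoBackup.
Get-WinEvent -ListLog ForwardedEvents | Format-List LogFilePath, MaximumSizeInBytes, LogMode, IsEnabled
```

Archived files are written by the service next to the live .evtx, so the folder ACE matters for rotation and not just for the initial file; the pre-flight check above fails loudly instead of leaving a log that silently stops at its maximum size.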
[1] https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2
[2] https://support.logbinder.com/SuperchargerKB/50145/All-subscriptions-have-0-active-forwarders-System-Event-IDs-10128-10129
[3] https://www.itprotoday.com/compute-engines/configure-windows-event-collectors-gpo-setting
[4] https://arstechnica.com/civis/viewtopic.php?p=24521897