Difference between revisions of "Windows Enable Log Collector"

From Michael's Information Zone
Jump to navigation Jump to search
(Created page with "==Creating the collector== I chose a low volume Windows Server 2016 instance in AWS as the collector. Under event Viewer go to<ref>https://www.petri.com/configure-event-log-fo...")
 
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
 
==Creating the collector==
 
==Creating the collector==
 +
===Create subscriptions===
 
I chose a low volume Windows Server 2016 instance in AWS as the collector. Under event Viewer go to<ref>https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2</ref>
 
I chose a low volume Windows Server 2016 instance in AWS as the collector. Under event Viewer go to<ref>https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2</ref>
 
* Subscriptions
 
* Subscriptions
 
* Create Subscription
 
* Create Subscription
 
* Here I used source initiated and selected domain\Domain Computers as the computer group
 
* Here I used source initiated and selected domain\Domain Computers as the computer group
 +
===Server 2016===
 +
For server 2016 I ran into an issue with builin httpacls. The following<ref>https://support.logbinder.com/SuperchargerKB/50145/All-subscriptions-have-0-active-forwarders-System-Event-IDs-10128-10129</ref> commands in an elevated prompt fixed this issue. Please note I did not dig deep into what this is doing as I am running on little sleep as of this writing.
 +
<pre>
 +
netsh http delete urlacl url=http://+:5985/wsman/
  
 +
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
 +
</pre>
 +
==Configure Clients==
 
Though it is a good idea to use the collector initiated option for resiliance, I decided to use source initiated for "reasons". Next create a policy that will get applied to all computers in the domain.<ref>https://www.itprotoday.com/compute-engines/configure-windows-event-collectors-gpo-setting</ref>
 
Though it is a good idea to use the collector initiated option for resiliance, I decided to use source initiated for "reasons". Next create a policy that will get applied to all computers in the domain.<ref>https://www.itprotoday.com/compute-engines/configure-windows-event-collectors-gpo-setting</ref>
 
* Under "Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding" add the server
 
* Under "Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding" add the server
Line 10: Line 18:
 
server=yourserver.domain.tld
 
server=yourserver.domain.tld
 
</pre>
 
</pre>
 +
==Moving Event Log Location==
 +
When moving the log file location, make sure to have proper permissions applied. In my case I wanted the forwarded events to be moved to a mounted drive with more space. As this was done I ran into an issue where the logs would not rotate. I was using a domain controller which prevented me from finding the eventlog security group, which was used for the traditional directory. Xcopy was able to replicate the permissions.<ref>https://arstechnica.com/civis/viewtopic.php?p=24521897</reF>
 +
xcopy C:\Windows\System32\winevt\Logs E:\Winevt\Logs /O /T

Latest revision as of 10:32, 26 June 2019

Creating the collector

Create subscriptions

I chose a low volume Windows Server 2016 instance in AWS as the collector. Under event Viewer go to[1]

  • Subscriptions
  • Create Subscription
  • Here I used source initiated and selected domain\Domain Computers as the computer group

Server 2016

For server 2016 I ran into an issue with builin httpacls. The following[2] commands in an elevated prompt fixed this issue. Please note I did not dig deep into what this is doing as I am running on little sleep as of this writing.

netsh http delete urlacl url=http://+:5985/wsman/

netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

Configure Clients

Though it is a good idea to use the collector initiated option for resiliance, I decided to use source initiated for "reasons". Next create a policy that will get applied to all computers in the domain.[3]

  • Under "Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding" add the server
server=yourserver.domain.tld

Moving Event Log Location

When moving the log file location, make sure to have proper permissions applied. In my case I wanted the forwarded events to be moved to a mounted drive with more space. As this was done I ran into an issue where the logs would not rotate. I was using a domain controller which prevented me from finding the eventlog security group, which was used for the traditional directory. Xcopy was able to replicate the permissions.[4]

xcopy C:\Windows\System32\winevt\Logs E:\Winevt\Logs /O /T