Difference between revisions of "Windows Enable Log Collector"

From Michael's Information Zone
Latest revision as of 10:32, 26 June 2019

Creating the collector

Create subscriptions

I chose a low-volume Windows Server 2016 instance in AWS as the collector. Under Event Viewer go to:[1]

  • Subscriptions
  • Create Subscription
  • Here I used source-initiated and selected domain\Domain Computers as the computer group

Server 2016

For Server 2016 I ran into an issue with the built-in HTTP URL ACLs (urlacl). The following commands[2] in an elevated prompt fixed this issue. Please note I did not dig deep into what this is doing, as I am running on little sleep as of this writing.

netsh http delete urlacl url=http://+:5985/wsman/

netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

Configure Clients

Though it is a good idea to use the collector-initiated option for resilience, I decided to use source-initiated for "reasons". Next create a policy that will get applied to all computers in the domain.[3]

  • Under "Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding" add the server:
server=yourserver.domain.tld

Moving Event Log Location

When moving the log file location, make sure to have proper permissions applied. In my case I wanted the forwarded events to be moved to a mounted drive with more space. After doing so I ran into an issue where the logs would not rotate. I was using a domain controller, which prevented me from finding the eventlog security group that was used for the traditional directory. Xcopy was able to replicate the permissions.[4] (https://arstechnica.com/civis/viewtopic.php?p=24521897)

xcopy C:\Windows\System32\winevt\Logs E:\Winevt\Logs /O /T
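A PowerShell check for the rotation problem described above, added here and not part of the original page: it compares the access rules on the default winevt\Logs folder with those on the relocated folder, replicates them with xcopy if any are missing, and then repoints the channel at the new folder. The E: drive letter and the ForwardedEvents channel name are assumptions taken from the page's scenario.

```powershell
# Added example (not from the original page). Run from an elevated prompt on the collector.
# A log that will not rotate after being moved is usually missing the access rules the
# Event Log service had on the default folder (typically the NT SERVICE\EventLog entry).
$Source      = 'C:\Windows\System32\winevt\Logs'
$Destination = 'E:\Winevt\Logs'   # assumed mounted drive, as in the page

function Get-AceKeys {
    param([string]$Path)
    # One comparable string per ACE: identity, rights, allow/deny, inheritance, propagation.
    (Get-Acl -Path $Path).Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.FileSystemRights,
            $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags
    }
}

if (-not (Test-Path -Path $Destination)) {
    # Folder does not exist yet: create it with the default folder's ownership and ACL
    # but without copying any log data (/O = ACLs and owner, /T = directory tree only).
    & xcopy.exe $Source $Destination /O /T
}

$missing = Get-AceKeys $Source | Where-Object { $_ -notin (Get-AceKeys $Destination) }

if ($missing) {
    Write-Warning "ACEs present on $Source but missing on ${Destination}:"
    $missing | ForEach-Object { Write-Warning "  $_" }
    # Re-apply ownership and ACLs from the default location, as the page does with xcopy.
    & xcopy.exe $Source $Destination /O /T
} else {
    Write-Output 'Permissions on the new log folder match the default location.'
}

# Point the Forwarded Events channel at the new folder. The channel is disabled while the
# log file name changes and re-enabled afterwards; the service recreates the .evtx there.
& wevtutil.exe sl ForwardedEvents /e:false
& wevtutil.exe sl ForwardedEvents "/lfn:$Destination\ForwardedEvents.evtx"
& wevtutil.exe sl ForwardedEvents /e:true

# Show the effective settings so the new path and enabled state can be confirmed.
& wevtutil.exe gl ForwardedEvents | Select-String -Pattern 'logFileName|enabled'
```

After the next rotation, confirm that a new ForwardedEvents.evtx appears under the relocated folder and that no Event Log service errors about the channel are logged.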