Windows Enable Log Collector
Creating the collector
Create subscriptions
I chose a low volume Windows Server 2016 instance in AWS as the collector. Under Event Viewer go to[1]
- Subscriptions
- Create Subscription
- Here I used source initiated and selected domain\Domain Computers as the computer group
Server 2016
For Server 2016 I ran into an issue with the built-in HTTP URL ACLs. The following[2] commands in an elevated prompt fixed this issue. Please note I did not dig deep into what this is doing as I am running on little sleep as of this writing.
netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
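To see what the reservation above actually grants, the following added PowerShell script (not part of the original post) reads the URL ACL back with netsh, pulls each ACE out of the SDDL string, and resolves the trustee SIDs to account names. The two S-1-5-80 SIDs are per-service SIDs, and on a collector they should resolve to NT SERVICE\WinRM and NT SERVICE\Wecsvc (the Windows Event Collector service), i.e. the rule lets both services listen on the WS-Management URL. It assumes PowerShell 5.1 or later and an elevated prompt on the collector.

```powershell
# Added example (not from the original post): inspect the http://+:5985/wsman/ URL
# reservation on the collector and resolve the SIDs in its SDDL.
# Assumes Windows PowerShell 5.1+ running elevated on the collector.

$Url = 'http://+:5985/wsman/'

# 1. Read the reservation back; netsh prints a "SDDL:" line for each reserved URL.
$reservation = netsh http show urlacl url=$Url
$reservation

$sddl = $null
foreach ($line in $reservation) {
    if ($line -match 'SDDL:\s*(\S+)') { $sddl = $Matches[1] }
}
if (-not $sddl) { throw "No URL reservation found for $Url" }

# 2. Each ACE is (Type;Flags;Rights;ObjGuid;InhGuid;SID).
#    A  = access allowed
#    GX = generic execute, which for HTTP.sys URL ACLs means "may listen on this URL"
$acePattern = '\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)'
foreach ($ace in [regex]::Matches($sddl, $acePattern)) {
    $type   = $ace.Groups[1].Value
    $rights = $ace.Groups[2].Value
    $sid    = $ace.Groups[3].Value
    try {
        # Service SIDs (S-1-5-80-...) resolve to NT SERVICE\<name> via LSA on the local box.
        $principal = ([System.Security.Principal.SecurityIdentifier]$sid).
                        Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $principal = '<unresolved>'
    }
    [pscustomobject]@{
        Type      = $type
        Rights    = $rights
        Sid       = $sid
        Principal = $principal
    }
}
```

If either SID fails to resolve, or the Principal column shows something other than the WinRM and Wecsvc service accounts, the reservation was probably created with a different SDDL and the netsh delete/add pair above is worth re-running.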
Configure Clients
Though it is a good idea to use the collector initiated option for resilience, I decided to use source initiated for "reasons". Next create a policy that will get applied to all computers in the domain.[3]
- Under "Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding" add the server
server=yourserver.domain.tld
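Once the policy has applied, the following added PowerShell script (not from the original post) checks a client for the pieces a source-initiated subscription depends on: the Subscription Manager policy value in the registry, a running WinRM service, reachability of the collector's WS-Management port, and membership of the local Event Log Readers group (the WinRM service runs as NETWORK SERVICE and needs read access to the Security log to forward it). The collector name wec01.domain.tld and port 5985 are placeholders.

```powershell
# Added example (not from the original post): verify a domain client is set up to
# forward events to the collector. Assumes Windows PowerShell 5.1+ on Windows 10 /
# Server 2016 or later, run elevated. wec01.domain.tld and 5985 are placeholders.

$Collector = 'wec01.domain.tld'   # placeholder: your collector's FQDN
$Port      = 5985                 # default WinRM HTTP port

# 1. The "Configure target Subscription Manager" policy is stored here; each value
#    (named 1, 2, ...) is one Server=... string pointing at a collector.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $PolicyKey) {
    $entries = (Get-ItemProperty $PolicyKey).PSObject.Properties |
               Where-Object { $_.Name -match '^\d+$' } |
               ForEach-Object { $_.Value }
    foreach ($entry in $entries) {
        # Expected shape: Server=http://host:5985/wsman/SubscriptionManager/WEC,Refresh=60
        $wellFormed = $entry -match '^Server=https?://[^/]+:\d+/wsman/SubscriptionManager/WEC(,Refresh=\d+)?$'
        '{0,-4} {1}' -f ($(if ($wellFormed) { 'OK' } else { 'BAD' }), $entry)
    }
} else {
    Write-Warning "SubscriptionManager policy not present yet (try gpupdate /force)"
}

# 2. The client pushes events through its own WinRM service, so it must be running.
$winrm = Get-Service -Name WinRM
"WinRM service: $($winrm.Status), startup type $($winrm.StartType)"

# 3. The collector's WS-Management endpoint must be reachable from the client.
$reachable = Test-NetConnection -ComputerName $Collector -Port $Port -InformationLevel Quiet
"TCP $Collector`:$Port reachable: $reachable"

# 4. Forwarding the Security log needs NETWORK SERVICE to be able to read it;
#    the usual way is membership in the local Event Log Readers group.
$readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
if ($readers.Name -contains 'NT AUTHORITY\NETWORK SERVICE') {
    'NETWORK SERVICE is in Event Log Readers'
} else {
    Write-Warning 'NETWORK SERVICE is not in Event Log Readers; Security log forwarding will fail'
}
```

After the checks pass, the collector side shows the client under the subscription's runtime status (wecutil gr <subscription name>), and an Event Forwarding Plugin log on the client (Applications and Services Logs, Microsoft-Windows-Forwarding) records any failures to reach the subscription manager.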