Eric Partington

Logs - Collecting Windows Events with WEC

Blog Post created by Eric Partington Employee on Jan 30, 2017

A customer had asked me if it was possible to collect logs centrally using WEC (Windows Event Collection) to reduce the amount of WinRM or Windows Legacy Collectors that were needed.  I hadn't heard of WEC so it took me a while to understand it and test it out in a lab.


This post describes what I did to make it work in my lab, how it behaves, and what limitations it might introduce if it is the collection method of choice for some or all Windows events in your environment.


In short:

Pro: it looks like a simple way to collect logs from assets whose addresses change regularly (DHCP clients, or cloud environments where assets are spun up and torn down frequently), or from a specific set of compliance assets (PCI/SOX).

Con: the logs carry the collector's address as device.ip rather than the true source, so any alerts keyed on device.ip will not work as expected. The alias.host and event.computer fields do reflect the true client system, so you can use those instead.


** I can't vouch for the security of what I did to make this work; I'm an SE, not a Windows security expert, so if you have found a more secure way to accomplish this please comment and I'll test it out and update the post with details **


WEC can be set up in either collector-initiated or source-initiated mode. Collector-initiated was chosen for this test.

  • The collector machine in this test was a Server 2012 R2 domain controller
  • Clients were a mix of Windows 7, Windows 8, Windows 10 and Server 2008 R2

Collector

Computer Management (as admin) > System Tools > Event Viewer > Subscriptions > Create Subscription


Create subscription name

Destination Log: Forwarded Events

Collector Initiated

Select Computers > pick the computers from the domain to add to the list, or the computer group in which they reside

Events to collect:

Select the event logs to collect (Application, System, Security, PowerShell)


Change User account

There was some difficulty in getting a service account to access the Security logs, so I ended up using the machine account and leaving the event delivery optimization as Normal


Now your collection is ready
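The same collector-initiated subscription can be created from the command line with wecutil instead of the Event Viewer wizard, which is handy when you want it scripted or repeatable. This is an added example, not code from the original post: the subscription name "LabClients", the client FQDNs and the domain are placeholders, and it assumes that CredentialsType "Default" gives the same machine-account behaviour the post settled on (run it from an elevated PowerShell prompt on the collector).

```powershell
# Added example (not from the original post): create the collector-initiated
# subscription described above with wecutil instead of the Event Viewer wizard.
# Assumptions: subscription name, client FQDNs and domain are placeholders;
# CredentialsType "Default" is assumed to use the collector's machine account.

$subscriptionName = 'LabClients'
$clients = @('win7-client.lab.local', 'win10-client.lab.local', 'srv2k8r2.lab.local')

# One <EventSource> element per client; the collector polls each of them.
$sources = ($clients | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`n"

# Application, System, Security and PowerShell operational logs, as chosen in the post.
# The query is the same XPath form Event Viewer builds under "Events to collect".
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Lab clients pulled by the collector</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Application">*</Select>
        <Select Path="System">*</Select>
        <Select Path="Security">*</Select>
        <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@

# Write the subscription definition to a temp file and register it.
$path = Join-Path $env:TEMP "$subscriptionName.xml"
$xml | Set-Content -Path $path -Encoding UTF8

# Make sure the Windows Event Collector service is configured and running,
# then create the subscription from the XML file.
wecutil qc /q:true
wecutil cs $path

# Confirm it exists and review the settings that were applied.
wecutil es
wecutil gs $subscriptionName
```

The ContentFormat of RenderedText matches what the wizard produces by default; Events (raw XML) is smaller on the wire but leaves message rendering to whatever reads ForwardedEvents later.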

Clients

Enable the WinRM service and allow network connections to it by opening cmd.exe (as admin) and running:

winrm qc

Select yes to enable the service and open the network ports


Now add the machine account and the Network Service account so they can read the Security event log

Computer Management (as admin) > Local Users and Groups > Groups > Event Log Readers

Add the Network Service account


Add the collector's machine account the same way, since that is the account that will be pulling event logs from the client


A reboot of the collector and client was suggested so that the Network Service account's access to the event logs takes effect properly

(All of this could be accomplished with a GPO and pushed out to all machines in a group or domain to make it easier)
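The client-side steps above (enable WinRM, then grant the Network Service account and the collector's machine account membership of Event Log Readers) as one script, which is also the shape you would hand to a GPO startup script. This is an added example, not from the original post; the domain "LAB" and collector name "DC01" are placeholders, so the collector's machine account is written as "LAB\DC01$". It uses net localgroup rather than Add-LocalGroupMember because the latter only exists on Windows 10 / Server 2016 and later, and the post's clients include Windows 7 and Server 2008 R2.

```powershell
# Added example (not from the original post): client-side WEC preparation.
# Run from an elevated PowerShell prompt on each client, or as a GPO startup script.
# Assumptions: "LAB" is the domain short name and "DC01" the collector host name
# (both placeholders), so the collector's machine account is LAB\DC01$.

$collectorAccount = 'LAB\DC01$'
$networkService   = 'NT AUTHORITY\NETWORK SERVICE'
$group            = 'Event Log Readers'

# Same as "winrm qc" in the post: start WinRM, create an HTTP listener and add the
# firewall exception. -q answers "yes" to the prompts the post describes.
winrm quickconfig -q

# Grant read access to the Security log by adding both accounts to Event Log Readers.
# Adding an existing member returns an error, which is harmless here, so it is silenced
# to keep the script idempotent for repeated GPO runs.
foreach ($account in @($networkService, $collectorAccount)) {
    net localgroup $group $account /add 2>&1 | Out-Null
}

# Show what the group now contains so the change can be verified at a glance.
net localgroup $group

# Show the WinRM listener the collector will connect to (HTTP, port 5985 by default).
winrm enumerate winrm/config/listener

# The post notes a reboot was suggested for the new group membership to take effect
# for the event log service; uncomment to do that as the final step.
# Restart-Computer -Force
```

After the reboot, Test-WSMan <client> run from the collector is a quick way to confirm the listener is reachable before looking at the subscription's runtime status.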


Collector - Validate

Computer Management > Event Log > Subscriptions

Select the subscription just created; on the right, click Retry and then Runtime Status to see the results of the collection


You will be able to see which clients are reachable and which are not


Now take a look at the Forwarded Events log to see which event logs you have collected, to make sure your permissions are correct


Hopefully you now have logs being collected from your clients; all that remains is to configure WinRM to pull events from this collector, or to add the ForwardedEvents channel to your existing WinRM collection.


If all works out well, you should see events like this from your clients


Notes:

  • The device.ip will be the collector computer, not the clients
  • alias.host and event.computer will be the true client information
  • Any event source monitoring for these forwarded clients may not work properly, as the source IP will be the collector's and not the clients' (which may be a good thing if you have a highly dynamic client environment that is creating issues for the HW policies)
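To validate the subscription from the collector (the Retry and Runtime Status steps above) and to see the point made in the notes, that the originating client survives in the event itself even though the collector becomes the source address, here is an added example run on the collector; it is not code from the original post. It assumes the subscription name "LabClients" and that events read from ForwardedEvents keep their original channel in the LogName property and the originating client in MachineName.

```powershell
# Added example (not from the original post): check the subscription from the
# collector and inspect what actually arrived in ForwardedEvents.
# Assumption: the subscription name "LabClients" matches the one you created.

$subscriptionName = 'LabClients'

# Command-line equivalents of "Retry" and "Runtime Status" in Event Viewer.
wecutil rs $subscriptionName   # retry-subscription
wecutil gr $subscriptionName   # runtime status: Active/Inactive and last error per source

# Read a sample of forwarded events. MachineName is the originating client (what the
# post sees as alias.host / event.computer), while LogName is assumed to keep the
# original channel (Security, System, ...) rather than "ForwardedEvents".
$events = Get-WinEvent -LogName ForwardedEvents -MaxEvents 2000 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'Nothing in ForwardedEvents yet; check the runtime status output above.'
    return
}

# Per-client, per-channel counts: a quick view of which logs each client is delivering.
$events |
    Group-Object -Property MachineName, LogName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Flag any client that is missing one of the channels the subscription asks for.
# A client that delivers System but not Security usually has the Event Log Readers
# membership wrong; one missing PowerShell/Operational may simply not have that log.
$expected = 'Application', 'System', 'Security', 'Microsoft-Windows-PowerShell/Operational'
foreach ($client in ($events | Group-Object -Property MachineName)) {
    $seen    = $client.Group | Select-Object -ExpandProperty LogName -Unique
    $missing = $expected | Where-Object { $seen -notcontains $_ }
    if ($missing) {
        '{0}: missing {1}' -f $client.Name, ($missing -join ', ')
    } else {
        '{0}: all expected channels present' -f $client.Name
    }
}
```

Because every record in this channel is read by the SIEM from the collector, the per-client breakdown here is the only place the client-to-channel mapping is easy to see; downstream, filter on alias.host or event.computer rather than device.ip, as the notes say.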


Let me know your thoughts on this and whether it is actively being used in the field (or why not).
