This repository has been archived by the owner on Nov 1, 2023. It is now read-only.

chapter1.md

Chapter 1 – Set up Windows Event Forwarding

Event Forwarding overview

Figure 1: Finished state of Chapter 1

Chapter Overview

In this chapter we will:

  • Install a new Windows server for events to be sent to (or choose an existing suitable server).
  • Add some Group Policy Objects (GPOs) to your Active Directory (AD).
  • Configure the Windows Event Collector listener service.
  • Configure clients to send logs to this box.

1.1 Introduction

This chapter will cover setting up the in-built Windows functionality for event forwarding. This effectively takes the individual events (such as a file being opened) and sends them to a central machine for processing. This is similar to the setup discussed in this Microsoft blog.

Only a selection of events will be sent from the client's ‘Event Viewer’ to a central ‘Event Collector’. The events will then be uploaded to the database and dashboard in Chapter 3. This chapter requires the clients and the event collector to be joined to the Active Directory domain; the event collector can be either a Windows server or a Windows client operating system.

1.2 Firewall rules and where to host

You will need TCP port 5985 open between the clients and the Windows Event Collector. You also need port 5044 open between the Windows Event Collector and the Linux server.

We recommend that this traffic does not go directly across the Internet, so you should host the Windows Event Collector on the local network, in a similar place to the Active Directory server.

1.3 Import Group Policy objects

Group Policy Setup

Figure 2: Setting up Group Policy

1.3.1 Domain Controller/Management Workstation Steps

  1. Apply the LME-WEC-Server GPO to the Windows Event Collector only (using OU filtering, security filtering or WMI filtering). You can use the Group Policy Management tool, normally found on your domain controller (or on a management workstation with Remote Server Administration Tools installed).

  2. Apply the LME-WEC-Client GPO to a test selection of machines. We recommend that you use a test group of machines rather than your whole estate until you have confirmed the GPO is working as intended - as seen in the Checklist.

  3. Edit the LME-WEC-Client GPO “Computer Configuration/Policies/Administrative Templates/Windows Components/Event Forwarding/Configure Target Subscription Manager” and change the FQDN to match your Windows collector box name - this option can be seen in Figure 3 below.

Group Policy Server Name

Figure 3: Editing Server Name In Group Policy

It is recommended that you now follow the steps below to restrict WinRM access to specific IP addresses.

Both the LME-WEC-Server and LME-WEC-Client GPOs include a wildcard filter allowing all IP addresses on the host and client to run a WinRM Listener and to receive inbound connections using this protocol. We strongly recommend that this is restricted to IP addresses or ranges specific to your network environment.

For example, if you hosted a LAN with the subnet 192.168.2.0/24, you could use the GPO to allow only NICs with addresses in the range 192.168.2.1-192.168.2.254 to run a WinRM listener.

See the Microsoft documentation for verification and details: https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management

The filter setting is located at "Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Service/Allow remote server management through WinRM".
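As an added example (not part of the LME project), the following PowerShell check can be run on a client after the LME-WEC-Client GPO has applied. It reads the policy registry values that the two GPO settings above write (standard policy paths, assumed here), tests TCP 5985 to the collector named in the subscription manager string, and warns if the WinRM IP filter is still the wildcard.

```powershell
# Added example, not part of the LME project. Run in an elevated PowerShell on a
# client after 'gpupdate /force'. Assumes the standard policy registry paths that
# the "Configure Target Subscription Manager" and "Allow remote server management
# through WinRM" settings write to.

$fwdKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$winrmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

# The subscription manager policy stores one value per target, named "1", "2", ...
# e.g. Server=http://wec01.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
$fwd = Get-ItemProperty -Path $fwdKey -ErrorAction SilentlyContinue
if (-not $fwd) { Write-Warning "No subscription manager policy found; has the LME-WEC-Client GPO applied?"; return }

$targets = $fwd.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
foreach ($t in $targets) {
    if ($t -match 'Server=(https?)://([^:/,]+)(?::(\d+))?') {
        $scheme    = $Matches[1]
        $collector = $Matches[2]
        $port      = if ($Matches[3]) { [int]$Matches[3] } elseif ($scheme -eq 'https') { 5986 } else { 5985 }
        # Section 1.2 requires this port open between clients and the collector.
        $reachable = Test-NetConnection -ComputerName $collector -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        "{0,-40} TCP {1}: {2}" -f $collector, $port, $(if ($reachable) { 'open' } else { 'BLOCKED (check the firewall rules in 1.2)' })
    } else {
        Write-Warning "Unparsed subscription manager entry: $t"
    }
}

# The WinRM service policy writes IPv4Filter/IPv6Filter here. A bare "*" is the
# wildcard the GPOs ship with; the text above recommends narrowing it.
$svc = Get-ItemProperty -Path $winrmKey -ErrorAction SilentlyContinue
foreach ($name in 'IPv4Filter', 'IPv6Filter') {
    $v = $svc.$name
    if ($null -eq $v)   { Write-Warning "$name not set by policy" }
    elseif ($v -eq '*') { Write-Warning "$name is the wildcard '*'; restrict it to your subnet (e.g. 192.168.2.1-192.168.2.254)" }
    else                { "$name restricted to: $v" }
}

# The client-side forwarding log records whether the subscription was retrieved from the collector.
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message'; e={ ($_.Message -split "`n")[0] }}
```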

1.3.2 Windows Collector Box Steps

  1. Copy the lme_wec_config.xml file to the Windows Event Collector server.
  2. Run a command prompt as an administrator and change to the directory containing the lme_wec_config.xml file you just copied.
  3. Run the command wecutil cs lme_wec_config.xml within the elevated command prompt.

Note: if you are using Windows Server 2016 (version 1903 or greater) or Windows Server 2019, you will probably need to apply the Microsoft fix to the Windows collector box.

You can find more details about this issue and the commands to run to fix it here.

Chapter 1 - Checklist

  1. On the Windows Event Collector, run Event Viewer either via Start->Run->eventvwr.exe or from ‘Windows Administrative Tools’ in the Start menu.
  2. Confirm machines are checking in, as per Figure 3. The 'Source Computers' field should show the number of machines currently connected.

Group Policy Setup

Figure 4: Event Log Subscriptions