Introduction
Continuing from the previous article, this part covers the next step in WEC (Windows Event Collector) configuration: how event forwarding works in the background, which services it relies on, and how to configure them properly.
We use the source-initiated subscription type described in detail in the previous article. It lets us define a subscription on the event collector computer without listing the event source computers; multiple remote source computers can then be set up (via a Group Policy setting) to forward events to the collector.
The forwarding process depends on the WinRM service as an essential component. This service was explained in the other article.
Below we describe how to configure event forwarding through the WinRM service using Group Policies.
As a result of the configuration from the previous article, we already have a subscription on the WEC computer that receives source-initiated logs.
Create a Group Policy
First of all we have to create a new Group Policy Object, for example "Forwarding", and link it to the event collector and to all end computers that will send logs to the WEC machine. After that we configure the "Forwarding" Group Policy (GPO).
Add WEC to the special user group
Windows infrastructure enforces strict restrictions on user roles. For the WEC server to work properly, it has to be added to a specific user group whose members have permission to read logs.
To do this, perform the following steps in the GPO editor:
Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups. Right-click it and choose to create a new group.
- On the end computer, open a command prompt with administrator privileges and run wevtutil gl security. The output shows the current security descriptor of the Security log. It is held in the channelAccess parameter and is written in SDDL (Security Descriptor Definition Language).
General SDDL syntax:
O:<owner SID>G:<group SID>D:<DACL flags>(<ACE>)(<ACE>)...S:<SACL flags>(<ACE>)...
Each ACE has the form (ace_type;flags;rights;;;SID); for the Security log, A (allow) with rights 0x1 grants read access.
Default value:
O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
To allow read access to the NETWORK SERVICE account (SID S-1-5-20), append the ACE (A;;0x1;;;S-1-5-20) to the end of the descriptor.
- To apply this, run the following as a single command:
wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
To deploy the same channel access setting centrally, go in the Group Policy editor to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Log Service -> Security.
Restricted Group creation
In the previous steps we created the Event Log Readers group entry and granted NETWORK SERVICE permission to read the Security log. At this stage we add NETWORK SERVICE to the Event Log Readers group so that it can read and forward all logs via WinRM.
In the policy editor go to Policies -> Windows Settings -> Security Settings -> Restricted Groups. Here we create a new Restricted Group: BUILTIN\Event Log Readers.
If the previous steps completed without problems, all service permissions and prerequisites for log forwarding are in place. At this stage we configure the WinRM service to start automatically and grant it the permissions it needs.
Create a policy that launches the WinRM service on the computers: go to Computer Configuration -> Preferences -> Control Panel Settings -> Services and create a new service entry there.
Server=http://<Full domain name of WEC machine>:5985/wsman/SubscriptionManager/WEC,Refresh=60
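The following PowerShell script is an added verification example, not part of the original article: run it in an elevated PowerShell on a forwarding endpoint after the GPO has applied, and it reports whether each prerequisite described above (Security log ACL, Event Log Readers membership, WinRM state, Subscription Manager value) is in place. The collector FQDN wec.example.local is a placeholder you must replace; the registry path under HKLM\SOFTWARE\Policies is where the Subscription Manager policy setting is stored.

```powershell
# Added check script (not from the article). Read-only: it reports, it does not change anything.
$networkServiceSid = 'S-1-5-20'                      # NETWORK SERVICE, as used in the article
$readAce           = "(A;;0x1;;;$networkServiceSid)" # the ACE the article appends
$results           = [ordered]@{}

# 1. Security channel ACL: does the channelAccess SDDL already contain the read ACE?
$sddl = (wevtutil gl security | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
$results['Security log read ACE for NETWORK SERVICE'] = ($sddl -like "*$readAce*")

# 2. Group membership: NETWORK SERVICE must be a member of BUILTIN\Event Log Readers.
$memberSids = Get-LocalGroupMember -Group 'Event Log Readers' | ForEach-Object { $_.SID.Value }
$results['NETWORK SERVICE in Event Log Readers'] = ($memberSids -contains $networkServiceSid)

# 3. WinRM service: running and configured for automatic start by the Services preference.
$winrm = Get-Service -Name WinRM
$results['WinRM service running']  = ($winrm.Status -eq 'Running')
$results['WinRM automatic start']  = ($winrm.StartType -eq 'Automatic')

# 4. Subscription Manager policy: the value format from the article, pointing at the collector.
#    Placeholder FQDN below; replace with the real WEC machine name.
$expected  = 'Server=http://wec.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$configured = @()
if (Test-Path $policyKey) {
    # Policy values are stored as numbered entries ("1", "2", ...), one per collector.
    $configured = (Get-ItemProperty -Path $policyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}
$results['Subscription Manager policy set'] = ($configured -contains $expected)

# Print one line per check so a missing step is obvious at a glance.
foreach ($entry in $results.GetEnumerator()) {
    '{0,-45} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'MISSING' })
}
```

If the first check reports MISSING, the wevtutil sl security command shown above is the fix; for the others, confirm the GPO is linked to the computer's OU and run gpupdate /force.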
Summary
In this article we explained how to configure Windows Event Forwarding through Group Policies, with a step-by-step guide to the Forwarding GPO. The main points are how to start the WinRM service for log collection and sending via GPO, how to manage service permissions so that logs can be read, and how the Windows Event Forwarding mechanism fits together.