As the continuation of the previous article, we are going to share information about the next step in WEC configuration. We will talk about event forwarding background, which services it uses and how to configure them in a proper way.
As we use source initiated type of subscription which was described in detail in the previous article. It allows us to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer.
The forwarding process is based on using winRM services as an essential part of this process. This service was explained in the other article.
So here below we are going to describe the process of configuration event forwarding through winRM service using group policies.
As a result of configuration from the previous article, we have created the subscription to receiving source initiated logs on the WEC computer.
First of all we have to create the new group policy for example ” Forwarding” and apply it to event collector and all end computers which will send logs to WEC machine. After that we have to configure “Forwarding” group policy(GPO).
However, there are strict restrictions on users’ roles in windows infrastructure. So for proper work of WEC server, there is a necessity to add it to a certain user group, the members of which have access to read logs
For this we have to perform next actions via GPO edit :
Computer Configurations -> Preferences -> Control Panel Settings -> Local Users and Groups. Click on that and choose to create a group.
- On the end computer open command prompt with administrator privileges and run wevtutil gl security. As a result we will see the current security descriptor. It is located in channelAccess parameter and is described with SDDL (Security Descriptor Definition Language).
Global syntaksis of SDDL:
Value by default:
- If we are going to allow read access to all network services we have to add next value to the end (A;;0x1;;;S-1-5-20).
- To perform this:
wevtutil sl security
In the group policy editor go to Computer Configurations -> Policies -> Administrative Templates -> Windows Component -> Event Log Service -> Security
As we have previously created new user group Event Log Readers and provided Network services with permissions to read security logs. At this stage, we are going to add NETWORK SERVICE to Event Log Readers group for the possibility to read and forward all logs via winRM.
In the policy editor tab go to Policies -> Windows Settings -> Security Settings -> Restricted Groups. Here we should create a new Restricted Group – BUILTIN\\Event Log Readers.
If there are no problems on previous steps we have a configured all permissions for services and all pre-requirements for log forwarding. At this stage, we are going to configure WinRM services to automatically start and provide all permission to it.
Create a policy to launch WinRM service on computers. Go to Computer Configurations -> Preferences -> Control Panel Settings -> Services here we should create a new service.
Server= http://<Full domain name of WEC machine>:5985/wsman/SubscriptionManager/WEC,Refresh=60
In this article, we explain how to configure windows event forwarding through Group Policies. We have provided a step-by-step guide about Forwarding Group Policy configuration. The main points are how to run WinRM services for log collection and sending via GPO, how to manage permissions for services to provide access to logs and windows event forwarding mechanism.
Get the Help You Need
Cybersecurity is our core expertise. Let’s get in touch and you will learn more about how UnderDefense can benefit your organization
Penetration Testing cost.What is the price to avoid bad surprisesBy Iryna YamborskaLet me guess: if you are here - you need a pentest. Customers ask you about pentest, or it is a compliance requirement. Or you are the one who takes care of the state of security of the...
Healthcare ecosystem: Strategies to improve CybersecurityBy Nataly DziobaHealthcare institutions, large and small, have always been a prime target for cybercrime. Lately, healthcare is transitioning from its traditional focus of disease, accidents, etc., toward the...
How to detect CobaltStrike Command & Control communicationBy Bogdan VennykCobaltStrike became part of the Cybercrime’s “toolset” almost in every Company breach. This growth is explained by the fact that CobaltStrike was leaked multiple times and became more...