Windows Event Collector orchestration
Introduction

This blog is one of many in a series that discusses log collection variants. Today we are going to talk about log collection in Windows infrastructure. If you want to monitor your infrastructure or provide SOC services, you need to collect a lot of logs from that infrastructure into a log management tool or a SIEM system. Choosing how to run this process is genuinely difficult. That is why we want to share some thoughts on this topic: the known methods of log collection in Windows infrastructure and their pros and cons. As we use Splunk as our SIEM, we will first describe the collection method provided by Splunk. It is based on Splunk universal forwarders, which are installed on every computer that has to be monitored. The main advantages of this method are:
- Simplicity of configuration: you only need to install the forwarder and point it at the deployment server. Once installed, it can be managed remotely from the Splunk deployment server.
- It is the fastest way to receive logs from your endpoints, and it provides a reliable and secure data collection process.
- It consolidates data from different types of inputs, so you do not need to worry about where the data comes from or how each source has to be processed.
- The Universal Forwarder scales very flexibly: it can handle tens of thousands of remote systems collecting terabytes of data without any problem.
The main advantages of the built-in alternative, Windows Event Forwarding (WEF) to a Windows Event Collector (WEC), are:
- All events are encrypted in transit, using Kerberos by default.
- Subscriptions can be created as XML files and kept under version control with software such as git.
- New endpoints register automatically after they join the domain.
- WEF can be configured in pull or push mode.
- Sending intervals can be changed.
The Windows Event Collector service works with subscriptions, which define which events are collected from remote machines. One subscription can be bound to several remote machines, which act as the event sources. A filter attached to the subscription determines which types of events are sent. The Event Collector service uses the WS-Management protocol both for its connection with the sources and for transferring the logs. On the endpoints, Windows Event Forwarding reads the administrative and system logs and redirects the matching events to the Windows Event Collector. Two kinds of subscriptions are published to the endpoints for this purpose:
- Baseline WEF subscription: events collected from all hosts; this includes some role-specific events that can only be produced by certain machines.
- Targeted WEF subscription: events collected from a limited set of hosts, for example because of unusual activity on them.
Subscriptions also differ in which side initiates the connection:
- Source-initiated subscriptions are defined on the WEC without assigning any event sources. The remote computers are then configured, through a Group Policy setting, to forward their events to the WEC. This is useful when you do not want to configure every computer in your infrastructure by hand.
- Collector-initiated subscriptions are used when all event-source computers are known in advance. In this case the WEC itself pulls the logs from the assigned computers.
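As an added example (not from the original post), the configuration behind a source-initiated subscription, run from an elevated PowerShell prompt: the collector side is prepared with wecutil, and on a source the registry value that the "Configure target Subscription Manager" Group Policy setting would write is set by hand, which is handy in a lab or for a one-off host that a GPO does not reach. The collector name wec01.corp.example is a placeholder, and HTTP on port 5985 is assumed.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated prompt, domain-joined hosts with Kerberos, WinRM over HTTP/5985,
# collector FQDN 'wec01.corp.example' (placeholder, replace with your own).

# ---- On the collector: configure the Windows Event Collector service and its WinRM listener.
# 'qc' sets the service to start automatically and creates the listener; /q suppresses the prompt.
wecutil qc /q

# ---- On each event source: the value the Group Policy setting
# "Configure target Subscription Manager" writes. Value name '1' is the first subscription manager;
# Refresh is how often (seconds) the source polls the collector for new or changed subscriptions.
$collector = 'wec01.corp.example'   # placeholder
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$target    = "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name '1' -Value $target -PropertyType String -Force | Out-Null

# The source must also have a WinRM listener, because the collector's WS-Management calls land here.
winrm quickconfig -q

# Forwarding runs as NETWORK SERVICE, which cannot read the Security log by default.
# Without this, the source shows as Active on the collector but never delivers Security events.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# Apply the policy now instead of waiting for the next refresh interval.
gpupdate /force | Out-Null
Restart-Service -Name WinRM

# ---- Verification on the source: the effective policy value, and the forwarding plug-in's own log,
# where subscription retrieval and delivery errors (Kerberos, listener, access denied) are recorded.
Get-ItemProperty -Path $policyKey | Select-Object -ExpandProperty '1'
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

In a domain the Policies registry key is overwritten by Group Policy at each refresh, so the manual write is only a way to see what the GPO does; the durable configuration belongs in the GPO. The Microsoft-Windows-Forwarding/Operational log on the source is the first place to check when a host registers but no events arrive.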
As a result, you will see a message about successful configuration. The next step is creating the subscription. Before that, we have to sort the list of event codes by log type, such as Security, System, Setup, Application, etc. All actions should be performed under an Administrator account. In addition, the Windows Firewall service has to be running. So, let's describe the creation process:
1. Open the Event Viewer and go to Subscriptions.
2. In the right-hand pane choose Create Subscription.
3. In the Subscription Name field, write an informative name such as Critical_Security (so that it is clear this subscription contains event codes that belong to the Security log).
4. In the Destination log field choose Forwarded Events. This determines where the logs will be written.
5. Under Subscription type and source computers choose Source computer initiated, if we want to configure the source-initiated subscription type explained above. Then go to the Select Computer Groups tab.
6. With Add Domain Computers and Add Non-Domain Computers, add the computers to which the subscription will apply. Click OK and go back.
7. Open the Select Events tab. Here we configure the filter for event codes and specify which ones we are going to monitor. Under By log choose the log source (in our case Security), and below specify the necessary event codes. The other parameters are optional and you can configure them on your own. Click OK twice.
8. Finally, we have a subscription that is applied to all the specified computers.
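The same Critical_Security subscription as an XML file registered with wecutil instead of the Event Viewer wizard; this is an added example, not code from the original post. Keeping the subscription as a file is what the earlier point about version control with git refers to. The event IDs 4624, 4625, 4672 and 4720 are sample picks rather than the post's list, and the script assumes it runs elevated on a collector that has already been prepared with wecutil qc.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated prompt on the collector after 'wecutil qc'; the event IDs are sample choices.

$subscriptionId = 'Critical_Security'
# Example Security IDs: logon, failed logon, special privileges assigned, user account created
$eventIds = 4624, 4625, 4672, 4720
$outFile  = Join-Path $PWD "$subscriptionId.xml"

# One XPath select covering all chosen IDs, so each source evaluates a single filter
$idFilter = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$query    = "<QueryList><Query Id=`"0`" Path=`"Security`"><Select Path=`"Security`">*[System[($idFilter)]]</Select></Query></QueryList>"

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Selected Security events from all domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- MinLatency: sources push events as soon as they have them (the "push" mode of the post) -->
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Destination log, the same as choosing "Forwarded Events" in the wizard -->
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL granting the Domain Computers group (DC) the right to deliver to this subscription -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

# UTF-8 without BOM keeps the file diff-friendly in git and readable by wecutil
[System.IO.File]::WriteAllText($outFile, $xml, (New-Object System.Text.UTF8Encoding $false))

# Replace an existing subscription of the same name, then create it from the file
if (wecutil es | Where-Object { $_ -eq $subscriptionId }) { wecutil ds $subscriptionId }
wecutil cs $outFile

# Show the stored definition, then the per-source runtime status (state, last heartbeat, errors)
wecutil gs $subscriptionId
wecutil gr $subscriptionId

# Confirm the events actually arrive in ForwardedEvents, counted per source host
Get-WinEvent -LogName ForwardedEvents -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in $eventIds } |
    Group-Object MachineName |
    Select-Object Name, Count
```

wecutil gr is the check to run when a host goes quiet: a source that is listed but inactive has stopped sending, while a source that never appears has not picked up the subscription at all, which points at the WinRM listener, Kerberos or the Event Log Readers membership on the source rather than at the subscription file.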