...

Log Type            | Ingestion label     | Preferred Logging Protocol - Format | Google supported Logging Protocol | Log collection method
Windows Event       | WINEVTLOG           | Syslog - JSON/XML                   | JSON + KV + XML                   | CyberHub
Windows Defender AV | WINDOWS_DEFENDER_AV | Syslog - JSON                       | JSON, XML                         | CyberHub


Windows Event Log Forwarding (WEF) Overview

WEF is a Windows service that forwards events from multiple Windows servers and collects them in one location. It has two main components: a forwarder and a receiver. A receiver is a service running on a Windows server that collects all events sent to it by event log forwarders.

The link between a forwarding server and a receiver is known as a subscription.


Before you get too far…

...

  1. This has been tested with Windows Server 2016, 2019 and 2022 Datacenter Edition.

  2. Best practices: https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/configure-eventlog-forwarding-performance

  3. All machines should be members of the Active Directory domain.

  4. Access to the Group Policy Management console (to create and link GPOs).

  5. WinRM - the WinRM service needs to be running on all client machines.

  6. Port 5985 should be open on all client machines as well as on the receiver machine.

  7. A receiver machine with the NXLog agent installed.

Windows Language Instructions

Forwarder machines can run with different base languages: each forwarder machine covered by the GPO can have its own native Windows language.

The receiver machine must be configured in English only. No Windows language other than English should be configured on the receiver.

Configuring the Event Log Receiver

The first task to perform is configuring one of your Windows Server instances as the Receiver.

...

Code Block
rem Re-create the /wsman/ URL reservations so that both the WinRM service (first SID)
rem and the Windows Event Collector service, Wecsvc (second SID), are allowed to listen
netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
netsh http delete urlacl url=https://+:5986/wsman/
netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)


Starting and Setting up the Subscription on Receiver Machine (Windows Events)

On the receiver machine, open Event Viewer and click Subscriptions. The first time you open Subscriptions, Windows asks whether you want to start the Windows Event Collector service and configure it to start automatically.

...

Congratulations! You now have a receiver configured. It is now time to set up a GPO that instructs the Windows Server instances to forward events to the receiver.

Starting and Setting up the Subscription on Receiver Machine (Windows Defender AV Events)

On the receiver machine, open Event Viewer and click Subscriptions. The first time you open Subscriptions, Windows asks whether you want to start the Windows Event Collector service and configure it to start automatically.

...

Congratulations! You now have a receiver configured. It is now time to set up a GPO that instructs the Windows Server instances to forward events to the receiver.

Setting up the Forwarder

Begin by opening a command prompt as Administrator on the forwarder machine and run the command wevtutil gl security.

...

Below is an example of the SDDL you will need for the Security event log. The channelAccess line holds the permissions set on the event log. Copy the highlighted SDDL and save it for later; you will add it to a GPO.
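As an added example (not code from the original page), this PowerShell script runs the wevtutil step described above and extracts the channelAccess SDDL. It goes one step beyond the page by appending a read ACE for NETWORK SERVICE (S-1-5-20, the account the forwarder's WinRM service runs under), which is the usual reason the SDDL is copied into the GPO; the log name, that ACE and an elevated prompt are assumptions.

```powershell
# Added example, not code from the original page. Assumes an elevated prompt on
# the forwarder and that the GPO is meant to grant NETWORK SERVICE (S-1-5-20)
# read access to the Security log so WinRM can forward it.

function Get-ChannelAccessSddl {
    param([string]$LogName = 'Security')
    # wevtutil gl prints one "channelAccess: O:BAG:SYD:(...)" line among others
    $line = @(& wevtutil.exe gl $LogName | Where-Object { $_ -match '^\s*channelAccess:' })[0]
    if (-not $line) { throw "channelAccess not found for log '$LogName'" }
    return ($line -replace '^\s*channelAccess:\s*', '').Trim()
}

function Add-NetworkServiceReadAce {
    param([Parameter(Mandatory)][string]$Sddl)
    $ace = '(A;;0x1;;;S-1-5-20)'                 # 0x1 = read on an event log channel
    if ($Sddl.Contains($ace)) { return $Sddl }   # already granted, keep SDDL unchanged
    $dacl = $Sddl.IndexOf('D:')
    if ($dacl -lt 0) { throw "SDDL has no DACL section: $Sddl" }
    # Insert before an optional SACL ("S:") so the ACE stays inside the DACL
    $sacl = $Sddl.IndexOf('S:', $dacl)
    if ($sacl -ge 0) { return $Sddl.Insert($sacl, $ace) }
    return $Sddl + $ace
}

$current = Get-ChannelAccessSddl -LogName 'Security'
$forGpo  = Add-NetworkServiceReadAce -Sddl $current
Write-Host "channelAccess now : $current"
Write-Host "value for the GPO : $forGpo"
# Paste $forGpo into Computer Configuration > Policies > Administrative Templates >
# Windows Components > Event Log Service > Security > "Configure log access".
```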

...

Configure the Group Policy Object (GPO)

The next step is to configure one or more Windows servers to begin forwarding event logs to the receiver. The easiest way to do so is by creating a GPO.

...

  1. Now navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target subscription manager.

  2. Set the value of the target subscription manager to the WinRM endpoint on the receiver. The Server value uses the format:

Code Block
Server=http://<FQDN of the receiver>:5985/wsman/SubscriptionManager/WEC,Refresh=120

...

The Refresh value at the end of the receiver endpoint is the refresh interval in seconds. It indicates how often clients check in to see whether new subscriptions are available.

...

Once the GPO is created, link it to an existing OU containing the Windows servers that should send event logs, or create a new OU and link the GPO to it. Any AD computer account you add to this OU will then set up a subscription to the receiver.

Verifying the WEF Configuration

Once WEF is set up, check whether the forwarders have actually checked in by looking at the Source Computers column on the main Subscriptions page.
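As an added example (not from the original page), these two PowerShell functions check the GPO, WinRM and receiver steps described above: Test-WefForwarder runs on a forwarder, Test-WefReceiver on the receiver. They assume port 5985 and Refresh=120 as configured above, and that $SubscriptionName is the subscription created in Event Viewer.

```powershell
# Added example, not from the original page. Test-WefForwarder runs on a
# forwarder, Test-WefReceiver on the receiver. Assumptions: port 5985 and
# Refresh=120 as configured above; $SubscriptionName is the subscription
# created in Event Viewer.

function Test-WefForwarder {
    param([Parameter(Mandatory)][string]$ReceiverFqdn, [int]$Port = 5985)
    $ok = $true
    # "Configure target subscription manager" is stored in this policy key as values "1", "2", ...
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $values = @()
    if (Test-Path $key) {
        $values = @((Get-ItemProperty $key).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    $expected = "Server=http://${ReceiverFqdn}:${Port}/wsman/SubscriptionManager/WEC,Refresh=120"
    if ($values -notcontains $expected) { Write-Warning "Policy not applied. Found: $($values -join '; ')"; $ok = $false }
    if ((Get-Service WinRM).Status -ne 'Running') { Write-Warning 'WinRM is not running'; $ok = $false }
    if (-not (Test-NetConnection $ReceiverFqdn -Port $Port -InformationLevel Quiet)) {
        Write-Warning "TCP ${Port} to ${ReceiverFqdn} is not reachable"; $ok = $false
    }
    return $ok
}

function Test-WefReceiver {
    param([Parameter(Mandatory)][string]$SubscriptionName)
    $ok = $true
    foreach ($svc in 'Wecsvc', 'WinRM') {
        if ((Get-Service $svc).Status -ne 'Running') { Write-Warning "$svc is not running"; $ok = $false }
    }
    # Both service SIDs from the netsh urlacl step must be on the /wsman/ reservation
    $acl = (& netsh.exe http show urlacl url=http://+:5985/wsman/) -join ' '
    foreach ($sid in 'S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970',
                     'S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517') {
        if (-not $acl.Contains($sid)) { Write-Warning "urlacl for /wsman/ lacks $sid"; $ok = $false }
    }
    # wecutil gr prints one block per source computer (what the Source Computers column shows)
    $status = & wecutil.exe gr $SubscriptionName
    $checkedIn = @($status | Where-Object { $_ -match 'LastHeartbeatTime' }).Count
    Write-Host ($status -join "`n")
    if ($checkedIn -eq 0) { Write-Warning 'No source computer has checked in yet'; $ok = $false }
    return $ok
}
```

Both functions return $true only when every check passes, so they can be dropped into a scheduled job that alerts when a forwarder silently stops checking in.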

...

Configure NXLog Agent on Receiver Machine (Windows Events)

NXLog is a Snare-like agent for forwarding Windows event logs. To get Snare-format logs from the NXLog agent, do the following:

  1. Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

  2. Open services.msc and stop the nxlog service.

  3. Go to the folder "C:\Program Files\nxlog\data" and delete the file "configcache.dat" if it is present.

  4. Navigate to the installation folder "C:\Program Files\nxlog\conf". Rename the attached NXLog_WinEvents.conf file to "nxlog.conf" and copy it into this folder.

  5. Replace the placeholder "CyberHub IP" with the actual CyberHub IP in the nxlog.conf file.

  6. Copy the certificate you obtained from the MxDR team to the Windows machine where the NXLog agent is installed, and set this certificate path in nxlog.conf as the "CAFile" value on line 57.

  7. Now start the nxlog service from services.msc.

  8. The NXLog agent's own log is available at "C:\Program Files\nxlog\data\nxlog.log".

  9. The log flow should now work; you can check it with tcpdump using the command "tcpdump -AA port 6514".

Attached file: NXLog_WinEvents.conf

Configure NXLog Agent on Receiver Machine (Windows Defender AV Events)

NXLog is a Snare-like agent for forwarding Windows event logs. To get Snare-format logs from the NXLog agent, do the following:

  1. Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

  2. Open services.msc and stop the nxlog service.

  3. Go to the folder "C:\Program Files\nxlog\data" and delete the file "configcache.dat" if it is present.

  4. Navigate to the installation folder "C:\Program Files\nxlog\conf". Rename the attached NXLog_WinDef.conf file to "nxlog.conf" and copy it into this folder.

  5. Replace the placeholder "CyberHub IP" with the actual CyberHub IP in the nxlog.conf file.

  6. Copy the certificate you obtained from the MxDR team to the Windows machine where the NXLog agent is installed, and set this certificate path in nxlog.conf as the "CAFile" value on line 52.

  7. Now start the nxlog service from services.msc.

  8. The NXLog agent's own log is available at "C:\Program Files\nxlog\data\nxlog.log".

  9. The log flow should now work; you can check it with tcpdump using the command "tcpdump -AA port 6514".

Attached file: NXLog_WinDef.conf
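As an added example (not the page's attached configuration), this PowerShell script automates NXLog steps 2 to 9 for both the Windows Events and the Windows Defender AV procedures above. It assumes -SourceConf is the downloaded NXLog_WinEvents.conf or NXLog_WinDef.conf, that the placeholder is the literal text "CyberHub IP", and that -CaFile is the certificate received from the MxDR team.

```powershell
# Added example, not the page's attached config. Automates NXLog steps 2-9 for
# either attached file. Assumptions: -SourceConf is the downloaded
# NXLog_WinEvents.conf or NXLog_WinDef.conf, the placeholder is the literal
# text "CyberHub IP", and -CaFile is the certificate received from MxDR.
param(
    [Parameter(Mandatory)][string]$SourceConf,
    [Parameter(Mandatory)][string]$CyberHubIp,
    [Parameter(Mandatory)][string]$CaFile
)
$nxRoot = 'C:\Program Files\nxlog'
$conf   = Join-Path $nxRoot 'conf\nxlog.conf'
$cache  = Join-Path $nxRoot 'data\configcache.dat'
$nxLog  = Join-Path $nxRoot 'data\nxlog.log'

if (-not (Test-Path $CaFile))     { throw "CA file not found: $CaFile" }
if (-not (Test-Path $SourceConf)) { throw "Source conf not found: $SourceConf" }

Stop-Service nxlog -ErrorAction SilentlyContinue          # step 2
if (Test-Path $cache) { Remove-Item $cache -Force }       # step 3

$text = Get-Content -Raw -Path $SourceConf
$text = $text.Replace('CyberHub IP', $CyberHubIp)         # step 5
# step 6: point the existing CAFile directive at the MxDR certificate
if ($text -notmatch '(?m)^\s*CAFile\s+') { throw 'No CAFile directive found in conf' }
$text = $text -replace '(?m)^(\s*CAFile\s+)[^\r\n]*', ('${1}' + $CaFile)
# step 4: write it as nxlog.conf (UTF-8 without BOM)
[IO.File]::WriteAllText($conf, $text, [Text.UTF8Encoding]::new($false))

Start-Service nxlog                                       # step 7
Start-Sleep -Seconds 5
Get-Content -Path $nxLog -Tail 20                         # step 8: watch for ERROR lines
# step 9 from the Windows side: the TLS port on CyberHub must be reachable
Test-NetConnection -ComputerName $CyberHubIp -Port 6514 -InformationLevel Quiet
```

The tcpdump check in step 9 is run on the CyberHub side; the final Test-NetConnection only confirms that the receiver can reach port 6514 at all.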

...