Windows Event Forwarding at Scale

 


Windows Event Log Forwarding (WEF) Overview

WEF is a service that allows you to forward events from multiple Windows servers and collect them in one location. The service has two main components; a forwarder and a receiver. A receiver is a service running on Windows server that collects all events sent to it from an event log forwarder.

The link between the forwarding server and a receiver is known as a subscription.

 

image-20240828-120257.png

Before you get too far…

  1. This has been tested with Windows Server 2016,2019, 2022 Datacenter Edition

  2. Best Practices : https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/configure-eventlog-forwarding-performance

  3. All the machines should be part of Active Directory Domain Controller

  4. Group Policy Objects Manager

  5. WinRM - WinRM needs to be running in all the client machine.

  6. Port 5985 should be open in all client as well as receiver machine.

  7. Receiver machine with NXLog Agent Installed.

Windows Language Instructions

Forwarder Machines can be configured to run on different base languages. Each Forwarder machine inside a GPO can have their own native windows language.

Receiver Machine can only be configured in English Language. There should not be any other windows language configured on receiver except English.

Configuring the Event Log Receiver

The first task to perform is configuring one of your Windows Server instances as the Receiver.

Run following commands on the Receiver Machine using PowerShell. Make sure you are running PowerShell as an Administrator.

winrm quickconfig -quiet Set-Service -Name WINRM -StartupType Automatic wevtutil sl forwardedevents /ms:1000000000

Below commands are making sure that machines, servers, workstations can connect to Windows Remote Management for forwarding logs. Run following commands on the Receiver Machine using cmd.exe. Make sure you are running cmd.exe as an Administrator.

netsh http delete urlacl url=http://+:5985/wsman/ netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

 

For Windows Server 2019 and 2022

netsh http delete urlacl url=http://+:5985/wsman/ netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517) netsh http delete urlacl url=https://+:5986/wsman/ netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)


Starting and Setting up the Subscription on Receiver Machine (Windows Events)

On Receiver Machine, open Event Viewer click Subscriptions. The first time you open the Subscriptions option, Windows will ask if you want to start the Windows Event Log Collector Service and configured to start automatically.

Click Yes to accept.

image-20211123-141503 (1).png

Right-click on Subscriptions, then create subscription.

As shown below, select the Source computer initiated option and then click Select Computer Groups. This is where you will select which computers you’d like to forward events from.

Next select the events to forward. Opening up the query filter as you can see below, select Application, Security, System to forward events to the Receiver Machine.

Click Advanced in the Subscription Properties window. Now select Minimize Latency. This setting will ensure the receiver will receive events as soon as possible and also to help it catch up if it gets behind.

Congratulations! You now have a receiver configured. It’s now time set up a GPO which will instruct Windows Server instances to forward events to the receiver.

Starting and Setting up the Subscription on Receiver Machine (Windows Defender AV Events)

On Receiver Machine, open Event Viewer click on Subscriptions. The first time you open the Subscriptions option, Windows will ask if you want to start the Windows Event Log Collector Service and configured to start automatically.

Click Yes to accept.

Right-click Subscriptions, then create subscription.

 

As shown below, select the Source computer initiated option and then click Select Computer Groups. This is where you will select which computers you’d like to forward events from.

Next select the events to forward. Opening up the query filter as you can see below, select Operational and WHC Events from Windows Defender section to forward events to the Receiver Machine.

Click Advanced in the Subscription Properties window. Now select Minimize Latency. This setting will ensure the receiver will receive events as soon as possible and also to help it catch up if it gets behind.

Congratulations! You now have a receiver configured. It’s now time set up a GPO which will instruct Windows Server instances to forward events to the receiver.

Setting up the Forwarder

Begin by opening up a command prompt as an Administrator in the Forwarder Machine and run the command wevtutil gl security.

This will provide various information about the Security event log. But the piece to pay attention to is the channelAccess SDDL.

You can see below an example of the SDDL you’ll need for the Security event log. The channelAccess line represents the permissions set on the event log. Copy the SDDL highlighted below and save it somewhere for later to add to a GPO.

Configure the Group Policy Object (GPO )

The next step is to configure one or more Windows servers to begin forwarding event logs to the receiver. The easiest way to do so is by creating a GPO.

WEF uses the Network Service account to read and send events from a forwarder to a receiver. By default, the Network Service account does not have access to do this. You’ll first need to set this ACL to allow it.

Many of the event logs in Windows Server already provide the Network Service account access to the common event logs like Application and System. But the account is not given access to the Security event log and other custom event logs.

To allow the Network Service account to read event logs on event log forwarders, use a GPO. In this article, you’ll learn how to allow the Network Service account access to the Security event log. Other event logs will follow the same process.

  1. Create a GPO via the Group Policy Management Console. Inside of the GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricting Groups

  2. Right Click on Restricted Groups > Add Group, browse Event Log Readers and add Network Service.

  1. Now navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Windows Remote Management

  2. Define this policy setting to Automatic. Click Apply

  1. Now navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target subscription manager.

  2. Set the value for the target subscription manager to the WinRM endpoint on the receiver. You will set the Server to be in the format:

The Refresh interval at the end of the receiver endpoint. The Refresh interval indicates how often clients should check in to see if new subscriptions are available.

Next, find the SDDL you copied earlier from running wevtutil gl security and paste it into the setting Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security > Configure log access.

That this SDDL will take precedence over all other permissions that have been configured for the event log.

You can see an example of what your GPO will look like.

Once the GPO is created, you’ll then either link this GPO to an existing OU containing the Windows servers to send event logs from or create a new OU and link the GPO. Any AD computer account you add to this OU will now set up a subscription to the receiver.

 Verifying the WEF Configuration
Once WEF is set up, you should now check to see if the forwarders actually checked in by checking the Source Computers column on the main Subscriptions page.

Configure NXLog Agent on Receiver Machine (Windows Events)

NXLog is a snare like agent to forward windows event logs. To get snare format logs from the NXLog agent, do the following:

  1. Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

  2. Navigate to services.msc and stop the nxlog service.

  3. Go to the folder C:\Program Files\nxlog\data and delete the file configcache.dat if it present.

  4. Navigate to the installed location C:\Program Files\nxlog\conf. Rename the attached NXLOG_WinEvents.conf file to nxlog.conf and copy it into this folder.

  5. Replace the placeholder CyberHub IP with the actual CyberHub IP in the nxlog.conf file.

  6. Copy the certificate which you obtained from MxDR team to Windows machine where nxlog agent is installed and mentioned this cert path in nxlog.conf against CAFile on line number 56.

  7. Now, start the nxlog service from services.msc.

  8. NXLog agent logs will be available at the location C:\Program Files\nxlog\data\nxlog.log.

  9. The log flow should work, and you can check it using tcpdump with the command tcpdump -AA port 6514

Configure NXLog Agent on Receiver Machine (Windows Defender AV Events)

NXLog is a snare like agent to forward windows event logs. To get snare format logs from the NXLog agent, do the following:

  1. Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

  2. Navigate to services.msc and stop the nxlog service.

  3. Go to the folder C:\Program Files\nxlog\data and delete the file configcache.dat if it present.

  4. Navigate to the installed location C:\Program Files\nxlog\conf. Rename the attached NXLog.conf file to nxlog.conf and copy it into this folder.

  5. Replace the placeholder CyberHub IP with the actual CyberHub IP in the nxlog.conf file.

  6. Copy the certificate which you obtained from MxDR team to Windows machine where nxlog agent is installed and mentioned this cert path in nxlog.conf against CAFile on line number 52.

  7. Now, start the nxlog service from services.msc.

  8. NXLog agent logs will be available at the location C:\Program Files\nxlog\data\nxlog.log.

  9. The log flow should work, and you can check it using tcpdump with the command tcpdump -AA port 6514

Add label

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.