Accenture MDR Quick Start Guide for Windows Event Forwarding at Scale

Windows Event Log Forwarding (WEF) Overview

WEF is a Windows feature that forwards events from many Windows servers to one central collection point. It has two main components: a forwarder and a receiver. The forwarder is the source computer, whose Windows Remote Management (WinRM) service reads the selected logs and pushes matching events out. The receiver (Windows calls it the collector) is a Windows Server instance whose Windows Event Collector service accepts the events sent to it by the forwarders and writes them into its Forwarded Events log.

The link between a forwarder and a receiver is known as a subscription. In the source-initiated mode used throughout this guide, each forwarder fetches the subscription definition from the receiver and then pushes the events that match it.

Before you get too far…

  1. This has been tested with Windows Server 2016, 2019 and 2022 Datacenter Edition.

  2. Best practices: https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/configure-eventlog-forwarding-performance

  3. All machines (forwarders and the receiver) must be joined to an Active Directory domain; source-initiated WEF authenticates the forwarders with their domain computer accounts via Kerberos.

  4. The Group Policy Management Console (GPMC) must be available to create and link the GPO.

  5. WinRM must be running on every forwarder (client) machine.

  6. TCP port 5985 (WinRM over HTTP) must be open between every forwarder and the receiver. Between domain-joined machines the WS-Management payload is still encrypted at the message level with Kerberos, so HTTP is acceptable inside the domain. If you also register the HTTPS listener on the receiver (see below), open TCP 5986 as well.

  7. The receiver machine must have the NXLog agent installed.

Windows Language Instructions

Forwarder machines may run any Windows display language. Each forwarder covered by the GPO can keep its own native Windows language.

The receiver machine must be configured in English only. No Windows display language other than English may be configured on the receiver.

Configuring the Event Log Receiver

The first task to perform is configuring one of your Windows Server instances as the Receiver.

Run the following commands on the receiver machine from PowerShell. Make sure PowerShell is running as an Administrator.

winrm quickconfig -quiet
Set-Service -Name WINRM -StartupType Automatic
wevtutil sl forwardedevents /ms:1000000000

The first command creates the WinRM listener and its firewall exception, the second makes the WinRM service start automatically, and the third raises the maximum size of the Forwarded Events log to 1,000,000,000 bytes (about 1 GB) so the receiver does not overwrite old events before NXLog has shipped them.


The following commands make sure that machines (servers and workstations) can connect to Windows Remote Management on the receiver to forward their logs. They reset the URL ACL of the WinRM listener so that both service SIDs in the SDDL, the WinRM service and the Windows Event Collector service, are allowed to use it. Run them on the receiver machine from cmd.exe started as an Administrator.

netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

For Windows Server 2019 and 2022, run the same commands and also register the HTTPS listener URL on port 5986:

netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
netsh http delete urlacl url=https://+:5986/wsman/
netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

Starting and Setting up the Subscription on Receiver Machine (Windows Events)

  1. On the receiver machine, open Event Viewer and click Subscriptions. The first time you open Subscriptions, Windows asks whether you want to start the Windows Event Collector service and configure it to start automatically.

  2. Click Yes to accept.

  3. Right-click Subscriptions, then click Create Subscription.

  4. As shown below, select the Source computer initiated option and then click Select Computer Groups. This is where you choose which computers (or domain groups of computers) forward events.

  5. Next select the events to forward. Open the query filter as shown below and select the Application, Security and System logs to forward to the receiver.

  6. Click Advanced in the Subscription Properties window and select Minimize Latency. With this setting the receiver gets events as soon as possible (batches are sent within about 30 seconds) and can catch up if a forwarder falls behind.

Congratulations! You now have a receiver configured. It's now time to set up a GPO which will instruct Windows Server instances to forward events to the receiver.

Starting and Setting up the Subscription on Receiver Machine (Windows Defender AV Events)

  1. On the receiver machine, open Event Viewer and click Subscriptions. The first time you open Subscriptions, Windows asks whether you want to start the Windows Event Collector service and configure it to start automatically.

  2. Click Yes to accept.

  3. Right-click Subscriptions, then click Create Subscription.

  4. As shown below, select the Source computer initiated option and then click Select Computer Groups. This is where you choose which computers (or domain groups of computers) forward events.

  5. Next select the events to forward. Open the query filter as shown below and, under the Windows Defender section, select the Operational and WHC logs (the channels Microsoft-Windows-Windows Defender/Operational and Microsoft-Windows-Windows Defender/WHC) to forward to the receiver.

  6. Click Advanced in the Subscription Properties window and select Minimize Latency. With this setting the receiver gets events as soon as possible (batches are sent within about 30 seconds) and can catch up if a forwarder falls behind.

Congratulations! You now have a receiver configured. It's now time to set up a GPO which will instruct Windows Server instances to forward events to the receiver.
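The two Event Viewer procedures above (the Application/Security/System subscription and the Windows Defender subscription) can also be created from an elevated PowerShell prompt on the receiver with wecutil, which is easier to repeat on a second receiver. This is an added example, not a script from the original guide or from Accenture; it assumes that the forwarders are members of Domain Computers (SDDL alias DC), that both subscriptions write to the ForwardedEvents log, and that the subscription names and temporary file paths are placeholders you may change.

```powershell
# Added example: create both source-initiated subscriptions with wecutil.
# Run in an elevated PowerShell on the receiver (collector).

# Same effect as answering "Yes" in Event Viewer: enable and start the
# Windows Event Collector service and set it to start automatically.
wecutil qc /q

# Confirm the URL ACL set with netsh earlier: the output must list the
# WinRM (S-1-5-80-569256582-...) and Wecsvc (S-1-5-80-4059739203-...) SIDs.
netsh http show urlacl url=http://+:5985/wsman/

# Subscription name => query (assumed names; queries match the two GUI procedures)
$subs = [ordered]@{
    'WEF-Windows-Events' = @'
<QueryList>
  <Query Id="0">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="System">*</Select>
  </Query>
</QueryList>
'@
    'WEF-Defender-AV' = @'
<QueryList>
  <Query Id="0">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
    <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>
  </Query>
</QueryList>
'@
}

foreach ($name in $subs.Keys) {
    # ConfigurationMode MinLatency is the "Minimize Latency" radio button; the
    # Delivery block is what that setting expands to (30 s batches, 1 h heartbeat).
    # AllowedSourceDomainComputers: Domain Computers (DC) plus Network Service (NS),
    # the account WEF uses on the forwarder. Tighten DC to a dedicated group if needed.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>$name (source-initiated, minimize latency)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
$($subs[$name])
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
    $path = Join-Path $env:TEMP "${name}.xml"
    Set-Content -Path $path -Value $xml -Encoding UTF8

    # Make the script re-runnable: replace an existing subscription of the same name.
    if ((wecutil es) -contains $name) { wecutil ds $name }
    wecutil cs $path
    Remove-Item $path
}

# Show what was created. "wecutil gr <name>" later lists the source computers
# that have checked in, which is the same information as the Source Computers column.
wecutil es
foreach ($name in $subs.Keys) { wecutil gs $name }
```

The AllowedSourceDomainComputers descriptor is the part the GUI hides behind Select Computer Groups: it is the only thing that limits which domain computers may push into this subscription, so scoping it to a dedicated group rather than all of Domain Computers is the one hardening choice worth making here.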

Setting up the Forwarder

Begin by opening a command prompt as an Administrator on the forwarder machine and running the command wevtutil gl security.

This prints various properties of the Security event log. The one to pay attention to is the channelAccess SDDL.

Below is an example of the SDDL you'll need for the Security event log. The channelAccess line is the security descriptor (the permissions) set on the log; on a default Windows Server installation it grants full access to SYSTEM, read and clear to Administrators, and read access (0x1) to the built-in Event Log Readers group (S-1-5-32-573), which is why adding Network Service to that group later in this guide is enough to let WEF read the log. Copy the SDDL highlighted below and save it for later to add to a GPO.

Configure the Group Policy Object (GPO)

The next step is to configure one or more Windows servers to begin forwarding event logs to the receiver. The easiest way to do so is by creating a GPO.

WEF uses the Network Service account on the forwarder to read events and send them to the receiver. By default, the Network Service account does not have read access to every log you may want to forward, so you first need to set the log's ACL to allow it.

Note: Many of the event logs in Windows Server already give the Network Service account access to common logs such as Application and System. The account is not given access to the Security event log or to other custom event logs.

To allow the Network Service account to read event logs on the forwarders, use a GPO. This guide shows how to allow the Network Service account access to the Security event log; other event logs follow the same process.

  1. Create a GPO via the Group Policy Management Console. Inside the GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

  2. Right-click Restricted Groups > Add Group, browse for Event Log Readers, and add Network Service as a member. It should look like this.

  3. Now navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Windows Remote Management (WS-Management).

  4. Define this policy setting with the startup mode Automatic and click Apply.

  5. Now navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target subscription manager.

  6. Set the value for the target subscription manager to the WinRM endpoint on the receiver. The value has the format:

Server=http://<FQDN of the receiver>:5985/wsman/SubscriptionManager/WEC,Refresh=120

Note the Refresh interval at the end of the receiver endpoint. The Refresh interval, in seconds, indicates how often forwarders check in with the receiver to see whether new or changed subscriptions are available; 120 seconds is a reasonable default for a server population.

  7. Next, find the SDDL you copied earlier from running wevtutil gl security and paste it into the setting Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security > Configure log access.

This SDDL takes precedence over all other permissions configured for the Security event log: the policy replaces the log's security descriptor rather than merging with it, so whatever you paste here must itself contain every ACE the log still needs.

You can see an example of what your GPO will look like.

  8. Once the GPO is created, either link it to an existing OU containing the Windows servers that should send event logs, or create a new OU and link the GPO to it. Any AD computer account placed in that OU will then set up a subscription to the receiver after its next Group Policy refresh.
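The two steps above that are easy to get wrong by hand are reading the channelAccess SDDL off a forwarder and typing the subscription manager and log access values into the GPO. The following added example (not from the original guide or from Accenture) does both with PowerShell: part 1 runs on a forwarder and derives the SDDL from wevtutil gl security, part 2 runs on a machine with the RSAT GroupPolicy module and writes the two Administrative Template settings into the GPO and links it. The GPO name, OU distinguished name and receiver FQDN are placeholders. The Restricted Groups and System Services settings from steps 1 to 4 are security-template settings that Set-GPRegistryValue cannot write, so those remain GUI steps.

```powershell
# Added example: derive the Security log SDDL on a forwarder and build the
# WEF GPO registry settings. Placeholders are marked; replace before use.

# --- Part 1 (run on a forwarder): read the channelAccess SDDL ---
$line = (wevtutil gl security | Select-String '^channelAccess:').Line
# Split on the first ':' only; the SDDL itself contains ':' characters (O:BAG:SYD:)
$sddl = ($line -split ':\s*', 2)[1].Trim()

# The default descriptor already grants read (0x1) to Event Log Readers
# (S-1-5-32-573), which the Restricted Groups step populates with Network
# Service. Adding an explicit read ACE for Network Service (NS) makes the
# access independent of that group membership; it is a no-op if already present.
if ($sddl -notmatch '\(A;;0x1;;;NS\)') { $sddl += '(A;;0x1;;;NS)' }
Write-Output "Configure log access value: $sddl"

# --- Part 2 (run where RSAT GroupPolicy is installed) ---
Import-Module GroupPolicy
$gpoName   = 'WEF-Forwarders'                        # placeholder
$ouDn      = 'OU=WEF-Sources,DC=corp,DC=example'     # placeholder
$collector = 'wec01.corp.example'                    # placeholder: receiver FQDN
$subMgr    = "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=120"

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Event Forwarding > Configure target subscription manager.
# The policy stores each receiver as a REG_SZ named "1", "2", ... under this key.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' `
    -ValueName '1' -Type String -Value $subMgr | Out-Null

# Event Log Service > Security > Configure log access.
# The policy stores the SDDL as REG_SZ "ChannelAccess" under the channel's key.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' `
    -ValueName 'ChannelAccess' -Type String -Value $sddl | Out-Null

# Link to the OU that holds the forwarders, then show what was written.
if (-not (Get-GPInheritance -Target $ouDn).GpoLinks.DisplayName -contains $gpoName) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
```

Run part 1 on a representative forwarder of each Windows version you manage and compare the results before applying a single SDDL to all of them: because Configure log access replaces the whole descriptor, an SDDL captured on one build is applied verbatim to every machine the GPO covers.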

Verifying the WEF Configuration

Once WEF is set up, check whether the forwarders have actually checked in by looking at the Source Computers column on the main Subscriptions page in Event Viewer. The count only rises after a forwarder has applied the GPO (run gpupdate /force on it to avoid waiting for the next refresh) and its Refresh interval has elapsed.
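The Source Computers column only tells you that a forwarder registered; it does not tell you why one is missing or whether events are actually arriving. The following added example (not from the original guide or from Accenture) checks both sides: on a forwarder it confirms the policy landed and reads the forwarding plug-in's own log, and on the receiver it lists registered sources per subscription and counts received events per source machine. The subscription names are the ones assumed earlier in this guide's examples.

```powershell
# Added example: verify WEF on a forwarder and on the receiver.

# --- On a forwarder ---
gpupdate /target:computer /force | Out-Null

# The subscription manager policy lands here; no value "1" means the GPO
# has not applied to this machine (check OU membership and the GPO link).
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' `
    -ErrorAction SilentlyContinue | Select-Object 1*

# The Security channel descriptor should now be the policy SDDL (with the
# Event Log Readers or NS read ACE); if it is not, "Configure log access" did not apply.
(wevtutil gl security | Select-String '^channelAccess:').Line

# The forwarding plug-in records its negotiation with the receiver. Errors
# here (for example access denied on a channel, or the receiver unreachable
# on 5985) explain a missing Source Computers entry.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# --- On the receiver ---
# Registered sources and their last heartbeat, per subscription.
foreach ($sub in 'WEF-Windows-Events', 'WEF-Defender-AV') { wecutil gr $sub }

# The collector service's own log shows rejected or failed source connections.
Get-WinEvent -LogName 'Microsoft-Windows-EventCollector/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# Which machines are actually delivering: MachineName on a forwarded event is
# the originating forwarder, so a source that registered but never appears here
# is registered but not sending (wrong query, channel ACL, or no matching events).
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Group-Object MachineName | Sort-Object Count -Descending |
    Select-Object @{n = 'Source'; e = { $_.Name }}, Count
```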


Configure NXLog Agent on Receiver Machine

NXLog is a Snare-like agent that forwards Windows event logs. To get Snare-format logs from the NXLog agent, do the following:

  1. Download and install the NXLog agent from the NXLog download location.

  2. Go to services.msc and stop the nxlog service.

  3. Go to the folder C:\Program Files\nxlog\data and delete configcache.dat (it holds saved state, such as read positions, from the previous configuration).

  4. Navigate to the installed location C:\Program Files\nxlog\conf. Rename the attached NXLOG_Windows.conf file to nxlog.conf and copy it into this folder.

  5. Replace the placeholder LCP_IP with the actual LCP IP address in nxlog.conf.

  6. Copy the CA certificate you obtained from the MxDR team to the Windows machine where the NXLog agent is installed, and set its path as the CAFile value in nxlog.conf (line 46 of the attached file).

  7. Now start the nxlog service from services.msc.

  8. The NXLog agent's own log is written to C:\Program Files\nxlog\data\nxlog.log; TLS or connection errors towards the LCP appear there first.

  9. Log flow should now work. You can confirm it with tcpdump on the LCP or another Linux host on the path (tcpdump is not shipped with Windows), for example tcpdump -AA port 6514. Because port 6514 carries TLS, tcpdump shows only encrypted payload, so use it to confirm that traffic is arriving, not to read the events.

Configure NXLog Agent on Receiver Machine (Windows Defender AV Events)

NXLog is a Snare-like agent that forwards Windows event logs. To get Snare-format logs from the NXLog agent, do the following:

  1. Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

  2. Navigate to services.msc and stop the nxlog service.

  3. Go to the folder C:\Program Files\nxlog\data and delete the file configcache.dat if it is present (it holds saved state, such as read positions, from the previous configuration).

  4. Navigate to the installed location C:\Program Files\nxlog\conf. Rename the attached NXLog.conf file to nxlog.conf and copy it into this folder.

  5. Replace the placeholder LCP_IP with the actual LCP IP address in nxlog.conf.

  6. Copy the CA certificate you obtained from the MxDR team to the Windows machine where the NXLog agent is installed, and set its path as the CAFile value in nxlog.conf (line 39 of the attached file).

  7. Now start the nxlog service from services.msc.

  8. The NXLog agent's own log is written to C:\Program Files\nxlog\data\nxlog.log; TLS or connection errors towards the LCP appear there first.

  9. Log flow should now work. You can confirm it with tcpdump on the LCP or another Linux host on the path (tcpdump is not shipped with Windows), for example tcpdump -AA port 6514. Because port 6514 carries TLS, tcpdump shows only encrypted payload, so use it to confirm that traffic is arriving, not to read the events.
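The two NXLog procedures above refer to attached configuration files (NXLOG_Windows.conf and NXLog.conf) that are not reproduced on this page. The following added example (not from the original guide, from Accenture or from NXLog) writes an equivalent nxlog.conf built from the steps described here, verifies its syntax before starting the service, and checks that the LCP is reachable on 6514. It assumes the NXLog Community Edition default install path, that both WEF subscriptions write to the receiver's ForwardedEvents log (so a single input serves the Windows and the Defender procedures), and that the LCP IP address and CA file name are placeholders to replace.

```powershell
# Added example: generate, verify and activate nxlog.conf on the receiver.
# Run in an elevated PowerShell on the receiver after the NXLog agent is installed.

$nxRoot = 'C:\Program Files\nxlog'
$lcpIp  = '203.0.113.10'                     # placeholder: the real LCP IP
$caFile = "$nxRoot\cert\mxdr-ca.pem"         # placeholder: CA cert from the MxDR team

$conf = @"
define ROOT $nxRoot
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module  xm_syslog
</Extension>

# Read what the collector received from the forwarders (both subscriptions
# land in ForwardedEvents) and render each event in Snare format.
<Input wef>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    to_syslog_snare();
</Input>

# TLS syslog to the LCP on 6514. AllowUntrusted FALSE makes the agent validate
# the LCP certificate against the MxDR CA, so logs cannot be diverted to a
# host that merely answers on the right port.
<Output lcp>
    Module         om_ssl
    Host           $lcpIp
    Port           6514
    CAFile         $caFile
    AllowUntrusted FALSE
</Output>

<Route wef_to_lcp>
    Path    wef => lcp
</Route>
"@

if (-not (Test-Path $caFile)) { throw "CA file not found: $caFile (copy the MxDR certificate first)" }

# Steps 2 and 3 of the procedure: stop the service and drop the saved state.
Stop-Service nxlog -ErrorAction SilentlyContinue
Remove-Item "$nxRoot\data\configcache.dat" -ErrorAction SilentlyContinue
Set-Content -Path "$nxRoot\conf\nxlog.conf" -Value $conf -Encoding ASCII

# Syntax check first; a bad config otherwise only shows up as a service that
# starts and immediately stops.
& "$nxRoot\nxlog.exe" -v -c "$nxRoot\conf\nxlog.conf"
if ($LASTEXITCODE -ne 0) { throw 'nxlog.conf failed verification, see output above' }
Start-Service nxlog

# Reachability from the receiver's side; this complements tcpdump on the LCP.
Test-NetConnection -ComputerName $lcpIp -Port 6514 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# The agent's own log shows TLS handshake or certificate errors within seconds.
Start-Sleep -Seconds 5
Get-Content "$nxRoot\data\nxlog.log" -Tail 20
```

If TcpTestSucceeded is True but nxlog.log reports a certificate error, the CAFile does not chain to the certificate the LCP presents; that is the one failure tcpdump on the LCP cannot distinguish from a healthy session, because both look like TLS traffic on 6514.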


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.