Windows Event Forwarding at Scale

  • Published 15 Nov 2024

COMMENTS • 49

  • @OkThanks999
    @OkThanks999 6 months ago

    Man, I can't thank you enough. This works. I followed 4-5 different tutorials but none of them worked. Really appreciate your work.

  • @jacobharvy
    @jacobharvy 3 years ago +1

    Hey Justin, I just did the SEC555 course on demand. Getting a different point of view with practical examples is great. This video doesn't help me a ton as my environment is 99% *nix systems, but I am happy to learn as much as I can. Please keep these videos coming. I honestly think you are one of the top minds (if not the top) in the SIEM field, and any knowledge you are willing/able to pass on is appreciated.

    • @HASecuritySolutions
      @HASecuritySolutions 3 years ago

      Thank you very much! Not sure if it helps but you can technically do a similar approach in *nix systems via syslog relaying. I personally don't like doing it as is rather have syslog point direct to the log service.

  • @saudgulf
    @saudgulf 1 day ago

    Thanks a ton @HASecuritySolutions
    This video really helped me a lot in creating the WEF setup smoothly.
    I have one issue now: I have linked 3 Windows servers using the policy method as you have provided in the steps.
    However, now I could only see the logs from my WEF server in the SIEM tool, and there are no logs from any of the 3 servers linked to WEF. I have selected the option "source computer initiated" and used the XPath query. Does the XPath only work for the option "computer initiated"? Or is there any other issue?

  • @evand5271
    @evand5271 3 months ago

    Thanks! One question: do WinRM and the associated WinRM firewall rules in Defender need to be enabled on all clients as well as on the Windows Event Collector (WEC)? Specifically, you run "winrm quickconfig -quiet" & "Set-Service -Name WINRM -StartupType Automatic" on the collector during your first steps, but you do not mention that this needs to be completed for all clients. Another tutorial has me enabling the service and firewall rules via a separate WinRM Group Policy Object and applying this GPO to all domain computers. Without this extra step, I have been unable to get it to work. Maybe you mention this and I overlooked it, but it would be great to hear your input on this issue/topic. Thank you!
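The prerequisites this question is about (WinRM running with a listener, the collector reachable, the SubscriptionManager value written by the GPO, read access for NETWORK SERVICE, and the forwarder's own diagnostic log) can be checked in one place on a client. The script below is an added example, not something from the video or the channel's download package; the collector name and port are assumptions to replace with your own.

```powershell
# Added example (not from the video): check what a forwarding client needs before it can
# register with a collector. Run in an elevated PowerShell on the client being diagnosed.
# The collector name and port are assumptions; replace them with your WEC host.
function Test-WefClient {
    param([string]$Collector = 'wec01.example.local', [int]$Port = 5985)

    $result = [ordered]@{}

    # 1. WinRM must be running and start automatically, just like on the collector.
    $svc = Get-Service -Name WinRM
    $result.WinRMStatus  = $svc.Status
    $result.WinRMStartup = $svc.StartType

    # 2. A WinRM listener must exist; 'winrm quickconfig' creates one and adds the firewall rule.
    $result.HasListener = [bool](Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)

    # 3. The client must be able to reach the collector's WinRM port (firewall / routing).
    $result.CollectorReachable = (Test-NetConnection -ComputerName $Collector -Port $Port `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # 4. The GPO must have written the SubscriptionManager value(s) pointing at the collector.
    $smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $result.SubscriptionManager = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }

    # 5. NETWORK SERVICE (the forwarder's identity) needs read access to each forwarded channel.
    #    Either the channel SDDL grants it directly or it is a member of Event Log Readers.
    $sddl = (wevtutil gl Security) -join ' '
    $inReaders = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*NETWORK SERVICE' }
    $result.NetworkServiceCanReadSecurity = ($sddl -match ';;;NS\)') -or [bool]$inReaders

    # 6. The forwarder logs why registration fails (WS-Management, 401, listener errors) here.
    $result.RecentForwardingEvents = Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]$result
}

Test-WefClient -Collector 'wec01.example.local' | Format-List
```

If `SubscriptionManager` comes back empty the GPO has not applied (run `gpupdate /force` and check again); if it is populated but `RecentForwardingEvents` shows errors, those messages are the ones to troubleshoot, and a restart of the WinRM service (or the host) is often what finally makes a client register.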

  • @zikkthegreat
    @zikkthegreat 2 years ago +1

    Many thanks for this! I was testing out some configs on my own, but this helps tremendously with making sure I can make recommendations to my engineers for our production config.

  • @krzychaczu
    @krzychaczu 2 years ago

    This is gold, thanks!
    It would be great if the next vid is about feeding from collector to logstash/elastic or to Defender.

  • @rajashekarmeegada2127
    @rajashekarmeegada2127 1 year ago

    Thank you very much for this video. I'd like to know about this setup in large environments. Can we set up a VIP in front of multiple WECs and set up a GPO on all workstations to forward logs to the VIP, which in turn can forward down to the WECs (in a round-robin fashion)? And have SIEM agents on the WECs and bring them into the SIEM?
    Is that possible?
    TIA

  • @dougramsey6697
    @dougramsey6697 1 year ago

    Great! One question: does the configuration stay the same for Windows Server 2022?

  • @michaelwaterman3553
    @michaelwaterman3553 1 year ago

    This is so cool, thanks! I've got it working with your video and now I can do a write-up for my org.

  • @unshadowlabs
    @unshadowlabs 3 years ago +1

    Great video! With the pandemic creating so many more opportunities for users to work remotely, how do you deal with getting the windows event logs sent over to the on prem WEC server from remote windows workstations that rarely connect back to the network or to the vpn?

    • @HASecuritySolutions
      @HASecuritySolutions 3 years ago +1

      This is a great question that often comes up during our professional service engagements. You can deploy a WEC server with it exposed to the internet (port forwarding to 5985 or 5986 with added double encryption) and it works fine. 5985 is already encrypted, but if there are concerns with traffic from the internet you can add TLS or IPsec as an added layer of protection/authentication. Windows Event Forwarding works with mutual authentication and encryption.

  • @DanielColl-z6o
    @DanielColl-z6o 1 year ago

    I'm using Windows Server 2022. Member servers are not reporting to the collector. Are there different commands to run, and does the GPO need different settings?

  • @damienkubik1380
    @damienkubik1380 7 months ago

    Awesome video! Very informative and detailed. Helped me out a lot

  • @furkandemirel8014
    @furkandemirel8014 8 months ago

    Hello! I'm not sure if you are still responding to comments, but I have a question :(
    The video cleared up a lot of things for me, but I didn't understand the part with the group policy. Should I create a separate Group Policy for each WEC? Or should I just add the other WECs to the "subscription manager string"?

  • @ahmedhany4613
    @ahmedhany4613 2 years ago

    Great explanation Justin. Just a quick question here if you do not mind. Could the WEC server be promoted to a domain controller? The thing is, I'm going to implement this in an environment where I have around 30 DCs distributed over 2 different domains. The purpose of this deployment is to collect specific event IDs from the DCs themselves. I'm thinking about applying the GPO over the Domain Controllers OU. Would that work? And how would you tackle having distributed DCs ship their logs to the same collector?

    • @HASecuritySolutions
      @HASecuritySolutions 2 years ago

      You could make the collector a domain controller, but that's not required to send DC logs to a collector. You can create a GPO targeting your domain controllers and have them forward logs to a collector within their forest.

  • @itsmrpaddy
    @itsmrpaddy 2 years ago

    Hello Justin, great video! Thank you. After looking around, I'm unable to find some deeper information. Now I'm wondering if you know...
    If the ConfigMode (/cm) is set to "Minimize Bandwidth", what are the following settings set to by default for that ConfigMode? I did not see them being set in the registry. I wonder what Microsoft sets these values to.
    Thank you.
    /dmi: Sets the maximum number of items for batched delivery. This option is only valid if /cm is set to Custom.
    /dmlt: Sets the maximum latency in delivering a batch of events. is the number of milliseconds. This option is only valid if /cm is set to Custom.
    /hi: Defines the heartbeat interval. is the number of milliseconds. This option is only valid if /cm is set to Custom.

    • @HASecuritySolutions
      @HASecuritySolutions 2 years ago

      This may help you:
      social.technet.microsoft.com/Forums/en-US/a4b829d6-3b8d-4952-9925-0fc245a52099/windows-event-collector-subscription-event-delivery-timeframe?forum=winservergen

  • @getoutmore
    @getoutmore 2 years ago

    Thank you so much for the videos. Seriously.

  • @nileshpancholi8285
    @nileshpancholi8285 2 years ago

    Brilliant overview of how to set up WEC. Explained very well. I only have one issue with my production environment of 21 servers (all Windows Server 2019), none of them are reporting into the WEC server except the WEC server itself. (Using Source computer Initiated) I've checked all the servers to make sure WinRM is enabled and port 5985 is accessible to WEC server. The WEC GPO is applying on all the 21 servers. The Network Service account has access. Not sure why none of them check in. Has anyone else come across this type of issue?

    • @nileshpancholi8285
      @nileshpancholi8285 2 years ago

      Fixed, I rebooted all 21 servers and they are reporting back to WEC as expected.

  • @EIDEID99
    @EIDEID99 3 years ago

    Justin, amazing videos as always. Small question here: how about text file collection, like IIS or DHCP logs?
    C:\Windows\System32\DHCP and inetpub\logs\LogFiles

    • @HASecuritySolutions
      @HASecuritySolutions 3 years ago +3

      Windows event forwarding unfortunately only works with EVTX files/channels. You would still need to grab DHCP, DNS, IIS, etc. logs. You can do some fun tricks with smaller text log files where you use Windows Task Scheduler to run PowerShell. Then PowerShell reads the log file and injects it into a custom EVTX channel. That then gets forwarded
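The Task Scheduler plus PowerShell trick described in this reply, written out as an added example; it is not the channel's own script and not from the video. It creates a classic custom event log (an .evtx channel that WEF can subscribe to like any other) with `New-EventLog`, then on each scheduled run ships only the lines added to the text log since the previous run. The DHCP log path, the custom log and source names, and the event ID are assumptions chosen for illustration.

```powershell
# Added example (not from the video or the channel's scripts): ship a text log into a custom
# Windows event log so WEF can forward it. Schedule it with Task Scheduler under an admin account.
# The DHCP log path, custom log name, source name and event ID are assumptions for illustration.
param(
    [string]$LogFile    = 'C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log',
    [string]$StateFile  = 'C:\ProgramData\TextLogToEvtx\DhcpSrvLog-Mon.offset',
    [string]$EvtxLog    = 'Custom-TextLogs',
    [string]$EvtxSource = 'DHCPTextLog',
    [int]   $EventId    = 1000
)

# Create the custom log and source once; later runs skip this. Requires elevation.
if (-not [System.Diagnostics.EventLog]::SourceExists($EvtxSource)) {
    New-EventLog -LogName $EvtxLog -Source $EvtxSource
}

# Byte offset of what was already shipped, so each run only sends new lines.
$offset = 0
if (Test-Path $StateFile) { $offset = [int64]((Get-Content $StateFile -Raw).Trim()) }
$length = (Get-Item $LogFile).Length
if ($length -lt $offset) { $offset = 0 }        # log was rotated or truncated: start again
if ($length -eq $offset) { return }             # nothing new since the last run

# Open with shared read/write so the service that owns the log can keep writing to it.
$fs = [System.IO.File]::Open($LogFile, 'Open', 'Read', 'ReadWrite')
try {
    [void]$fs.Seek($offset, 'Begin')
    $buf  = New-Object byte[] ($length - $offset)
    $read = $fs.Read($buf, 0, $buf.Length)
} finally { $fs.Dispose() }

# Only ship complete lines; a partial trailing line is left for the next run.
$text   = [System.Text.Encoding]::ASCII.GetString($buf, 0, $read)
$lastNl = $text.LastIndexOf("`n")
if ($lastNl -lt 0) { return }
$complete = $text.Substring(0, $lastNl + 1)

$shipped = 0
foreach ($line in ($complete -split "`r?`n")) {
    # DHCP server audit logs begin with prose header lines; data rows start with a numeric event ID.
    if ($line -notmatch '^\d') { continue }
    Write-EventLog -LogName $EvtxLog -Source $EvtxSource -EventId $EventId `
        -EntryType Information -Message $line
    $shipped++
}

# Persist the new offset (bytes actually consumed) for the next scheduled run.
New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
Set-Content -Path $StateFile -Value ($offset + [System.Text.Encoding]::ASCII.GetByteCount($complete))
Write-Verbose "Shipped $shipped line(s) from $LogFile into $EvtxLog"
```

Once the custom log exists, add a `<Query Path="Custom-TextLogs">` to the WEC subscription and the lines arrive on the collector as ordinary forwarded events. `Write-EventLog` writes one event per call, which is why the reply limits this trick to smaller text logs; high-volume logs such as busy IIS sites still want a dedicated agent.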

    • @jacobharvy
      @jacobharvy 3 years ago

      @HASecuritySolutions that sounds like an answer straight from SEC555.

  • @willembraem9957
    @willembraem9957 2 years ago

    Excellent video, many thanks!

  • @kepenge
    @kepenge 3 years ago

    Hi,
    Regarding the suppressed events, isn't it a good idea to forward all the events to the SIEM and conduct the filtering on the SIEM?

    • @HASecuritySolutions
      @HASecuritySolutions 3 years ago +1

      By adding suppression you are telling the endpoints not to read and send the log. Thus, they do not push the log to the collector. This generates less overhead on both the endpoints and the collector. Plus, in some SIEM environments, licensing is based on the total volume of logs that hit the SIEM regardless of what's filtered at the SIEM.

    • @kepenge
      @kepenge 3 years ago

      @HASecuritySolutions Thanks for your response, and congratulations on this type of engagement; it's not normal for a YouTube channel to respond to questions. Can you point me to a video series using Sysmon on endpoints?

    • @HASecuritySolutions
      @HASecuritySolutions 3 years ago +1

      @kepenge You just gave me the topic for my next video. I'll create one on deploying Sysmon. It may be next Friday before I post it, but I'll get it done. For now, I highly recommend checking out this:
      github.com/olafhartong/sysmon-modular
      The defaults are great and map to MITRE.

  • @MrNagant007
    @MrNagant007 2 years ago

    In your testing did you ever get "Code (0x8033808F): The client could not start a valid listener to receive subscription events based on the specified input settings."? I keep hitting this wall no matter what I do when doing source initiated.

    • @HASecuritySolutions
      @HASecuritySolutions 2 years ago +1

      You might try opening a command prompt as admin and run the commands in here:
      docs.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector

  • @salvadortorres7016
    @salvadortorres7016 2 years ago

    Where should we run the "maintain_computer_groups.ps1" at? Domain Controller, WEC server?

  • @mitchellkogut1729
    @mitchellkogut1729 1 year ago

    Thank you sir!! Great info!

  • @LeSnickasaurus
    @LeSnickasaurus 2 years ago

    This is genius level stuff. Thank you.

  • @harshnasit6021
    @harshnasit6021 9 months ago

    MASTERPIECE! 💯👌

  • @jasonfus
    @jasonfus 3 years ago +1

    Amazing explanation, thank you so much!

  • @manthing1467
    @manthing1467 2 years ago

    Amazing video

  • @webcomment8895
    @webcomment8895 2 years ago

    Why not just use the filter tab to set up the events you want instead of adding the custom XML file?
    You said to "never" use the filter tab. Why not?

    • @HASecuritySolutions
      @HASecuritySolutions 2 years ago

      The filter tab does not come close to showing the level of granularity you need to select channels with custom filters. The xml tab supports simple and crazy off the wall event filtering or selection

    • @webcomment8895
      @webcomment8895 2 years ago

      @HASecuritySolutions What if you are archiving all events in the log or simply don't need super-granular filtering?

    • @HASecuritySolutions
      @HASecuritySolutions 2 years ago

      @webcomment8895 If you need basic capabilities then the standard filter may work. In my experience and use cases, I never use the filter tab as I need the XML for a more selective experience.
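Three threads above ask for the same artefact: what the XML tab can express that the filter tab cannot, how suppression keeps events from ever leaving the endpoint, and where wecutil's `/dmi`, `/dmlt` and `/hi` settings live (they only apply when `/cm` is `Custom`). The subscription file below is an added example, not the video's own file: it sets `ConfigurationMode` to `Custom` so the batching and heartbeat values are explicit, and pairs a `Select` with a `Suppress` in the query. The subscription name, the event IDs and the suppressed logon type are assumptions for illustration.

```powershell
# Added example, not the video's own subscription file: a source-initiated subscription that
# (a) uses ConfigurationMode Custom, the only mode in which wecutil's /dmi, /dmlt and /hi
#     (MaxItems, MaxLatencyTime, Heartbeat) are honoured instead of Microsoft's presets, and
# (b) filters with an XPath Select plus a Suppress, which the Filter tab cannot express.
# Subscription name, event IDs and the suppressed logon type are assumptions for illustration.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events; service logons suppressed at the source</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>100</MaxItems>                <!-- wecutil ss Security-Logons /dmi:100 -->
      <MaxLatencyTime>30000</MaxLatencyTime>  <!-- wecutil ss Security-Logons /dmlt:30000 (ms) -->
    </Batching>
    <PushSettings>
      <Heartbeat Interval="300000"/>          <!-- wecutil ss Security-Logons /hi:300000 (ms) -->
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
          <!-- Suppress takes precedence over Select: the endpoint never reads or sends these -->
          <Suppress Path="Security">*[EventData[Data[@Name='LogonType']='5']]</Suppress>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- Domain Computers (DC) and Domain Controllers (DD) may register; NS is Network Service -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@

$path = Join-Path $env:TEMP 'Security-Logons.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8

# Load it on the collector, then confirm the delivery settings and see which sources have checked in.
wecutil cs $path
wecutil gs Security-Logons
wecutil gr Security-Logons
```

The `Suppress` element is the point of the licensing argument made earlier in the thread: a logon-type-5 event matched by it is never read by the forwarder, so it costs nothing on the endpoint, the collector or the SIEM, whereas a filter applied at the SIEM is applied after the event has already been shipped and counted.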

  • @harrellNOAA
    @harrellNOAA 1 year ago

    You need to take this video down because your download links are broken. What good is the class without them? I just wasted a lot of time trying to do this on my servers.