Windows Event Logs Centralization

Windows Event Logs Centralization

We always have a requirement to centralized the Event Logs collection so that at one place you can review the logs came from any Windows machine.

So, here are the configuration steps we can use to centralized Event logs management through Windows Event forwarding

Configuring the Event Collector(s)

Configuring Event Collection Services and Windows Firewall

In order for Source Computers to communicate with the Event Collector machine, the correct inbound firewall ports need to be open and accepting connections. In addition, the WinRM and Event Collector services need to be running.

Configuration Steps

1.   On the Event Collector machine open a command prompt (Administrator Mode).

2.   Type winrm quickconfig

Windows Event Logs Centralization

3.   When prompted whether to continue with the configuration type y

This command will check the current configuration and make the necessary changes. Upon completion the following will have been configured:

Windows Remote Management service set to Automatic (Delayed Start) and Started.

Windows Firewall port(s) Windows Remote Management (HTTP-In) Port 5985 configured for inbound communication OR Windows Firewall port(s) Windows Remote Management (HTTP-In) – Compatibility Mode – Port 80 configured for inbound communication.

Configuration steps

4.   Type wecutil qc

2bc6eba08fcba80ddb03a8558ce47544

5.   When prompted whether to continue with the configuration type y

This command will check the current configuration and make the necessary changes. Upon completion the following will have been configured:

                                        Windows Event Collector service set to Automatic (Delayed Start) and Started

Configuring Event Subscriptions

The Windows Event Forwarding architecture stores the subscription definition on the Event

Collector, in order to reduce the number of touch-points in case a subscription needs to be created or modified. The following subscription will be configured so that event source computers retrieve subscriptions from the event collector host (Source-Initiated subscriptions).

Subscriptions are defined on the Event Collector through the new Event Viewer user interface by selecting the Create Subscription action, when the Subscriptions node is highlighted. The Subscription may also be created via the WECUTIL command-line utility.

Configuration Steps

1.   On the Event Collector open the Event Viewer.

2.   Navigate to the Subscriptions node.

3.   From the menu bar, choose Action->Create Subscription…

4.   The Subscriptions Properties dialog will appear:

7b4865163007a1c79065d6dbe981b732

From here, you can specify a name, description, and the destination log (where the events will be collected).

5.   Select Forwarded Events for the destination log.

6.   Choose Source Computer Initiated (as Group Policy configures the Source Computer to contact the Event Collector for subscriptions settings).

NOTE: The Subscription Type can also be configured as Collector initiated. In this case Source Computers will need to be manually added to the Subscription either through the Subscription configuration or the WECUTIL command-line utility (which can also be scripted using PowerShell).

It is recommended that Source computer initiated is used, as this configuration is the most scalable.

7.   Click Select Computer Groups.

8.   Click Add Domain Computers and select the required Source Computers.

f08947d2f294fa1f91abce0184179348

NOTE: It is recommended that a computer group which includes the required computer accounts, such as the Domain Computers group, is added to the subscription.

9.   Click OK on the Computer Groups dialog.

10. Click Select Events.

11. Configure the following Query Filter:

Select the desired Event Level

Select By Log and check Windows Logs to include the all types of windows logs

5d9951fbf89c1148b723bf4634fe1dfd

NOTE: In a production environment it may be advantageous to gather all events from the Application and System logs that have a level of Critical, Error, or Warning. This event scope can be expanded to gather all events from these logs or even add additional logs (like the Security log).

14. Select Minimize Latency.

819df8643f6dc18c44f5529ddd77ea37

NOTE:

Normal

This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes.

Minimize Bandwidth

This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours.

Minimize Latency

This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds.

Protocol

HTTPS can be used to secure the communication channel. However, this requires additional configuration steps and requires the Event Collector to use a certificate, see the appendences for more information.

15. Click OK on the Advanced Subscription dialog.

16. Click OK on the Subscription Properties dialog.

17. You may get some issue while reading the logs. While the source machines forward their logs to the collection server it may show the Error ID 1234 cannot be found:

Description
“The description for Event ID xzy from source xyz cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.”

To fix this issue, use below command in Administrative Command Prompt:

wecutil ss “Subscription Name” /cf:Events

Configuring the Source Computer(s)

Configuring the WinRM Service

In order for Source Computers to communicate with the Event Collector machine the Windows Remote Management (WinRM) service needs to be running on the Source Computers.  WinRM service auto start is necessary for the host to retrieve subscription information from event collectors and send/push event data to the event collector.

The following Group Policy Settings are used to configure WinRM to support Event Forwarding:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services

Configuration Steps

1.   Navigate to the Windows Remote Management (WS-Management) service.

2.   Double click the service.

3.   Check Define this policy setting.

4.   Select the Automatic radio button.

69e05027a48557bc7707b26e3882987d

5.   Click OK.

Configuring the Event Collector(s) Server Address

Group Policy may be used to configure Source Computers (Clients) to forward events to a

collector (or set of collectors). The policy is very simple. It merely tells the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. All of the other subscription details are held on the Event Collector.

The following Group Policy Settings are used to configure event forwarding:

Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding\

1f4d0f21e19ec99aebdda8eb89d6f40a

Configuration Steps

1.   Edit the Group Policy Object (GPO) being used.

2.   Configure the Configure the server address… option.

3.   Set this to Enabled.

4.   Click Show, the Subscription Managers dialog will be displayed.

d6df1cea27aa8187b252825701674c7d

5.   Click Add and enter the address of the Event Collector.

Ex:- Server=computer.local

 6.   Click OK.

NOTE: When editing Group Policy settings ensure that the Event Collector(s) and Source Computer(s) are under the management scope of the Group Policy Object being edited

That’s it. Know you can see that all the selected Event logs from Source computer(s) being forwarded to Event Collector Computer.

d325cbda20d750621060a550b99b70d4

Share this…

Ravi Chopra
Scroll to Top