October 12, 2021 HAWKEYE

Using Windows Event Forwarding for Centralized Windows Monitoring – Part 3

Reading security logs requires a higher level of permission than other logs. Below are the steps to configure the right permissions for reading security logs.

Configuring permissions to allow reading security logs

  • Create a security string for access to security logs. Run the command wevtutil gl Security from cmd.

  • Copy the string from the channelAccess line that starts with O:BAG:SYD: and append the following string to it: (A;;0x1;;;NS)

  • From the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security > Configure log access

  • Right click on ‘Configure log access’ and click ‘Edit’
  • Click on ‘Enabled’
  • In the ‘Log Access’ text box, enter the string created by appending (A;;0x1;;;NS) to the wevtutil command output.

Configure Log Access

  • Click Ok

Configuring Windows Event Forwarding

First, we enable the Windows Event Collector service.

  • Open the ‘Run’ prompt by pressing the Windows Key + R.
  • Type in ‘services.msc’ and click ‘OK’

  • In the ‘Services’ window, scroll down to ‘Windows Event Collector’, right click and select ‘Properties’.
  • Change the ‘Startup Type’ to Automatic (Delayed Start) and click the ‘Start’ button.

Startup type

  • Click ‘OK’

The next step is to create a ‘Subscription’ in the ‘Event Viewer’.

  • Open the run prompt again, type in ‘eventvwr’, and click ‘OK’. This opens the Event Viewer window.
  • In the Event Viewer window, right click on ‘Subscriptions’ and select ‘Create Subscription’.

  • Give the subscription a name and select the ‘Source Computer Initiated’ radio button.

  • Click ‘Select Computer Groups’ and select ‘Add Domain Computers’.

Computer Groups

  • In the ‘Enter the object name to select’ text box, enter the computer name and click ‘Check Names’. Once the correct computer name is populated, click ‘OK’.

  • This (unfortunately) needs to be repeated for each computer name from which events are to be forwarded.
  • In the ‘Subscription Properties’ dialog box, click ‘Select Events’. This opens the ‘Query Filter’ dialog box.
  • In the ‘Query Filter’ dialog box, select the Event Level and Event Log options as appropriate.

  • Click ‘OK’ on the ‘Query Filter’ and ‘Subscription Properties’ dialog boxes.

The next step is to configure the WEF subscription server from Group Policy.

  • Open the Group Policy editor again. This can be done from Control Panel as discussed earlier or by typing ‘gpedit.msc’ into the ‘Run’ prompt.
  • From the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure Target Subscription Manager

  • Right click ‘Configure Target Subscription Manager’ and click ‘Edit’.
  • Select the ‘Enabled’ radio button.
  • Under ‘Options’, click ‘Show’ and fill in the value in the below syntax.

  • Click ‘OK’ on the ‘Show Contents’ and ‘Configure Target Subscription Manager’ dialogs.

Verifying that Event Forwarding is working

  • Open Event Viewer as discussed earlier in the article.
  • Click on Windows Logs > Forwarded Events.
  • The forwarded events should be populated as shown below.
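The following PowerShell is an added example, not part of the original post: it builds the ‘Log Access’ string the same way as the wevtutil steps above (and validates it as a security descriptor before it goes into the GPO), and it gives the collector-side and source-side checks that back up the Forwarded Events view. It assumes an elevated PowerShell session; $SubscriptionName is a placeholder for whatever name you gave the subscription.

```powershell
# Added example (not from the original post). Assumes an elevated session.

function New-SecurityLogAccessString {
    # Read the channelAccess SDDL from 'wevtutil gl Security' and append the
    # ACE that grants NETWORK SERVICE (NS) read access (0x1), which is what the
    # forwarding client runs as. Safe to re-run: the ACE is added only once.
    $ace  = '(A;;0x1;;;NS)'
    $line = wevtutil gl Security |
        Where-Object { $_.Trim() -like 'channelAccess:*' } |
        Select-Object -First 1
    if (-not $line) { throw 'channelAccess line not found in wevtutil output' }
    $current = $line.Substring($line.IndexOf(':') + 1).Trim()
    $desired = if ($current -like "*$ace*") { $current } else { $current + $ace }
    # Parse the result so a typo in the SDDL fails here, not when the GPO applies.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($desired)
    return $desired
}

function Test-EventForwarding {
    # Run on the collector. $SubscriptionName is a placeholder for your subscription.
    param([Parameter(Mandatory)][string]$SubscriptionName)
    # Which source computers have actually delivered events, and how many?
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 200 -ErrorAction SilentlyContinue |
        Group-Object MachineName |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
    # Per-source delivery state as tracked by the collector (Active / Inactive / Trying).
    wecutil gr $SubscriptionName
}

function Get-ForwardingClientErrors {
    # Run on a source computer: errors raised by the forwarding client itself,
    # e.g. when it cannot reach the subscription manager set in the GPO.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Forwarding/Operational'; Level = 2
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Write-Host "Value for the 'Log Access' box of the 'Configure log access' policy:"
New-SecurityLogAccessString
```

If Test-EventForwarding lists a source as Inactive, run Get-ForwardingClientErrors on that computer; an empty Forwarded Events log with no client errors usually means the query filter or the Security log permission is the problem rather than connectivity.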

This post is written by Sandeep Renjith, Cyber Security Analyst at DTS Solution
