Source: Derek Banks, "End-Point Log Consolidation with Windows Event Forwarder", Black Hills Information Security, Inc. The author's introduction: "I want to expand on our previous blog post on consolidated endpoint event logging and use Windows Event Forwarding and live off the Microsoft land for shipping […]"
Analysis Summary
# Best Practices: Windows Event Forwarding (WEF) for Centralized Log Consolidation
## Overview
These practices detail the setup and utilization of Windows Event Forwarding (WEF) to consolidate security and operational event logs from endpoints onto a central collector server. This approach eliminates the need for endpoint agents, utilizes native Windows functionality (WinRM/WEC), and supports subsequent analysis via local tools (PowerShell) or shipping to external SIEM platforms like ELK.
## Key Recommendations
### Immediate Actions
1. **Establish Collector Server Prerequisites:** On the designated Windows Event Collector (WEC) server, immediately execute `winrm qc` to start the WinRM service and configure auto-start, and execute `wecutil qc` to configure the Windows Event Collector service and register its Service Principal Name (SPN).
2. **Initial Group Scoping:** Create an initial, small Active Directory security group containing only the target endpoints you wish to monitor initially (e.g., a test group) rather than immediately targeting "Domain Computers."
3. **Subscribe for Essential Logs:** On the WEC server, create a subscription named "Security Log Cleared" (or similar). Set the destination log to "Forwarded Events," select "Source computer initiated," and configure it to collect the **Security log** from the test computer group.
### Short-term Improvements (1-3 months)
1. **Deploy WEF Configuration via GPO:** Create a central Group Policy Object (GPO) named "Windows Event Forwarding" to enforce configuration settings across all domain members.
2. **Configure Subscription Manager Address:** Within the GPO, navigate to `Computer Configuration>Policies>Administrative Templates>Windows Components>Event Forwarding`. Enable and configure the **Configure target Subscription Manager entry** using the format: `Server=http://eventserver.domain.local:5985/wsman/SubscriptionManager/WEC,Refresh=60` (adjusting the server FQDN accordingly).
3. **Ensure WinRM Service Startup:** Configure the WinRM service (`Windows Remote Management (WS-Management)`) on all forwarding endpoints through a GPO preference item under `Computer Configuration>Preferences>Control Panel Settings>Services`, with Startup set to Automatic (Delayed Start) and Action set to Start Service.
4. **Enable Local Service Access:** Configure settings via GPO so that the local Network Service account can read the event logs on the forwarding endpoints; the WinRM service that pushes the events runs under this account, so without read access nothing is forwarded.
5. **Forward Critical Security Telemetry:** Configure specific GPOs/Subscriptions to ensure collection of high-value logs, specifically: **Authentication events, PowerShell Module Logging, PowerShell Script Block Logging, and all Sysmon Operational Logs.**
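The collector-side steps from the Immediate Actions list (WinRM, WEC, the "Security Log Cleared" subscription) and the high-value telemetry from item 5 above, as an added PowerShell example that is not code from the BHIS post. It assumes a placeholder SID for the AD group of test endpoints, creates source-initiated subscriptions with `wecutil cs`, and uses event ID 1102 ("The audit log was cleared") for the first subscription.

```powershell
# Added example, not code from the BHIS post. Run in an elevated prompt on the WEC server.
# Assumption (replace before use): the SID of the AD group that holds the test endpoints.
$ForwarderGroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder SID
# Step 1: start WinRM and configure the Windows Event Collector service (registers its SPN).
winrm qc -q
wecutil qc /q:true
# Step 2: helper that writes a source-initiated subscription into ForwardedEvents.
# The SDDL in AllowedSourceDomainComputers limits which computer accounts may push events.
function New-WefSubscription {
    param([string]$Name, [string]$Description, [string]$QueryList, [string]$GroupSid)
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>$Description</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$QueryList]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;$GroupSid)</AllowedSourceDomainComputers>
</Subscription>
"@
    $path = Join-Path $env:TEMP "$Name.xml"
    Set-Content -Path $path -Value $xml -Encoding UTF8
    wecutil cs "$path"          # create the subscription from the XML file
}
# Immediate-actions subscription: only event 1102 ("The audit log was cleared").
New-WefSubscription -Name 'Security Log Cleared' -Description 'Security log cleared on a test endpoint' `
    -GroupSid $ForwarderGroupSid -QueryList @'
<QueryList><Query Id="0"><Select Path="Security">*[System[EventID=1102]]</Select></Query></QueryList>
'@
# Short-term telemetry: logon events, PowerShell module (4103) and script block (4104) logging,
# and everything Sysmon writes to its Operational channel.
New-WefSubscription -Name 'Critical Telemetry' -Description 'Authentication, PowerShell, Sysmon' `
    -GroupSid $ForwarderGroupSid -QueryList @'
<QueryList><Query Id="0">
  <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672)]]</Select>
  <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104)]]</Select>
  <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query></QueryList>
'@
wecutil es                              # list the subscriptions just created
wecutil gr 'Security Log Cleared'       # per-source runtime status once endpoints check in
```

Endpoints only appear in `wecutil gr` output after the Subscription Manager GPO has refreshed on them, so an empty status right after creation is expected.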
### Long-term Strategy (3+ months)
1. **Integrate with SIEM:** Implement an agent like **nxlog** on the central WEC server to forward the consolidated "Forwarded Events" (and potentially other local logs) to an upstream ELK stack or other SIEM solution to leverage visualization and advanced hunting capabilities.
2. **Review SPN Conflicts:** Periodically verify or establish procedures for checking Service Principal Name (SPN) registration conflicts on the collector server using `setspn -t -q */*`, especially if reusing existing infrastructure.
3. **Implement Encryption (HTTPS):** Transition the WEF configuration from HTTP (port 5985) to **HTTPS** (port 5986) for encrypted transport if data security requirements mandate end-to-end confidentiality for forwarded traffic.
## Implementation Guidance
### For Small Organizations
* Use a dedicated, modest Windows Server for the WEC role.
* Initially point the Subscription Manager GPO entry directly to the FQDN of the single collector server.
* Start by monitoring only Security and Application logs for initial validation before expanding to verbose logs like Sysmon.
### For Medium Organizations
* Utilize domain security groups to segment endpoints (e.g., Servers, Workstations, Sensitive Assets) before creating corresponding WEF subscriptions for granular control.
* If an existing server is used for the WEC role, meticulously check for SPN conflicts that could prevent **wecutil qc** from registering the required Service Principal Name for Kerberos authentication.
### For Large Enterprises
* Plan for high log volume by sizing the WEC server appropriately based on the number of events collected, scaling resources as requirements change.
* Consider deploying redundant WEC collectors or utilizing load-balancing mechanisms for higher availability.
* Establish rigorous GPO management to ensure consistent application of WEF and auditing configurations across diverse organizational units.
## Configuration Examples
| Component | Command/Configuration Detail | Location/Guidance |
| :--- | :--- | :--- |
| **Enable WEC/WinRM on Collector** | 1. `winrm qc` 2. `wecutil qc` | Run on the WEC server, in that order. |
| **Subscription Manager (GPO)** | `Server=http://eventserver.domain.local:5985/wsman/SubscriptionManager/WEC,Refresh=60` | Configure under Event Forwarding Admin Templates. |
| **Turn on WinRM Service (GPO)** | Service action: Start Service; Service Name: WinRM; Startup: Automatic (Delayed Start) | Configure via GPO Preferences > Control Panel Settings > Services. |
| **Shipping to ELK** | Install **nxlog** on the WEC server and modify its configuration file to target the Elastic stack inputs. | Requires external configuration files referenced in source material. |
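The "Shipping to ELK" row above leaves the nxlog configuration to external files; the fragment below is an added example, not one of the Gists the post links to. It assumes nxlog Community Edition in its default install path and a Logstash `tcp` input with a `json` codec listening on `logstash.domain.local:3515` (both placeholders).

```conf
## Added example nxlog.conf for the WEC server (not from the BHIS post or its Gists).
## Assumed: default nxlog CE install path; Logstash tcp/json input on port 3515 (placeholder).
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module  xm_json
</Extension>

# Read only the consolidated channel the WEF subscriptions write to, not the
# collector's own Security/Application logs.
<Input forwarded_events>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Custom field so Logstash can route WEF data separately from other inputs.
    Exec    $Pipeline = "wef";
</Input>

# One JSON document per event over TCP to the Logstash listener.
<Output logstash>
    Module  om_tcp
    Host    logstash.domain.local
    Port    3515
    Exec    to_json();
</Output>

<Route wef_to_elk>
    Path    forwarded_events => logstash
</Route>
```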
## Compliance Alignment
* **NIST SP 800-92 (Guide to Computer Security Log Management):** Achieves centralized collection and long-term retention requirements for security monitoring.
* **CIS Benchmarks (Windows Server/Client):** Supports security hygiene by collecting native security artifacts necessary for configuration auditing and anomaly detection.
* **General SIEM Requirements:** Forms the foundation of a centralized visibility architecture suitable for meeting various regulatory logging demands.
## Common Pitfalls to Avoid
* **Ignoring SPN Issues:** Failure to ensure ONLY the WEC server has the necessary Kerberos SPN registered for the WEC service can cause authentication failures. Check with `setspn -t -q */*`.
* **Over-Scoping Initial Subscriptions:** Do not initially subscribe "All Computers" to all log types; start small to manage unexpected volume issues and configuration errors.
* **Forgetting Endpoint Prerequisites:** Neglecting to enable the WinRM service (via GPO or manually) on the *endpoints* prevents them from communicating with the collector, even if the collector is correctly configured.
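A check for the endpoint-side prerequisites named in the "Forgetting Endpoint Prerequisites" pitfall and in the GPO section (Subscription Manager entry, WinRM startup, Network Service log access), as an added PowerShell example that is not code from the BHIS post. It assumes the first Subscription Manager address is stored under the policy value named "1" and reads the endpoint's own forwarding plug-in log for recent errors.

```powershell
# Added example, not code from the BHIS post. Run elevated on a forwarding endpoint after
# gpupdate to confirm the GPO-delivered prerequisites took effect. Assumption: the first
# Subscription Manager address is stored under the policy value named "1".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$problems  = @()

# 1. Subscription Manager entry delivered by the GPO.
$entry = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).'1'
if (-not $entry) {
    $problems += 'SubscriptionManager policy value missing (GPO not applied?)'
} elseif ($entry -notmatch '^Server=https?://[^,]+/wsman/SubscriptionManager/WEC,Refresh=\d+$') {
    $problems += "Unexpected SubscriptionManager format: $entry"
} elseif ($entry -like 'Server=http:*') {
    Write-Warning 'Transport is HTTP on 5985; the long-term plan moves this to HTTPS on 5986.'
}

# 2. WinRM service running and set to start automatically (delayed start also reports Automatic).
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running')      { $problems += 'WinRM service is not running' }
if ($winrm.StartType -ne 'Automatic') { $problems += "WinRM StartType is $($winrm.StartType), not Automatic" }

# 3. NETWORK SERVICE (S-1-5-20, SDDL alias NS) must be able to read the Security log,
#    either through the Event Log Readers group or directly in the channel ACL.
$readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
$acl     = (wevtutil gl Security | Select-String '^channelAccess:').Line
if (-not ($readers.SID.Value -contains 'S-1-5-20') -and ($acl -notmatch ';;;(NS|S-1-5-20)\)')) {
    $problems += 'NETWORK SERVICE cannot read the Security log'
}

# 4. Errors the endpoint-side forwarding plug-in logged in the last hour (e.g. collector unreachable).
$fwdErrors = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'; Level = 2
    StartTime = (Get-Date).AddHours(-1) }
if ($fwdErrors) { $problems += "$(@($fwdErrors).Count) forwarding error(s), latest: $(@($fwdErrors)[0].Message)" }

if ($problems) { $problems | ForEach-Object { Write-Host "FAIL: $_" } }
else           { Write-Host 'OK: endpoint is ready to forward to the collector' }
```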
## Resources
* **Sysmon Integration:** Ensure Sysmon is deployed on endpoints to capture detailed process and network activity before forwarding its operational logs.
* **NXLog Configuration:** Refer to external configuration examples (e.g., Gist links provided in source material) for adapting nxlog to correctly format forwarded Windows events for ingestion into Logstash/Elasticsearch.