
Event Viewer / Event Forwarding / Source initiated forwarding? Let’s remove the dust …

Another underused and overlooked tool in Windows, when we are talking about having more insight into what is going on in our environment, is Event Viewer and its option to do Event Forwarding to a central server, where you can analyze the events and trigger further actions (run a script that sends an e-mail, pass the event on to some other SIEM system …).

So I decided to record a video that shows how simple it actually is to deploy so-called Source initiated event forwarding (the preferred method) to a central event collector (in my case called SRV1).

So …

First I connect to SRV1 (the future event collector), open Event Viewer and go to Subscriptions, where I need to accept that the Windows Event Collector service will be started…
Then I create a test subscription and configure it as a Source computer initiated subscription (so my client PCs and/or servers will send their event logs to SRV1, the collector). I configure the group by using the built-in group Domain Computers, so it is potentially possible to receive logs from all computers in Active Directory (as you can see in the settings, you can also distribute certificates and do the same with Workgroup machines).

Then I configure which events I want my PCs to send to the collector and how "old" these events may be (I have configured only events that happened in the last hour…).
I decided to receive only Event IDs 4720-4728 (more on these events can be read here) and the custom Event ID 5555. I configured the subscription settings to be optimized for minimal latency.

After that I fired up PowerShell to check WinRM connectivity with the cmdlet Test-WSMan, first locally and then towards one of the client machines, in my case C1, where I received an error (because on the client the WinRM service is not running, is not configured and the firewall rule for it is not enabled).
As the PowerShell window was already open I checked the channelAccess value by typing the command wevtutil gl security. This information will be needed later so that events from the Security log on the clients can be read and forwarded to SRV1 (the forwarding runs under the NETWORK SERVICE account, which has no access to the Security log by default). So I copied the string O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573) and added (A;;0x1;;;NS) at the end, so the whole string is now:
O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
Hey, what are these strange strings? They are SDDL (Security Descriptor Definition Language) strings; you can read more about them in the official Microsoft documentation here.
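As an added example (not code from the original post), the PowerShell snippet below does the same edit programmatically: it reads the current channelAccess descriptor of the Security log, appends the NETWORK SERVICE read ACE only if no NS ACE is there yet, and decodes the result so you can review what it grants before pasting it into Group Policy. Log name and ACE are the ones from the post; the script changes nothing on the machine, it only prints the string to use.

```powershell
# Added example, not part of the original post.
# Reads the Security log's channelAccess SDDL, appends a read ACE for
# NETWORK SERVICE (NS) if it is missing, and decodes the result for review.
$readAceForNetworkService = '(A;;0x1;;;NS)'   # A = allow, 0x1 = read, NS = NT AUTHORITY\NETWORK SERVICE

# Same value that "wevtutil gl Security" prints as channelAccess
$currentSddl = (Get-WinEvent -ListLog Security).SecurityDescriptor
"Current : $currentSddl"

# Do not append twice: NS may appear by alias or as its SID S-1-5-20
if ($currentSddl -match '\(A;;[^;]*;;;NS\)' -or $currentSddl -match '\(A;;[^;]*;;;S-1-5-20\)') {
    Write-Host 'NETWORK SERVICE already has an allow ACE; leaving the descriptor unchanged.'
    $newSddl = $currentSddl
} else {
    $newSddl = $currentSddl + $readAceForNetworkService
}
"New     : $newSddl"

# Decode the DACL into readable trustee/access pairs so the change can be reviewed.
# ConvertFrom-SddlString ships with Windows PowerShell 5.1 and later; it labels the
# access mask with file-system right names, so 0x1 shows up as ReadData.
try {
    (ConvertFrom-SddlString -Sddl $newSddl).DiscretionaryAcl
} catch {
    Write-Warning "Could not decode SDDL: $($_.Exception.Message)"
}

# $newSddl is the string to put into the "Configure log access" policy
# for the Security log (it can also be applied locally with wevtutil sl Security /ca:"$newSddl").
```

The check for an existing NS ACE matters if you run this on a machine where the policy has already been applied; appending the same ACE twice is harmless but makes the descriptor harder to audit.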

After that I moved to my DC and to Group Policy Management. On my Clients OU (where my PCs are located) I created a new GPO called WinRM where I configured the WinRM prerequisites. I also added the firewall rules that are needed for WinRM to work.

Afterwards I created a new GPO called Forward Events where I configured two parameters:

Configure Target Subscription Manager – the URL of our collector:

Server=http://YourServerFQDN:5985/wsman/SubscriptionManager/WEC,Refresh=10

At the end there is the Refresh parameter (in seconds), which forces the client to check for new subscriptions and to refresh the existing ones (for example when you add additional Event IDs that you want to be sent to the collector).

On the parameter:
Configure log access for the Security log I added the string (from before):
O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)

At 4:45 I made a small mistake in the video: the subscription will not work, as I forgot to configure the startup behavior of the WinRM service on our client machines, so I needed to fix that by using Group Policy Preferences, where I configured WinRM to start automatically and set its state to Running.
At 6:25 you can see that the first source connected to my subscription.
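The mistake at 4:45 is a good reason to verify all the prerequisites on a source computer in one go. The following PowerShell script is an added example (not from the original post) that checks, on a client such as C1, everything the two GPOs are supposed to deliver: the WinRM service state and start type, the local listener, the WinRM firewall rules, the Subscription Manager and Security log access values written by the policies, reachability of the collector, and the forwarder's own operational log. The collector name SRV1 is an assumption, and so are the policy registry paths (they are the ones the EventLog policy templates write; verify them in your environment).

```powershell
# Added example, not part of the original post. Run elevated on a source computer (e.g. C1).
$collector = 'SRV1'   # assumption: change to your collector's FQDN
$report = [ordered]@{}

# 1. WinRM must be running and start automatically (the step missed at 4:45)
$winrm = Get-Service -Name WinRM
$report['WinRM service'] = "$($winrm.Status), StartType=$($winrm.StartType)"

# 2. The local WS-Management listener answers
try   { Test-WSMan -ErrorAction Stop | Out-Null; $report['Local listener'] = 'OK' }
catch { $report['Local listener'] = "FAILED: $($_.Exception.Message)" }

# 3. Firewall exception for WinRM over HTTP (TCP 5985) must be enabled
$fwRules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
$report['Firewall rules'] = ($fwRules | ForEach-Object { "$($_.DisplayName)=$($_.Enabled)" }) -join '; '

# 4. GPO "Forward Events": Subscription Manager URL(s) (assumed policy path)
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $smKey) {
    $urls = (Get-ItemProperty -Path $smKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    $report['SubscriptionManager'] = $urls -join '; '
} else {
    $report['SubscriptionManager'] = 'MISSING (policy not applied yet? try gpupdate /force)'
}

# 5. GPO "Forward Events": channel access for the Security log must carry the NS ACE (assumed policy path)
$secKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
$channelAccess = (Get-ItemProperty -Path $secKey -Name ChannelAccess -ErrorAction SilentlyContinue).ChannelAccess
$report['Security ChannelAccess'] = if ($channelAccess -match ';;;NS\)') { "OK: $channelAccess" }
                                    elseif ($channelAccess) { "present but without NS ACE: $channelAccess" }
                                    else { 'MISSING' }

# 6. The collector must be reachable over WinRM from this client
try   { Test-WSMan -ComputerName $collector -ErrorAction Stop | Out-Null; $report["WinRM to $collector"] = 'OK' }
catch { $report["WinRM to $collector"] = "FAILED: $($_.Exception.Message)" }

# 7. The forwarder logs its own connection attempts and errors here
$fwdLog = Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue
$report['Forwarding log (last 5)'] = ($fwdLog |
    ForEach-Object { "$($_.TimeCreated) id=$($_.Id) $($_.LevelDisplayName)" }) -join '; '

[pscustomobject]$report | Format-List
```

If step 1 shows StartType=Manual or the service stopped, the Group Policy Preferences fix from the video has not reached the machine yet; if steps 1 to 3 are fine but step 7 shows errors, look at the Subscription Manager URL and the collector side next.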

On the collector server I ran two commands:
wecutil enum-subscription
and afterwards:
wecutil ss "Test subscription 1" /cf:Events
(the subscription name contains spaces, so it has to be quoted). This is needed for the events to have their detail text exposed on the collector server.

Afterwards I moved to C1 (the client machine), where I created a new local user (Event ID 4720). Within a couple of seconds we can see the events being shipped to our collector server SRV1, in the Forwarded Events log of its Event Viewer.

Next I joined the C2 machine to the domain to show that the event forwarding settings are applied to the machine immediately and C2 is also sending logs. On this machine I also created my own event (5555) and triggered it by using PowerShell cmdlets:

New-EventLog -LogName Application -Source "TestApp"
Write-EventLog -LogName Application -Source "TestApp" -EntryType Error -EventId 5555 -Message "Test"
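To see on the collector that the 4720 from C1 and the custom 5555 from C2 actually arrived, here is an added PowerShell example (not from the original post) for SRV1: it prints the per-source runtime status of the subscription, summarizes the subscribed Event IDs (4720-4728 and 5555) in the Forwarded Events log by source computer, and extracts the account name and creator from each 4720. The subscription name is the one used in the post; the one-hour window mirrors the subscription setting.

```powershell
# Added example, not part of the original post. Run elevated on the collector (SRV1).
$subscription = 'Test subscription 1'    # name from the post; it contains spaces, hence the quoting below

# Per-source runtime status: which sources are Active, which failed and the last error
wecutil gr "$subscription"

# The IDs the subscription asks for: account-management events 4720-4728 plus the custom 5555
$wantedIds = @(4720..4728) + 5555

function Get-ForwardedSummary {
    param([int[]]$Ids = $wantedIds, [int]$Hours = 1)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'ForwardedEvents'; Id = $Ids; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    # On the collector, MachineName is the *source* computer, so group by it and by event ID
    $events | Group-Object MachineName, Id | ForEach-Object {
        [pscustomobject]@{
            Source  = $_.Group[0].MachineName
            EventId = $_.Group[0].Id
            Count   = $_.Count
            Last    = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Sort-Object Source, EventId
}

function Get-NewAccountEvents {
    # Pull the fields an analyst wants out of 4720 (a user account was created)
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName = 'ForwardedEvents'; Id = 4720; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="..."> elements; turn it into a lookup table
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Source     = $_.MachineName
            NewAccount = $data['TargetUserName']
            CreatedBy  = $data['SubjectUserName']
            Domain     = $data['SubjectDomainName']
        }
    }
}

Get-ForwardedSummary | Format-Table -AutoSize
Get-NewAccountEvents | Format-Table -AutoSize
```

Because the subscription was switched to /cf:Events, the collector receives the raw event XML, which is why the second function reads the fields from EventData rather than from the rendered message text.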

As you can see, preparing your event collector is quite an easy thing to deploy. Enjoy!

Where to start with events?
* https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5