Remote Log Collection for Windows¶
In order for the LogSentinel Collector to gather logs from remote Windows machines, certain configurations have to be made. Below is a list of steps to perform:
- Allow the necessary network connections to the target machines (through network rules and firewall rules, if applicable)
- Go to Windows Firewall -> Inbound rules and enable the rules regarding "Remote log management”
- Create a service account and configure it in the remote collector. The other option is to have an account on the collector machine that is given the proper access, so that you can use the integrated AD authentication
- Add the account to the following domain groups: Event log readers, Distributed COM users.
- Give the "Manage auditing and security log” privilege to the service account through group policies (GPO) or via "local security policy". Find it under User Rights Assignment > Manage auditing and security log
- Give WMI access – open "wmimgmt" -> right click -> properties > Security -> Advanced and allow the service account to "Execute Methods", "Provider Write", "Enable Account", "Remote Enable". Make sure you make the change recursively, i.e. apply it to subnamespaces.
- Give registry permissions: Regedit -> Local machine -> System\CurrentControlSet\Services\eventlog\Security -> right click -> permissions and add the service account.
- Make sure you have DCOM rights. This comes automatically wit the DCOM group, but double check via DCOMCnfg -> right click -> COM security
- Grant permissions for the service account on c:\windows\system32\winevt1
- Make sure the application or service that is reading the logs remotely has sufficient permissions – it can usually run with admin privileges, because it's on a separate, dedicated machine.
- Restart services – that is optional, but can be done if things don't start working immediately: Restart "Windows Remote Management (WS-Management)" and "Windows Event Log" on the target machine.