Remote Log Collection for Windows
There are two ways to collect Windows logs remotely.
- Pull remote Windows logs (via WMI) - you have to configure the right permissions and the IP addresses or CIDR ranges of the target machines to collect events from
- Windows Event Forwarding - the native Windows mechanism for collection
Pull remote log collection
In order for the LogSentinel Collector to gather logs from remote Windows machines, certain configurations have to be made. Below is a list of steps to perform:
- Allow the necessary network connections to the target machines (through network rules and firewall rules, if applicable). In particular, allow port 135 from the collector machine to the target
- Go to Windows Firewall -> Inbound rules and enable the rules regarding "Remote log management"
- Create a service account and configure it in the remote collector. The other option is to have an account on the collector machine that is given the proper access, so that you can use the integrated AD authentication
- Add the account to the following domain groups: Event log readers, Distributed COM users. If you need to read DHCP lease information, also add it to the DHCP users group
- Give the "Manage auditing and security log" privilege to the service account through group policies (GPO) or via "local security policy". Find it under User Rights Assignment > Manage auditing and security log
- Give WMI access – open "wmimgmt" -> right click -> properties > Security -> Advanced and allow the service account to "Execute Methods", "Provider Write", "Enable Account", "Remote Enable". Make sure you make the change recursively, i.e. apply it to subnamespaces
- Give registry permissions: Regedit -> Local machine -> System\CurrentControlSet\Services\eventlog\Security -> right click -> permissions and add the service account (with read permissions)
- Make sure you have DCOM rights. This comes automatically with the DCOM group, but double-check via DCOMCnfg -> right click -> COM security
- Grant permissions for the service account on C:\Windows\System32\winevt
- Make sure the application or service that is reading the logs remotely has sufficient permissions – it can usually run with admin privileges, because it's on a separate, dedicated machine
- Restart services – that is optional, but can be done if things don't start working immediately: Restart "Windows Remote Management (WS-Management)" and "Windows Event Log" on the target machine
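The steps above can be applied to a target machine with the script below. It is an added example, not a script shipped by LogSentinel; the service account name and the collector address are placeholders, and the "Manage auditing and security log" privilege and the WMI namespace permissions are left to GPO and wmimgmt as described in the list, since they have no simple cmdlet equivalent.

```powershell
# Added example (not LogSentinel's own script): prepare a target Windows machine
# for pull-based (WMI/RPC) event log collection by a dedicated service account.
# Run elevated on the TARGET machine.
#Requires -RunAsAdministrator

$ServiceAccount = 'CORP\svc-logcollector'   # placeholder: the collector's service account
$CollectorIp    = '10.0.0.50'               # placeholder: address of the collector machine

# 1) Firewall: the built-in "Remote Event Log Management" rule group covers
#    RPC endpoint mapper (135) and the dynamic RPC ports the Event Log service uses.
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
# Scope those rules to the collector only instead of "any" remote address.
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Set-NetFirewallRule -RemoteAddress $CollectorIp

# 2) Local group membership: read event logs and use DCOM remotely.
#    (Add 'DHCP Users' here as well if DHCP lease information must be read.)
foreach ($group in 'Event Log Readers', 'Distributed COM Users') {
    $already = Get-LocalGroupMember -Group $group -Member $ServiceAccount -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group $group -Member $ServiceAccount
    }
}

# 3) Registry: read access on the Security log's service key, applied to subkeys too.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$acl  = Get-Acl -Path $regPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $ServiceAccount, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $regPath -AclObject $acl

# 4) File system: read access on the event log store under System32\winevt.
$logDir = Join-Path $env:SystemRoot 'System32\winevt'
$acl  = Get-Acl -Path $logDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceAccount, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $logDir -AclObject $acl

# 5) Optional: restart the two services named in the steps above if collection
#    does not start immediately.
# Restart-Service -Name WinRM, EventLog -Force

# 6) Verification, run on the COLLECTOR machine as the service account
#    (assumed target host name 'target01'). Both the Event Log RPC path and the
#    WMI path should return an event without an "access denied" error.
# $cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
# Get-WinEvent -ComputerName 'target01' -LogName Security -MaxEvents 1 -Credential $cred
# Get-CimInstance -ComputerName 'target01' -ClassName Win32_NTLogEvent `
#     -Filter "Logfile='Security'" | Select-Object -First 1
```

Scoping the firewall rules to the collector's address (step 1) keeps the RPC listener from being reachable from the whole network; the verification in step 6 is worth running once per target, because a missing group membership and a missing registry ACL produce the same "access denied" from the collector's point of view.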
Windows Event Forwarding
Windows Event Forwarding (WEF) is the native Windows mechanism for collecting logs. The LogSentinel Collector is installed on one machine, which subscribes to the logs of all sending machines. The LogSentinel Collector is then configured to read the locally aggregated logs.
In the LogSentinel Collector WindowsEventLog connector, specify ForwardedEvents for the
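Below is an added example of a source-initiated WEF subscription that lands events in the collector's ForwardedEvents log (the channel the connector reads). It is not LogSentinel's own configuration; the subscription id, the collector FQDN and the event selection are placeholders chosen for illustration, and the source-side registry setting is normally delivered through the "Configure target Subscription Manager" group policy rather than set by hand.

```powershell
# Added example (not LogSentinel's own configuration): a source-initiated WEF subscription.
# Part A runs elevated on the COLLECTOR machine, Part B on each SOURCE machine.
# Placeholders: subscription id 'SecurityToCollector', collector 'collector.corp.example'.

# ---- Part A: collector ----
# Enable the Windows Event Collector service and create the ForwardedEvents channel.
wecutil qc /q

$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/08/events/subscription">
  <SubscriptionId>SecurityToCollector</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security and System logs forwarded to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4689 or EventID=6416)]]</Select>
          <Select Path="System">*[System[Level<=3]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL granting the Domain Computers group the right to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'SecurityToCollector.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath                 # create the subscription
wecutil gr SecurityToCollector      # runtime status: which sources are connected

# ---- Part B: each source ----
winrm quickconfig -q                # WinRM listener used by the forwarding transport
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
Set-ItemProperty -Path $smKey -Name '1' `
    -Value 'Server=http://collector.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
gpupdate /force
# The forwarding runs as NETWORK SERVICE, which must be allowed to read the Security log.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' `
    -ErrorAction SilentlyContinue
```

Once a source shows as active in `wecutil gr`, its events appear in the collector's ForwardedEvents log and can be read there like any local channel. Compared with the pull model, no inbound RPC/WMI access to the sources is needed: the sources connect outbound to the collector over WinRM, so the collector machine holds no credentials for them.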
Configuring key additional logs
There are several Windows logs that are not turned on by default but can be of great benefit for security. We recommend turning them on on all monitored machines, regardless of whether a collector or an agent is used.
You usually need to track what processes have been launched on monitored machines. Windows security auditing lets you enable process tracking and monitor process creation and process termination. To enable process auditing you should use Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc). You should configure Security Settings -> Audit Policy -> Audit Process Tracking or use Advanced Audit Policy Configuration -> System Audit Policy -> Detailed Tracking.
USB and other plug-and-play devices
Plug-and-play device monitoring is important for preventing data leaks. You can see how to enable PNP auditing here
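As an added example covering both the process tracking section and this one (not code from the original page), the script below enables the Detailed Tracking subcategories with auditpol, switches on command-line logging for process creation events, and reads back a few of the resulting events to confirm they are being written. The "Plug and Play Events" subcategory and the resulting event 6416 exist on Windows 10 / Server 2016 and later; the same settings can of course be delivered through GPO instead of running this per machine.

```powershell
# Added example (not from the original page): turn on process tracking and
# plug-and-play auditing locally and verify the events arrive. Run elevated.
#Requires -RunAsAdministrator

# Process Creation -> event 4688, Process Termination -> 4689,
# Plug and Play Events -> 6416 (all in the Security log, "Detailed Tracking" category).
$subcategories = 'Process Creation', 'Process Termination', 'Plug and Play Events'
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable
}

# Record the full command line in 4688; without this only the image path is logged.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Show the effective policy for the whole category.
auditpol /get /category:"Detailed Tracking"

# Read back the most recent process-creation and PnP events and flatten the
# EventData fields that matter for triage.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 6416 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue

$recent | ForEach-Object {
    $evt = $_                      # keep a reference: $_ is rebound inside 'switch'
    $x = [xml]$evt.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    switch ($evt.Id) {
        4688 {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Id      = 4688
                User    = $d['SubjectUserName']
                Image   = $d['NewProcessName']
                Parent  = $d['ParentProcessName']
                CmdLine = $d['CommandLine']   # empty until the registry value above is set
            }
        }
        6416 {
            [pscustomobject]@{
                Time     = $evt.TimeCreated
                Id       = 6416
                User     = $d['SubjectUserName']
                Device   = $d['DeviceDescription']
                Class    = $d['ClassName']
                DeviceId = $d['DeviceId']
            }
        }
    }
} | Format-List
```

If `$recent` stays empty right after enabling the policy, start any program (for 4688) or plug in a USB device (for 6416) and rerun the query; an empty result with the policy reported as enabled by `auditpol /get` usually means no qualifying event has happened yet rather than a configuration problem.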