Start the WinRM service
1. Open PowerShell on the Source Machine (MSEDGEWIN10):
Command :- winrm quickconfig

NOTE(S):
• Add the Collector Machine to the Source Machine's TrustedHosts:
Command :- Set-Item wsman:\localhost\Client\TrustedHosts -Value "<Collector Machine>"
• Restart the service for the change to take effect:
Command :- Restart-Service WinRM

Check if the service is running:
Command :- winrm get winrm/config

NOTE(S):
• AllowRemoteAccess = true signifies that the service is running.
Test if the Collector Machine (BOSSMANBEN) is reachable using WinRM:
Command :- Test-WSMan WIN-BO2CT95INDP
NOTE(S):
• WinRM is enabled by default on Windows Server 2012 and up.
• This is just a measure to check if the Collector Machine is indeed reachable.

Add the Collector Machine to the Event Log Readers groups
• On the Source Machine:
i. Open the Local Users and Groups:
▪ Press Win + R then enter lusrmgr.msc
ii. Navigate to Local Users and Groups (Local) > Groups:

• Right-click Event Log Readers and select Properties

• Select Add
• Select Object Types… then check the Computers box
• Enter the object names to select – <Collector Machine>
NOTE(S):
– Select Check Names for good measure.
– Select OK when done.

Create Subscriptions using Event Viewer
On the Collector Machine (WIN-BO2CT95INDP):
• Open the Event Viewer:
      Press Win + R then enter eventvwr.msc
• On the left panel, right-click on Subscriptions then select Create Subscription
     Subscription Name —
     Description —
     Destination log —
NOTE(S):
Custom logs can be created, but Forwarded Events is selected by default.
Select Subscription type and source computers:
i. If you choose Collector initiated, select Select Computers:
a. Select Add Domain Computers…
b. Enter the object name to select – <Source Machine>
c. Select Check Names for good measure.
d. Select OK
e. Select Test for good measure.
f. Select OK

ii. If you choose Source initiated, select Select Computer Groups:
a. Select Add Domain Computers…
b. Enter the object name to select – <Source Machine>
c. Select Check Names for good measure.
d. Select OK
e. Select Test for good measure.
f. Select OK

Here we create a source-initiated subscription.

• On the Source Machine:
a. Press Win + R then enter gpedit.msc
b. Navigate to Computer Management > Administrative Templates > Windows Components > Event Forwarding
c. Right-click on Configure target Subscription Manager then select Edit
d. Choose Enabled
e. Under Options, beside SubscriptionManagers, press Show.
f. Enter Server=http://Alabs.in:5985/wsman/SubscriptionManager/WEC,Refresh=30
g. Press OK
h. Press OK

Open PowerShell or cmd then run gpupdate /force

• On the Collector Machine:
Open PowerShell or cmd then run wecutil quick-config

Select Events.
a. Logged — Any time
b. Event level — Critical, Error, Information, Warning
c. By log — Windows Logs > Security
d. Filter Event IDs — 4624,4657,4688,4698,4720,4722,4724,4732,4738,4769
e. Select OK

Select Advanced.
a. User Account —
b. Event Delivery Optimization —
c. Select OK
• Select OK

Right-click on the newly created subscription then select Runtime Status:

On the Source Machine:
• Run wevtutil: wevtutil get-log Security

Add the Network Service Account to the channelAccess field:

NOTE(S):
• WinRM runs under the Network Service account, which has no access to the Security log.
Back on the Collector Machine:
• Open the Event Viewer:
a. Press Win + R then enter eventvwr.msc
• On the left panel, go to Subscriptions then select the recently created
subscription
• On the right panel, under the subscription name, select Retry
• Right-click on the recently created subscription then select Runtime Status:

• An event with ID 100 (Name="SubscribeSuccess") will appear in Microsoft-Windows-Eventlog-ForwardingPlugin/Operational on the Source Machine
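As an added example (not part of the original guide), the following PowerShell, run as Administrator on the Source Machine, performs the channelAccess step described above and then looks for the ID 100 subscription event; $Collector is a placeholder for the Collector Machine's hostname.

```powershell
# Added example, not from the original guide. Run elevated on the Source Machine.
# Assumption: $Collector is a placeholder for the WEC server's hostname.
$Collector = '<Collector Machine>'

# 1. WinRM must be running and the collector must be in TrustedHosts
#    (the guide's winrm quickconfig / Set-Item steps).
$winrm = Get-Service WinRM
if ($winrm.Status -ne 'Running') { throw 'WinRM is not running; run winrm quickconfig' }
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -ne '*' -and $trusted -notmatch [regex]::Escape($Collector)) {
    Write-Warning "Collector '$Collector' is not in TrustedHosts ($trusted)"
}

# 2. The Security log's channelAccess SDDL must grant read (0x1) to Network Service (NS).
#    WinRM runs as Network Service, so without this ACE nothing can be forwarded.
$caLine = wevtutil get-log Security | Where-Object { $_ -match '^channelAccess:' } | Select-Object -First 1
$sddl   = ($caLine -split ':\s*', 2)[1]
$nsAce  = '(A;;0x1;;;NS)'
if ($sddl -notlike "*$nsAce*") {
    Write-Host 'Adding Network Service read ACE to the Security log channelAccess'
    # Append the ACE to the existing SDDL rather than replacing the whole descriptor.
    wevtutil set-log Security "/ca:$sddl$nsAce"
} else {
    Write-Host 'Network Service already has read access to the Security log'
}

# 3. Confirm the forwarding plugin logged a successful subscription (Event ID 100).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
    Id      = 100
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Step 3 only shows results after the collector has been refreshed (Retry in Event Viewer) or the Refresh interval from the GPO has elapsed.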


Happy Splunking 😉