Overview
Monitoring and collecting event data from Active Directory computers is essential for security analysis and system administration.
In this blog, we’ll walk you through the complete process of setting up Windows Remote Management (WinRM) for centralized event collection across your AD environment. We’ll cover everything from initial WinRM configuration, permission setup, creating event subscriptions, to filtering and troubleshooting event collection.
Follow the step-by-step instructions below to implement a robust event forwarding system.
Start the WinRM service
1. Open PowerShell on the Source Machine (MSEDGEWIN10):
Command :- winrm quickconfig
1. Open PowerShell on the Source Machine (MSEDGEWIN10):
Command :- winrm quickconfig
NOTE(S): • Add the Collector Machine to the Source Machine’s trustedhosts: Command: –
Set-Item wsman:localhost/client/trustedhosts
– Restart the service for changes to take effect: Command: –
Restart-Service WinRM
Set-Item wsman:localhost/client/trustedhosts
– Restart the service for changes to take effect: Command: –
Restart-Service WinRM
Check if the service is running:
Command :- winrm get winrm/config
Command :- winrm get winrm/config
NOTE(S):
• AllowRemoteAccess = true signifies that the service is running.
Test if the Collector Machine (BOSSMANBEN) is reachable using WinRM:
Command :- Test-WSMan WIN-BO2CT95INDP
NOTE(S):
• WinRM is enabled by default on Windows Server 2012 and up.
• This is just a measure to check if the Collector Machine is indeed reachable.
• AllowRemoteAccess = true signifies that the service is running.
Test if the Collector Machine (BOSSMANBEN) is reachable using WinRM:
Command :- Test-WSMan WIN-BO2CT95INDP
NOTE(S):
• WinRM is enabled by default on Windows Server 2012 and up.
• This is just a measure to check if the Collector Machine is indeed reachable.
Add the Collector Machine to the Event Log Readers groups
• In the Source Machine :
i. Open the Local Users and Groups:
▪ Press Win + R then enter lusrmgr.msc
ii. Navigate to Local Users and Groups (Local) > Groups:
• In the Source Machine :
i. Open the Local Users and Groups:
▪ Press Win + R then enter lusrmgr.msc
ii. Navigate to Local Users and Groups (Local) > Groups:
• Right-click Event Log Readers and select Properties
• Select Add
• Select Object Types… then check the box, Computers
• Enter the object names to select – <Collector Machine>
NOTE(S):
– Select Check Names for good measure.
– Select OK when done.
• Select Object Types… then check the box, Computers
• Enter the object names to select – <Collector Machine>
NOTE(S):
– Select Check Names for good measure.
– Select OK when done.
Create Subscriptions using Event Viewer
In the Collector Machine (WIN-BO2CT95INDP):
• Open the Event Viewer:
Press Win + R then enter gpedit eventvwr.msc
• On the left panel, right-click on Subscriptions then select Create Subscription
Subscription Name —
Description —
Destination log —
NOTE(S):
Custom logs could be created but Forwarded Events is selected by default.
Click here to create custom logs.
Select Subscription type and source computers:
i. If you choose Collector initiated then select Select Computers.
. Select Add Domain Computers…
a. Enter the object name to select – source machine
b. Select Check Names for good measure.
c. Select OK
d. Select Test for good measure.
e. Select OK
In the Collector Machine (WIN-BO2CT95INDP):
• Open the Event Viewer:
Press Win + R then enter gpedit eventvwr.msc
• On the left panel, right-click on Subscriptions then select Create Subscription
Subscription Name —
Description —
Destination log —
NOTE(S):
Custom logs could be created but Forwarded Events is selected by default.
Click here to create custom logs.
Select Subscription type and source computers:
i. If you choose Collector initiated then select Select Computers.
. Select Add Domain Computers…
a. Enter the object name to select – source machine
b. Select Check Names for good measure.
c. Select OK
d. Select Test for good measure.
e. Select OK
ii. If you choose Source initiated then select Select Computer Groups.
. Select Add Domain Computers…
a. Enter the object name to select – source macine
b. Select Check Names for good measure.
c. Select OK
d. Select Test for good measure.
e. Select OK
Here we create source subscription.
• On the Source Machine :
a. Press Win + R then enter gpedit.msc
b. Navigate to Computer Management > Administrative
Templates > Windows Components > Event Forwarding
c. Right-click on Configure target Subscription Manager then select Edit
d. Choose Enabled
e. Under Options, beside SubscriptionManagers, press Show.
a. Press Win + R then enter gpedit.msc
b. Navigate to Computer Management > Administrative
Templates > Windows Components > Event Forwarding
c. Right-click on Configure target Subscription Manager then select Edit
d. Choose Enabled
e. Under Options, beside SubscriptionManagers, press Show.
Enter
Server=http://Alabs.in:5985/wsman/SubscriptionManager/WEC,Refresh=30
Press OK
Press OK
Server=http://Alabs.in:5985/wsman/SubscriptionManager/WEC,Refresh=30
Press OK
Press OK
Open PowerShell or cmd the run gpupdate /force
• On the Collector Machine:
Open PowerShell or cmd then run wecutil quick-config
Open PowerShell or cmd then run wecutil quick-config
• Select Events.
a. Logged — “Any time”
b. Event level — Critical, Error, Information, Warning
c. Choose By log — Windows -> Security
d. Filter Event IDs —
4624,4657,4688,4698,4720,4722,4724,4732,4738,4769
e. Select OK
a. Logged — “Any time”
b. Event level — Critical, Error, Information, Warning
c. Choose By log — Windows -> Security
d. Filter Event IDs —
4624,4657,4688,4698,4720,4722,4724,4732,4738,4769
e. Select OK
• Select Advanced.
a. User Account —
b. Event Delivery Optimization —
c. Select OK
• Select OK
a. User Account —
b. Event Delivery Optimization —
c. Select OK
• Select OK
Right-click on the newly created subscription then select Runtime Status:
In the Source Machine :
• Run wevtutil: wevtutil get-log Security
• Run wevtutil: wevtutil get-log Security
Add the Network Service Account to the channelAccess field:
NOTE(S):
• WinRM runs under the Network Service Account which had no access to
the Security Logs
Going back to the Collector Machine :
• Go to the Event Viewer:
a. Press Win + R then enter gpedit eventvwr.msc
• On the left panel, go to Subscriptions then select the recently created
subscription
• On the right panel, under the subscription name, select Retry
• Right-click on the recently created subscription then select Runtime Status:
• WinRM runs under the Network Service Account which had no access to
the Security Logs
Going back to the Collector Machine :
• Go to the Event Viewer:
a. Press Win + R then enter gpedit eventvwr.msc
• On the left panel, go to Subscriptions then select the recently created
subscription
• On the right panel, under the subscription name, select Retry
• Right-click on the recently created subscription then select Runtime Status:
• An Event with ID 100 (Name=”SubscribeSuccess”) will appear on Microsoft
Windows-Event-ForwardPlugin/Operational in the Source Machine
Windows-Event-ForwardPlugin/Operational in the Source Machine
If you are still facing an issue, feel free to Ask Doubts in the Comment Section Below and Don’t Forget to Follow us on 👍 Social Networks.
| Happy Splunking 😉
