I'm setting up Windows Event Forwarding (WEF) using a source-initiated subscription type. In that source-initiated subscription's "Select Computer Groups" area, I've successfully tested entering an individual PC. Additionally, if I enter Domain Computers in that filter, it works as well. Based on several guides I've read, it seems entirely possible to use an Active Directory security group that includes PCs. I added my test security group to that subscription's "Select Computer Groups" area, but it doesn't seem to work. The source computers counter never goes above 0 unless I go back to using the PC's name or Domain Computers in my selection.

"Why don't you just use Domain Computers?" I assumed that would hurt performance and/or clog the logs with PCs that I'm not deploying my WEF GPO (collector is at xyz address) to.

Any ideas?

https://support.logbinder.com/SuperchargerKB/50149/Controlling-Which-Computers-Subscribe-to-a-WEC-Subscription
https://securityanalyststuff.wordpress.com/2019/03/31/windows-event-forwarding-notes/

WindowsR1
  • Can you confirm that you added computers to a security group, then configured this security group in the subscription (on the collector), and deployed the GPO to configure Event Forwarding on those computers? If yes, can you add the output of this command (on your collector): `wecutil gs ` (if you don't know the subscription name you can find it with `wecutil es`)? Can you show the Group Policy too? – Swisstone May 12 '20 at 18:08
  • I can confirm that the security group created contains the server I'm testing with and that the same group is added in Source computer initiated - Select Computer Groups - Add Domain Computers: (domain\[group name]). Additionally, the GPO that enables my WEF testing (sets the collector address and permission to read logs) is linked to the OU where this test machine resides. If I remove that AD security group from the selected machines and instead directly add the server I'm testing with, WEF works, so it doesn't seem like a GPO issue. Edit: wecutil output too long to post. – WindowsR1 May 12 '20 at 20:35
  • Subscription Id: 4720 - Security - A user account was created SubscriptionType: SourceInitiated Enabled: true Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog ConfigurationMode: Normal DeliveryMode: Push DeliveryMaxLatencyTime: 900000 HeartbeatInterval: 900000 Query: ReadExistingEvents: false TransportName: HTTP LogFile: ForwardedEvents PublisherName: Microsoft-Windows-EventCollector – WindowsR1 May 12 '20 at 20:37
  • AllowedIssuerCAList: AllowedSubjectList: DeniedSubjectList: AllowedSourceDomainComputers: O:NSG:BAD:P(A;;GA;;;S-1-5-21-62464494-1868367560-1539857752-1070632)S: @Swisstone – WindowsR1 May 12 '20 at 20:38
  • You can edit your question to add the requested details instead of adding them in the comment – Swisstone May 13 '20 at 05:00

1 Answer

Don't forget that you need to restart the target computer after adding it to the security group, because Windows will not refresh its group membership automatically. That may be your issue if everything else is OK.

You can check the following log in the event viewer on the source computer:

Applications and Services Logs > Microsoft > Windows > Eventlog-ForwardingPlugin > Operational
Swisstone
  • Whelp, this is embarrassing. That was it! I was certain I had rebooted the targeted computers given everything else I had done, but rebooted just in case this morning as per your message, which worked... – WindowsR1 May 13 '20 at 14:33
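An added PowerShell check, not code from the question or the answer, that ties the three things discussed in this thread together: the SDDL the collector reports in `wecutil gs`, the source computer's group membership in AD, and the Eventlog-ForwardingPlugin Operational log the answer points to. It assumes it runs on the collector with the RSAT ActiveDirectory module installed and that remote event log access to the source is allowed; the subscription and computer names are placeholders.

```powershell
# Added example, not code from the question or the answer. Run on the
# collector as an admin with the RSAT ActiveDirectory module installed.
# SubscriptionName and SourceComputer are placeholders for your own values.
param(
    [string]$SubscriptionName = 'SUBSCRIPTION-NAME-PLACEHOLDER',
    [string]$SourceComputer   = 'SOURCE-PC-PLACEHOLDER'
)

# 1. Pull the AllowedSourceDomainComputers SDDL out of the subscription. This
#    is the access check the collector applies to the machine account that
#    each source computer presents when it connects.
$sddl = wecutil gs $SubscriptionName |
    Select-String -Pattern '^\s*AllowedSourceDomainComputers:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Select-Object -First 1
if (-not $sddl) { throw "No AllowedSourceDomainComputers value found for '$SubscriptionName'." }

# 2. Resolve each allowed SID to a name, so you can confirm the collector really
#    trusts the group you added and not a leftover computer or Domain Computers.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
$allowedNames = @()
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
    try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $ace.SecurityIdentifier.Value }   # unresolvable SID: keep it raw
    Write-Host "Allowed: $name ($($ace.SecurityIdentifier.Value))"
    $allowedNames += $name
}

# 3. Check the source computer's direct group membership in AD. A match here
#    only proves the directory is right; the machine's own token still carries
#    the old group list until the computer reboots, which is what the answer fixes.
$memberOf = (Get-ADComputer -Identity $SourceComputer -Properties MemberOf).MemberOf
foreach ($name in $allowedNames) {
    $sam = ($name -split '\\')[-1]
    $grp = Get-ADGroup -Filter "SamAccountName -eq '$sam'"
    if ($grp -and $memberOf -contains $grp.DistinguishedName) {
        Write-Host "$SourceComputer is a direct member of $name in AD."
    }
}

# 4. Read the source computer's forwarding log remotely (assumes the remote
#    event log firewall rules are open). This is the channel behind
#    Applications and Services Logs > Microsoft > Windows > Eventlog-ForwardingPlugin > Operational.
Get-WinEvent -ComputerName $SourceComputer -MaxEvents 10 `
    -LogName 'Microsoft-Windows-Forwarding/Operational' |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

If step 2 lists your group and step 3 confirms membership but the source still does not appear in the collector's count, a pending reboot of the source (stale machine token) is the first thing to rule out, and step 4 shows what the forwarding plugin reports after it comes back.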