1

I built a Windows Event Collector for the first time in our domain. The Collector server is Windows Server 2022. All the systems forwarding to it are Server 2019. The subscription is specifically for AppLocker logs (I plan to expand this in the future, but this is where I started). The collection is source initiated. I have 11 systems showing up in the source computers under the subscriptions, and confirm 11 systems when I run "wecutil gr <subscription_name>". I have two computers that are not that I feel should be. On server1, I log in and in the Eventlog-ForwardingPlugin log, it shows event 104 - The forwarder has successfully connected... But server1 isn't listed in the wecutil output. Server1 does have recent AppLocker events that should be forwarding. There are no recent errors in the Windows Remote Management log on Server1 either. Not sure why it isn't listed.

The second server is the server running WEC. I want it to also put its AppLocker logs in the forwarded events (so I can query all AppLocker events in one place). In this server's Eventlog-ForwardingPlugin log, it shows event 105 with error code 2150859027. Searching this shows a change to make to the WSMAN URL ACL, which I've done twice. And I don't think all the other systems would connect normally if that was a problem still.

Any help is greatly appreciated.

user3271408
  • 175
  • 1
  • 5
  • 17

1 Answers1

0

You're going to want to verify in the Eventlog-forwardingPlugin/Operational log of the WEF client you see an event indicating the client created the subscription successfully (Event ID 100), and no further Event ID 103 unsubscribe events. If the Event Forwarding target subscription manager was deployed with Group Policy, then running gpupdate /force on the WEF client will cause the system to re-evaluate the event subscriptions and you should see new events appear in the Eventlog-forwardingPlugin/Operational log. This is handy for verifying changes you made without waiting for the normal check-in cycle to initiate.

You'll also want to confirm the NETWORK SERVICE account is in the local Event Log Readers group of the client. It is preferred to deploy this using a Group Policy Preference to your WEF clients. For Domain Controllers, the NETWORK SERVICE account would need to be added to the "Builtin/Event Log Readers" domain group. This is the account used to read and send events to the Windows Event Collector server. Another troubleshooting step is to use the wevtutil.exe utility to confirm the Network Service account has channel access to your logs you intend to collect (ex. wevtutil get-log security).

The client will connect to the WEC server and then apply any subscriptions you have given it access to. Verify the subscription permissions include this client or a group the client is a member of. If the client was recently added to this group, then reboot it to refresh its Kerberos token. I have seen clients fail to stay subscribed in some cases, and they would immediately unsubscribe for no apparent reason. Deleting the clients bookmark registry key on the WEC server resolved this. The key can be found at "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions<subscription name>\EventSources" on the WEC server.

This page covers the entire process for setting up event forwarding and provides more information you'll be able to use when taking Event Forwarding to the next level:

https://learn.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

Here is another good resource with step-by-step instructions for setting up a source computer initiated subscription.

https://adamtheautomator.com/windows-event-collector/

Regarding your seconds issue of the WEC server not forwarding events for itself, there is an open issue on this posted to the palantir GitHub repository:

https://github.com/palantir/windows-event-forwarding/issues/37

twconnell
  • 902
  • 5
  • 13
  • Thank you for the response. I'll look into this more as soon as I can. – user3271408 Jul 14 '23 at 20:10
  • Were you able to resolve your event forwarding issue? – twconnell Jul 28 '23 at 13:38
  • I haven't gone back to it. Work changes priorities like some people change clothes :) – user3271408 Jul 29 '23 at 15:20
  • On the WEC system, I do not have an Event 100 entries in Eventlog-ForwardingPlugin/Operational. I have many Event IDs 105 and 106. I also did not have NETWORK SERVICE account in the "Event Log Readers", so I added that via GPO, do a gpupdate /force and rebooted and still have that same situation. Using wevtutil get-log to check the permissions on the AppLocker event log, I do not have Network Service account there, but it is also missing on a system that is successfully sending its logs. – user3271408 Jul 31 '23 at 16:31
  • For Server1 in my original post, that has fixed. It still shows EventID 100 and 104 in Eventlog-ForwardingPlugin log. The system is now listed when I use "wecutil gr " on the WEC. I also took your suggestion of deleting the registry entry for this one system, so maybe that's what fixed it. – user3271408 Jul 31 '23 at 16:34
  • You need to update the log SDDL permissions to give NETWORK SERVICE access. Or make sure it is nested in the local event log readers group and confirm that group has access. Unfortunately the SDDL permissions are not very user friendly, but I have faith in your abilities here ;) – twconnell Aug 01 '23 at 06:33