In this document, you'll learn how to collect the logs of all clients on a single host; and transfer the logs from this host to Logsign with Nxlog Agent. This event is called Windows Event Collector (WEC) or Windows Event Forwarder (WEF).
WEC and WEF are different methods. The mentality is the same; the structural function is different. In the WEF transaction, the client sends all logs to Logsign SIEM. On the other hand, in WEC operation, the host you choose as the Collector reaches the clients, collects the logs, and pulls them on itself.
You'll work on with WEF method in this document.
Why did you choose the WEF method in this operation?
With WEF, you can make clients group members in companies with many clients, add a single group, and provide log integration.
It is added as computer only in the WEC process, so it is necessary to add the clients one by one.
The basic structure of WEF and WEC is on the winrm service. The following steps describe the necessary permissions and activation processes for this service.
The following steps describe the WEF process.
1- Set the host where the logs will be collected. For example, the dc server is defined as the Collector here. It's also possible to define the permissions of a client as the Collector host.
Create a gpo under the OU where my dc server is the collector.
2- Activate the HTTP listening feature of our server.
Note: Available if required certificates for HTTPS are generated.
3- Define the required permissions to the group.
The user does not have to be an admin. Network Service is the account used by the winrm protocol; it is essential to add it. When the processes are finished, you can close this window with OK.
4- With this process, you make the necessary configuration for the automatic start of the winrm service of our Collector host.
5- Define the necessary Windows firewall permissions.
6- The following steps are for client permissions and configuration.
Create a gpo in the OU where the clients are located.
7- Open the audits on the clients, but you don't need to open all audits in this section. In this example, open all audits to overload the clients.
8- Give the same group permissions.
9- Set the winrm service.
10- Set the collector host for clients.
In this section, you'll learn the name of the collector host via PowerShell with the “hostname” command; then, you'll define our fqdn address with “hostname + domain name.” For example, the name of the collector host is “AnkaraLogsignDC.” The domain address is “logsign.net.” You can change the fqdn address in this section. 5985 is an HTTP port. Refresh time also refreshes the time interval; load will be equivalent to this time.
That's it for client permissions.
- Collector Host.
1- Open the Event Viewer. You'll make the subscription definition.
In this section, choose Source Computer Initiated for WEF operation. Note: Collector is an initiated WEC operation. You've defined these permissions above.
2- Add the group where the clients are located.
Clientgrp is a group that client nodes are members of; the image below is an example of this.
3- Choose the event types we will receive from the clients. In this example, the only security is taken; you can get system, application, and set up if you wish. Attention: you should not select logs other than these without opening their permissions. Otherwise, no logs will come, and you'll receive a code 13 error.
Click the Select Event button.
4- In this section, you'll specify the standard for obtaining logs. We apply the following configuration to get the disruption rate at the minimum level.
Click the Advance button.
That's it for the definitions. The following process is to open PowerShell with admin authority and do " gpupdate /force. " Then we get confirmation by entering gpu management and saying gpu update.
In the Subscriptions section of the Event Viewer, the Source will appear as '0'. This number will increase when subscriber clients reach the collector host.
Since the GPO permissions are at the computer level, the clients need to be rebooted. When clients reboot, the number will increase in the section open as a subscriber. Check the clients participating in the web as follows.
It may take some time for the logs to arrive in the Forwarded Events section.
You should note that the clients will not be seen in the source section before the reboot process. Clients are receiving GPO join Wef. A change on the subscriber (except Select Event) requires a reboot to the clients to be implemented.
In case of a problem on the subscriber, it is seen as a log under Microsoft – Event forwarding plugin – operation under Event Viewer. (must be checked on collector or client-side)
Then, nxlog settings must be defined by the Event Viewer.
Finally, integrate Wef Server in Logsign SIEM.