Collecting from Windows

The following inputs obtain Windows Events using different strategies:

input:WEC

Strategy: Agent-less Windows Event Collector server that expects Windows machines to connect to it via Windows Event Forwarding

Serves a Windows Event Collector (WEC) server for use in the Windows Event Forwarding configuration of Windows Server machines.

Configuration options to set up the server include:

listen:  # Where to expose the server (format <ADDRESS> <PORT> ssl, e.g. 0.0.0.0 8081 ssl)
queries:  # The Windows Event queries separated by new lines, which determine which Windows Events should be loaded in subscriptions
last_value_storage:  # Persistent storage for the current last value (use a different file for every input)
read_existing_events:  # (optional) Tells Windows machines whether they should send existing events (true/false, default: true)
connection_retries:  # (optional) How many retries in a row are acceptable from Windows machines (default: 60)
connection_retries_wait:  # (optional) How long in seconds to wait before a connection retry (default: 10.0)
heartbeat:  # (optional) How often in seconds the heartbeat should be sent on subscriptions (default: 60)
backlog:  # (optional) The number of pending connections the queue will hold (default: 128)
servertokens:  # (optional) Controls whether the 'Server' response header field is included ('full') or faked ('prod') (default: full)
cors: # (optional) Specify CORS attributes (default: none)
output:  # Which output to send the incoming events to

The queries setting with Windows Event queries may look as follows:

  queries: | # Specify WEC queries in format <QUERY_PATH> <QUERY_TEXT>, one per line
    System *[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
    Security *[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]

The following configuration options specify the secure (HTTPS) connection:

cert:  # Specify path to the certificate
key:  # Specify path to the private key
issuer_thumbprints:  # Specify issuer (CA) certificate SHA-1 thumbprints separated by spaces (e.g. d6986fef2104f21ab0c7ccb279217abe29c0808a)
password:  # (optional) Specify key file password (default: none)
cafile:  # (optional) Specify file to verify the peer (default: none)
capath:  # (optional) Specify path to verify the peer (default: none)
ciphers:  # (optional) Specify custom SSL ciphers (default: none)
dh_params:  # (optional) Diffie–Hellman (D-H) key exchange (TLS) parameters (default: none)
verify_mode:  # (optional) Empty or one of CERT_NONE, CERT_OPTIONAL or CERT_REQUIRED, for more information, see: https://github.com/TeskaLabs/asab/blob/master/asab/net/tls.py

Generating the certificates using a certificate authority

Using XCA

Generating a certificate authority issuer certificate together with a client certificate (also to be imported on the source Windows machine) and a server certificate (to be used by the WEC server).

1.) Enter a password

2.) Create a certificate with the CA key template; name your organization

3.) Create a certificate with the TLS_server template issued by the CA above; as Common Name, use the server address or hostname

4.) Create a certificate with the TLS_client template issued by the CA above

5.) Export the CA certificate as PEM, import it on the Windows machine and use its fingerprint both in the WEF setting and in the WEC server configuration

The fingerprint is SHA-1.

6.) Export the TLS server certificate as PEM and use it in the WEC server

7.) Export the TLS server private key as PEM and use it in the WEC server

8.) Export the TLS client certificate as P12 and import it on the Windows machine
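The same CA thumbprint has to be entered twice: in the WEC server's issuer_thumbprints setting and in the Windows Event Forwarding IssuerCA value, and Windows shows it in upper case with spaces (sometimes with an invisible character in front when copied from the certificate dialog). The following helper, an added example that is not part of the collector, computes the SHA-1 thumbprint directly from the exported CA PEM file and normalizes whatever was pasted so the two can be compared. It assumes a PEM file as exported in step 5; the embedded certificate bytes are constructed stand-ins so the code runs offline.

```python
"""Check that the SHA-1 thumbprint configured as issuer_thumbprints (WEC server)
and IssuerCA (Windows Event Forwarding policy) belongs to the exported CA
certificate.  Added example, not the collector's own code."""
import base64
import hashlib
import re
import ssl


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 digest, the form in which Windows and the WEC server show thumbprints."""
    return hashlib.sha1(data).hexdigest()


def pem_thumbprint_sha1(pem: str) -> str:
    """SHA-1 thumbprint of a PEM certificate.  The thumbprint is the digest of the
    DER bytes, i.e. of the decoded base64 body between the CERTIFICATE markers."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return sha1_hex(der)


_HEX_DIGIT = re.compile(r"[0-9a-f]")


def normalize_thumbprint(value: str) -> str:
    """Reduce a thumbprint as pasted from the Windows certificate dialog (upper case,
    space- or colon-separated, possibly a hidden leading character) to 40 lower-case
    hex digits.  Anything else is rejected instead of silently truncated."""
    digits = "".join(_HEX_DIGIT.findall(value.lower()))
    if len(digits) != 40:
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return digits


def parse_issuer_thumbprints(setting: str) -> list:
    """issuer_thumbprints holds one or more thumbprints separated by spaces."""
    return [normalize_thumbprint(part) for part in setting.split()]


def find_unlisted_cas(ca_pems: list, setting: str) -> list:
    """Thumbprints of CA certificates that the issuer_thumbprints setting does not
    list.  A non-empty result means clients issued by that CA will be rejected."""
    listed = set(parse_issuer_thumbprints(setting))
    return [tp for tp in map(pem_thumbprint_sha1, ca_pems) if tp not in listed]


# Constructed sample: these bytes stand in for a DER-encoded CA certificate.
# ssl.PEM_cert_to_DER_cert() only strips the markers and base64-decodes, so the
# digest is computed exactly as it would be for a real exported certificate.
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded CA certificate"
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    tp = pem_thumbprint_sha1(SAMPLE_CA_PEM)
    print("CA thumbprint:", tp)
    print("unlisted CAs:", find_unlisted_cas([SAMPLE_CA_PEM], tp.upper()))
```

To check a real deployment, read the exported CA PEM file into pem_thumbprint_sha1() and compare the result with normalize_thumbprint() applied to the IssuerCA value from the group policy; a mismatch means the Windows machine will never trust the subscription manager.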

Windows Event Forwarding setting

The Windows Event Forwarding setting is done on the source computer you want to obtain Windows Events from.

On the Windows machine, make sure that WinRM is enabled, that the firewall does not block the network connection and that the WEC server hostname is trusted. To enable WinRM, run the following command as administrator:

winrm qc -q

The WEC server needs to be added to Trusted Hosts, so that WinRM allows WEC to communicate:

winrm set winrm/config/client '@{TrustedHosts="<SERVER_HOSTNAME>"}'

When the setting is ready, configure the Windows Event Forwarding:

1.) Open Local Group Policy Editor (Win+R and type: gpedit.msc)

2.) Go to: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Event Forwarding

3.) Configure Target Subscription Manager policy

4.) Enter a new record: Server=https://<YOUR_SERVER_HOSTNAME>:5986/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>,IssuerCA=<Thumbprint of the issuing CA certificate, e.g. d6986fef2104f21ab0c7ccb279217abe29c0808a>

5.) Save

For more information, see: https://docs.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription

Test

Use the following command to emulate the creation of a Windows Event at the source machine:

eventcreate /Id 500 /D "windows auto update failed. Could not download the install files" /T ERROR /L System

input:WinRM

Strategy: Agent-less remote connection to the desired Windows machine, where the collection command is run as a separate process and its standard output is collected

The WinRM input connects to a remote Windows Server machine, where it calls a specified command. It then periodically checks for new output on stdout and stderr, so it behaves in a similar manner to input:SubProcess.

The following configuration options specify the connection:

endpoint:   # Endpoint URL of the Windows Management API of the remote Windows machine (e.g. http://MyMachine:5985/wsman)
transport: ntlm  # Authentication type
server_cert_validation:  # Specify the certificate validation (default: ignore)
cert_pem:  # (optional) Specify path to the certificate (if using HTTPS)
cert_key_pem:  # (optional) Specify path to the private key
username:  # (optional) When using username authentication (like over ntlm), specify username in format <DOMAIN>\<USER>
password:  # Password of the authenticated user above
output:  # Which output to send the incoming events to

The following configuration options specify the command that should be called remotely:

# Read 1000 system logs once per 2 seconds
command:  # Specify the command that should be called remotely (e.g. wevtutil qe system /c:1000 /rd:true)
chilldown_period:  # How many seconds to wait before calling the remote command again after it has ended (default: 5)
duplicity_check:  # Specify whether to check for duplicates based on time (true/false)
duplicity_reverse_order:  # Specify whether the output is in reverse order for the duplicate check (e.g. logs come in descending order)
last_value_storage:  # Persistent storage for the current last value used in the duplicate check (use a different file for every input)
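Because the remote command is re-run every chilldown_period seconds and `wevtutil qe ... /rd:true` returns the newest 1000 events each time, most of the output repeats between runs. The time-based duplicate check described above can be implemented as follows; this is an added example, not the collector's implementation. It assumes the one-event-per-line XML shape that `wevtutil qe` prints, keeps the newest seen TimeCreated value in a JSON last_value_storage file, and in reverse (descending) order stops at the first already-seen event instead of scanning the whole output. The sample event lines are constructed.

```python
"""Time-based duplicate filtering for repeated `wevtutil qe` runs over WinRM,
with the last seen timestamp persisted in a last_value_storage file.
Added example, not the collector's own code."""
import json
import os
import tempfile
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def constructed_event_line(system_time, record_id, event_id=500):
    """One event line in the shape `wevtutil qe` prints (constructed sample data)."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='EventCreate'/>"
        f"<EventID Qualifiers='0'>{event_id}</EventID>"
        f"<TimeCreated SystemTime='{system_time}'/>"
        f"<EventRecordID>{record_id}</EventRecordID>"
        "<Channel>System</Channel></System>"
        "<EventData><Data>windows auto update failed. Could not download the install files</Data></EventData>"
        "</Event>"
    )


# Constructed output of `wevtutil qe system /c:1000 /rd:true`: newest event first.
SAMPLE_OUTPUT = "\n".join([
    constructed_event_line("2021-03-01T10:00:03.0000000Z", 4713),
    constructed_event_line("2021-03-01T10:00:02.0000000Z", 4712),
    constructed_event_line("2021-03-01T10:00:01.0000000Z", 4711),
])
NEWER_EVENT = constructed_event_line("2021-03-01T10:00:09.0000000Z", 4714)


def parse_event(line):
    """Extract the fields the duplicate check needs from one XML event line.
    SystemTime is kept as the original string: wevtutil always prints it as a
    fixed-width UTC ISO 8601 value, so string comparison is chronological."""
    system = ET.fromstring(line).find(EVENT_NS + "System")
    return {
        "time": system.find(EVENT_NS + "TimeCreated").get("SystemTime"),
        "record_id": int(system.find(EVENT_NS + "EventRecordID").text),
        "xml": line,
    }


def load_last_value(path):
    if not os.path.exists(path):
        return ""
    with open(path) as f:
        return json.load(f).get("last_time", "")


def save_last_value(path, last_time):
    # Write-then-rename so a crash mid-write cannot leave a truncated file.
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"last_time": last_time}, f)
    os.replace(tmp, path)


def filter_new_events(lines, last_time, reverse_order):
    """Keep only events newer than last_time.  Events that share the stored
    timestamp exactly are dropped too: a time-based check cannot tell them apart.
    Returns (new_events, newest_time)."""
    new = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_event(line)
        if event["time"] <= last_time:
            if reverse_order:
                break  # descending order: every following event is older still
            continue
        new.append(event)
    if not new:
        return [], last_time
    newest = new[0]["time"] if reverse_order else new[-1]["time"]
    return new, newest


def collect_once(output_text, storage_path, reverse_order=True):
    """One cycle: filter the command output and persist the new last value."""
    last = load_last_value(storage_path)
    new, newest = filter_new_events(output_text.splitlines(), last, reverse_order)
    if newest != last:
        save_last_value(storage_path, newest)
    return new


def run_demo():
    """Three cycles against a fresh storage file; returns what each one yielded."""
    with tempfile.TemporaryDirectory() as d:
        storage = os.path.join(d, "winrm_system_last_value.json")
        first = collect_once(SAMPLE_OUTPUT, storage)              # everything is new
        second = collect_once(SAMPLE_OUTPUT, storage)             # same output: nothing new
        third = collect_once(NEWER_EVENT + "\n" + SAMPLE_OUTPUT, storage)  # one fresh event
        return [e["record_id"] for e in first], len(second), [e["record_id"] for e in third]


if __name__ == "__main__":
    print(run_demo())
```

With duplicity_reverse_order unset the same function scans ascending output and takes the last event as the new last value; either way the storage file must be distinct per input, otherwise two inputs would overwrite each other's last value and either drop or repeat events.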

input:WinEvent

Strategy: Runs as an agent on a desired Windows machine and sends Windows Events to a desired output, which may be another LogMan.io Collector instance running on Linux

Note: input:WinEvent only works on Windows-based machines.

This input periodically reads Windows Events from the specified event log (event_type).

The following configuration options are available:

server:  # (optional) Specify the source of the events (default: localhost, i.e. the local machine)
event_type:  # (optional) Specify the event log to be read (default: System)
buffer_size:  # (optional) Specify how many events should be read in one query (default: 1024)
event_block_size:  # (optional) Specify the number of events after which an idle time is inserted so that other operations can take place (default: 100)
event_idle_time:  # (optional) Specify the idle time in seconds mentioned above (default: 0.01)
last_value_storage:  # Persistent storage for the current last value (use a different file for every input)
output:  # Which output to send the incoming events to