Figure 1: Finished state of Chapter 1
In this chapter you will:
- Add some Group Policy Objects (GPOs) to your Active Directory (AD).
- Configure the Windows Event Collector listener service.
- Configure clients to send logs to this box.
This chapter will cover setting up the built-in Windows functionality for event forwarding. This effectively takes the individual events (such as a file being opened) and sends them to a central machine for processing. This is similar to the setup discussed in this Microsoft blog.
Only a selection of events will be sent from the client's ‘Event Viewer’ to a central ‘Event Collector’. The events will then be uploaded to the database and dashboard in Chapter 3. This chapter will require the clients and event collector to be Active Directory domain joined and the event collector to be either a Windows server or a Windows client operating system.
You will need TCP port 5985 open between the clients and the Windows Event Collector. You also need port 5044 open between the Windows Event Collector and the Linux server.
We recommend that this traffic does not go directly across the Internet, so you should host the Windows Event Collector on the local network, in a similar place to the Active Directory server.
There are several files within the LME repo that need to be available on a domain controller. These files will be needed for both Chapters 1 and 2. While there are multiple ways to accomplish this, one simple method is to download the latest release package.
- While on a domain controller, download the desired release.
- Open File Explorer, locate and extract the release file downloaded in step 1, for example, LME-1.0.zip.
- Move the LME folder somewhere safe. There is no set location where this folder is required to be, but it should be saved somewhere it won't be inadvertently modified or deleted during the installation process. After installation is complete, the folder can be safely deleted.
Group policy objects (GPOs) are a convenient way to administer technical policies across an Active Directory domain. LME comes with two GPOs that work together to forward events from the client machines to the Event Collector.
Figure 2: Setting up Group Policy
While on a domain controller, open the Group Policy Management Console by running gpmc.msc. You can run this command by pressing Windows key + R.
Figure 3: Launching GPMC
🛠️ If you receive the error Windows cannot find 'gpmc.msc', see Troubleshooting: Installing Group Policy Management Tools.
- Within the Group Policy Management Console, navigate to the "Group Policy Objects" folder. The exact path will vary, depending on your domain's name. In the example used in Figure 3, the path is
Forest: testme.local / Domains / testme.local / Group Policy Objects). - Right click "Group Policy Objects" and select "New."
- Create two new GPOs, "LME-WEC-Client" and "LME-WEC-Server." Leave "Source Starter GPO:" as "(none)" for both.
Figure 4: Create a new GPO object
- Right-click the newly created "LME-WEC-Client" object. Select "Import Settings..."
- Hit "Next" until you reach the "Backup Location" page of the Wizard. NOTE: the "Backup Location" page of the wizard deals with importing settings from a backup, not to be confused with the "Backup GPO" page, which deals with creating a new backup with the current settings.
- When prompted to specify a "Backup Location," specify
LME-1.0/Chapter 1 Files/Group Policy Objects, whereLME-1.0refers to the folder downloaded in step 1.3. - On the "Source GPO" page, select "LME-WEC-Client."
- Click "Next" then "Finish."
- Repeat the above steps for the "LME-WEC-Server" object, selecting "LME-WEC-Server" on step 4.
- Right-click the "LME-WEC-Client" object, then select "Edit."
- Navigate to
Computer Configuration/Policies/Administrative Templates/Windows Components/Event Forwarding/. - Click "Configure Target Subscription Manager." By "SubscriptionManagers," click "Show."
- Change the FQDN (Fully Qualified Domain Name) to match your Windows Event Collector box name - this option can be seen in Figure 5 below. This domain name needs to be resolvable from each of the clients.
- After changing the FQDN, click "Apply" then "OK."
Figure 5: Editing Server Name In Group Policy
To "activate" the GPOs that you previously imported, you need to specify which computers they apply to. Here we describe only one technique of doing this, namely linking GPOs to organizational units (OUs). Advanced users may consider using alternate techniques that better fit their needs. See Planning GPO Deployment for more information.
- Create an OU to hold a subset of client computers that you want to be included in the LME Client group for testing before rolling out LME site-wide. See Guide to Organizational Units. We recommend starting with just a subset for testing before rolling out LME site-wide.
- Within the Group Policy Management Console, right click the OU containing the client machines.
- Click "Link an Existing GPO..."
- Select "LME-WEC-Client," then click "OK."
- Before linking the LME-WEC-Server, ensure that the Event Collector has been placed in its own OU. If needed, use the above guide on creating OUs in Step 1.
- Within the Group Policy Management Console, right click the OU containing the Event Collector.
- Click "Link an Existing GPO..."
- Select "LME-WEC-Server," then click "OK."
Both the LME-WEC-Server and LME-WEC-Client GPOs include a wildcard filter allowing all IP addresses on the host and client to run a Windows Remote Management (WinRM) Listener and to receive inbound connections using this protocol. We strongly recommend that this is restricted to IP addresses or ranges specific to your network environment.
An example of this would be if you hosted a LAN with the subnet 192.168.2.0/24, then you could only allows NICs residing within the range 192.168.2.1-192.168.2.254 to run a WinRM listener via the GPO policy.
See Microsoft Document for verification and details: Installation and configuration for Windows Remote Management
The filter setting is located at "Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Service/allow remote server management through WinRM".
- On the Windows Event Collector, run Event Viewer by either searching under Start->Run->eventvwr.exe, or under 'Windows Administrative Tools' in the start menu.
- Click "Subscriptions."
- If prompted, select "Yes" to start the Windows Event Collector Service (see Figure 6). If no such prompt appears, continue to step 4.
Figure 6: Start the Windows Event Collector Service, if needed.
- Download the lme_wec_config.xml file to the Windows Event Collector server.
- Run a command prompt as an administrator, change to the directory containing the wec_config.xml file you just downloaded.
- Run the command
wecutil cs lme_wec_config.xmlwithin the elevated command prompt. There is no output displayed after running this command.
🛠️ If you receive the error "The forwarder is having a problem communicating with subscription manager..." refer to Events are not forwarded if the collector is running Windows Server. If that does not fix the problem or does not apply, verify that TCP port 5985 is open between the clients and the Windows Event Collector.
- On the Windows Event Collector, Run Event Viewer by either Start->Run->eventvwr.exe, or under ‘Windows Administrative Tools’ in the start menu.
- Confirm machines are checking in, as per Figure 7. The 'Source Computers' field should contain the number of machines currently connected.
Figure 7: Event Log Subscriptions
Note that by default, Windows will update group policy settings only every 90 minutes. Because of this, it's possible that the 'Source Computers' field will be 0 the first time you check the subscriptions page. To force an update, logon to one of the client machines, then from an elevated command prompt, run gpupdate /force. After doing that, if you return to the event collector, that specific client should show up under the Source Computers tab.