Set up a Windows LogServer

On the DC:

# Group for the collector machine, and a GPO that applies only to that group
New-ADGroup -Name "Event Collector" -GroupScope Global
Add-ADGroupMember -Identity "Event Collector" -Members <Servername>$

New-GPO -Name "Event Collector"
New-GPLink -Name "Event Collector" -Target "DC=test,DC=com"
Set-GPPermission -Name "Event Collector" -TargetName "Event Collector" -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name "Event Collector" -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None

# WinRM service policy on the collector: allow remote management, listen on all IPv4/IPv6 addresses
$winRMKey = "HKLM\Software\Policies\Microsoft\Windows\WinRM\Service"
Set-GPRegistryValue -Name "Event Collector" -Key $winRMKey -ValueName "AllowAutoConfig" -Type DWord -Value 1
Set-GPRegistryValue -Name "Event Collector" -Key $winRMKey -ValueName "IPv4Filter" -Type String -Value "*"
Set-GPRegistryValue -Name "Event Collector" -Key $winRMKey -ValueName "IPv6Filter" -Type String -Value "*"

# Group for the forwarding machines, and a GPO that applies only to that group
New-ADGroup -Name "Event Source" -GroupScope Global
Add-ADGroupMember -Identity "Event Source" -Members <servername>$   # only one server for the testing phase

New-GPO -Name "Event Source"
New-GPLink -Name "Event Source" -Target "DC=test,DC=com"
Set-GPPermission -Name "Event Source" -TargetName "Event Source" -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name "Event Source" -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None

# Subscription manager policy: tell the sources which collector to contact (over WinRM HTTP, port 5985)
$eventKey = "HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
$targetAddress = "Server=http://<servername>:5985/wsman/SubscriptionManager/WEC"
Set-GPRegistryValue -Name "Event Source" -Key $eventKey -ValueName "1" -Type String -Value $targetAddress

Something extra to check on the machines you want to put in the "Event Source" group:

- Check that remote management is enabled:
PS C:\> Configure-SMRemoting.exe -Get

We should also create a new subscription on the log server and choose which events we want to collect.

More on event forwarding:

https://docs.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription#forwarding-the-security-log
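The two steps the notes leave open, the subscription on the log server and the Security log permission that the linked article describes, as an added example (not code from the original post). It assumes the "Event Source" group from above, that the first function runs on the collector and the second on each source, and an illustrative set of Security event IDs (log cleared, logons, process creation, account and group changes).

```powershell
# Added example (not from the original post). Assumes the AD group "Event Source" created above;
# the event IDs are an illustrative baseline, not a recommendation from the original notes.

# --- On the log server: configure the collector service and create a source-initiated
#     subscription that only accepts computers that are members of the "Event Source" group.
function New-WecSecuritySubscription {
    param(
        [string]$Name = 'SecurityBaseline',
        [string]$SourceGroup = 'Event Source',
        [int[]]$EventIds = @(1102, 4624, 4625, 4688, 4720, 4728, 4732)
    )
    Import-Module ActiveDirectory
    $sid = (Get-ADGroup -Identity $SourceGroup).SID.Value
    $filter = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events from members of '$SourceGroup'</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security">
    <Select Path="Security">*[System[($filter)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;$sid)S:</AllowedSourceDomainComputers>
</Subscription>
"@
    $path = Join-Path $env:TEMP "$Name.xml"
    $xml | Out-File -FilePath $path -Encoding utf8
    wecutil qc /q        # enable and start the Windows Event Collector service
    wecutil cs $path     # create the subscription from the XML file
    wecutil gr $Name     # runtime status: each source, its last heartbeat and any error
}

# --- On each source computer: the forwarder runs as Network Service, which cannot read the
#     Security log by default; append a read ACE for it to the channel's SDDL.
function Grant-NetworkServiceSecurityLogRead {
    $line = wevtutil gl Security | Where-Object { $_ -match '^channelAccess:' }
    $sddl = ($line -replace '^channelAccess:\s*', '').Trim()
    if ($sddl -notmatch ';;;NS\)') {   # skip if Network Service already has an ACE
        wevtutil sl Security /ca:"${sddl}(A;;0x1;;;NS)"
    }
    wevtutil gl Security | Where-Object { $_ -match '^channelAccess:' }   # show the result
}
```

After a source has applied the GPO and restarted its Windows Event Collector client (the Windows Remote Management service), `wecutil gr SecurityBaseline` on the collector should list it as active, and the selected events appear in the Forwarded Events log.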
