Security Event Log Collection from a Domain Controller

I recently decided to implement this in my lab to see if it was possible. An extra step is required beyond the typical instructions provided by Microsoft.

In this scenario we have a domain controller (DC1) that we want to configure as an event forwarder. We also have a member server computer (SRV1) that we want to configure as an event collector.

Procedure

Configure Event Forwarding on DC1

1. Enable Windows Remote Management

winrm quickconfig

Note: The quickconfig option is fine because a domain controller usually only has one interface. On computers with multiple interfaces I prefer to use different options so the service only listens on needed IP addresses.

2. Add the computer account of the collector to the “Event Log Readers” built-in local security group.

Note: On a domain controller you need to do this from something like “Active Directory Users and Computers”.

3. Add the SID of the Network Service account to the Channel Access permissions of the Security Event Log.

The reason for doing this is that the Windows Remote Management service runs under the Network Service account.

The safe way to perform this step is to first run the following command and determine the current permissions:

wevtutil gl security

By default, the permission is:

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

In this case, the command to set the required permission is (we simply append the new permission to what was obtained with the previous command):

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

Note: S-1-5-20 is the well-known SID for the Network Service account.
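The step above is easy to get wrong because wevtutil sl /ca: replaces the whole channel security descriptor with whatever you pass in, so typing a descriptor from memory can silently drop the existing ACEs (including the Event Log Readers entry you need). The following PowerShell script is an added example and not code from the original post. It reads the current channelAccess value from wevtutil gl, parses it with the .NET RawSecurityDescriptor class, and only appends the Network Service read ACE if it is not already present. The variable names and the "name: value" line layout of wevtutil gl output are assumptions of this example; the SIDs and the ACE string come from the post.

```powershell
# Added example, not code from the original post. Run on the forwarder (DC1)
# in an elevated PowerShell. It reads the Security channel's current
# channelAccess SDDL, checks whether Network Service (S-1-5-20) already has
# read (0x1) access, and only then appends the ACE. The check matters because
# 'wevtutil sl /ca:' replaces the whole descriptor with whatever you pass in.
$channel           = 'Security'
$networkServiceSid = 'S-1-5-20'   # well-known SID for Network Service
$readMask          = 0x1          # the access right the post grants

# wevtutil gl prints "name: value" lines (assumed layout); extract channelAccess.
$currentSddl = $null
foreach ($line in (wevtutil gl $channel)) {
    if ($line -match '^channelAccess:\s*(.+)$') { $currentSddl = $Matches[1].Trim() }
}
if (-not $currentSddl) { throw "Could not read channelAccess for the $channel channel." }
Write-Host "Current: $currentSddl"

# Parse the SDDL with .NET so we inspect ACEs instead of string-matching.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($currentSddl)
$alreadyGranted = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -is [System.Security.AccessControl.CommonAce] -and
        $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $ace.SecurityIdentifier.Value -eq $networkServiceSid -and
        ($ace.AccessMask -band $readMask) -eq $readMask) {
        $alreadyGranted = $true
    }
}

if ($alreadyGranted) {
    Write-Host "Network Service already has read access on $channel; nothing to do."
} else {
    # Append only the read ACE; every ACE that was there before is preserved.
    $newSddl = $currentSddl + "(A;;0x1;;;$networkServiceSid)"
    Write-Host "Setting:  $newSddl"
    wevtutil sl $channel "/ca:$newSddl"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
}
```

Running it a second time reports "nothing to do", so it is safe to include in a build script. Keep the "Current:" line it prints: if you ever need to roll the change back, that is the descriptor to restore.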

Configure Event Collection on SRV1

1. Configure the Event Collector service

wecutil qc

2. Create the event subscription

  • Subscription Type: Collector Initiated
  • Source: DC1
  • Events to collect: In the filter set the “Event logs” field to “Security”

Testing

After approximately 15 minutes you should start to see events in the Forwarded Events event log on SRV1. If you don’t see these then try the following:

On DC1, open the Applications and Services Logs -> Microsoft -> Windows -> Eventlog-ForwardingPlugin -> Operational event log and look for Event ID 100. If you are getting Event ID 102 then you may need to restart either or both DC1 and SRV1.
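The check described above can be scripted so that it can be run repeatedly while waiting for the first forwarded events. This PowerShell script is an added example and not code from the original post; it runs on DC1, reads the same Eventlog-ForwardingPlugin Operational log the post points at, and reports whether the newest entry is Event ID 100 or Event ID 102. The log name string is the channel name as exposed to Get-WinEvent, and the wording of the two outcome messages follows the post.

```powershell
# Added example, not code from the original post. Run on the forwarder (DC1).
# It pulls the most recent Event ID 100 and 102 entries from the forwarding
# plugin's Operational log, which the post says to inspect when nothing shows
# up in Forwarded Events on SRV1 after about 15 minutes.
$logName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
$filter  = @{ LogName = $logName; Id = 100, 102 }

# SilentlyContinue: Get-WinEvent errors (rather than returning nothing) when no
# event matches, and an empty log is a normal state right after configuration.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No Event ID 100/102 entries in $logName yet."
    Write-Host "Check that the subscription on SRV1 targets this host and that WinRM is listening (winrm quickconfig)."
    return
}

# Show the recent history, newest first, with only the first line of each message.
$events | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# The newest entry decides which of the post's two situations applies.
$latest = ($events | Sort-Object TimeCreated -Descending)[0]
switch ($latest.Id) {
    100 { Write-Host 'Latest entry is Event ID 100: the forwarder reports success; check Forwarded Events on SRV1.' }
    102 { Write-Host 'Latest entry is Event ID 102: as the post describes, restart DC1 and/or SRV1 and run this again.' }
}
```

If the log stays empty, the problem is usually upstream of the forwarding plugin (the subscription never reached DC1), whereas a stream of 102 entries means the forwarder knows about the subscription but cannot deliver, which is the case the post resolves with a restart.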


2 Responses to Security Event Log Collection from a Domain Controller

  1. Mephisto says:

    Thanks mate! This thing had me scratching my head for a couple of days now! … Funny how Technet NEVER mentions the fine print … The trick is in adding the channel access permissions.

  2. Thanks for sharing this informative article!
    A few days ago, I also shared a PDF guide that covers the secrets of Event Viewer for Active Directory security auditing. You can walk through this link to gather more information about it: https://gallery.technet.microsoft.com/Secrets-of-Event-Viewer-17053a75
