Windows Event Forwarding (WEF) can be used to centrally store logon and logoff events from workstations. In this particular example no other events are captured (audit events for file services, workstation lock/unlock and so on are left out). This guide assumes a domain environment.
Determine Security Log Permissions
Before WEF can be used, the NETWORK SERVICE account must be given permission to read the Security event log, as this is the account under which WinRM (and so the event forwarder) runs.
- Log onto a domain computer and open a Command Prompt as Administrator.
- Run wevtutil gl security:
    Microsoft Windows [Version 10.0.14393]
    (c) 2016 Microsoft Corporation. All rights reserved.

    C:\windows\system32>wevtutil gl security
    name: security
    enabled: true
    type: Admin
    owningPublisher:
    isolation: Custom
    channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
    logging:
      logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
      retention: false
      autoBackup: false
      maxSize: 419430400
    publishing:
      fileMax: 1
- The channelAccess value, starting with O:BAG, is the SDDL string listing the security principals allowed to access the Security log. Keep a copy of this string to one side.
- If that value does not already contain (A;;0x1;;;NS), append it to the end of the string. This grants the NETWORK SERVICE account (NS in SDDL) read access (0x1) to the Security log.
Create a Group Policy Object for Event Forwarding
Now that you have determined what the correct permissions for the Security log should be, these permissions, along with the forwarding settings, must be pushed out to the workstations. This is simple using a Group Policy Object (GPO).
Create the Group Policy Object
- On a domain controller, open Group Policy Management.
- Right-click the appropriate Organisational Unit (OU) in the tree on the left and click Create a GPO in this domain and Link it here.
- When prompted, enter an appropriate name, like Event Forwarding, and click OK.
Set Security Log Permissions
- Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security
- Open the Configure log access policy setting.
- Enable it, and paste the new permission string (the channelAccess value with the NS entry appended) into the Log Access box.
- Click OK once done.
Set Event Forwarding Target
- Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding
- Open the Configure target Subscription Manager policy setting.
- Enable it, and click the Show button next to SubscriptionManagers.
- For each server that events should be forwarded to, enter one line in either its HTTP or HTTPS form (note that the two use different port numbers!), giving the correct hostname and a Refresh interval, in seconds, that suits your environment.
- Click OK once done.
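The two GPO settings above cannot easily be checked from the Group Policy editor itself, so here is an added PowerShell example (not part of the original guide) to run on a workstation once the GPO has applied. It re-reads the channelAccess string with wevtutil, appends (A;;0x1;;;NS) only if it is missing, parses the result with .NET to confirm that NETWORK SERVICE (SID S-1-5-20) really has read access, and builds the Server=...,Refresh=... value entered in the SubscriptionManagers list. Assumptions: the collector name wec01.example.local is a placeholder, the WinRM ports 5985 (HTTP) and 5986 (HTTPS) are the defaults, and the registry path is the standard location the Configure target Subscription Manager setting writes to.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# prompt on a workstation after "gpupdate /force" has applied the GPO.

# --- 1. Security log permissions --------------------------------------------
function Get-SecurityLogSddl {
    # wevtutil prints a "channelAccess: <SDDL>" line; return just the SDDL.
    foreach ($line in (wevtutil gl security)) {
        if ($line -match '^\s*channelAccess:\s*(\S+)') { return $Matches[1] }
    }
    throw 'channelAccess not found in wevtutil output'
}

function Add-NetworkServiceAce {
    param([Parameter(Mandatory)][string]$Sddl)
    # Append the read ACE for NETWORK SERVICE only if it is not already there.
    # Applied to the guide's sample output this yields
    # O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
    if ($Sddl -notmatch '\(A;;0x1;;;NS\)') { $Sddl += '(A;;0x1;;;NS)' }
    return $Sddl
}

function Test-NetworkServiceRead {
    param([Parameter(Mandatory)][string]$Sddl)
    # Parse the SDDL and look for an allow ACE giving at least read (0x1)
    # to S-1-5-20, the well-known SID of NETWORK SERVICE.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -eq 'S-1-5-20' -and
            ($ace.AccessMask -band 1) -eq 1) { return $true }
    }
    return $false
}

# --- 2. Subscription Manager target -----------------------------------------
function New-SubscriptionManagerEntry {
    param([Parameter(Mandatory)][string]$Collector,          # collector FQDN
          [ValidateSet('http','https')][string]$Scheme = 'https',
          [int]$RefreshSeconds = 60)
    # Value format used in the GPO's SubscriptionManagers list. WinRM listens
    # on 5985 for HTTP and 5986 for HTTPS, which is the port difference the
    # guide points out.
    $port = if ($Scheme -eq 'https') { 5986 } else { 5985 }
    "Server=${Scheme}://${Collector}:${port}/wsman/SubscriptionManager/WEC,Refresh=$RefreshSeconds"
}

function Get-ConfiguredSubscriptionManagers {
    # Entries the GPO writes as numbered values (1, 2, ...) under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$current = Get-SecurityLogSddl
"Current channelAccess : $current"
"With NS entry         : $(Add-NetworkServiceAce $current)"
"NETWORK SERVICE read  : $(Test-NetworkServiceRead $current)"   # expect True after the GPO applies
"Example GPO entry     : $(New-SubscriptionManagerEntry -Collector 'wec01.example.local')"
"Configured targets    : $((Get-ConfiguredSubscriptionManagers) -join '; ')"
```

If NETWORK SERVICE read still shows False after the GPO has applied, the Configure log access string was pasted incorrectly; if the configured targets list is empty, the Subscription Manager setting has not reached the machine yet and the workstation will never poll the collector.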
Create Central Event Subscriptions
Once the above GPO is applied to your workstations, each machine will poll the specified servers at the specified refresh interval for new subscriptions.
Subscriptions determine which events are captured and which log they are written to on the collector. Multiple subscriptions can be created and targeted at different machines. For the purpose of this example, we will create a single subscription for logon/logoff events.
On each server that will collect the logs:
- Open Event Viewer.
- Navigate to: Subscriptions.
- On the right, click Create subscription.
- In Subscription name, enter an appropriate name, like Logon and Logoff Events.
- In Destination log, select Forwarded Events.
- In Subscription type and source computers, select Source computer initiated.
- Click Select Computers and then click Add Domain Computers.
- When prompted, enter Domain Computers into the box and click OK twice.
- Click Select Events and navigate to the XML tab.
- Check the Edit query manually checkbox.
- Paste the following into the text area, replacing XXX with your domain's NetBIOS/short name:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[ System[(EventID='4624')]
             and EventData[Data[@Name='SubjectDomainName']='XXX']
             and EventData[Data[@Name='TargetDomainName']='XXX']
             and EventData[ Data[@Name='LogonType']='2'
                            or Data[@Name='LogonType']='10'
                            or Data[@Name='LogonType']='11'] ]
        </Select>
      </Query>
      <Query Id="1" Path="Security">
        <Select Path="Security">
          *[ System[(EventID=4647)] ]
        </Select>
      </Query>
    </QueryList>
- Click OK.
- Click Advanced, and then select the options appropriate to your environment (HTTP vs. HTTPS, Minimize Bandwidth vs. Minimize Latency, etc.).
- Click OK.
If created properly, the new subscription shows with a green tick icon. The Forwarded Events log should then start to receive events from the workstations as users log on and off, and the Source Computers column of the subscription will be updated accordingly.
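A subscription with a syntactically valid but wrong query (a typo in the domain name, say) still gets its green tick and simply forwards nothing, so it is worth testing the XPath before deploying it. The following added PowerShell example (not part of the original guide) runs the same query against a workstation's local Security log with Get-WinEvent and summarises the matching events by ID, then, on the collector, asks wecutil for the subscription's runtime status and lists the newest forwarded events with their originating machine. Assumptions: XXX is the placeholder domain name from the guide and must be replaced, and the subscription is named Logon and Logoff Events as the guide suggests.

```powershell
# Added example, not from the original guide.
$Domain           = 'XXX'                       # placeholder: your NetBIOS domain name
$SubscriptionName = 'Logon and Logoff Events'   # name used in the guide

function Get-LogonQueryXml {
    param([Parameter(Mandatory)][string]$DomainName)
    # The subscription query from the guide with the domain filled in.
    # Logon types 2, 10 and 11 are interactive, remote-interactive and
    # cached-interactive logons; 4647 is a user-initiated logoff.
    @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[ System[(EventID='4624')]
         and EventData[Data[@Name='SubjectDomainName']='$DomainName']
         and EventData[Data[@Name='TargetDomainName']='$DomainName']
         and EventData[ Data[@Name='LogonType']='2'
                        or Data[@Name='LogonType']='10'
                        or Data[@Name='LogonType']='11'] ]
    </Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">*[ System[(EventID=4647)] ]</Select>
  </Query>
</QueryList>
"@
}

function Test-LogonQuery {
    param([Parameter(Mandatory)][string]$QueryXml, [int]$MaxEvents = 500)
    # Run on a workstation (elevated prompt) to apply the XPath to the local
    # Security log. A malformed query throws here rather than silently
    # matching nothing once the subscription is deployed.
    try {
        $events = Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -like '*No events were found*') {
            Write-Warning 'Query parsed but matched no events; check the domain name.'
            return
        }
        throw
    }
    $events | Group-Object Id | Select-Object @{n='EventID'; e={$_.Name}}, Count
}

function Get-ForwardingStatus {
    param([Parameter(Mandatory)][string]$Name)
    # Run on the collector. "wecutil gr" prints the subscription's runtime
    # status including each source computer, so a workstation that has not
    # checked in is visible here before any event arrives.
    wecutil gr $Name
    # Newest forwarded events, with the workstation they came from.
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName
}

Test-LogonQuery -QueryXml (Get-LogonQueryXml -DomainName $Domain)   # on a workstation
Get-ForwardingStatus -Name $SubscriptionName                         # on the collector
```

Running Test-LogonQuery on a workstation that has had a few interactive logons should return counts for 4624 and 4647; a warning instead almost always means the domain name does not match what the events record in SubjectDomainName/TargetDomainName.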