Setting up a Windows Event Collector (WEC) on Linux (2023)

Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, you can centralize log collection without having to install third-party software on each Windows node. You can also use Group Policy to configure clients to forward their events, which both standardizes and streamlines client management.

Unfortunately there is one caveat. Events are sent over the WS-Eventing protocol (part of the WS-Management protocol) and this typically limits the Windows Event Collector to a Windows server, which may not be practical in environments where Windows servers are not common. NXLog Enterprise Edition addresses this problem through its Windows Event Collector (im_wseventing) module, allowing a Windows Event Collector to be set up on GNU/Linux systems.

In this post, we will show you how to set up a WEC server on Linux using either Kerberos or certificate-based authentication. These instructions have been verified on RHEL/CentOS 8 and Ubuntu 20.04 for the WEC server, and on Microsoft Windows Server 2016 for Active Directory and WEF clients. Note that the steps may differ on other versions and operating systems.

Going forward, we will refer to the Linux host where NXLog Enterprise Edition is installed as the WEC server and the Windows machine forwarding events to it as the WEF client.

Configure a WEC server with Kerberos authentication

These steps will guide you through setting up Kerberos authentication, configuring a WEC server, and forwarding events to it from a WEF client. This example setup uses three distinct hosts:

  • A Windows Active Directory Domain Controller with FQDN dc.example.com and IP address 192.168.0.1.

  • A Windows based DNS server with IP address 192.168.0.2.

  • A Linux host where NXLog Enterprise Edition is installed with hostname linux-wec and IP address 192.168.0.3.

WEC server prerequisites

Before configuring Kerberos authentication, the Linux host acting as a WEC server needs to satisfy the following requirements.

  1. Check that the machine has the correct hostname:

    # hostname

    If the command does not return a value or the value is incorrect, update the hostname:

    # hostnamectl set-hostname linux-wec
  2. Configure network settings with the correct DNS server and a static IP address.

    To set network settings on RHEL/CentOS (replace ifcfg-enp0s3 with the correct interface name):

    # nano /etc/sysconfig/network-scripts/ifcfg-enp0s3

    Set to:

    BOOTPROTO=static
    IPADDR=192.168.0.3
    NETMASK=255.255.255.0
    GATEWAY=192.168.0.1
    DNS1=192.168.0.2

    To set network settings on Ubuntu 18.04 and newer:

    1. Open the Netplan YAML configuration file (replace the filename with the relevant one on your system):

      # nano /etc/netplan/01-network-manager-all.yaml
    2. Set to (replace enp0s3 with the correct interface name):

      network:
        version: 2
        renderer: NetworkManager
        ethernets:
          enp0s3:
            dhcp4: no
            addresses:
              - 192.168.0.3/24
            gateway4: 192.168.0.1
            nameservers:
              addresses: [192.168.0.2]

      Note that correct indentation is essential in YAML; if it is wrong, the settings will not be applied.

    3. Apply the changes:

      # netplan apply
  3. Synchronize the time with the domain controller.

    To synchronize the time using NTP execute the following command:

    # ntpdate dc.example.com

    To synchronize the time using chrony:

    1. Open the chrony configuration file with a text editor:

      # nano /etc/chrony.conf
    2. Replace the current server or pool with the following line:

      server dc.example.com iburst

Create and map an Active Directory domain user

For a WEC server on a Linux machine to be able to use Kerberos authentication, a corresponding user needs to be created in Active Directory and mapped to a Kerberos principal name.

  1. On the domain controller, create a new user with its logon name matching the hostname of the WEC server.

    1. Go to Administrative Tools > Active Directory Users and Computers > example.com > Users.

    2. Right click and choose New > User.

      1. First name: linux-wec

      2. Full name: linux-wec

      3. User logon name: linux-wec

      4. Set a password for the user.

      5. Uncheck User must change password at next logon.

      6. Check Password never expires.

    3. Right click on the new user, click Properties, and open the Account tab.

      1. Check This account supports Kerberos AES 128 bit encryption.

      2. Check This account supports Kerberos AES 256 bit encryption.

  2. On the DNS server, create an A record for linux-wec.example.com.

    1. Go to Administrative Tools > DNS > Forward Lookup Zones > example.com.

    2. Right click and choose New Host (A or AAAA)….

    3. Add a record with name linux-wec and IP address 192.168.0.3.

    4. Check the Create associated pointer (PTR) record option.

  3. Back on the domain controller, open a command prompt and execute these commands. Use the same <password> that was specified when the above user was created. These commands map the domain account to the Kerberos principal names and generate two keytab files containing the shared secret.

    > ktpass /princ hosts/linux-wec.example.com@EXAMPLE.COM /pass <password> /mapuser EXAMPLE\linux-wec -pType KRB5_NT_PRINCIPAL /out hosts-nxlog.keytab /crypto AES256-SHA1
    > ktpass /princ http/linux-wec.example.com@EXAMPLE.COM /pass <password> /mapuser EXAMPLE\linux-wec -pType KRB5_NT_PRINCIPAL /out http-nxlog.keytab /crypto AES256-SHA1
  4. Copy the resulting hosts-nxlog.keytab and http-nxlog.keytab files to the WEC server.

Configure Kerberos on the WEC server

Now that the Active Directory user has been created and mapped to the principal name, the WEC server can be configured for Kerberos authentication.

  1. Confirm that the Kerberos krb5 client and utility software are installed on the WEC server. The required package can be installed with yum install krb5-workstation or apt install krb5-user.

  2. Edit the default Kerberos configuration file, usually located at /etc/krb5.conf.

    1. In section [domain_realm] add:

      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM
    2. In section [realms] add:

      EXAMPLE.COM = {
        kdc = example.com
        admin_server = example.com
      }
  3. Use ktutil to merge the two keytab files generated above.

    # ktutil
    ktutil: rkt /root/hosts-nxlog.keytab
    ktutil: rkt /root/http-nxlog.keytab
    ktutil: wkt /root/nxlog-result.keytab
    ktutil: q
  4. Validate the merged keytab.

    # klist -e -k -t /root/nxlog-result.keytab
    Keytab name: FILE:/root/nxlog-result.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
       4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  5. Either copy the keytab into place, or merge it if there are already keys in /etc/krb5.keytab.

    • To copy the keytab:

      # cp /root/nxlog-result.keytab /etc/krb5.keytab
    • To merge the keytab and validate the result:

      # ktutil
      ktutil: rkt /etc/krb5.keytab
      ktutil: rkt /root/nxlog-result.keytab
      ktutil: wkt /etc/krb5.keytab
      ktutil: q
      # klist -e -k -t /etc/krb5.keytab
      Keytab name: FILE:/etc/krb5.keytab
      KVNO Timestamp           Principal
      ---- ------------------- ------------------------------------------------------
      <other entries>
         5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
         4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  6. Verify that the user account used by the NXLog service has sufficient privileges to open and read the /etc/krb5.keytab file. If not, Kerberos authentication will fail.

  7. Test that authentication with Active Directory works when using the keytab. Run the following command on the Linux WEC server as the same user that the NXLog service runs as (by default, the nxlog user account). If the configuration is correct, a ticket-granting ticket (TGT) will be created and cached.

    # kinit -kt /etc/krb5.keytab http/linux-wec.example.com@EXAMPLE.COM
  8. Verify the ticket was obtained by running klist as the same user from the previous step:

    # klist
    Ticket cache: KCM:0
    Default principal: http/linux-wec.example.com@EXAMPLE.COM

    Valid starting     Expires            Service principal
    28/01/21 11:41:44  28/01/21 21:41:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/02/21 11:41:44
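
As an added pre-flight check (an example script written for this post, not NXLog's own tooling), the following POSIX shell script verifies the two things from steps 4 to 6 that most often cause a silent Kerberos failure on the WEC server: that the merged keytab is readable by the service user without being world-readable, and that both principals created with ktpass are present with AES-256 keys. The hostname, realm and keytab path default to the values used in this post and can be overridden with the WEC_FQDN, REALM and KEYTAB environment variables (names chosen for this example). The klist listing embedded in the script is a constructed sample shaped like the output above, so the parser can be exercised offline; run the script with --live as the nxlog user to inspect the real keytab.

```shell
#!/bin/sh
# Added example, not from the NXLog post: pre-flight checks for the WEC
# server keytab. Defaults assume the names used in the post.
WEC_FQDN="${WEC_FQDN:-linux-wec.example.com}"
REALM="${REALM:-EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# check_principals: reads `klist -e -k -t` output on stdin and returns 0
# only if hosts/<fqdn> and http/<fqdn> both appear with an aes256 key.
check_principals() {
    listing=$(cat)
    rc=0
    for svc in hosts http; do
        princ="$svc/$WEC_FQDN@$REALM"
        if printf '%s\n' "$listing" | grep -F "$princ" | grep -q 'aes256-cts-hmac-sha1-96'; then
            echo "ok: $princ (aes256)"
        else
            echo "MISSING: $princ with an aes256 key"
            rc=1
        fi
    done
    return $rc
}

# keytab_mode_ok: the keytab must be readable by the caller (run this as
# the nxlog user) and must not be readable by everyone on the host.
keytab_mode_ok() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f as $(id -un)"; return 1; }
    other=$(ls -l "$f" | cut -c8-10)   # permission bits for "other"
    case "$other" in
        ---) echo "ok: $f is not world-readable"; return 0 ;;
        *)   echo "$f is world-readable ($other); tighten it with chmod 640"; return 1 ;;
    esac
}

# Constructed sample shaped like the klist output shown in the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

if [ "${1:-}" = "--live" ]; then
    # Real run: inspect the keytab on this host.
    keytab_mode_ok "$KEYTAB" && klist -e -k -t "$KEYTAB" | check_principals
else
    # Offline run: exercise the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_KLIST" | check_principals
fi
```

A non-zero exit from either function points at the exact cause (a missing principal, a wrong enctype, or file permissions) before you spend time on the WEF client side.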

Configure NXLog to receive events

Once you verify that Kerberos authentication is working successfully, the next step is to configure NXLog with the Windows Event Collector (im_wseventing) module to receive events from WEF clients.

  1. Open the NXLog configuration file with a text editor. On Linux the default location is /opt/nxlog/etc/nxlog.conf.

  2. Add an input module instance of im_wseventing as follows. This configuration uses all network interfaces to listen for connections on port 80, and filters for events from the Application, Security, and System channels.

    nxlog.conf

    <Input windows_events>
        Module          im_wseventing
        Address         http://linux-wec.example.com:80/wsman
        ListenAddr      0.0.0.0
        Port            80
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Application">*</Select>
                    <Select Path="Security">*</Select>
                    <Select Path="System">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        # Log connections for testing and troubleshooting
        LogConnections  TRUE
    </Input>

    Note

    Make sure the port defined in the im_wseventing configuration is accessible from the WEF clients. The local firewall rules on the Linux WEC server may need to be updated.
  3. Restart the NXLog service:

    # systemctl restart nxlog

Configure the WEF client to send events to NXLog

Finally, WEF clients can be configured to forward their events to the newly set up WEC server. Follow these steps to enable WEF on a single Windows node by editing the local policy.

  1. Open the Group Policy MMC snap-in (gpedit.msc) and go to Computer Configuration > Administrative Templates > Windows Components > Event Forwarding.

  2. Right-click the Configure target Subscription Manager setting and select Properties. Enable the setting, and under Options click the Show button to add a server address.

  3. Add at least one setting that specifies the NXLog WEC server. The SubscriptionManager Properties window contains a Help pane that describes the syntax for the setting. An example would be as follows:

    Server=http://linux-wec.example.com:80,Refresh=30

    Note

    The Refresh interval is specified in seconds; on production systems it should be set to a higher value, e.g. Refresh=1200.
  4. After the SubscriptionManager setting has been added, ensure the policy is applied by running:

    > gpupdate /force
  5. If you are planning to forward security events, you will need to grant the NetworkService account access to the Security log. See Forwarding events from the Security log in the NXLog Enterprise Edition Reference Manual for instructions.

  6. At this point the WinRM service on the Windows client should connect to NXLog. If the LogConnections directive is set to TRUE in the NXLog configuration, a connection attempt should be logged in nxlog.log and you should start seeing events as they arrive.

Configure a WEC server with certificate-based authentication (HTTPS)

These steps will guide you through generating the required certificates using OpenSSL, setting up a WEC server with HTTPS, and forwarding events to it from a WEF client. This example setup uses two distinct hosts:

  • A Linux host where NXLog Enterprise Edition is installed with hostname linux-wec.

  • A Windows host which will be configured as a WEF client with hostname winclient.

Generate the certificates

To facilitate the generation of certificates using OpenSSL, scripts are available in our public git repository.

  1. Download the scripts to the Linux WEC server. You may want to edit the subject parameters according to your environment.

  2. Generate the CA certificate and private key.

    # ./genca.sh
  3. Generate the WEF client certificate and export it together with the CA in PFX format. This is the certificate that you will need to import into the Windows certificate store on the WEF client later on.

    # ./gencert-client.sh winclient.example.com
  4. Generate the WEC server certificate to be used by the NXLog configuration. Make sure that the hostname you specify matches the reverse DNS name of the WEC server, otherwise you may encounter errors when configuring the WEF client because the SSL certificate contains a common name (CN) that does not match the hostname.

    # ./gencert-server.sh linux-wec.example.com

If you are using an intermediary CA you will need to make sure that the ca-cert.pem file contains the public part of every issuer's certificate in the correct order. The easiest way to achieve this is to cat the PEM certificates together.

If you do not use the provided scripts to generate the certificates, make sure that the following requirements are met:

  • The WEF client certificate must have the X509 v3 Extended Key Usage: TLS Web Client Authentication extension.

  • The WEC server certificate must have the X509 v3 Extended Key Usage: TLS Web Server Authentication extension.

  • Make sure that the intended purpose of the certificates is set to Client Authentication and Server Authentication respectively.
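
As an added check (an example script written for this post, not one of the scripts in the NXLog repository), the following shell script inspects a PEM certificate with OpenSSL and confirms that it carries the Extended Key Usage required for its role and that its subject CN matches the expected hostname. That covers the two requirements listed above as well as the CN mismatch warned about in step 4 of the certificate generation. The openssl x509 invocation is a real command; the certificate text embedded in the script is a constructed excerpt of openssl x509 -text output, so the parsing functions can be exercised without a certificate on disk. The function names (eku_has, cn_is, check_cert) are chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the NXLog post or its helper scripts: check that
# a certificate is fit for the WEF client or WEC server role before using it.

# eku_has: read `openssl x509 -text` output on stdin; return 0 if the line
# after the "X509v3 Extended Key Usage" header names the given purpose.
eku_has() {
    awk '/X509v3 Extended Key Usage/ { getline; print }' | grep -q "$1"
}

# cn_is: read `openssl x509 -text` output on stdin; return 0 if the Subject
# CN equals the expected hostname (OpenSSL prints "CN = x" or "CN=x").
cn_is() {
    grep -E "^ *Subject:.*CN ?= ?$1( |,|$)" >/dev/null
}

# check_cert: role is "client" or "server"; host is the FQDN the
# certificate must be issued to. Requires the openssl binary.
check_cert() {
    pem="$1"; role="$2"; host="$3"
    case "$role" in
        client) purpose="TLS Web Client Authentication" ;;
        server) purpose="TLS Web Server Authentication" ;;
        *) echo "role must be client or server"; return 2 ;;
    esac
    text=$(openssl x509 -in "$pem" -noout -text) || return 2
    rc=0
    if printf '%s\n' "$text" | eku_has "$purpose"; then
        echo "ok: $pem has EKU $purpose"
    else
        echo "FAIL: $pem lacks EKU $purpose"; rc=1
    fi
    if printf '%s\n' "$text" | cn_is "$host"; then
        echo "ok: $pem subject CN is $host"
    else
        echo "FAIL: $pem subject CN is not $host"; rc=1
    fi
    return $rc
}

# Constructed excerpt of `openssl x509 -text` output for a WEF client cert.
SAMPLE_CLIENT_TEXT='Certificate:
    Data:
        Subject: C = US, O = Example, CN = winclient.example.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:winclient.example.com'

if [ $# -eq 3 ]; then
    # e.g. ./check-cert.sh client-cert.pem client winclient.example.com
    check_cert "$1" "$2" "$3"
else
    # Offline run against the constructed sample.
    printf '%s\n' "$SAMPLE_CLIENT_TEXT" | eku_has "TLS Web Client Authentication" && echo "sample: client EKU present"
    printf '%s\n' "$SAMPLE_CLIENT_TEXT" | cn_is winclient.example.com && echo "sample: CN matches"
fi
```

Run it once for the client certificate with the client role and once for the server certificate with the server role; a certificate that passes only the EKU check but fails the CN check is exactly the case that produces the hostname error on the WEF client described in step 4.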

Configure NXLog to receive events

Once the certificates have been generated, the next step is to configure NXLog with the Windows Event Collector (im_wseventing) module to receive events from WEF clients.

  1. Open the NXLog configuration file with a text editor. On Linux the default location is /opt/nxlog/etc/nxlog.conf.

  2. Add an input module instance of im_wseventing as follows. This configuration uses all network interfaces to listen for connections on port 5985, and filters for events from the Application, Security, and System channels.

    nxlog.conf

    <Input windows_events>
        Module            im_wseventing
        Address           https://linux-wec.example.com:5985/wsman
        ListenAddr        0.0.0.0
        Port              5985
        HTTPSCertFile     /path/to/server-cert.pem
        HTTPSCertKeyFile  /path/to/server-key.pem
        HTTPSCAFile       /path/to/ca-cert.pem
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Application">*</Select>
                    <Select Path="Security">*</Select>
                    <Select Path="System">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        # Log connections for testing and troubleshooting
        LogConnections    TRUE
    </Input>

    Note

    Make sure the port defined in the im_wseventing configuration is accessible from the WEF clients. The local firewall rules on the Linux WEC server may need to be updated.
  3. Restart the NXLog service:

    # systemctl restart nxlog
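
The Note under both im_wseventing configurations (the Kerberos one on port 80 and the HTTPS one on port 5985) says the listening port must be reachable from the WEF clients. The following script, an added example rather than NXLog's own tooling, reads the Port directive of the im_wseventing block from nxlog.conf, checks with ss whether a listener is bound to that port after the restart, and prints the firewalld or ufw command that would open it locally. The nxlog.conf excerpt and the ss -ltn output embedded in it are constructed samples so the parsing can be exercised offline; run it with --live on the WEC server to inspect the real configuration. The CONF variable and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the NXLog post: confirm that NXLog is listening
# on the port configured for im_wseventing and show how to open it locally.
CONF="${CONF:-/opt/nxlog/etc/nxlog.conf}"

# wseventing_port: print the Port directive of the first <Input> block whose
# Module is im_wseventing, reading the configuration text from stdin.
wseventing_port() {
    awk '
        /<Input/                                      { inblock = 1; wse = 0 }
        inblock && /^[ \t]*Module[ \t]+im_wseventing/ { wse = 1 }
        inblock && wse && /^[ \t]*Port[ \t]+/         { print $2; exit }
        /<\/Input>/                                   { inblock = 0 }
    '
}

# listener_bound: read `ss -ltn` (or `netstat -ltn`) output on stdin and
# return 0 if a TCP socket is listening on the given port on any address.
listener_bound() {
    awk -v p="$1" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END    { exit (found ? 0 : 1) }
    '
}

# firewall_hint: print the command that opens the port with whichever host
# firewall front end is installed (firewalld on RHEL/CentOS, ufw on Ubuntu).
firewall_hint() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd --permanent --add-port=$1/tcp && firewall-cmd --reload"
    elif command -v ufw >/dev/null 2>&1; then
        echo "ufw allow $1/tcp"
    else
        echo "no firewalld or ufw found; check the nftables/iptables rules for tcp/$1"
    fi
}

# Constructed samples: a minimal im_wseventing block and `ss -ltn` output.
SAMPLE_CONF='<Input windows_events>
    Module       im_wseventing
    Address      http://linux-wec.example.com:80/wsman
    ListenAddr   0.0.0.0
    Port         80
</Input>'
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    port=$(wseventing_port < "$CONF")
    [ -n "$port" ] || { echo "no im_wseventing Port found in $CONF"; exit 1; }
    if ss -ltn | listener_bound "$port"; then
        echo "NXLog is listening on tcp/$port; if clients still cannot connect, open it with:"
        firewall_hint "$port"
    else
        echo "nothing is listening on tcp/$port; check nxlog.log for startup errors"
        exit 1
    fi
else
    port=$(printf '%s\n' "$SAMPLE_CONF" | wseventing_port)
    printf '%s\n' "$SAMPLE_SS" | listener_bound "$port" && echo "sample: listener present on tcp/$port"
fi
```

Separating the two checks matters in practice: a missing listener is an NXLog configuration or certificate problem to be read from nxlog.log, whereas a listener that is present but unreachable from the WEF client is a firewall or routing problem.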

Configure the WEF client to send events to NXLog

At this stage, you are ready to configure WEF clients to forward their events to the newly set up WEC server. Follow these steps to configure the WinRM authentication method and enable WEF on a Windows node.

  1. Make sure the Windows Remote Management (WS-Management) service is installed, running, and set to Automatic startup type.

  2. If WinRM is not already installed, see the MSDN documentation on Installation and Configuration for Windows Remote Management.

  3. Check that certificate-based authentication is enabled for WinRM. Run the following command:

    > winrm get winrm/config/Client/Auth

    This should produce the following output:

     Auth
         Basic = false
         Digest = true
         Kerberos = true
         Negotiate = true
         Certificate = true
         CredSSP = true [Source="GPO"]

    If Certificate authentication is set to false, enable it with the following command:

    > winrm set winrm/config/client/auth @{Certificate="true"}
  4. Import the WEF client authentication certificate. Open the Certificates MMC snap-in for the Local Computer (certlm.msc), right click on Personal and select All Tasks > Import…. Import the client.pfx file. Enter the private key password if set and make sure the Include all extended properties check-box is selected.

    Note

    After the import is complete, expand Personal > Certificates and double-click on the WEF client certificate to check if the full certificate chain is available and trusted.
  5. The NetworkService account needs to be granted permission to access the WEF client certificate. Use the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe) to check if the NetworkService account has the correct access permission:

    > winhttpcertcfg -l -c LOCAL_MACHINE\my -s <certificate subject name>

    Where LOCAL_MACHINE\my refers to the Personal certificate store of the Local Computer and <certificate subject name> is the CN value that was specified when creating the WEF client certificate. For example:

    > winhttpcertcfg -l -c LOCAL_MACHINE\my -s winclient.example.com

    If NetworkService is not listed in the output, grant it permission by running the following command:

    > winhttpcertcfg -g -c LOCAL_MACHINE\my -s <certificate subject name> -a NetworkService
  6. If you are planning to forward security events, you will need to grant the NetworkService account access to the Security log. See Forwarding events from the Security log in the NXLog Enterprise Edition Reference Manual for instructions.

  7. Configure the policy on the WEF client to enable event forwarding:

    1. Open the Group Policy MMC snap-in (gpedit.msc) and go to Computer Configuration > Administrative Templates > Windows Components > Event Forwarding.

    2. Right-click the Configure target Subscription Manager setting and select Properties. Enable the setting, and under Options click the Show button to add a server address.

    3. Add at least one setting that specifies the NXLog WEC server. The SubscriptionManager Properties window contains a Help pane that describes the syntax for the setting. If you have used the gencert-server.sh script the subscription manager string should be in the following format:

      Server=HTTPS://<FQDN of im_wseventing>:<port>/wsman/,Refresh=<refresh interval in seconds>, IssuerCA=<certificate authority certificate thumbprint>

      Note

      On production systems the Refresh interval should be set to a higher value, e.g. Refresh=1200.
    4. To find the IssuerCA fingerprint, open the Certificates MMC snap-in, expand Local Computer > Personal > Certificates and open the CA certificate. Copy the Thumbprint from the Details tab. Please make sure to eliminate spaces and the invisible non-breaking space that may be present before the first character of the thumbprint on Windows 2008.

    5. After the SubscriptionManager setting has been added, ensure the policy is applied by running:

      > gpupdate /force
  8. At this point the WinRM service on the Windows client should connect to NXLog. If the LogConnections directive is set to TRUE in the NXLog configuration, a connection attempt should be logged in nxlog.log and you should start seeing events as they arrive.


Troubleshooting

The steps in this post aim to provide a working example to set up Windows Event Forwarding in practice. However, due to the multitude of components requiring configuration and no two environments being exactly the same, any one of these factors could result in WEF not working as expected. The best way to troubleshoot WEF is to check for errors in Windows Event Log. The following channels provide the most relevant events:

  • Applications and Services Logs/Microsoft/Windows/Event-ForwardingPlugin

  • Applications and Services Logs/Microsoft/Windows/Windows Remote Management

For additional resources, the Windows Event Collector (im_wseventing) documentation in the NXLog Enterprise Edition Reference Manual provides a Troubleshooting section with tips and solutions for common issues.

Summary

In this post we have seen how using WEF with NXLog Enterprise Edition creates new possibilities for the centralized log collection of events from Windows clients in organizations where Windows servers are rare or non-existent. By using the Windows Event Collector (im_wseventing) module, a WEC server can be set up on GNU/Linux to receive events forwarded to it by Microsoft Windows clients.

With both NXLog Enterprise Edition and WEF supporting either Kerberos or certificate-based authentication, we hope this post provides you with the information needed for getting started with configuring a WEC server in your environment, according to your organization's preferred authentication method.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.

  • windows logs
  • wef
  • wec
  • linux
  • log collection

Share

Related Posts

Making the most of Windows Event Forwarding for centralized log collection 7 minutes|December 17, 2018 DNS Log Collection - Part 2 9 minutes|May 28, 2020 Sending ETW Logs to Splunk with NXLog 5 minutes|March 3, 2020
(Video) Windows Event Collector clustering with Syslog-ng

FAQs

Setting up a Windows Event Collector (WEC) on Linux? ›

Enabling event collection

The first step is to start the Windows Event Collector service and to configure it to start automatically. You can do this using PowerShell with the command Get-Service Wecsvc | Set-Service -StartupType Automatic -PassThru | Start-Service from an administrative PowerShell prompt.

How to setup a Windows Event Collector Server? ›

Configuring the event collector computer
  1. Run the following command from an elevated privilege command prompt on the Windows Server domain controller to configure Windows Remote Management: winrm qc -q.
  2. Run the following command to configure the Event Collector service: wecutil qc /q.
Jan 4, 2023

How do I enable Windows Event Collector? ›

Enabling event collection

The first step is to start the Windows Event Collector service and to configure it to start automatically. You can do this using PowerShell with the command Get-Service Wecsvc | Set-Service -StartupType Automatic -PassThru | Start-Service from an administrative PowerShell prompt.

How do I set up Windows event forwarder? ›

This is one way to configure Windows Event forwarding.
...
Right-click Subscriptions and select Create Subscription.
  1. Enter a name and description for the subscription.
  2. For Destination Log, confirm that Forwarded Events is selected. ...
  3. Select Source computer initiated and click Select Computers Groups. ...
  4. Click Select Events.
Jan 18, 2023

What is WEC Windows? ›

Windows Event Collection eliminates polling and agents. WEC is built into Windows. It's already there on every system on your network. There's no agent to install. But it's even more efficient than an agent.

How do I host a Windows service on a server? ›

Open Developer Command Prompt for Visual Studio and navigate to the project directory. Type installutil bin\service.exe at the command prompt to install the Windows service. Type services. msc at the command prompt to access the Service Control Manager (SCM).

How to install Windows Log Collector? ›

To install the Log Collector
  1. Download the Log Collector installation package to any server or computer on the network. ...
  2. Double-click the Log Collector icon.
  3. If you are running the installation from a network computer, enter your server administrator credentials when prompted.
May 23, 2022

How to run Windows event log from command line? ›

Here's how you can use the Command Prompt to open the Event Viewer:
  1. Press Win + R to open the Run command dialog box.
  2. Type CMD and press Ctrl + Shift + Enter to open an elevated Command Prompt.
  3. Type eventvwr and press Enter to open the Event Viewer.
Dec 29, 2021

How do I trigger Windows event log? ›

Go to the Windows Monitoring and Management option by selecting the Server, Properties and General tabs. Choose the category of messages to be logged by selecting the appropriate checkboxes. Click Apply. Click OK.

Is Windows Event Collector free? ›

Yes, Windows Event Forwarding (WEF) and the Windows Event Collector (WEC) service are free and already built-in tools since 2003.

How do I connect my Event Viewer to another computer? ›

To select computers in Event Viewer

Right-click Event Viewer (top level). Select Connect to another computer. Type the computer name on which to view Event Logs, and click OK.

How do I forward Windows events to syslog? ›

How to forward Windows event logs to a syslog server (Syslog...
  1. Install EventLog Inspector and run EventLog Inspector Manager.
  2. Make sure the service is running and marked to start automatically.
  3. Switch to Settings tab ad elect the Syslog group.

How to setup Windows script host? ›

To activate or deactivate the Windows Script Host, type regedit.exe in the Run box and press Enter to open the Registry Editor. In the right panel, you will see Enable. If you see 0 entries, it means that Windows Script Host access is disabled on your Windows. Double Click and in Data Value type 1 to activate it.

How do I test Windows event forwarding? ›

Open up a command prompt as administrator and type the following command: eventcreate /id 999 /t error /l application /d "Test event." This will generate a test log in the application event log. Events will arrive in the collector in the Forwarded Events log.

How to configure target subscription manager Windows? ›

On the Windows Server, go to the Control Panel and open the Local Group Policy Editor. Select Computer Configuration > Administrative Templates > Windows Components > Event Forwarding, and then click Configure Target Subscription Manager.

What is the difference between Windows Reliability Monitor and Event Viewer? ›

Whereas Event Viewer allows you to monitor system and application events, Reliability and Performance Monitor (RPM) allows you to monitor and log the reliability and performance of your computer.

How do I run Windows service on network service? ›

3 Answers
  1. In Windows explorer go to the folder containing the binaries of the service.
  2. Right-click on the folder > Properties > Security tab > Edit button.
  3. Add > "NETWORK SERVICE" > OK.
  4. Give it full control (just to test and then reduce permissions till it working)
Aug 15, 2012

Do I need host process for Windows services? ›

The Host Process for Windows is required for most system services to load correctly and thus is an essential component in all versions of Windows. These services are necessary for the normal operation of the operating system.

What is the difference between worker service and Windows service? ›

Both are real services. Windows Services have existed for over 20 years. They start most often at system startup and run permanently. A Worker Service is also a real process, but is intended as a background service for a front-end application; it starts with the application and stops with the application.

Where is Windows Event Collector log? ›

By default, Event Viewer log files use the . evt extension and are located in the %SystemRoot%\System32\winevt\Logs folder.

How do I collect Windows server logs? ›

To run the Log Collector on the server by using the wizard

On the Start page of the server, click Windows Server Essentials Log Collector. If the Log Collector program does not appear on the Start page, browse to %system%\Program Files (x86)\Windows Server Essentials Log Collector, and then double-click LogCollector.

How do I manually install a Windows CAB file? ›

Install CAB file for driver update
  1. Open File Explorer.
  2. Navigate to the folder with the achieve file.
  3. Double-click the CAB file to open it.
  4. Select all the contents (“Ctrl + A” keyboard shortcut).
  5. Right-click the selection and select the Extract option.
  6. Select the folder destination to extract the files.
Jan 18, 2023

How to log events in event log Windows 10 from command line? ›

Launch Event Viewer Windows 10 with CMD. Press Windows + R, type cmd, and hit Enter to open Command Prompt Windows 10 -> Type eventvwr in Command Prompt window, and hit Enter to open Event Viewer.

How do I run Windows Management Console from command line? ›

In the Start menu search bar, type cmd. From the search results, right-click on Command Prompt > Run as Administrator. In the CMD console, type mmc and hit Enter to launch the Microsoft Management Console.

How do I run a Windows command script from the command line? ›

To run a script using a particular engine:

Enter "cscript" or "wscript" on the command line, followed by the script name.

What are the options for Windows event log? ›

Windows Event Logs Types for Security
  • Security Log: These logs keep track of activities that may compromise security, such as failed login sessions or removing important files. ...
  • Application Log: ...
  • File Replication Service Log: ...
  • System Log: ...
  • DNS Server Log: ...
  • Directory Service Log:
Jan 4, 2023

How does Windows Event Collector work? ›

Event collection allows administrators to get events from remote computers and store them in a local event log on the collector computer. The destination log path for the events is a property of the subscription.

What is Windows Collector? ›

A collector is a service running on a Windows server that collects all events sent to it from an event log forwarder. Related:A Complete Guide to Using the Get-WinEvent PowerShell Cmdlet. The “link” between the forwarding server and a collector is known as a subscription.

What tool should you use if you want to query the system event log? ›

As previously noted, the Event Viewer is the native graphical tool used to access the Windows event logs, although many third-party tools are also available. The Event Viewer is divided into three main panes. The pane on the left lists the individual event logs and enables you to select the log you want to view.

How do I manually start Event Viewer? ›

Open "Event Viewer" by clicking the "Start" button. Click "Control Panel" > "System and Security" > "Administrative Tools", and then double-click "Event Viewer"

What is the command to run Event Viewer? ›

Run Event Viewer from Run dialog.

Open Run dialog by pressing Windows+R. Type eventvwr. msc (or eventvwr.exe) and click OK.

How to configure syslog forwarding in Linux? ›

Forwarding Syslog Messages from a Linux Device
  1. Log on to the Linux device (whose messages you want to forward to the IMS server) as a super user.
  2. Enter the command - vi /etc/syslog. conf to open the configuration file called syslog. ...
  3. Enter *. ...
  4. Restart the syslog service using the command /etc/rc.

What is the difference between Windows event log and syslog? ›

When thinking about syslog vs. event log, it helps to remember an event log is a subset of what might be tracked in syslog. Syslog servers capture information from multiple logs and store it in a central location.

How do I export all Windows event logs?

How to export event viewer logs?
  1. Open Event Viewer (Run → eventvwr. ...
  2. Locate the log to be exported.
  3. Select the logs that you want to export, right-click on them and select "Save All Events As".
  4. Enter a file name that includes the log type and the server it was exported from.
  5. Save as a CSV (Comma Separated Value) file.

How do I make a Windows script executable?

On the Actions menu, click Configure Run Profiles. In the Configure Run Profiles for Management Agent dialog box, in Management agent run profiles, click the run profile that you want to compile into an executable file, and then click Script. In the Save as dialog box, type a name and location for the script.

How do I run a Windows activation script?

On a client computer, open a Command Prompt window and run the command Slmgr.vbs /ato. The /ato command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.

How to activate Windows using script?

How to Activate Windows 10/11 with CMD
  1. You have to open the command prompt on your system first. Click Start and simply type "CMD". Now, run it as administrator.
  2. Type the following command. slmgr /ipk. slmgr /skms kms.xspace.in. Slmgr /ato. Now press enter. This command will activate your Windows 10/11.

What protocol does Windows event forwarding use?

In a domain setting, the connection used to transmit WEF events is encrypted using Kerberos, by default (with NTLM as a fallback option, which can be disabled by using a GPO).

How do you check if Windows is activated or not remotely?

Start by opening the Settings app (Windows + I) and then go to Update & Security. On the left side of the window, select Activation. Then, on the right side, you should see the activation status of your Windows 10 computer or device.

Which Windows event logs to monitor?

Events to Monitor
  • Application Allowlisting.
  • Application Crashes.
  • System or Service Failures.
  • Windows Update Errors.
  • Windows Firewall.
  • Clearing Event Logs.
  • Software and Service Installation.
  • Account Usage.
  • Kernel Driver Signing.

How do I set up Windows event forwarding?

This is one way to configure Windows Event forwarding.
...
Right-click Subscriptions and select Create Subscription.
  1. Enter a name and description for the subscription.
  2. For Destination Log, confirm that Forwarded Events is selected. ...
  3. Select Source computer initiated and click Select Computers Groups. ...
  4. Click Select Events.

What is subscription-manager command?

subscription-manager is a client program that registers a system with the Certificate-Based Red Hat Network. To register your system with RHN Classic or with an RHN Satellite 5.x system, use the rhn_register tool instead. Red Hat provides content updates and support by issuing subscriptions for its products.

How to configure Windows AD Server?

Right-click on the Start button and go to Settings > Apps > Manage optional features > Add feature. Now select RSAT: Active Directory Domain Services and Lightweight Directory Tools. Finally, select Install then go to Start > Windows Administrative Tools to access Active Directory once the installation is complete.

What are the 5 different types of Windows logs available on the Event Viewer?

They are Information, Warning, Error, Success Audit (Security Log) and Failure Audit (Security Log).

Does Event Viewer show CPU usage?

Windows does not log CPU usage to the event logs by default. If this is happening on a recurring basis and you'd like to investigate the cause, you'll want to use perfmon. With perfmon you can set up a rolling capture of performance counters, which can include per-process CPU consumption.

What is the difference between Windows Event 4656 and 4663?

The main difference from the “4656: A handle to an object was requested.” event is that 4663 shows that an access right was used rather than just requested, and 4663 has no Failure events. Note: for recommendations, see Security Monitoring Recommendations for this event.

How to set up a Windows syslog server?

Syslog server configuration
  1. Open the rsyslog.conf file and add the following lines. ...
  2. Create and open your custom config file. ...
  3. Restart the rsyslog process. ...
  4. Configure Log Forwarding in the KeyCDN dashboard with your syslog server details.
  5. Verify if you are receiving the logs (log forwarding starts within 5 minutes).

How to set up syslog in Linux?

Configuring syslog on Linux OS
  1. Log in to your Linux OS device, as a root user.
  2. Open the /etc/syslog.conf file and add the following facility information: authpriv.* @<ip_address> where: ...
  3. Save the file.
  4. Restart syslog by typing the following command: service syslog restart.
  5. Log in to the QRadar Console.

How to configure remote syslog server in Linux?

Server Configuration for Remote System Logging
  1. Check if rsyslog is installed. rsyslog is the syslog daemon that will listen for logs from the hosts. ...
  2. Edit rsyslog's configuration file. ...
  3. Configure the firewall to open the port used by rsyslog. ...
  4. Restart rsyslog. ...
  5. Check if rsyslog is listening on the port opened.
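The steps above only name the actions; they do not show what the configuration file ends up containing, nor that a listener opened to the network should authenticate the hosts that send to it. The fragment below is an added example, not part of this page or of any of the guides it quotes. It places the plaintext UDP listener that most quick-start guides describe beside a TLS listener that accepts only forwarders presenting a certificate issued by the collector's CA. The file paths under /etc/rsyslog.d/certs, the port 6514, the ruleset name remote and the peer pattern *.example.com are assumptions for illustration and must be adapted to your environment.

```rsyslog
# Added example (not from the page): /etc/rsyslog.d/10-remote.conf
# Certificate paths, port and peer pattern are placeholders to adapt.

# --- Weak: plaintext UDP on 514, no sender authentication --------------
# Any host that can reach the port can inject or spoof log lines, and the
# traffic is readable on the wire. Left commented out for comparison only.
# module(load="imudp")
# input(type="imudp" port="514")

# --- Hardened: TLS on TCP 6514 with mutual certificate authentication ---
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/server-key.pem"
)

# Mode 1 refuses plaintext connections; x509/name verifies the client
# certificate against the CA and matches its name against PermittedPeer.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.com"])

# Bind the listener to a dedicated ruleset so remote messages never mix
# with the collector's own local logs.
input(type="imtcp" port="6514" ruleset="remote")

# One directory per sending host, one file per program.
template(name="RemoteByHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="remote") {
  action(type="omfile" dynaFile="RemoteByHost"
         dirCreateMode="0750" fileCreateMode="0640")
}
```

With this file in place, `rsyslogd -N1` validates the syntax before the restart in step 4, the firewall rule in step 3 opens 6514/tcp instead of 514/udp, and `ss -ltnp` for step 5 should show rsyslogd bound to 6514 only. Each forwarder then needs a client certificate from the same CA whose subject matches the PermittedPeer pattern; connections from hosts without one are rejected at the TLS handshake rather than written to disk.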

How do I start a syslog service in Linux?

Configuring syslog-ng on Linux OS
  1. Log in to your Linux® OS device, as a root user.
  2. Open the /etc/syslog-ng/syslog-ng.conf file and add the following facility information: ...
  3. Save the file.
  4. Restart syslog-ng by typing the following command: service syslog-ng restart.
  5. Log in to the QRadar Console.

How do I forward Windows events to Syslog?

How to forward Windows event logs to a syslog server (Syslog...
  1. Install EventLog Inspector and run EventLog Inspector Manager.
  2. Make sure the service is running and marked to start automatically.
  3. Switch to the Settings tab and select the Syslog group.

How to install DC in Linux?

Setup the Hosts File Entry
  1. Delete unnecessary hosts entry.
  2. Add your domain controller Linux server FQDN and host.
  3. Verify the FQDN and IP resolution.
  4. Disable the DNS resolver service.
  5. Update the DNS resolver file.
  6. Configure the default realm.
  7. Type the Kerberos server hostname.
  8. Type the administrative server hostname.

Does a DC need to be a DNS server?

In a small environment, at least one domain controller (DC) should be a DNS server. It is possible to install DNS on servers which are not DCs, including non-Windows servers, but installing DNS on DCs allows the use of AD-integrated lookup zones (see below), which improve security and simplify zone replication.

Can you use DC as NTP server?

Clients can reach the DCs serving as NTP servers using both the NTP and NT5DS protocol [UDP Port 123].

Article information

Author: Msgr. Refugio Daniel

Last Updated: 06/10/2023
