The use of a centralized log server is often highlighted in today's security best practices. The constant need to collect, retain and protect these sensitive security event log files sometimes overwhelms security and systems administrators, especially in large corporate environments. When properly configured, security event logs are used to track user activity and access on specific systems or objects, and they are a key element when trying to piece together the chain of events leading to a security incident. Many security administrators know how cumbersome it is to manage such security event log files, and some turn to third-party vendors to help them manage their security logs. The truth is that many of these problems can be solved using native features of your server operating system.
As the successor to Windows Server 2003, Windows Server 2008 has a security event log forwarding feature natively installed. Windows 2008 breaks security event forwarding into two parts: the source and the collector. The source computer or server is the machine from which the security logs are fetched. The collector is the centralized server that collects, consolidates and protects the sensitive event log files. On Windows 2008 server, both source and collector need to be configured before this feature can be used.
To configure security event log forwarding on Windows 2008 server, log on to the source and collector computers using a domain administrator account.
On the Source computers, configure Windows Remote Management by executing the following at the command prompt:
1. winrm quickconfig
This command performs the following changes to the operating system:
* Sets the WinRM and WinRM Listener services to auto start (they are usually set to manual)
* Creates firewall exceptions and application associations for ports 80 and 443 with the WinRM service.
2. Add the Collector's computer account to the source computer's local Administrators group.
** Group Policy can be used to automatically configure and deploy multiple sources.
On the Collector server, execute the following at the command prompt:
1. wecutil qc
This command initializes the Windows Event Log Collector on the server. At this point the Collector server is ready to create subscriptions to multiple sources.
To configure security event subscriptions:
2. Open Event Viewer on the Collector computer, right-click Subscriptions in the left pane and select Create Subscription.
** Subscriptions can only be established to properly configured Source computers.
3. Click Select Events and choose the events you want to collect. In our case, choose the security events.
4. Configure the time and frequency options on the collector server. By default, the server subscribes to the logs as soon as an event is written.
5. Configure the destination of these log files (i.e. the repository); this location should be a WORM (Write Once Read Many) repository.
Advanced Configurations:
You can tune subscription settings such as bandwidth, protocols and account information. The default values are shown below.
* As a security best practice, personal usernames should not be used to configure this service. Administrators should use the computer account or a special service account to perform the subscriptions.
* If the subscription service is configured to use any port other than 80 or 443, the firewall at each source will need to be configured accordingly.
Test Event Forwarding
If all of the Event Forwarding components are functioning, a test event created on the Source Computer should arrive in the Collector's "Forwarded Events" log within 60 seconds.
To create a test event, type the following command at the command prompt:
eventcreate /id 100 /t error /l application /d "Event Forwarding Test"
The event should appear in the Collector's Forwarded Events log as seen below:
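To check each side of the setup described above without clicking through Event Viewer, here is an added PowerShell script (not part of the original article). It assumes PowerShell 2.0 is installed on both machines, an elevated prompt, a collector named COLLECTOR01 and a subscription named Security-Forwarding; change those two names to match your environment.

```powershell
# Added verification script, not from the original article. Assumed names:
# collector COLLECTOR01, subscription "Security-Forwarding". Run elevated.

# Run on a SOURCE computer after "winrm quickconfig" and the group change.
function Test-SourcePrerequisites {
    param([string]$CollectorName = 'COLLECTOR01')   # assumed collector name
    $ok = $true
    # 1. WinRM must be running and set to start automatically (quickconfig does this).
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    if ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
        Write-Warning "WinRM is $($svc.State), start mode $($svc.StartMode)"; $ok = $false
    }
    # 2. A WinRM listener must exist; quickconfig creates the HTTP listener.
    $listeners = winrm enumerate winrm/config/listener 2>&1
    if (-not ($listeners | Select-String 'Transport = HTTP')) {
        Write-Warning 'No WinRM listener found; rerun "winrm quickconfig"'; $ok = $false
    }
    # 3. The collector's computer account (DOMAIN\NAME$) must be a local Administrator.
    $members = net localgroup Administrators
    if (-not ($members | Select-String "\\$CollectorName\`$")) {
        Write-Warning "$CollectorName`$ is not in the local Administrators group"; $ok = $false
    }
    return $ok
}

# Run on the COLLECTOR after running eventcreate on a source.
function Test-CollectorDelivery {
    param([string]$Subscription = 'Security-Forwarding',  # assumed subscription name
          [string]$SourceName,                            # source that ran eventcreate
          [int]$WithinSeconds = 60)                       # the article's 60-second window
    # Wecsvc is the Windows Event Collector service initialized by "wecutil qc".
    if ((Get-Service Wecsvc).Status -ne 'Running') {
        Write-Warning 'Windows Event Collector service is not running'; return $false
    }
    # Runtime status shows whether each source is Active or reporting an error.
    wecutil gr $Subscription | Select-String -Pattern 'RunTimeStatus|LastError'
    # The article's test event is ID 100; forwarded copies land in ForwardedEvents.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'ForwardedEvents'; Id = 100
        StartTime = (Get-Date).AddSeconds(-$WithinSeconds)
    } -ErrorAction SilentlyContinue)
    if ($SourceName) { $events = @($events | Where-Object { $_.MachineName -like "$SourceName*" }) }
    if ($events.Count -eq 0) {
        Write-Warning "No test event (ID 100) arrived in the last $WithinSeconds seconds"; return $false
    }
    "Test event received from $($events[0].MachineName) at $($events[0].TimeCreated)"
    return $true
}
```

If a source shows a non-zero LastError in the wecutil output, re-check the WinRM listener and the local Administrators membership on that source before looking anywhere else.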