Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

On each source computer (e.g. Windows AD), from where logs are expected to be forwarded,type the following at an elevated command prompt:

PS C:\Users\Administrator>winrm quickconfig

  • Log on to the source computer (e.g. Windows AD) as administrator, open a command or PowerShell prompt, and run the command below

...

  • :

PS C:\Users\Administrator>winrm quickconfig

Image Added

  • To determine the current channel access permissions, run the command below:

PS C:\Users\Administrator>wevtutil get-log security

Image AddedThis outputs the following

name: security

enabled: true

type: Admin

owningPublisher:

isolation: Custom

channelAccess:

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

logging:

 logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx

 retention: false

 autoBackup: false

 maxSize: 20971520

publishing:

fileMax: 1

The Security Identifier (SID) for the Network Service account is S-1-5-20.  Add it to the SDDL as shown here using wevtutilset-log command with the /ca (channel access) parameter to give the account read permission on the Security Event Log.

Now run below the following command on each source computers:

PS C:\Users\Administrator>wevtutil set-log security ‘/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)’

Image Added


After running the set-log security command:

Image Added

The links below provide more details on how to perform the above steps

...

https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2


Ref link: Image AddedWindows Event Collector Tutorial - Andy's Tech Blog