A customer had asked me if it was possible to collect logs centrally using WEC (Windows Event Collection) to reduce the number of WinRM or Windows Legacy Collectors that were needed. I hadn't heard of WEC, so it took me a while to understand it and test it out in a lab.
This post is about what I did to make it work in my lab, how it works, and what limitations it might introduce if it's the collection method of choice for some or all Windows events in your environment.
In short:
Pro: it looks like a simple way to collect logs from assets whose addresses change regularly (DHCP clients, or cloud environments where assets are spun up and torn down frequently), or from specific compliance-scoped assets (PCI/SOX).
Con: the logs carry the collector's address as device.ip rather than the true source, so any alerts keyed on device.ip will not work as expected. The alias.host and event.computer meta do reflect the true client system, so you could key on those instead.
** I can't vouch for the security of what I did to make this work; I'm an SE, not a Windows Security expert, so if you have found a more secure way to accomplish this please comment and I'll test it out and update the post with details **
WEC can be set up in either collector-initiated or source-initiated mode. Collector-initiated was chosen for this test.
- The collector in this test was a Server 2012 R2 domain controller
- Clients were a mix of Win7, Win8, Win10 and Server 2008 R2
Collector
Computer Management (as admin) > System Tools > Event Viewer > Subscriptions > Create Subscription
Create a subscription name
Destination Log: Forwarded Events
Collector Initiated
Select Computers > pick the computers from the domain to add to the list, or the computer group where they will reside
Events to collect:
Select the event logs to collect (Application, System, Security, PowerShell)
Change User Account
There was some difficulty in making a service account and accessing the Security logs, so I ended up using a machine account and leaving the event delivery as Normal
Now your collection is ready
Clients
Enable the WinRM service and network connections to it by opening cmd.exe (as admin) and running:
winrm qc
Select yes to enable the service and the network ports
Now add the machine account and the Network Service account to the group that grants read access to the Security events:
Computer Management (as admin) > Local Users and Groups > Groups > Event Log Readers
Add the Network Service account
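The client prerequisites above, plus a collector-side check of the device.ip caveat, as an added PowerShell example (not from the original post); the subscription name is an assumed placeholder and the script is run as administrator:

```powershell
# Added example, not part of the original post. Checks the client prerequisites
# (WinRM listener, Event Log Readers membership) and, on the collector, shows
# that forwarded events keep the true source in MachineName (event.computer /
# alias.host) even though the collector's address is what device.ip records.
param(
    [string]$SubscriptionName = 'Lab-Subscription'   # assumed name; use your own
)

function Test-WecClientPrereqs {
    # WinRM service running and an HTTP listener present (what 'winrm qc' creates)
    $svc      = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $listener = & winrm enumerate winrm/config/listener 2>$null
    # Event Log Readers must contain NETWORK SERVICE (or the collector's machine
    # account), otherwise reads of the Security log are denied
    $readers  = & net localgroup 'Event Log Readers' 2>$null
    [pscustomobject]@{
        WinRmRunning       = ($null -ne $svc -and $svc.Status -eq 'Running')
        WinRmHttpListener  = [bool]($listener | Select-String 'Transport = HTTP')
        NetworkServiceRead = [bool]($readers  | Select-String 'NETWORK SERVICE')
    }
}

function Get-WecForwardedSources {
    param([int]$MaxEvents = 500)
    # On the collector: group recent forwarded events by the source computer.
    # MachineName is the true client; the network address seen by the downstream
    # log collector is the WEC server itself, so device.ip cannot be used for
    # per-host alerting while these fields still can.
    Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Group-Object -Property MachineName |
        Select-Object @{ n = 'SourceComputer'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

function Get-WecSubscriptionStatus {
    # Per-source delivery state as reported by the Windows Event Collector service
    & wecutil gr $SubscriptionName
}

'--- client prerequisites ---'
Test-WecClientPrereqs | Format-List
'--- forwarded events by true source (collector only) ---'
Get-WecForwardedSources | Format-Table -AutoSize
'--- subscription runtime status (collector only) ---'
Get-WecSubscriptionStatus
```

On a client the last two sections are empty or error out because ForwardedEvents and the subscription only exist on the collector.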