In 2008 Microsoft released Windows Event Forwarding (WEF) for free as a standardized approach to collect Windows logs in a way that is efficient and scalable. With a few simple commands and a virtual machine acting as a Windows Event Collector (WEC), all Windows logs can be centralized into one location in minutes. Nevertheless, many still face challenges in making changes to their environment and configuring WEF and would rather use a wizard-based software solution. Continuing our blog series on sourcing Windows logs including with NXLog. This post will walk you through configuring WEF using Supercharger.
Supercharger is a tool that can be used to help set up, configure, and monitor a Windows Event Collection environment in a single pane of glass view. Supercharger was created by Randy Franklin Smith of Ultimate Windows Security fame and it simplifies the effort it takes to monitor a Windows environment. It can take less than an hour to configure logging of the entire Windows environment (depending on its size). The base software license is free to use and by selecting Exabeam UEBA as the SIEM in the request form, you can enjoy a 60-day licensed copy of the Enterprise version provided by email as well.
Problem and challenges
There are a lot of steps involved in setting up native WEF. This will typically require significant involvement from the Windows admins in the organization to set audit policy, open firewall rules, configure services, modify user permissions, create subscriptions, and push group policy. There are some caveats as well depending on the Windows server version. There will also be a need to deploy an agent to collect the logs on the WEC server(s) which often is the Domain Controller. Often, the biggest challenge in getting WEF configured is finding time from the Windows admins to make the necessary changes.
Supercharger simplifies this process. It allows the implementation of native Windows Event Collection quickly and through a guided wizard-based setup. Moreover, it provides additional functionality above and beyond what is available with native WEF such as: load balancing, pre-built security filters with noise suppression, and management of subscriptions. This solution can be used to manage very large WEC environments spanning over 100,000 endpoints and multiple domains. This will help avoid the push back from Windows admins who resist using agents and will reduce the burden of installing and updating agents.
Solution and other considerations
Make sure to review the Supercharger page for the latest requirements but the software can be installed on any version from Microsoft Windows Server 2012 onwards.
Fill out the form to download the installer. Extract the .zip file and run the installer on the WEC server that will serve as a manager. Once it completes this pop-up web page will appear:
It is a good idea to go through the Quick Start process and check off items as they are completed:
Create and/or update the GPO and follow the outlined steps to configure it.
Once complete run the following command on the WEF servers from command prompt if needed to push the policy:
Now that the policy is configured, create the subscription and follow the outlined steps.
Provide a name and specify a destination log on the WEC server where the logs will be saved. Typically Forwarded Events will be used for this purpose.
Please select a policy.
The default should be fine unless there are specific requirements in your environment that need to be satisfied.
The knowledge base has a lot more information on what is included in the subscription policies.
Click Add. Then search for the computer(s) in scope. This can be individual computers or a computer group that has been created. Click Add Forwarder when done.
Select a filter from the dropdown or manually define one. The Exabeam UEBA filter will choose the key event IDs that are recommended by Exabeam. The knowledge base has a lot more information on the different options for managed filters.
Click Add Subscription and/or Submit to create the subscription.
Verify that the forwarder(s) are showing up as intended.
You should now have a functioning WEF/WEC setup with Supercharger managing the subscriptions. Load balancing and other capabilities can be enabled as well if required.
I hope you found this article useful for centralizing all your Windows logs. Let us know if there are other topics you want us to write about in our blog.
You can check out the rest of the articles in our how-to logging series.