Forward On-Premises Windows Security Event Logs to Microsoft Sentinel with Azure Monitoring Agent (AMA) Agent
Original Credit: Paul Bergson
Enhanced by D. Edwards
Windows Event Forwarding (WEF) isn’t something new, I believe it has been around for more than 20 years, but the ability to query has never been its strong point, plus storage can be an issue. Having the ability to get access to all of the enterprises Windows Event logging data without having to load a client (WEF is built into the o/s) has two major advantages.
No agent management
Imagine a customer with close to 200,000 endpoints and having to maintain the installed client base, that could be a real headache and client costs are very high (I am working with such a scenario). A WEC server can’t have that large of a number of clients so it has to be split out, and I have been asked “how many clients could connect to a single WEC server?” There is no precise answer to that question. Since there are many factors that enter into that question. Size of WEC server, amount of traffic being sent,… I have seen that the number of a clients that a WEC server can handle, could go as high as 10,000 clients but again the environment factors enter into this.
Once one or more WEC server have been stood up then you will need to add an “Azure Arc” connection to Azure, so Microsoft Sentinel can “Connect” to the WEC server. The Microsoft Sentinel connector “Windows Forwarded Events (Preview)” requires AMA, as it is not supported for MMA, and AMA requires the deployment of Azure Arc.
This will then provide the customer complete access to the logs from the hosts that exist outside of Azure (On-Premises, AWS, GCP for example) that were aggregated with WEF.
Below I have walked through the steps needed to help deploy a WEF to Microsoft Sentinel infrastructure.
Windows Event Forwarding Log Collector to Microsoft Sentinel Rollout
There is no need to load an agent on every device to capture the Windows Security Event Logs from your on-premises Windows workstations & servers. Windows hosts already have this built into the operating system. To capture the events without having to load the Azure Monitoring Agent (AMA) the Windows Event Forwarding process can be used to send logs to a “Windows Event Collector” (WEC). The WEC will then need the AMA loaded to send the events to a Log Analytics Workspace (LAW) that is monitored by Microsoft Sentinel.
Note: Microsoft Sentinel must be enabled/deployed prior to the deployment of the AMA agent.
From a high-altitude view:
- Deploy Microsoft Sentinel
- Build a Windows Event Collector (WEC) server to host the security event logs from client (source) computers
- Create a Group Policy to define where the clients are to request the logs and events (Subscription), they are to send to the WEC
- Create a subscription on the WEC to define what logs and events to receive
- For on-premises WEC server(s), enroll it/them in the Azure Arc service
- Add the Microsoft Sentinel, “Windows Forwarded Events (Preview)” connector
- Define the WEC hosts
- Define the “Forwarding Event Logs” log to collect from
- Browse/Query (KQL) the LAW for Security Events
High Level Steps in Graphic Format
Create and Push GPO To Clients So They Can Find the WEF Collector
Clients Request WEF Policy from WEF Server
WEF Collector Pushes Policy to Clients
Clients Continuously Push Security Events to WEF Collector
Collected Security Events are Continuously Forwarded to the Azure Log Analytics Workspace
Building a Windows Event Collector
This is a resource requirement. The size of the host will depend on the number of source clients and logs being forwarded to the WEC.
“You deploy EventLog Forwarding in a large environment. For example, you deploy 40,000 to 100,000 source computers. In this situation, we recommend that you deploy more than one collector that has 2,000 clients to not more than 4,000 clients per collector.
Note: AMA can handle up to 5,000 EPS, but be aware that it is important to have enough WEC servers as if the limit of EPS is reached the agent won’t be able to handle the load.
Additionally, we recommend that you install at least 16 GB of RAM and four (4) processors on the collector to support an average load of 2,000 to 4,000 clients that have one or two subscriptions configured.
Fast disks are recommended, and the ForwardedEvents log can be put onto another disk for better performance.
The memory usage of the Windows Event Collector service depends on the number of connections that are received by the client. The number of connections depends on the following factors:
- The frequency of the connections
- The number of subscriptions
- The number of clients
- The operating system of the clients
For example, for the default values of 4,000 clients and five to seven subscriptions, the memory that is used by the Windows Event Collector service may quickly exceed 4 GB and continue to grow. This can make the computer unresponsive.”
Best practice of configuring EventLog forwarding performance - Windows Server | Microsoft Docs
Ensure Events can be forwarded if running on a Windows Server
You configure a Windows Server 2019 or Windows Server 2016 computer as an event collector. You also configure a source-initiated subscription (and related Group Policy Objects) for event forwarding. However, the events are not forwarded and the event source computers log event messages that resemble the following:
Log Name: Microsoft-Windows-Forwarding/Operational
Event ID: 105
Task Category: None
User: NETWORK SERVICE
The forwarder is having a problem communicating with subscription manager at address http://W19SRV.contoso.com:5985/wsman/SubscriptionManager/WEC. Error code is 2150859027 and Error Message is The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol.
This behavior is caused by the permissions that are configured for the following URLs:
On the event collector computer, both the Windows Event Collector service (WecSvc) and the Windows Remote Management service (WinRM) use these URLs. However, the default access control lists (ACLs) for these URLs allow access for only the svchost process that runs WinRM. In the default configuration of Windows Server 2016, a single svchost process runs both WinRM and WecSvc. Because the process has access, both services function correctly. However, if you change the configuration so that the services run on separate host processes, WecSvc no longer has access and event forwarding no longer functions.
To view the URL permissions, open an elevated Command Prompt window and run the command netsh http show urlacl.
To fix the URL permissions, use the elevated Command Prompt window and run the following commands:
netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
netsh http delete urlacl url=https://+:5986/wsman/
netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)”
Create a Group Policy Object (GPO) and link it to an Organization Unit (OU)
WEF uses WINRM, which uses ports 5985 for http or 5986 for https. Ensure that you have the winrm service running on clients before you start capturing traffic. Winrm is started by default on Windows Server 2008 and beyond.
If the goal is to capture the Security event logs as one of the logs (In our demo we will need to capture the Security Event Logs), then it will be required to grant the “Network Service” access to the Security event log, by default access is denied. From an Active Directory domain machine, run the following command, from an elevated command line:
wevtutil gl security
This will list out the ACL’s defined on the Security Event Log. Look for “channelAccess” the "O:BAG:SYD:" is where the permissions on the log are stored. Copy from the O through the last parenthesis and paste it into Notepad. If there isn’t a (A;;0x1;;;NS) on the end like the example below, then append that on to the line in Notepad. This last part provides the Network Service (NS), access to the Security Event log.
Start up Group Policy Management Editor
There are 2 settings that will need to be added, to point the clients to the WEC server:
Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding>Configure target subscription manager
This will need to be updated with the address of your WEC server in the format shown below:
Replace the red highlighted area with the fqdn of the WEC server.
Note: “Server=” is needed in the line defined above
The refresh interval on the end indicates how often clients should check in to see if new subscriptions are available. In this example 60 seconds is extremely chatty, but during testing you only have to wait 1 minute for updated configuration. Setting to hourly (Refresh=3600) in production should work just fine.
Once the defined WEC has been completed, the Network Service needs to be granted access to the Security Event Log. This step is not needed if you won’t be reading that log file.
Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security > Configure log access
From a previous step where the Security Event log permissions were built and stored in Notepad, this value will now be updated in the GPO.
Note: This will replace any previous settings on this Event Log, so just be aware of this update.
Once this GPO has been built, it will be up to the admin to decide how to apply the policy to the workstations/servers so they can check in with the WEC server to get the subscription definition.
Create a WEC subscription
Now that client GPO has been defined a subscription needs to be built to tell these clients what logs and Events should be “Forwarded”.
From the WEC server, start up “Event Viewer”.
Right click on “Subscriptions” and select “Create Subscription...”.
- “Subscription name:” Enter a unique name for the subscription (try to avoid spaces)
- “Description:” is optional
- “Destination log:” Select the log file “Forwarded Events”
- Select “Source Computer Initiated”
- Click on “Select Computer Groups…”
Select the “Add Domain Computers” button and walk through the Active Directory (AD) picker to populate the Computers to be added. In the example below, there are just individual machines but AD groups can also be used. Once all objects have been selected click the “Ok” button”
From the “Subscription Properties” main page, click on the “Select events” button.
The “Query Filter” page allows the admin of the filter the ability to only forward events interested in capturing. This filter will be used by all client subscribers that are forwarding events. These events will all be sent to the WEC server. If the admin would like the WEC server to capture all events but filter this list before sending to Microsoft Sentinel, there is a second filter definition on the Microsoft Sentinel connector.
Note: Events are continuously sent to the WEF collector
Once filtering has been completed, select “Ok” and select “Ok” again on the Subscription properties page.
Create firewall rule to allow traffic on port TCP/5985 by running the following command in Administrator command prompt:
netsh advfirewall firewall add rule name="Windows Remote Management (HTTP-In)" dir=in action=allow service=any enable=yes profile=any localport=5985 protocol=tcp
Ensure WinRM is listening on IP 0.0.0.0 port 5985:
netstat -nao | findstr "5985" TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
If instead you get the following output then the firewall will block remote TCP connections to WinRM thus breaking the Event Log Forwarding because it's only listening on 127.0.0.1:
netstat -nao | findstr "5985" TCP 127.0.0.1:5985 127.0.0.1:0 LISTENING 4
Verify WinRM listener is listening only on IP 127.0.0.1 by running the following command in Administrator command prompt:
netsh http show iplisten IP addresses present in the IP listen list: ------------------------------------------- 127.0.0.1
To solve the issue, remove the 127.0.0.1 listener by issuing the following command in Administrator command prompt:
netsh http delete iplisten ipaddress=127.0.0.1
Verify 127.0.0.1 is no longer listening:
netsh http show iplisten IP addresses present in the IP listen list: -------------------------------------------
Waiting approximately 15 minutes (After the GPO has applied to the clients), the “Forwarded Events” log should begin to populate from subscribers to the WEC subscription.
If you look closely at the screen capture below you will see that the “Forwarded Events” log resides on vm2016-01 (DOS prompt), yet the reporting in the event itself belongs to VM2019DC-01.
Enroll WEC server(s) into Azure Arc services
In order to capture events within Microsoft Sentinel, there has to be a connection to the Log Analytics workspace that Microsoft Sentinel monitors. To do this we need to enroll our WEC server into Azure Arc. This is completed by installing the Azure Monitor Agent.
- Log onto the Azure portal:
- From the search portal enter, “Servers - Azure Arc” and select this to go to the “Servers - Azure Arc” blade.
- Click on “+ Add”
- For this initial trial rollout, select the “Generate Script” from the “Add a single server” box.
- Select “Next”
- Complete the Resource Details and click on “Next”
Note: In the example from my lab below, I am using a “Public” endpoint. I would strongly encourage organizations to not expose ANY log files on the public internet!
- Enter any required “Tags” for your organization and select “Next”
- Select the “Download” button
- Select the “Copy” button
- The “Download” button will probably be blocked by your organization
- From the on-premises WEC collector desktop, open a script editor (Notepad for example) and paste the contents of the clipboard and save it as “WEC-Sentinel.ps1”.
- Open an elevated PowerShell command prompt
- Change directories to where you saved “WEC-Sentinel.ps1”
- Execute the script: .\WEC-Sentinel.ps1
- You will be prompted to sign into a web browser and enter a code
- Follow the on screen prompts to logon and approve the joining of this machine to Azure Arc
- Move back to the “Servers – Azure Arc” blade, hit refresh and the newly onboarded host should now be a part of this subscriptions “Azure Arc” as seen with the Data Collector (“vm2016-01”) below.
Add the Microsoft Sentinel, “Windows Forwarded Events (Preview)” connector
Once events are being collected, the events now need to be imported into a “Log Analytics Workspace” (LAW) for Sentinel to be able to monitor and report on them.
- Log onto the Azure portal:
- Select Microsoft Sentinel
- Select the “Data Connectors” blade
- Select the LAW that you would like to aggregate events to from the WEC
- Enter “Windows Forwarded Events” in the “Search by name or provider” box
- Click on “Windows Forwarded Event”
- Select “Open connector page”
- Select “+Add data collection rule”
- On the “Basics” tab enter
- “Rule Name”, “Subscription” and “Resource Group”
- On the “Resources” select the “+Add Resource(s)”
- Browse to the “Collector(s)” that will be capturing on-premises Security event logs
- Click the “Apply” button
- On the “Collect” tab select the “+Add Resource(s)”
- Browse to the on-premises Data Collector (VM2016-01)
- Select the “Apply” button
If you wish to send ALL events
- Select All Events
- Click the “Next” button
If you wish to send Custom Events
- Select Custom and in the resultant box enter a separate expression like below for each Event ID you wish to filter:
- Click the “Create” button
Browse the LAW for Security Events
- Log onto the Azure portal:
- Select Azure Sentinel
- Select the LAW
- Select the “Logs” blade
- Close the “Favorites” query page
- To query the WEF logs imported into Microsoft Sentinel, the administrator can open a KQL query with the “WindowsEvent” table
- There are 3 hosts that are currently reporting to my LAW, which is defined within the WEC subscription(s)
Most issues can be troubleshot by navigating to each log source's Event Viewer and navigating to Application and Services Logs > Microsoft > Windows > EventLog - ForwardingPlugin > Operational and analyzing the errors.