
Windows 2012 Event Forwarder

A Windows Server 2012 server (the feature was introduced in Windows Server 2008) can be configured as an Event Collector for the network: the other Windows computers forward selected events over Windows Remote Management (WinRM), and the collector stores them centrally in its own ForwardedEvents log.

Our SIEM project does not seem to be going anywhere, so we have planned to implement an Event Collector as a temporary workaround. It is a reasonable stopgap: it needs no agents or extra licensing, and because the transport is WinRM over HTTP with Kerberos on a domain, the forwarded events are authenticated and encrypted in transit without certificates.

How to configure Event Collector

Configuring the event source computer

  1. Run the following command from an elevated command prompt on each event source computer to configure Windows Remote Management (it creates the WinRM listener and firewall exception):

winrm qc -q

  2. Start the Group Policy editor by running the following command (in a domain you would do this in a GPO linked to the source computers instead of in the local policy):

%SYSTEMROOT%\System32\gpedit.msc

  3. Under the Computer Configuration node, expand the Administrative Templates node, then expand the Windows Components node, then select the Event Forwarding node.
  4. Right-click the SubscriptionManager setting and select Properties. Enable the setting and click the Show button to add a server address. Add at least one entry that specifies the event collector computer. The Explain tab of the SubscriptionManager Properties window describes the syntax for the entry (the collector's WinRM URL plus a refresh interval in seconds).
  5. After the SubscriptionManager setting has been added, run the following command to ensure the policy is applied:

gpupdate /force

Note that the forwarding is done by the WinRM service, which runs as NETWORK SERVICE. That account cannot read the Security log by default, so if you intend to forward Security events, add NETWORK SERVICE to the local Event Log Readers group on the source computers (via Restricted Groups in the same GPO) or the subscription will show as active but deliver nothing.
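The same source-side configuration done by hand in PowerShell, as an added example that is not part of the original post. The collector name wec01.corp.example, the default WinRM HTTP listener on port 5985 and the 60-second refresh are assumptions; the registry path is the one the "Configure target Subscription Manager" Group Policy setting writes, so writing it directly is a lab shortcut for the GPO steps above.

```powershell
# Added example, not from the original post: configure one event source
# computer by hand, equivalent to what the SubscriptionManager GPO pushes.
# Assumptions (hypothetical): the collector is wec01.corp.example on the
# default WinRM HTTP listener (5985); the source is domain-joined, so
# Kerberos authenticates both ends and encrypts the HTTP transport.
$collector = "wec01.corp.example"
$subscriptionManager = "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"

# 1. WinRM listener and firewall exception (the post's 'winrm qc -q')
winrm quickconfig -q

# 2. Point this machine at the collector. In production set this in the GPO
#    "Configure target Subscription Manager" (Computer Configuration >
#    Administrative Templates > Windows Components > Event Forwarding);
#    the policy setting writes this key, so writing it directly is fine for a lab.
#    Additional collectors go in values named "2", "3", ...
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name "1" -Value $subscriptionManager -PropertyType String -Force | Out-Null

# 3. Forwarding runs inside the WinRM service as NETWORK SERVICE, which cannot
#    read the Security log by default. Without this, Security subscriptions
#    show as active on the collector but deliver nothing.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
Restart-Service WinRM

# 4. Apply policy and check the source-side forwarding log. Event ID 100
#    ("The subscription ... is created successfully") means the collector's
#    subscription was received; delivery and authentication errors land here too.
gpupdate /force
Get-WinEvent -LogName "Microsoft-Windows-Forwarding/Operational" -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize
```

Use an HTTP URL here only on a domain, where Kerberos protects the channel; forwarding from non-domain machines requires HTTPS (port 5986) with client certificates, which this example does not cover.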

Configuring the event collector computer

  1. Run the following command from an elevated command prompt on the collector server to configure Windows Remote Management:

winrm qc -q

  2. Run the following command to configure the Windows Event Collector service (it sets the service to delayed automatic start and enables the ForwardedEvents log):

wecutil qc /q

  3. Create a source-initiated subscription. This can be done programmatically, with the Event Viewer (Subscriptions node), or with Wecutil.exe. For information about creating the subscription programmatically, see the code example in Microsoft's "Creating a Source Initiated Subscription" documentation. If you use Wecutil.exe, you must create an event subscription XML file and run the following command:

wecutil cs configurationFile.xml

Once the subscription exists, "wecutil gr <SubscriptionId>" shows the runtime status of every source that has checked in, and the forwarded events appear in the collector's ForwardedEvents log in Event Viewer.
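A complete collector-side walkthrough in PowerShell, as an added example that is not part of the original post: it writes a subscription file, creates the subscription with wecutil exactly as in the step above, then checks its status and reads the forwarded events. The subscription name SecurityLogons, the choice of events (4624, 4625, 4672), the 30-second push latency and the file path are assumptions; the collector is assumed to have already run "winrm qc -q" and "wecutil qc /q".

```powershell
# Added example, not from the original post: create, check and read a
# source-initiated subscription on the collector with wecutil.
# Assumptions (hypothetical): subscription name SecurityLogons; the collector
# was already prepared with 'winrm qc -q' and 'wecutil qc /q' as in the post.
$xmlPath = Join-Path $env:TEMP "SecurityLogons.xml"

# Subscription definition: only logon (4624), failed logon (4625) and
# special-privilege logon (4672) events, pushed within 30 s, accepted from
# any domain-joined computer, written to the collector's ForwardedEvents log.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityLogons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon, failed logon and special-privilege events from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>1</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: grant generic-all (GA) to Domain Computers (DC); tighten to a
       specific group once the forwarders are known -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

# Create the subscription (the post's 'wecutil cs configurationFile.xml')
wecutil cs $xmlPath

# Show the configuration as the collector parsed it, then the per-source
# runtime status: each forwarder that has checked in is listed with its
# last heartbeat and any delivery error.
wecutil gs SecurityLogons
wecutil gr SecurityLogons

# Forwarded events land in the collector's ForwardedEvents log. MachineName
# identifies the source, so a count per source shows which forwarders are
# actually delivering and which have gone quiet.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 500 -ErrorAction SilentlyContinue |
    Group-Object MachineName |
    Select-Object Count, Name
```

Keep MaxLatencyTime short while testing so events show up quickly; for production, a larger batch (MaxItems) and latency reduces WinRM overhead on the sources. Sources that appear in "wecutil gr" as active but never deliver events are almost always missing the Event Log Readers membership on the source side.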
