Centralizing Windows Events With Event Forwarding V4


Event Centralization v4.0

Centralizing Windows Events with Event Forwarding v4.0

April 2015

Strictly private & confidential

Copyright Notice

The information contained in this document ("the Material") is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Avecto Ltd, its associated companies and the publisher accept no liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose.

Copyright in the whole and every part of this document belongs to Avecto Ltd ("the Owner") and may not be used, sold, transferred, copied or reproduced in whole or in part in any manner or form or in or on any media to any person other than in accordance with the terms of the Owner's Agreement or otherwise without the prior written consent of the Owner.

Table of Contents

Introduction
Windows Event Forwarding and Collection
    Features
    Architecture
Pre-Requisites
    Central Event Collector
    Event Source Computers
    Downloads
Implementing Windows Event Forwarding
    Summary Checklist for the setup of Event Forwarding
    Configuring the Event Collector(s)
        4.2.1. Install and Deactivating the Avecto Agent
        4.2.2. Configuring Event Collection Services and Windows Firewall
        4.2.3. Configuring Event Subscriptions
        4.2.4. Pre-rendering Events
        4.2.5. Increase the Event Batch Size
    Configuring the Source Computer(s)
        4.3.1. Installing WinRM on Source Computers
        4.3.2. Configuring the WinRM Service
        4.3.3. Configuring the Event Collector(s) Server Address
Event Forwarding Implementation Scenarios
    Basic Event Collection
    Scaled-Out Event Collectors
    Scaled-Out Tiered Event Collection
    Scaled-Out Tiered Fault Tolerant Event Collection
Appendix 1 – Definitions
    Event Forwarders / Event Sources
    Event Collector
    Event Subscriptions
    WinRM – Windows Remote Management
    Active Directory Group Policy (GPO)
Appendix 2 – Optional Configuration
    Optimizing Event Forwarding
        7.1.1. Forwarder Resource Usage
        7.1.2. Reducing the TCP/IP connection idle time
        7.1.3. Event Log Retention
    Configuring the Event Collector Service via Group Policy
    Specifying the Event Collector(s) Server Address Port via Group Policy
    Configuring WinRM Enhanced Security via Group Policy
        7.4.1. Allow Basic Authentication
        7.4.2. Disallow Digest Authentication
        7.4.3. Allow CredSSP Authentication (Credential Security Support Provider)
        7.4.4. Disallow Kerberos Authentication
        7.4.5. Disallow Negotiate Authentication
        7.4.6. Allow Unencrypted Traffic
        7.4.7. Trusted Hosts (Client Only)
        7.4.8. Specify channel binding token hardening level (Service Only)
        7.4.9. Disabling Windows Remote Shell
        7.4.10. Client Certificate-Based Authentication
        7.4.11. Restricting WinRM Access
        7.4.12. Event Source Firewall Modifications
        7.4.13. Collector Firewall Modification
    Raising Actions & Tasks Based on Collected Events
        7.5.1. Advanced Options
Appendix 3 – General Information
    Subscription XML Details
        8.1.1. Subscription Details
    WS-Management Protocol Settings
    WinRM Client Configuration
    WinRM Service Configuration
    WinRM and IIS
    WinRM Registry Keys and Values
Appendix 4 – Troubleshooting
    Testing Event Forwarding
    Troubleshooting Log Locations
Appendix 5 – Additional Resources

Introduction

This document provides guidance on how to centralize Defendpoint events to a central server using Windows Event Forwarding. Avecto provides an Enterprise Reporting Pack which includes enterprise-class trend analysis dashboards, allowing organizations to understand and be pro-active about the Defendpoint events raised within their environment.

With the Enterprise Reporting Pack, Defendpoint events from all managed endpoints can be centrally collected to a SQL Server database. The Enterprise Reporting Pack builds on a number of Microsoft technologies which include Windows Event Forwarding, SQL Server, and SQL Server Reporting Services (SSRS). This approach provides a scalable and secure architecture, which can cope with high volumes of events and handle the largest enterprise environments. For more information on Avecto's Enterprise Reporting Pack visit www.avecto.com

Event Forwarding is provided by Windows Remote Management (WinRM), which is Microsoft's implementation of the WS-Management Protocol, a SOAP-based, firewall-friendly protocol which provides a common way for systems to access and exchange management information across an IT infrastructure.

One of the most powerful features of WinRM is the ability to forward events, which enables large-scale health and state monitoring of Windows environments (also known as Windows Eventing 6.0). Not only is this feature built into the latest versions of Windows (originally shipped with Windows Vista and Windows Server 2008), but it is also freely/readily available for down-level operating systems like Windows XP SP2 and Windows Server 2003 SP1.

Windows Event Forwarding and Collection

Features

1. Standards Based: Leveraging the DMTF WS-Eventing standard, which allows it to interoperate with other WS-Man implementations (see OpenWSMAN at SourceForge).
2. Agentless: Event Forwarding and Event Collection are included in the operating system by default.
3. Down-Level Support: Event Forwarding is freely/readily available for Windows XP SP2 and Windows Server 2003 SP1.
4. Multi-Tier: Forwarding architecture is very scalable, where a Source Computer may forward to a large number of collectors and collectors may forward to collectors.
5. Scalable: Event Collection is very scalable, where the collector can maintain subscriptions with a large number of Source Computers and events per second.
6. Group Policy Aware: The entire model is configurable by Group Policy.
7. Schematized Events: Windows Events are now schematized and rendered in XML, which enables many scripting and export scenarios.
8. Pre-Rendering: Forwarded Windows Events can now be pre-rendered on the Source Computer, negating the need for local applications to render Windows Events.
9. Resiliency: Designed to enable mobile scenarios where laptops may be disconnected from the Event Collector for extended periods of time without event loss (except when logs wrap), as well as leveraging TCP for guaranteed delivery.
10. Security: Certificate based encryption via Kerberos or HTTPS.

Architecture

The architectural approach used in this guide utilizes Group Policy to distribute WinRM and event forwarding configurations to a group of domain computers. Each client will be configured to forward events to a central Event Collector.

Pre-Requisites

Central Event Collector

A central Event Collector must be used as a repository for all the events collected from the Source Computers.

Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 can be Event Collectors (this feature is not supported for down-level operating systems). There are no built-in limitations when client operating systems are used as an Event Collector. However, it is recommended that Server 2008/R2 or Server 2012 are used as the Event Collector, as this will scale much better in high volume scenarios.

Note: When using Windows Vista or Windows Server 2008 as the Event Collector, it is strongly recommended that you upgrade to Windows Remote Management 2.0. This will allow Windows 7 clients to be monitored without any additional configuration.

Depending on the volume of events, the Event Collector can either be a dedicated or an existing machine. True enterprise-class Windows Eventing is included with enterprise monitoring solutions like System Center Operations Manager (SCOM) (Audit Collection Services, ACS).

Event Source Computers

The minimum operating system level required on the Source Computer is Windows XP SP2. Events can be centralized onto any of the supported Windows Event Collector operating systems from any supported Windows event source operating system. Each Source Computer must have a minimum of Windows Remote Management 1.1.

The following table shows the default installation for each OS:

Operating System            Windows Remote Management Version
Windows XP                  Not installed
Windows Vista               1.1
Windows 7                   2.0
Windows Server 2003/R2      Not installed
Windows Server 2008         1.1
Windows Server 2008 R2      2.0
Windows Server 2012         2.0
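The following script is an added example (not from the Avecto guide) for checking the Source Computer prerequisite stated above: it reads the WinRM stack version that "winrm id" reports on the local machine and compares it with the 1.1 minimum. The "Stack:" field is the WinRM version the table refers to; parsing the command output this way is the example's own approach.

```powershell
# Added example (not from the Avecto guide): compare the local WinRM stack
# version with the 1.1 minimum the guide requires for a Source Computer.
# Run from an elevated PowerShell prompt on the Source Computer.
$MinimumStack = [version]'1.1'

function Get-WinRmStackVersion {
    # 'winrm id' answers with a line such as
    #   ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 2.0
    # The "Stack" figure is the WinRM version shown in the guide's table.
    if (-not (Get-Command winrm.cmd -ErrorAction SilentlyContinue)) {
        return $null            # XP / Server 2003 without the WinRM package installed
    }
    $output = & winrm id 2>&1
    foreach ($line in $output) {
        if ("$line" -match 'Stack:\s*(\d+\.\d+)') { return [version]$Matches[1] }
    }
    return $null                # service not answering, or output in an unexpected shape
}

$stack = Get-WinRmStackVersion
if ($null -eq $stack) {
    Write-Warning 'WinRM is not installed or not answering; for XP/2003 see the Downloads section.'
} elseif ($stack -lt $MinimumStack) {
    Write-Warning "WinRM stack $stack is below the required minimum of $MinimumStack."
} else {
    "WinRM stack $stack meets the minimum of $MinimumStack for a Source Computer."
}
```

A machine that reports no stack version at all is the case the Downloads section addresses: Windows XP and Windows Server 2003 ship without WinRM, so the package has to be deployed before the check can pass.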

Downloads

Only Windows XP and Windows Server 2003 require a version of WinRM to be deployed. It is recommended that Windows Remote Management 2.0 is deployed to these computers.

Operating System                Download                          Size
Windows XP                      Windows Remote Management 1.1     1MB
Windows XP                      Windows Remote Management 2.0     6MB
Windows Vista                   Windows Remote Management 2.0     34MB
Windows Vista (x64)             Windows Remote Management 2.0     34MB
Windows Server 2003/R2          Windows Remote Management 1.1     1MB
Windows Server 2003/R2          Windows Remote Management 2.0     6MB
Windows Server 2003/R2 (x64)    Windows Remote Management 2.0     10MB
Windows Server 2008             Windows Remote Management 2.0     32MB
Windows Server 2008             Windows Remote Management 2.0     32MB
Windows Server 2008 (x64)       Windows Remote Management 2.0     34MB

Note: Windows Remote Management 2.0 packages also include Windows PowerShell 2.0.

Implementing Windows Event Forwarding

Summary Checklist for the setup of Event Forwarding

1. Install and disable the Avecto agent
   It is recommended that this step is performed before the creation of the subscription, as a reboot is required in order for the service to be made available to the subscription. Please refer to the Disable Avecto Client note attached to section 4.2.3 Configuring Event Subscriptions.

2. WinRM quickconfig
   See section 4.2.1 Configuring Event Collection Services and Windows Firewall.

3. Wecutil qc
   See section 4.2.1 Configuring Event Collection Services and Windows Firewall.

4. Create and name Subscription in Event Viewer
   Name: Avecto Events
   Destination: Forwarded Event Log
   Type: Source Initiated subscription
   Source Computers: Domain Computers or other group containing computers in scope
   Select Events:
       Event Level: Critical, Warning, Error, Information
       By Source: Avecto Privilege Guard Service / Avecto Defendpoint Service
   Advanced: Minimize Latency
   See section 4.2.3 Configuring Event Subscriptions.

5. wecutil ss subscriptionname /cf:Events
   This changes the subscription from the default behaviour of RenderedText to Events, which has the dual benefit of reducing Source Computer CPU overhead and the event size. See section 4.2.4 Pre-rendering Events.

6. wecutil ss subscriptionname /ree:True
   This setting ensures that all desired events in the Application event log on a Source Computer are forwarded to the event collector; the default behaviour is to only forward future (arriving) events from the point the subscription begins, and this can result in missing data. See section 4.2.5 Increase the Event Batch Size.
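The script below is an added example, not from the Avecto guide, that carries out checklist steps 2 to 6 from an elevated PowerShell prompt on the Event Collector. The subscription name, destination log, subscription type, event levels, provider names and the two "wecutil ss" switches are the values from the checklist; creating the subscription from an XML file with "wecutil cs" instead of the Event Viewer wizard, the temporary file path, the description text and the SDDL string (the access list Event Viewer writes when "Domain Computers" is selected) are this example's choices.

```powershell
# Added example (not from the Avecto guide): checklist steps 2-6 on the Event
# Collector. Run from an elevated PowerShell prompt.
$SubscriptionName = 'Avecto Events'
$XmlPath = Join-Path $env:TEMP 'AvectoEvents.xml'

# Steps 2 and 3: WinRM listener/firewall and the Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q

# Step 4: a source-initiated subscription writing to the Forwarded Events log.
# SDDL 'DC' is Domain Computers and 'NS' is Network Service (what Event Viewer
# emits for "Domain Computers"). Level 0 is included because Event Viewer counts
# it as Information. ReadExistingEvents and ContentFormat start at the Event
# Viewer defaults so that steps 5 and 6 below have something to change.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Defendpoint events from managed endpoints</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[Provider[@Name='Avecto Privilege Guard Service' or @Name='Avecto Defendpoint Service'] and (Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path $XmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs "$XmlPath"

# Steps 5 and 6: raw Events instead of RenderedText, and read the existing
# Application log entries rather than only events arriving from now on.
wecutil ss "$SubscriptionName" /cf:Events /ree:true

# Print the stored definition so ContentFormat and ReadExistingEvents can be confirmed.
wecutil gs "$SubscriptionName"
Remove-Item $XmlPath
```

The final "wecutil gs" call is the check worth keeping: the subscription definition it prints should show ContentFormat as Events and ReadExistingEvents as true; if either is still at its default, the "wecutil ss" command did not apply and the Source Computers will keep rendering text and will skip the events already in their Application logs.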

Configuring the Event Collector(s)

4.2.1. Install and Deactivating the Avecto Agent

Potential Section

4.2.2. Configuring Event Collection Services and Windows Firewall

In order for Source Computers to communicate with the Event Collector machine, the correct inbound firewall ports need to be open and accepting connections. In addition, the WinRM and Event Collector services need to be running.

Configuration Steps:
1. On the Event Collector machine open a command prompt.
2. Type winrm quickconfig
3. When prompted whether to continue with the configuration type Y.

This command will check the current configuration and make the necessary changes. Upon completion the following will have been configured:
- Windows Remote Management service set to Automatic (Delayed Start) and Started.
- Windows Firewall port(s) Windows Remote Management (HTTP-In) Port 5985 configured for inbound communication OR Windows Firewall port(s) Windows Remote Management (HTTP-In) – Compatibility Mode - Port 80 configured for inbound communication.

Note: Quickconfig will only open the firewall ports for the version of WinRM running on the Event Collector. For example, if you are running WinRM 2.0 the Compatibility Mode ports will not be opened. Therefore you will need to manually enable these ports, if required.

In addition, the Event Collector service needs to be configured and started.

Configuration Steps:
1. On the Event Collector machine open a command prompt.
2. Type wecutil qc

3. When prompted whether to continue with the configuration type Y.

This command will check the current configuration and make the necessary changes. Upon completion the following will have been configured:
- Windows Event Collector service set to Automatic (Delayed Start) and Started.
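As an added example (not part of the Avecto guide), the script below verifies on the Event Collector that "winrm quickconfig" and "wecutil qc" left the state described in the two configuration sections above: both services set to Automatic (Delayed Start) and running, the "Windows Remote Management (HTTP-In)" firewall rule enabled on port 5985, and a WinRM listener present. The service names WinRM and Wecsvc, the firewall rule name and the DelayedAutostart registry value are Windows identifiers; the parsing of the netsh and winrm output and the shape of the report are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Avecto guide): confirm the collector-side state
# that 'winrm quickconfig' and 'wecutil qc' are expected to produce.

function Get-ServiceStartup {
    param([string]$Name)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    # Delayed start is not exposed through Win32_Service; it lives in the service's registry key.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $delayed = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DelayedAutostart
    New-Object PSObject -Property @{
        Name         = $Name
        State        = $svc.State         # expected: Running
        StartMode    = $svc.StartMode     # expected: Auto
        DelayedStart = ($delayed -eq 1)   # expected: True
    }
}

function Get-WinRmFirewallRule {
    # Inbound rule(s) named "Windows Remote Management (HTTP-In)". The
    # Compatibility Mode rule on port 80 has its own name and is not checked here.
    $out = netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)" 2>&1
    $ports = @()
    foreach ($line in $out) {
        if ("$line" -match '^\s*LocalPort:\s*(\d+)') { $ports += [int]$Matches[1] }
    }
    $enabled = @($out | Where-Object { "$_" -match '^\s*Enabled:\s*Yes' }).Count -gt 0
    New-Object PSObject -Property @{
        RuleEnabled = $enabled                        # expected: True
        LocalPorts  = @($ports | Sort-Object -Unique) # expected to contain 5985
    }
}

function Get-WinRmListenerPorts {
    # 'winrm enumerate winrm/config/listener' prints one "Port = nnnn" line per listener.
    $out = winrm enumerate winrm/config/listener 2>&1
    $ports = @()
    foreach ($line in $out) {
        if ("$line" -match '^\s*Port\s*=\s*(\d+)') { $ports += [int]$Matches[1] }
    }
    return $ports
}

'WinRM', 'Wecsvc' | ForEach-Object { Get-ServiceStartup -Name $_ } | Format-Table -AutoSize
Get-WinRmFirewallRule | Format-List
"Listener ports: $((Get-WinRmListenerPorts) -join ', ')"   # 5985 expected with WinRM 2.0
```

If the firewall rule is present but reports port 80 only, the collector is running the compatibility-mode listener rather than WinRM 2.0 on 5985; the note above explains why quickconfig opens one set of ports and not the other.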

4.2.3. Configuring Event Subscriptions

The Windows Event Forwarding architecture stores the subscription definition on the Event Collector, in order to reduce the number of touch-points in case a subscription needs to be created or modified. The following subscription will be configured so that event source computers retrieve subscriptions from the event collector host (Source-Initiated subscriptions).

Subscriptions are defined on the Event Collector through the new Event Viewer user interface by selecting the Create Subscription action when the Subscriptions node is highlighted. The Subscription may also be created via the WECUTIL command-line utility.

Configuration Steps:
1. On the Event Collector open the Event Viewer.
2. Navigate to the Subscriptions node.
3. From the menu bar, choose Action > Create Subscription.
4. The Subscription Properties dialog will appear. From here, you can specify a name, description, and the destination log (where the events will be collected).
5. Select Forwarded Events for the destination log.
6. Choose Source Computer Initiated (as Group Policy configures the Source Computer to contact the Event Collector for subscription settings).

Note: The Subscription Type can also be configured as Collector initiated. In this case Source Computers will need to be manually added to the Subsc
