Event Forwarding of Security Logs

By SuperG - Last updated: Tuesday, April 3, 2012 - Save & Share - One Comment

This is a long one, sorry but there is a lot in information here.

So recently, where I work, we decided to collect a lot of the security events from all of our domain controllers. We are going to use the built-in “Windows Event Collector” service to do this. I am assuming you already have WinRM installed and working (WinRM qc)

From Server Manager expand Diagnostics > Event Viewer Then click on Subscriptions

This will start the prompt you to Subscription, click yes.

Clicking yes will make the “Windows Event Collector” service start Automatic (Delay Start)

You can now create a new Subscription by clicking the “Create Subscription…” in the action pane.

On the Subscription Properties windows fill out the information. In this case we are collecting the DC – Events. Select “Source computer initiated” for Subscription type.

Next in “Select Computer Group…” add the group that contains all the servers you want to collect events from.

In “Select Events…” add filter information to get just the events you want. In my case I want from the security log and only selected Event IDs

Next in the Advanced button Select Minimize Latency and HTTP. We will be changing this later to a custom config.

Now I want to change a few settings because I want to get events as soon as they happen. So I am going to set the “DeliveryMaxItems” to 1, you could also set “DeliveryMaxLatencyTime” if you wish but since you are only allowing one item each connection it will not wait for the timeout to deliver.

From an Admin Command Prompt:

wecutil ss “DC – Events” /cm:Custom /dmi:1

You can then use: wecutil gs “DC – Events” to see the change

Next we will have the source computers send the events as raw events vice “Rendered” events. This will remove some of the CPU usage from the source computer. We will do this by setting “ContentFormat”

This command could be combined with the above.

wecutil ss “DC – Events” /cf:Events

Now that I have the subscription setup I amd going to make a GPO to setup the Domain Controllers to receive the Subscription. Start Group Policy Management and create a new GPO linked to the OU that has the computers you are collecting the Events from… in my case it’s the Domain Controllers OU. In this GPO we need to set things in the “Event Forwarding”, WinRM Client” and WinRM Service”.

Event Forwarding:

“Configure the Configure the server address” Enable and add the collection server to the list.

Server=http://<Event Collectors FQDN>:5985/wsman/SubscriptionManager/WEC

WinRM Client:

“Trusted Hosts”

If you enable this policy setting, the WinRM client uses the list to determine if the destination Event Collector is a trusted entity.

WinRM Service:

“Allow automatic configuration of listeners”

Enter * for both

In order for the “Network Service” account to be able to access the Security log it needs to be in the “Event Log Readers” group.

I also added the “Domain Controllers” group (not sure if you need to do this but I was having a hard time getting this to work, see below for other errors I fixed )

You now MUST reboot each DC as the “Network Service” needs to update its group membership.

If all is well you should start seeing events in the “Forwarded Events”

And you should see all your DCs listed in Runtime Status. (this may take a few minuets to populate)

While setting this up I ran across a lot of errors and problems below is some of the errors and how I think I fixed them. Altogether I spent about 3 days setting up and troubleshooting this. I hope yours goes smother than mine!


Windows Remote Management 10128

This command will show ACLs in the HTTP:

Netsh http show urlacl

After running this command you can see that http://+80/wsman is not listed

You can run run this to add if you wish and it will remove this error:

Netsh http add urlacl url=http://+80/wsman user=”Network Service”

You can do this for the the https one also

Netsh http add urlacl url=https://+443/wsman user=”Network Service”


Windows Remote Management 10154

This one is because the Network Service does not have access to verify that the SPN is there.

This can be fixed by running:

dsacls “CN=AdminSDHolder,CN=System,DC=yourdomainname,DC=tld” /G “S-1-5-20:WS;Validated write to service principal name”

Example if you were microsoft

dsacls “CN=AdminSDHolder,CN=System,DC=microsoft,DC=com” /G “S-1-5-20:WS;Validated write to service principal name”

Reboot seems to be required…


Eventlog-ForwardingPlugin 105

(this one sucked)

This one was caused by a system level proxy setting. Removing this setting fixed the error.

Use this command to see if there is a system level proxy

Netsh winhttp show proxy

Use this command to remove the system level proxy

Netsh winhttp reset proxy

The above also caused the error below when trying to test connectivity with the collector.

The WinRM client cannot process the request because the server name cannot be resolved.

After removing the system proxy this error also went away and I was able to connect to the collector using the command line


Eventlog-ForwardingPlugin 102

(this one sucked too REBOOT!!!!)

Error code is 5004

This one seems to have been caused by “Network Service” not having permissions to the security log.

Add “Network Service” to “Event Log Readers” group. I also added the “Domain Controllers” group as I am pulling the sec logs from them (not sure if you need to do this.)

This one requires a reboot, as group membership is set at logon and “Network Service” logs on at start up.


Windows Remote Management 129

(still happens but does not seem to effect anything)

This one seems to not be a “real” error as it does not effect anything. This collection server is sending back a http 204 code. This seems to be normal behavior.


RPC server is unavailable when running wecutil

For me at lest this is because the “Windows Event Collector” service was not running after starting the service this command runs fine.


You can try this to get current logs:
WECUtil SS /cm:Custom /ree:true
REE is ReadExistingEvents
A value that specifies which events are to be delivered for the subscription. VALUE can be true or false. When VALUE is true, all existing events are read from the subscription event sources. When VALUE is false, only future (arriving) events are delivered. The default is true when /ree is specified without a value, and the default is false if /ree is not specified.

I have found that this really needs to be set BEFORE any computers subscribe, if it is set AFTER then the computer does not send the old logs.

Posted in Active Directory, Events • Tags: Top Of Page

One Response to “Event Forwarding of Security Logs”

Pingback from [ASK] server – windows event log forwarding permission | Some Piece of Information
Time April 10, 2016 at 5:11 am

[…] I flowed the steps described here: http://zenshaze.com/wp/?p=57 […]

Write a comment

You need to login to post comments!