Getting Started

Wirespeed supports ingesting Windows logs & telemetry using the free (no additional license required), agentless (no third party agent required) architecture provided by Microsoft, which uses the following 3 architectural components:

  1. WEF (Windows Event Forwarding) on endpoints with logs you want
  2. WEC (Windows Event Collection) on a single server
  3. Wirespeed-Forwarder.ps1 on the WEC server

WEF (many hosts) push → WEC (a single server) push → Wirespeed

For more information about WEF/WEC, read this Microsoft article.

WEF (Windows Event Forwarding)

WEF is Microsoft’s native (no agent required) method for collecting Windows logs and telemetry to send to a centralized location. Typically this is from on-premises or private cloud Windows servers, but this could include high value Windows endpoints as well. We call these systems source systems in the context of this documentation.

WEC (Windows Event Collection)

WEC is Microsoft’s native (no agent required) method for centrally collecting logs from source systems. In a simple architecture, a single WEC Server within the on-premises or private cloud environment receives events from all source systems. This should not be a Domain Controller (Domain Controllers are WEF source systems instead).

Wirespeed Forwarder

In the Microsoft-provided WEF/WEC architecture, you still need a mechanism to push the collected events to a data lake, such as Wirespeed’s. We provide an open source PowerShell script (Wirespeed-Forwarder.ps1) that harvests the centrally collected events from your WEC server and sends them to us.

Configuring Windows Source Systems to use WEF

There are several options for deploying WEF + WEC. Our recommendation uses Group Policy to instruct Windows hosts to push telemetry to the WEC server, rather than pull. You’re welcome to use the pull method, but that’s not in this documentation.

  1. Open Group Policy Management
    1. On a domain controller or admin workstation, run gpmc.msc.
  2. Create a new GPO (Group Policy Object)
    1. Right-click the OU where your servers reside (e.g., Servers OU) → Create a GPO in this domain, and Link it here.
    2. Name: Windows Event Forwarding.
    3. Right-click the GPO > Edit.
  3. Enable the WinRM Service (without enabling remote management)
    1. Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
      1. Set Windows Remote Management (WS-Management) to Automatic. The WinRM service must run on every source system because the Windows Event Log service pushes events to the collector over WinRM; the source system does not need to accept inbound WinRM connections for this to work.
      2. [OPTIONAL] Wirespeed recommends you block incoming WinRM network traffic on any Windows endpoints where it is not needed, as it provides an avenue for lateral movement by attackers. That said, the WEC Server must accept inbound WinRM, so if you do make this change, place your WEC server in a different OU where this Group Policy setting does not affect it.
        1. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
        2. Set Allow remote server management through WinRM to Disabled.
  4. Define the WEC Server Address
    1. Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding.
    2. Enable Configure target Subscription Manager, click Show..., and add the following entry: Server=http://WEC-Server01.domain.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
    3. Replace WEC-Server01.domain.local with your WEC server’s FQDN. Port 5985 is the standard for WinRM over HTTP. Port 5986 is standard for WinRM over HTTPS, but this requires a properly deployed internal TLS Certificate Authority in your Active Directory environment so that all endpoints can trust the HTTPS certificates. Without a proper PKI, leave this as 5985 over HTTP. For domain-joined source systems this is not a plaintext channel: WinRM authenticates with Kerberos and encrypts the message body even over HTTP. HTTPS adds server certificate validation on top of that, which is why it needs a CA the endpoints trust. The Refresh=60 value tells each source system to re-read the subscription from the collector every 60 seconds.
  5. Enable PowerShell Logging and Transcription
    1. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
    2. Enable Turn on PowerShell Script Block Logging
      1. Check Log script block invocation start/stop events (4105/4106)
    3. Enable Turn on Module Logging
      1. Set Module Names to *
    4. Enable Turn on PowerShell Transcription
      1. Transcription Output Directory: Leave blank (transcripts are then written to the user’s Documents folder). Be aware that a user, or an attacker running as that user, can delete files in their own profile; once you have a central write-only share, point this setting at it so transcripts survive local tampering.
      2. Check Include invocation headers.
    5. Enable Turn on PowerShell Remoting Transcription (if available)
      1. Transcription Output Directory: Leave blank (same default and same caveat as above)
      2. Check Include invocation headers.
  6. Define Minimum Logging
    1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking
      1. Enable Audit Process Creation
        1. Set to Success (Event ID 4688 for every new process, which includes each PowerShell invocation). To capture the full command line in 4688, also enable Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events.
    2. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff
      1. Enable Audit Logoff
        1. Set to Success (Event ID 4634 for session termination)
    3. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies (each item below lives in the subcategory folder named before it)
      1. Logon/Logoff > Audit Logon: Enable Success and Failure to cover local, interactive, and remote logon types (e.g., RDP, network); Event IDs 4624/4625.
      2. Logon/Logoff > Audit Account Lockout: Enable Success and Failure
      3. Logon/Logoff > Audit Special Logon: Enable Success (privileged logons, e.g., admin rights; Event ID 4672)
      4. Account Management > Audit User Account Management: Enable Success and Failure (user creation, changes)
      5. Account Management > Audit Security Group Management: Enable Success and Failure (group creation, changes)
      6. Policy Change > Audit Audit Policy Change: Enable Success and Failure (audit policy modifications)
      7. System > Audit Security System Extension: Enable Success and Failure (new service installations, Event ID 4697, and authentication package loads)
      8. Privilege Use > Audit Sensitive Privilege Use: [Recommendation] Disabled or Failure only (Event IDs 4673, 4674 are extremely noisy on Success)
      9. Detailed Tracking > Audit Process Creation: [Recommendation] Enabled Success (Step 6.1, Event ID 4688)
      10. Object Access > Audit File System and Audit Registry: [Recommendation] Disabled or Failure only (Event IDs 4656, 4663)
        1. [Optional] If needed, enable selectively via SACLs on specific objects (out of scope)
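To confirm that the Group Policy above actually landed on a source system, the following read-only check is an added example; it is not part of Wirespeed’s utils repository or of Wirespeed-Forwarder.ps1. It reads the policy registry values each step writes, queries the effective audit policy with auditpol, and looks at the WEF client’s own operational log. The collector name WEC-Server01.domain.local is the placeholder from step 4 and is an assumption; the Event Log Readers check reflects Microsoft’s requirement that the forwarding service (running as NETWORK SERVICE) be able to read the Security log on each source, which the GPO steps above do not configure.

```powershell
# WEF source-system verification (added example, not Wirespeed's code).
# Run in an elevated PowerShell on a monitored host after 'gpupdate /force'.
$ExpectedWec = 'WEC-Server01.domain.local'   # assumption: replace with your WEC FQDN
$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$results     = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Read a single policy value, returning $null when the key or value is absent.
function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Get-Item -LiteralPath "$PolicyRoot\$SubKey" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) } else { $null }
}

# 1. WinRM must run on the source host: the event log service pushes over WinRM.
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
Add-Check 'WinRM service Running/Automatic' ($winrm.Status -eq 'Running' -and $winrm.StartType -eq 'Automatic') "$($winrm.Status)/$($winrm.StartType)"

# 2. Optional hardening from step 3: 'Allow remote server management through WinRM' = Disabled.
$autoCfg = Get-PolicyValue 'WinRM\Service' 'AllowAutoConfig'
Add-Check 'WinRM inbound management disabled' ($autoCfg -eq 0) "AllowAutoConfig=$autoCfg"

# 3. Subscription manager from step 4 (stored as value name "1").
$subMgr = Get-PolicyValue 'EventLog\EventForwarding\SubscriptionManager' '1'
Add-Check 'SubscriptionManager points at WEC' ("$subMgr" -match [regex]::Escape($ExpectedWec)) "$subMgr"

# 4. PowerShell logging from step 5.
$sbl = Get-PolicyValue 'PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
$sbi = Get-PolicyValue 'PowerShell\ScriptBlockLogging' 'EnableScriptBlockInvocationLogging'
Add-Check 'Script block logging (+4105/4106)' ($sbl -eq 1 -and $sbi -eq 1) "Enable=$sbl Invocation=$sbi"
$mod      = Get-PolicyValue 'PowerShell\ModuleLogging' 'EnableModuleLogging'
$modNames = Get-PolicyValue 'PowerShell\ModuleLogging\ModuleNames' '*'
Add-Check 'Module logging for *' ($mod -eq 1 -and $modNames -eq '*') "Enable=$mod Names=$modNames"
$tx  = Get-PolicyValue 'PowerShell\Transcription' 'EnableTranscripting'
$txh = Get-PolicyValue 'PowerShell\Transcription' 'EnableInvocationHeader'
Add-Check 'Transcription with invocation headers' ($tx -eq 1 -and $txh -eq 1) "Enable=$tx Headers=$txh"

# 5. Command line in 4688 (Administrative Templates > System > Audit Process Creation).
$auditKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -ErrorAction SilentlyContinue
$cmdLine  = if ($auditKey) { $auditKey.GetValue('ProcessCreationIncludeCmdLine_Enabled') } else { $null }
Add-Check '4688 includes command line' ($cmdLine -eq 1) "ProcessCreationIncludeCmdLine_Enabled=$cmdLine"

# 6. Effective audit policy from step 6, read with auditpol (English subcategory names).
$wanted = @{
    'Process Creation'          = 'Success'
    'Logoff'                    = 'Success'
    'Logon'                     = 'Success and Failure'
    'Account Lockout'           = 'Success and Failure'
    'Special Logon'             = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Security System Extension' = 'Success and Failure'
}
$audit = auditpol /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
foreach ($sub in $wanted.Keys) {
    $row = $audit | Where-Object { $_.Subcategory -eq $sub }
    Add-Check "Audit: $sub" ($row.'Inclusion Setting' -eq $wanted[$sub]) "$($row.'Inclusion Setting')"
}

# 7. NETWORK SERVICE (S-1-5-20) must be able to read the Security log to forward it.
#    Membership in the local Event Log Readers group is the usual way to grant that.
#    On a domain controller there is no local SAM, so this check reports unknown.
try {
    $members   = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction Stop
    $hasNetSvc = [bool]($members | Where-Object { $_.SID.Value -eq 'S-1-5-20' })
    Add-Check 'NETWORK SERVICE in Event Log Readers' $hasNetSvc (($members.Name) -join ', ')
} catch {
    Add-Check 'NETWORK SERVICE in Event Log Readers' $false "Could not enumerate group: $($_.Exception.Message)"
}

# 8. The WEF client logs its subscription activity and errors here; an empty log
#    usually means the SubscriptionManager policy never applied or WinRM is not running.
$fwd = Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue
Add-Check 'ForwardingPlugin log has entries' ([bool]$fwd) (($fwd | ForEach-Object { "$($_.TimeCreated) id=$($_.Id) $($_.LevelDisplayName)" }) -join '; ')

$results | Format-Table -AutoSize -Wrap
```

Every check reads state rather than changing it, so it is safe to run repeatedly while troubleshooting. A failed SubscriptionManager or WinRM check explains a host that never appears on the collector; a failed audit or PowerShell logging check explains a host that forwards events but never produces 4688 or 4104.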

Configuring the WEC Server

  1. Identify a server (should match the server identified and set in group policy above), which must run a supported Windows Server release (Server 2016 or newer).
    1. NOTE: If you follow our recommendations above to disable WinRM incoming traffic on the monitored Windows hosts, make sure that setting does NOT apply to the WEC server, or WEC will not work.
  2. Download Wirespeed-Forwarder.ps1 from Wirespeed’s Github: https://github.com/WirespeedSecurity/utils/
  3. Paste the following into an interactive PowerShell terminal running as an administrator on the WEC Server: ./Wirespeed-Forwarder.ps1 -install https://[wirespeed-url] replacing [wirespeed-url] with the URL we provide you. The Wirespeed-Forwarder.ps1 script will then:
    1. Install a configured copy of the Wirespeed-Forwarder.ps1 script into the C:\Program Files\Wirespeed directory
    2. Configure the WEC service to run correctly on this server, including enabling the WinRM dependency service, if not enabled, and opening the WinRM over HTTP (5985) and WinRM over HTTPS (5986) ports. See the note above about the security concerns of enabling WinRM; if your source systems live in known subnets, scope the inbound firewall rules to those addresses so the collector is not reachable over WinRM from the rest of the network.
    3. Configure your WEC server to use WEF to forward its own Windows events to itself so that the WEC server itself can be monitored
    4. Configure the WEC subscription to collect Windows System, Application, Security, and PowerShell logs, so you don’t have to define it manually
    5. Simulate local events (creation and deletion of a test user account) for debug and validation reasons
    6. Establish a Scheduled Task called Wirespeed-Forwarder that will run in the LOCAL SYSTEM security context, executing the Wirespeed-Forwarder.ps1 script on regular intervals.
  4. To validate the configuration is working, navigate to C:\Program Files\Wirespeed and paste the following into an interactive PowerShell terminal running as an administrator on the WEC Server: ./Wirespeed-Forwarder.ps1 -Debug
    1. This will simulate activity by creating and deleting a temporary user account locally on the WEC server.
    2. This will also invoke a benign powershell script to test powershell logging.
    3. If no events appear in the Forwarded Events log on the WEC server, you can optionally send the last 10 Security log events to test connectivity.
  5. Once installed, the Scheduled Task will run every minute to collect batches of new events and forward them to the URL provided.
    1. Note: The Wirespeed-Forwarder.ps1 script will attempt to send errors it encounters to Wirespeed, but this is not foolproof. The script will also use a rotating flat file log of its actions and results in C:\Program Files\Wirespeed\wirespeed-forwarder.log on the WEC server.
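The following collector-side health check is an added example; it is not Wirespeed’s code and not part of Wirespeed-Forwarder.ps1. It runs on the WEC server after step 3 and puts on one screen what the steps above describe separately: the collector and WinRM services, each subscription’s per-source status from wecutil, which hosts actually delivered events recently (with a spot check for the event IDs the GPO is meant to produce), the Wirespeed-Forwarder scheduled task’s last result, and the tail of the forwarder log. The task name and log path come from the steps above; the 60-minute lookback window is an assumption.

```powershell
# WEC-side health check (added example, not Wirespeed's code).
# Run in an elevated PowerShell on the WEC server, or save as a .ps1 and execute it.
$LookbackMinutes = 60                                            # assumption: adjust as needed
$TaskName        = 'Wirespeed-Forwarder'                          # from the install step above
$LogPath         = 'C:\Program Files\Wirespeed\wirespeed-forwarder.log'

# 1. The collector service (Wecsvc) and its WinRM dependency must both be running.
foreach ($svcName in 'Wecsvc', 'WinRM') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) { '{0,-8} {1,-8} {2}' -f $svcName, $svc.Status, $svc.StartType }
    else      { Write-Warning "Service $svcName not found" }
}

# 2. Subscriptions and per-source runtime status. 'wecutil gr' lists every source
#    host that has checked in, whether it is Active/Inactive/Trying, and its last error,
#    which is the quickest way to find a host whose WinRM or Kerberos path is broken.
$subs = wecutil es | Where-Object { $_ -and $_.Trim() }
if (-not $subs) { Write-Warning 'No WEC subscriptions defined on this server' }
foreach ($name in $subs) {
    "--- subscription: $name"
    wecutil gr $name
}

# 3. Which hosts actually delivered events in the window, and how many.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No forwarded events in the last $LookbackMinutes minutes; compare with the wecutil gr output above"
} else {
    $events | Group-Object MachineName | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                      @{ n = 'Newest'; e = { ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated } } |
        Format-Table -AutoSize
    # Spot-check the IDs the GPO is meant to produce: 4688 process creation,
    # 4104 script block, 4624 logon. A missing ID usually means that policy did not apply.
    $events | Where-Object { $_.Id -in 4688, 4104, 4624 } | Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize
}

# 4. Scheduled task state and last result. LastTaskResult 0 means the last run succeeded,
#    0x41301 means it is running right now; anything else deserves a look at the log below.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    [pscustomobject]@{
        Task       = $TaskName
        State      = $task.State
        RunAs      = $task.Principal.UserId
        LastRun    = $info.LastRunTime
        LastResult = '0x{0:X}' -f $info.LastTaskResult
        NextRun    = $info.NextRunTime
    } | Format-List
} else {
    Write-Warning "Scheduled task '$TaskName' not found; re-run the -install step"
}

# 5. Tail the forwarder's own rotating log for recent errors.
if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath -Tail 20 }
else { Write-Warning "Forwarder log not found at $LogPath" }
```

Read the sections in order: a source that is Active in wecutil but absent from the Forwarded Events counts has a subscription but no matching events (check the source’s audit policy); a source missing from wecutil entirely never reached the collector (check its WinRM service and the SubscriptionManager policy); a task with a non-zero LastResult points to the forwarder log.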