Set Up a Windows Event Collector

Use this workflow for Broker VM version 7.4.5 and earlier. For later Broker VM versions follow the process detailed in Activate the Windows Event Collector.
The Windows Event Collector (WEC) runs on the broker VM and collects event logs from Domain Controllers (DCs). To enable collection, you configure each DC as a Windows Event Forwarder (WEF) and establish trust between the WEFs and the WEC. Trust is established by mutual authentication over TLS: the WEC presents a server certificate and each WEF presents a client certificate, both issued by a CA that the other side trusts.
The WEF is a WinRM plugin that runs under the Network Service account. Therefore, you need to install the relevant certificates on each WEF and grant the Network Service account read access to the private key the WEF uses for client authentication, which is how it authenticates to the WEC.
Ensure you meet the following prerequisites:
  • Cortex XDR Pro per TB license
  • You have knowledge of Windows Active Directory and Domain Controllers.
  • You have openssl installed on a secure Linux or macOS host.
  • The broker VM has working DNS name resolution and a valid DNS zone record. The WEFs must be able to resolve the broker VM's FQDN, which is also the CN of the WEC certificate.
  • DCs are running on Windows Server 2012 or later.
  1. Generate CA and WEC certificates.
    1. On your secure Linux/macOS host, download the scripts and save each of the following files to the same directory:
      • generate_certs.sh
      • openssl.conf
      • v3.ext
      The CA, WEC, and WEF private keys are generated on this host. Ensure you are working on a secure host and store the CA private key securely with password protection, so you are able to generate WEF certificates for any DC you would want to turn into a WEF in the future.
    2. Set execution permission on the generate_certs.sh file by running:
      $ chmod +x generate_certs.sh
    3. Run the script, providing the broker VM CN (its FQDN as registered in DNS) on which the WEC will be activated. You will be prompted for a password to protect the PFX file.
      If you are running the script for the first time, use the --create-ca flag to also generate the CA certificate.
      $ ./generate_certs.sh --create-ca --cn broker.etac-tlv.local
      Creating the CA
      It is recommended to protect the CA certificate/key pair from overriding/deleting it unintentionally. Set readOnly permissions? [y/n] y
      Creating the cert
      Packing all to a PFX
      Enter Export Password:
      Verifying - Enter Export Password:
      Done exporting to /Users/test/Projects/WEC/out:
      PFX: broker.etac-tlv.local.pfx (SHA1 Fingerprint=6A1DF3BE9C9875C1DC3167DE1805F6FBCC1D3861)
      CA: ca.cert (SHA1 Fingerprint=D9DFCC987F21839A65682DF527193F78296FBBA2)
      $
      After completing, the script prints the location of the output files along with their SHA1 fingerprints. Record the fingerprints; they let you confirm that the files you later copy to other hosts are the ones this run produced.
      • PFX file containing the WEC key pair and the signing CA certificate.
      • The CA certificate file in PEM format.
  2. Activate WEC on the Cortex XDR Broker VM.
    1. In the Cortex XDR app, navigate to Settings > Broker VMs.
    2. Locate the broker VM on which you want to activate WEC, right-click and select Activate Windows Event Collector.
    3. In the Activate Windows Event Collector window, Browse to the WEC certificate PFX file you generated and enter the export password you set when creating it.
      The PFX file contains the certificate and key pair of the WEC along with its certificate chain. Normally the same CA signs both the WEC and the DCs' certificates. If this is not the case, upload the CA certificate that will be used to validate the DCs' client certificates in the CA BUNDLE field.
    4. On successful activation, copy the displayed subscription URL. You will need it when configuring the subscription manager in the WEF Group Policy.
  3. Generate the WEF certificate.
    1. On your secure Linux/macOS host, run the script again, this time providing the FQDN of the DC as the CN. The existing CA key pair is reused, so omit --create-ca. The subscription URL you copied is not used here; it is entered in the WEF Group Policy in a later step.
      $ ./generate_certs.sh --cn ETAC-DC-2016.etac-tlv.local
      Not creating a new CA cert/key pair. Existing ones will be used
      Creating the cert
      Packing all to a PFX
      Enter Export Password:
      Verifying - Enter Export Password:
      Done exporting to /Users/test/Projects/WEC/out:
      PFX: ETAC-DC-2016.etac-tlv.local.pfx (SHA1 Fingerprint=BFD922E214DB6A0F5C3A176118FA76C82895A8DF)
      CA: ca.cert (SHA1 Fingerprint=D9DFCC987F21839A65682DF527193F78296FBBA2)
      $
    2. Repeat this step for each DC you want to configure as a WEF.
  4. Install WEF Certificate on the DC.
    1. Copy the PFX file you created to your DC, double-click the file and import it to Local Machine. Once the import is verified, delete the PFX from the DC; it contains the private key.
    2. Run certlm.msc.
    3. Navigate to Certificates > Personal and verify the following:
      • In the Personal > Certificates folder, ensure the certificate has been imported.
      • In the Trusted Root Certification Authorities > Certificates folder, ensure the CA was added.
    4. Navigate to Certificates > Personal > Certificates.
    5. Right-click the certificate and navigate to All Tasks > Manage Private Keys.
    6. In the Permissions window, select Add, and in the Enter the object names to select section, enter NETWORK SERVICE and click OK.
      Verify that NETWORK SERVICE now appears under Group or user names with Read permission. Read is sufficient for client authentication; Full control is not required.
  5. Add the Network Service account to the DC Event Log Readers group.
    1. To enable DCs to forward events, the Network Service account must be a member of the built-in Event Log Readers group. In an administrative command prompt or PowerShell console, execute the following command on the DC:
      C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add
      The WEF Group Policy in step 6 also adds this membership through Group Policy preferences, so it is applied consistently to every DC linked to the policy.
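Steps 4 and 5 performed from PowerShell on the DC, as an added example that is not part of the original page or of the vendor's scripts. It refuses to import a PFX whose fingerprint differs from the one generate_certs.sh printed, imports the key pair and the CA, grants NETWORK SERVICE read access to the private key file (the same change the Manage Private Keys dialog makes) and adds the account to Event Log Readers. The file paths and the expected thumbprint are assumptions taken from this page's sample run.

```powershell
# Added example, not from the original page: performs steps 4 and 5 on a DC without
# the certlm.msc GUI. Run in an elevated PowerShell session on the DC. The file
# paths and the expected thumbprint are assumptions taken from this page's sample
# generate_certs.sh run; substitute your own.
param(
    [string]$PfxPath            = 'C:\Temp\ETAC-DC-2016.etac-tlv.local.pfx',
    [string]$CaCertPath         = 'C:\Temp\ca.cert',   # PEM CA cert from the same run
    [string]$ExpectedThumbprint = 'BFD922E214DB6A0F5C3A176118FA76C82895A8DF'
)
$ErrorActionPreference = 'Stop'
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString

# 1. Refuse to import a PFX whose SHA1 fingerprint differs from the one the
#    generator printed; this catches a swapped or tampered file in transit.
$leaf = (Get-PfxData -FilePath $PfxPath -Password $pfxPassword).EndEntityCertificates |
    Select-Object -First 1
if ($leaf.Thumbprint -ne $ExpectedThumbprint) {
    throw "PFX fingerprint $($leaf.Thumbprint) does not match expected $ExpectedThumbprint"
}

# 2. Step 4: import the WEF key pair into the Local Machine Personal store and the
#    CA certificate into Trusted Root Certification Authorities.
Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword `
    -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null
$cert = Get-Item -Path "Cert:\LocalMachine\My\$($leaf.Thumbprint)"

$ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertPath)
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
if (-not $root.Certificates.Contains($ca)) { $root.Add($ca) }
$root.Close()

# Confirm the WEF certificate now chains to the CA (no CRL is published, so skip revocation).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    throw "WEF certificate does not chain to a trusted root: $($chain.ChainStatus.StatusInformation -join '; ')"
}

# 3. Step 4.6: grant NETWORK SERVICE read access to the private key file, which is what
#    the GUI's "Manage Private Keys" action does. Read is sufficient; Full control is not needed.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName                               # CNG key storage provider
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CAPI provider
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file $keyName not found under $env:ProgramData\Microsoft\Crypto" }
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 4. Step 5: membership in the built-in Event Log Readers group (idempotent).
$members = & net localgroup 'Event Log Readers'
if (-not ($members -match 'NETWORK SERVICE')) {
    & net localgroup 'Event Log Readers' 'NT AUTHORITY\NETWORK SERVICE' /add | Out-Null
}

# 5. Remove the PFX from the DC; the private key now lives only in the machine store.
Remove-Item -Path $PfxPath -Force

[PSCustomObject]@{
    Certificate     = $cert.Subject
    Thumbprint      = $cert.Thumbprint
    KeyFile         = $keyFile.FullName
    KeyAccess       = (Get-Acl -Path $keyFile.FullName).Access |
        Where-Object { $_.IdentityReference -like '*NETWORK SERVICE' } |
        ForEach-Object { $_.FileSystemRights }
    EventLogReaders = [bool]((& net localgroup 'Event Log Readers') -match 'NETWORK SERVICE')
}
```

The key file lookup covers both key storage providers because a PFX produced by openssl is usually imported into the legacy CAPI provider, whose key files live under ProgramData\Microsoft\Crypto\RSA\MachineKeys, while CNG keys live under ProgramData\Microsoft\Crypto\Keys. The fingerprint check is the one step the GUI import cannot do for you.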
  6. Create a WEF Group Policy which applies to every DC you want to configure as a WEF.
    1. Open gpmc.msc.
    2. Create a new Group Policy and name it Windows Event Forwarding.
    3. In the Group Policy Management window, navigate to Domains > <your domain name> > Windows Event Forwarding, right-click and select Edit.
    4. In the Group Policy Management Editor:
      • Set the WinRM service for automatic startup.
        • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services, and double-click Windows Remote Management (WS-Management).
        • Mark Define this policy setting and select Automatic.
      • Enable auditing of the Kerberos events the Broker VM supports (Kerberos pre-authentication, authentication, and service ticket request and renewal events).
        • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon.
        • Configure Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations to Success and Failure.
    5. Configure the subscription manager.
      Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding, and double-click Configure target Subscription Manager.
      In the Configure target Subscription Manager window, select Enabled, click Show, and paste the subscription URL you copied when activating WEC on the broker VM as a new entry. Click OK to close both dialogs.
    6. Add Network Service to the Event Log Readers group.
      Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, right-click and select New > Local Group.
      In the Event Log Readers (built-in) Properties window:
      • In the Group name field, select Event Log Readers (built-in).
      • In the Members section, click Add and enter Network Service in the Name field.
        You must type the name; it cannot be selected with the browse button.
      • Click OK.
    7. Configure the Windows Firewall.
      If Windows Firewall is enabled on your DCs, you will have to define an outbound rule to enable the WEF to reach TCP port 5986 (WinRM over HTTPS) on the WEC. The default outbound action of Windows Firewall is allow, so this rule only matters where your policy blocks outbound traffic by default.
      Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules, right-click and select New Rule.
      Configure the following:
      • Rule Type: Port
      • Protocol and Ports: TCP, specific remote port 5986
      • Action: Allow the connection
      • Profile: mark Domain, clear Private and Public
      • Name: Windows Event Forwarding
      • Finish
  7. Apply the WEF Group Policy.
    Link the policy to the Domain Controllers OU, or to the OU containing the DCs you would like to configure as WEFs.
    1. Navigate to Group Policy Management > <your domain name> > Domain Controllers, right-click and select Link an Existing GPO....
    2. Select the WEF Group Policy you created, Windows Event Forwarding.
    3. On each DC, in an administrative PowerShell console, execute the following commands:
      PS C:\Users\Administrator> gpupdate /force
      PS C:\Users\Administrator> Restart-Service WinRM
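Steps 6.5 and 7 done from PowerShell with the GroupPolicy module, as an added example that is not part of the original page. It shows the registry value that the Configure target Subscription Manager policy actually writes, which is useful when verifying on a DC that the policy applied. The subscription string below is a placeholder in the standard WEF format using this page's example broker name; it must be replaced with the URL the Broker VM displayed after activation.

```powershell
# Added example, not from the original page: creates the WEF GPO, writes the value
# behind "Configure target Subscription Manager", and links the GPO to the Domain
# Controllers OU (steps 6.5 and 7). Run as a domain admin on a DC or on a host with
# the GroupPolicy RSAT module.
Import-Module GroupPolicy

$GpoName = 'Windows Event Forwarding'
# Assumed placeholder in the standard WEF subscription format; paste the string the
# Broker VM displayed (step 2.4) here verbatim.
$SubscriptionUrl = 'Server=https://broker.etac-tlv.local:5986/wsman/SubscriptionManager/WEC,Refresh=60'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Forwards DC event logs to the Cortex XDR Broker VM WEC'
}

# Equivalent of Computer Configuration > Policies > Administrative Templates >
# Windows Components > Event Forwarding > Configure target Subscription Manager.
# Each entry shown in that dialog is stored as a numbered string value under this key.
$smKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
Set-GPRegistryValue -Name $GpoName -Key $smKey -ValueName '1' -Type String -Value $SubscriptionUrl | Out-Null

# Step 7: link to the Domain Controllers OU unless already linked.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$target   = "OU=Domain Controllers,$domainDn"
$links    = (Get-GPInheritance -Target $target).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $target -LinkEnabled Yes | Out-Null
}

# The remaining settings of step 6 (WinRM startup type, Advanced Audit Policy, the
# Event Log Readers preference and the firewall rule) are not plain registry policies
# and still need the Group Policy Management Editor.
Get-GPO -Name $GpoName | Format-List DisplayName, Id, GpoStatus, ModificationTime
```

After the link is in place, run gpupdate /force and Restart-Service WinRM on each DC as in step 7.3; the value should then be visible under HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager on the DC.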
  8. Verify Windows Event Forwarding.
    1. On the DC, in an administrative PowerShell console, run the following command:
      PS C:\Users\Administrator> Get-WinEvent Microsoft-Windows-WinRM/Operational -MaxEvents 10
    2. Look for WSMan operation EventDelivery completed successfully messages. These indicate that events were forwarded successfully. Errors in this log usually mean the CA is not trusted on one side, the certificate CN does not match the host's DNS name, or Network Service cannot read the private key.
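A one-shot health check for a WEF, as an added example that is not part of the original page. It checks each setting this page configures (subscription manager value, WinRM startup, Kerberos audit policy, client certificate and chain) and then counts EventDelivery successes and recent errors, so a failing forwarder can be traced to the step that was missed. The one-hour lookback window is an assumption.

```powershell
# Added example, not from the original page: run in an elevated PowerShell session on
# a DC after the WEF Group Policy has applied. The one-hour lookback is an assumption.
$ErrorActionPreference = 'Continue'
$since  = (Get-Date).AddHours(-1)
$report = [ordered]@{}

# Step 6.5: the policy should have written numbered subscription manager value(s).
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$report['SubscriptionManager'] = if (Test-Path -Path $smKey) {
    (Get-ItemProperty -Path $smKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
} else { 'NOT SET (GPO not applied?)' }

# Step 6.4: WinRM must be running and start automatically.
$svc = Get-Service -Name WinRM
$report['WinRM'] = '{0}, startup {1}' -f $svc.Status, $svc.StartType

# Step 6.4: both Kerberos subcategories must be "Success and Failure".
$report['KerberosAudit'] = auditpol /get /category:"Account Logon" /r |
    ConvertFrom-Csv |
    Where-Object { $_.Subcategory -like 'Kerberos*' } |
    ForEach-Object { '{0}: {1}' -f $_.Subcategory, $_.'Inclusion Setting' }

# Steps 4 and 5: a client certificate for this host's FQDN, with a private key,
# that chains to a trusted root (no CRL is published, so revocation is skipped).
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$fqdn*" } |
    Select-Object -First 1
if ($cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $report['ClientCert'] = '{0} (chain valid: {1})' -f $cert.Thumbprint, $chain.Build($cert)
} else { $report['ClientCert'] = "NO certificate with CN=$fqdn and a private key" }

# Step 8: successful deliveries and recent errors in the WinRM and forwarding-plugin logs.
$fmt   = { '{0} id={1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] }
$winrm = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; StartTime = $since } `
    -ErrorAction SilentlyContinue
$report['EventDeliveryOK'] = @($winrm | Where-Object { $_.Message -like '*EventDelivery completed successfully*' }).Count
$report['WinRMErrors']     = $winrm | Where-Object { $_.Level -in 1, 2 } | Select-Object -First 5 | ForEach-Object $fmt
$report['ForwardingPluginErrors'] = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'; Level = 2; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object -First 5 | ForEach-Object $fmt

[PSCustomObject]$report | Format-List
```

A zero EventDeliveryOK count with no errors usually means the subscription has not been fetched yet; WinRM polls the subscription manager at the Refresh interval in the URL, so wait that long after Restart-Service WinRM before concluding something is wrong.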
