Setting Up Security Event Log Subscriptions with Windows Server 2003/2008


Written by Liju Varghese, Senior Microsoft Premier Field Engineer.


This article aims to make it easier to set up a Source-Initiated Subscription with Windows Server 2003/2008 so that events of interest from the Security event log of several domain controllers can be forwarded to an administrative workstation.

For the purpose of this article, we've selected the event IDs 5136, 5137 and 566. These security events indicate GPO creation, editing or deletion. I'm not going to go into setting up the actual auditing. For that, please refer to this excellent article: Monitoring Group Policy Changes with Windows Auditing. Events 5136 and 5137 indicate the modification and deletion respectively of Active Directory objects on a Windows Server 2008-based domain controller. Event ID 566 is the equivalent on a domain controller running Windows Server 2003.

There are several alternatives to setting up event log subscriptions. However, this feature is built into the operating system and does not require the installation of any additional software. There are also several articles on the web about forwarding events from the Application and System event logs. However, forwarding from the Security log involves certain nuances I hope to shed some light on. This should interest any administrator looking to pick up specific events from the myriad of events that otherwise flood the Security event log.

Our Sample Environment

Here’s the sample environment I’ll be referencing throughout the remainder of the article.


Our designated Event Sources:

- RootDC01.Reskit.com (Windows Server 2008 R2 SP1)
- RootDC02.Reskit.com (Windows Server 2008 R2 SP1)
- ChildDC01.Corp.Reskit.com (Windows Server 2008 R2 SP1)
- ChildDC02.Dev.Dom (Windows Server 2008 R2 SP1)
- 2K3RootDC01.2K3Dom.local (Windows Server 2003 R2 SP2)

Our designated Event Collector:

- RootMember01.Reskit.com (Windows Server 2008 R2 SP1)

Windows Server 2003 Prerequisites

1.  Install the following updates (if necessary):

- An update is available for the Windows Remote Management feature in Windows Server 2003 and in Windows XP
- Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0)

2.  Ensure the Windows Firewall/Internet Connection Sharing (ICS) service is started and set to Automatic. The firewall itself, however, may be turned off.

3.  Make the following registry edit, which appends an ACE granting the Network Service account (NS) read access (0x1) to the Security event log:

- Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
- Value: CustomSD
- Type: REG_SZ
- Old Data: O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)
- New Data: O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;NS)

4.  From an elevated command prompt run the following command and confirm the changes:

C:\>WinRM QuickConfig
WinRM already is set up to receive requests on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on https://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on https://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled.

5.  Confirm the Windows Remote Management listener is configured for port 5985:

C:\>WinRM e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.1.1, ::1, fe80::100:7f:fffe%14, fe80::5efe:192.168.1.1%12, fe80::88f7:5cef:3a9c:8f78%11

WinRM 1.1 and earlier use the default HTTP port 80 and HTTPS port 443, which are commonly used by IIS. WinRM 2.x uses HTTP port 5985 and HTTPS port 5986 by default. If you already have a listener but want to change the port, run this command:

Winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="5985"}
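An added example (not code from the article) that checks a CustomSD string mechanically before it is written, since one extra or missing parenthesis invalidates the whole descriptor: it parses the DACL of an SDDL string, rejects unbalanced or malformed ACEs, and reports whether a trustee such as NS (Network Service) is allowed the event log read bit (0x1); it reads the collector's AllowedSourceDomainComputers descriptor from WECUtil GS the same way. The sample strings are the article's own values, and matching trustees by name without expanding group membership is a simplification.

```python
import re

ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4   # event log access-mask bits (ELF_LOGFILE_*)
ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_dacl(sddl):
    """Return the DACL of an SDDL string as [(ace_type, mask, trustee)]; mask is an int for
    hex masks, else the generic-rights string (e.g. 'GA'). Raises ValueError on typos."""
    if sddl.count("(") != sddl.count(")"):
        raise ValueError("unbalanced parentheses in SDDL")
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)        # the DACL runs up to the optional SACL
    if not m:
        raise ValueError("no DACL (D:) in SDDL")
    dacl, aces = m.group(1), []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inh, trustee = fields
        mask = int(rights, 16) if rights.startswith("0x") else rights
        aces.append((ace_type, mask, trustee))
    leftover = re.sub(r"^(P|AI|AR)*", "", ACE_RE.sub("", dacl))   # only DACL flags may remain
    if leftover:
        raise ValueError(f"unexpected text in DACL: {leftover!r}")
    return aces

def is_allowed(sddl, trustee, bit=ELF_READ):
    """True if an ACE for `trustee` allows `bit`. ACEs are evaluated in order, so an earlier
    deny covering the bit wins over a later allow. Group membership is not expanded."""
    for ace_type, mask, who in parse_dacl(sddl):
        if who == trustee and (mask == "GA" or (isinstance(mask, int) and mask & bit)):
            return ace_type == "A"
    return False

# Constructed samples: the article's step 3 values (old, corrected new, and the mistyped
# variant with an extra ')') plus an AllowedSourceDomainComputers value from WECUtil GS.
OLD_SD = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)"
NEW_SD = OLD_SD + "(A;;0x1;;;NS)"
TYPO_SD = OLD_SD + ")(A;;0x1;;;NS)"
ALLOWED = ("O:NSG:BAD:P(A;;GA;;;S-1-5-21-3502308048-3540793799-815047079-1000)"
           "(A;;GA;;;S-1-5-21-853228874-1112729953-1234218680-1000)S:")

if __name__ == "__main__":
    print("NS read before/after edit:", is_allowed(OLD_SD, "NS"), is_allowed(NEW_SD, "NS"))
    try:
        parse_dacl(TYPO_SD)
    except ValueError as err:
        print("mistyped value rejected:", err)
```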

Windows Server 2008 R2 SP1 Prerequisites

1. Add the Network Service account to the members of the Event Log Readers domain local group.

2. From an elevated command prompt run the following command and confirm the changes:

C:\>WinRM QuickConfig
WinRM already is set up to receive requests on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on https://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on https://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled.

3. Confirm the Windows Remote Management listener is configured for port 5985:

C:\>WinRM e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.1.1, ::1, fe80::100:7f:fffe%14, fe80::5efe:192.168.1.1%12, fe80::88f7:5cef:3a9c:8f78%11

WinRM 1.1 and earlier use the default HTTP port 80 and HTTPS port 443, which are commonly used by IIS. WinRM 2.x uses HTTP port 5985 and HTTPS port 5986 by default. If you already have a listener but want to change the port, run this command:

Winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="5985"}

4. On the Event Log Collector only, configure the Windows Event Collector service. From an elevated command prompt run the following command and confirm the changes:

C:\>WECUtil qc
The service startup mode will be changed to Delay-Start. Would you like to proceed ( Y- yes or N- no)?y
Windows Event Collector service was configured successfully.

Configuring the Event Log Sources

The following steps should be performed in each of the domains where you have identified domain controllers to collect events from:

1.  Create a new GPO named Event Forwarding Subscription and link it to the Domain Controllers Organizational Unit:


2. Edit the GPO and browse to Computer Configuration | Policies | Administrative Templates | Windows Components | Event Forwarding, then open the setting "Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager".

3. Enable the setting, click Show and set the value to the FQDN of the Event Log Collector in the subscription manager address syntax, for example Server=http://RootMember01.Reskit.com:5985/wsman/SubscriptionManager/WEC.

4. Next browse to Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Remote Management (WinRM) | WinRM Service, then open the setting "Allow automatic configuration of listeners".

5. Enable the setting and set both the IPv4 filter and the IPv6 filter to *.

6. Verify the changes have been applied using the Settings tab for the GPO.

7. Force Active Directory replication using the command below, specifying the PDC emulator (PDCe) of the domain where you edited the GPO:

C:\>Repadmin /Syncall "ROOTDC01" /A /e /Q
Syncing all NC's held on ROOTDC01.
Syncing partition: DC=ForestDnsZones,DC=Reskit,DC=com
Syncing partition: DC=DomainDnsZones,DC=Reskit,DC=com
Syncing partition: CN=Schema,CN=Configuration,DC=Reskit,DC=com
Syncing partition: CN=Configuration,DC=Reskit,DC=com
Syncing partition: DC=Reskit,DC=com
Syncing partition: DC=Dev,DC=Dom
Syncing partition: DC=Corp,DC=Reskit,DC=com

8. Run the following command to force a refresh of group policy on each of the domain controllers in the domain:

C:\>gpupdate /force
Updating Policy...

User Policy update has completed successfully.
Computer Policy update has completed successfully.

9. Reboot each of the domain controllers when possible, and not all at the same time.

10. Verify that the Windows Remote Management (WS-Management) service is started on each of the Event Log Sources using the command below (it could take a few minutes after the reboot for the service to start):

C:\>sc \\RootDC01 query WinRM

SERVICE_NAME: WinRM
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Configuring the Event Log Collector

1. Create a source-initiated Event Log Subscription named GPO_Auditing_SI in Event Viewer on the Event Log Collector; the resulting subscription properties are shown in the next step.

2. Run the following command to view the properties of the Subscription:

C:\>WECUtil GS GPO_Auditing_SI
Subscription Id: GPO_Auditing_SI
SubscriptionType: SourceInitiated
Description: Source-initiated event forwarding subscription for 5136, 5137 and 566 Security events to indicate GPO creation, edit or deletion
Enabled: true
Uri: https://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: MinLatency
DeliveryMode: Push
DeliveryMaxLatencyTime: 30000
HeartbeatInterval: 3600000
Query: <QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=566 or EventID=5136 or EventID=5137)]]</Select></Query></QueryList>
ReadExistingEvents: false
TransportName: HTTP
ContentFormat: RenderedText
Locale: en-US
LogFile: ForwardedEvents
PublisherName: Microsoft-Windows-EventCollector
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:BAD:P(A;;GA;;;S-1-5-21-3502308048-3540793799-815047079-1000)(A;;GA;;;S-1-5-21-3502308048-3540793799-815047079-1103)(A;;GA;;;S-1-5-21-853228874-1112729953-1234218680-1000)(A;;GA;;;S-1-5-21-1153497287-3566825660-1387263468-1000)S:
EventSource[0]:
    Address: ChildDC01.Corp.Reskit.com
    Enabled: true
EventSource[1]:
    Address: RootDC01.Reskit.com
    Enabled: true

3. Run the following command to change the Event Delivery Optimization to a custom configuration and to read existing events:

C:\>WECUtil SS GPO_Auditing_SI /cm:Custom /dmi:20 /hi:3600000 /dmlt:30000 /ree:true

4. Verify that the changes have taken effect by running the previous command again:

C:\>WECUtil GS GPO_Auditing_SI
Subscription Id: GPO_Auditing_SI
SubscriptionType: SourceInitiated
Description: Source-initiated event forwarding subscription for 5136, 5137 and 566 Security events to indicate GPO creation, edit or deletion
Enabled: true
Uri: https://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
DeliveryMode: Push
DeliveryMaxItems: 20
DeliveryMaxLatencyTime: 30000
HeartbeatInterval: 3600000
Query: <QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=566 or EventID=5136 or EventID=5137)]]</Select></Query></QueryList>
ReadExistingEvents: true
TransportName: HTTP
ContentFormat: RenderedText
Locale: en-US
LogFile: ForwardedEvents
PublisherName: Microsoft-Windows-EventCollector
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:BAD:P(A;;GA;;;S-1-5-21-3502308048-3540793799-815047079-1000)(A;;GA;;;S-1-5-21-3502308048-3540793799-815047079-1103)(A;;GA;;;S-1-5-21-853228874-1112729953-1234218680-1000)(A;;GA;;;S-1-5-21-1153497287-3566825660-1387263468-1000)S:
EventSource[0]:
    Address: ChildDC01.Corp.Reskit.com
    Enabled: true
EventSource[1]:
    Address: RootDC01.Reskit.com
    Enabled: true

5. Reboot the Event Log Collector.

6. Verify that the Windows Remote Management (WS-Management) and Windows Event Collector services are started (it could take a few minutes after the reboot for the services to start):

C:\>sc \\RootMember01 query Wecsvc

SERVICE_NAME: Wecsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\>sc \\RootMember01 query WinRM

SERVICE_NAME: WinRM
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

7.  Wait a few hours (no kidding!)

8. Retry the Subscription.

9. View the Runtime Status.

10. View the contents of the Forwarded Events log.
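As an added example (not code from the article), this Python parses the text WECUtil GS prints, extracts the subscribed event IDs and sources, and compares the fields against the switches passed to WECUtil SS in step 3, so the before/after check in step 4 can be scripted. The switch-to-field mapping is inferred from the two outputs above, and the sample text is constructed from the article's "before" output, trimmed to one source.

```python
import re

# WECUtil SS switch -> the field name that WECUtil GS prints for it (inferred from the outputs).
SS_SWITCH_TO_FIELD = {"cm": "ConfigurationMode", "dmi": "DeliveryMaxItems",
                      "dmlt": "DeliveryMaxLatencyTime", "hi": "HeartbeatInterval",
                      "ree": "ReadExistingEvents"}

def parse_gs_output(text):
    """Turn WECUtil GS 'Key: Value' lines into a dict. The first occurrence of a key wins, so
    a source's 'Enabled' never overwrites the subscription's; sources are listed separately."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m and m.group(1) not in props:
            props[m.group(1)] = m.group(2).strip()
    props["_sources"] = re.findall(r"Address:\s*(\S+)", text)
    ids = re.findall(r"EventID=(\d+)", props.get("Query", ""))
    props["_event_ids"] = sorted(int(i) for i in ids)
    return props

def expected_from_ss(switches):
    """Translate '/cm:Custom /dmi:20 ...' into the GS field values it should produce."""
    found = re.findall(r"/(\w+):(\S+)", switches)
    return {SS_SWITCH_TO_FIELD[sw]: val for sw, val in found if sw in SS_SWITCH_TO_FIELD}

def settings_mismatches(gs_text, switches):
    """Return {field: (expected, actual)} for each SS switch the GS output does not reflect."""
    actual = parse_gs_output(gs_text)
    return {f: (v, actual.get(f)) for f, v in expected_from_ss(switches).items()
            if str(actual.get(f)).lower() != v.lower()}

# Constructed from the article's "before" WECUtil GS output, trimmed to the relevant lines.
GS_BEFORE = """Subscription Id: GPO_Auditing_SI
SubscriptionType: SourceInitiated
Enabled: true
ConfigurationMode: MinLatency
DeliveryMode: Push
DeliveryMaxLatencyTime: 30000
HeartbeatInterval: 3600000
Query: <QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=566 or EventID=5136 or EventID=5137)]]</Select></Query></QueryList>
ReadExistingEvents: false
EventSource[0]:
Address: ChildDC01.Corp.Reskit.com
Enabled: true
"""
SS_SWITCHES = "/cm:Custom /dmi:20 /hi:3600000 /dmlt:30000 /ree:true"

if __name__ == "__main__":
    print(settings_mismatches(GS_BEFORE, SS_SWITCHES))   # the three fields step 3 changes
```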

Potential Issues and Solutions

The Computer Groups window has trouble deciphering FQDNs.

Solution: Use the short name of the computer instead; that works.


2k3RootDC01.2k3Dom.local reports Code (0x57): Windows Event Forward Plugin failed to create subscription

Solution: Install KB968930 (the Windows Management Framework update listed in the Windows Server 2003 prerequisites).


RootDC01.Reskit.com reports Code (0x138C): Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them

Solution:

- Add the "Network Service" account and the machine account of the collector to the "Event Log Readers" domain local group, and
- Assign the "Manage auditing and security log" user right to the "Network Service" account and the machine account of the collector on the sources.


The Forwarded Events log contains one or more of the following events:

Source:        Microsoft-Windows-EventForwarder
Date:          10/19/2011 2:33:51 PM
Event ID:      111
Task Category: None
Level:         Information
Keywords:      None
User:          N/A
Computer:      RootDC01.Reskit.com
Description:
The description for Event ID 111 from source Microsoft-Windows-EventForwarder cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Solution: This is just the initial bookmark event that Event forwarding plugin uses to mark the beginning of a subscription; it can be ignored.


That’s it!  Hope this helped.  Please let me know if you have any questions or suggestions.