December 1, 2008

Security Event Log Forwarding on Windows 2008 servers

The use of a centralized log server has often been highlighted in many of today’s security
best practices. The constant need to collect, retain and protect these sensitive security
event log files sometimes overwhelm security and systems administrators, especially
in large corporate environments. When properly configured, security event logs are
used to track user activity and access on specific systems or objects, and is a key
element when tying to piece up the chain of events leading to a security incident.
Many security administrators might know how cumbersome it is to manage such security
event log files, and sometimes seek third party vendors to help them manage their
security log files. The truth is that
many of these problems can be solved using native features of your server operating

a successor to Windows 2003 server, the new windows 2008 server has a security event
log forwarding feature natively installed. Windows
2008 breaks up security event forwarding into parts: the source and the collector.
The source computer or server is the actual machine in which the security logs are
fetched. The collector is the centralized server which collects, consolidates and
protects the sensitive event log files. On Windows 2008 server, both source and collector
need to be configured so that this feature can be used.


configure a security event log forwarding on Windows 2008 server, you should log on
to the source and collector computers using a domain administrator account.


On the Source
computers, you must configure windows remote management by executing the following
at the command prompt:

1.winrm quickconfig

This command
preforms the following changes to the operating system:

  • * Sets
    the WinRM and WinRM Listener services to auto start (which usualy are set to manual)
  • * CreatesFirewall
    exceptions and application associationsfor port 80 and 443with WinRM services.

** Group Policy can be used to automatically configuring and deploy
multiple sources.

Collector Configuration:

On the Collector server, you must configure the Windows Event Log Collector Utility by
executing the following at the command prompt:

1.wecutil qc

This command
willinitialize the Windows Event Log Collector on the server. At this point
the Collector serveris ready to

create subscriptions
to multiple sources.

To configure
security event subscriptions:

2. Open Event Viewer on the Collector computer, right-click Subscriptions in the left pane and select Create Subscription. ** Subscriptions can only be established to properly configured Source computers. 3. Click on select events and choose the event which you want to collect. In our case, choose the security events. 4. Configure the time and frequency options on the collector server. By default, the server will subscribe its logs after an event is written. 5. Configure the destination of these log files (ie: repository) this location should be a WORM (Write Once Read Many) repository. Advanced Configurations: You can configure optimal subscription configurations such as bandwith, protocols and account information. The default values are shown below. *As a security best practice, personal usernames should not be used to configure this service. Administrators should use the computer account or a special service account to perform the subscriptions. * If by any chance subscription service are configured to use any other port other than port 80 and 443,proper firewall configuration will need to be made at each source.

Test Event Forwarding

If all of the Event Forwarding components are functioning a test event created on the

Source Computer should arrive in the Collector’s “Forwarded Events” log within 60 seconds.

To create a test event, type in thefollowing command at the command prompt:

eventcreate /id 100 /t error /l application /d “Event Forwarding Test”

The event should appear on the colletors Forwarded Events as seen below: