B5390
presents
Windows™ Event Forwarding (WEF) into HP/ArcSight™ at Scale
Rin Ure
Sr. Security Analyst/Architect
Windows & Devices Group
Security Monitoring Analytics Response Team (WDGSMART)
[Architecture diagram: Client Servers – WEC Servers – ArcSight]
Client servers: GPOs deliver the WinRM configuration, the WEC targets and the host firewall rule for port 5985. WEF is configured via GPO; the NT service account (NETWORK SERVICE) is added to the Event Log Readers group so that events are “PUSHED” from the CLIENT to the WEC SERVER.
Client server <– WinRM, port 5985 –> WEC server: bidirectional communication is established between client and WEC server over port 5985.
WEC server –> ArcSight: ArcSight Connectors collect the Windows events from the WEC server (the connector reads the forwarded events) and deliver them to ArcSight ESM, ArcSight Loggers and Cosmos (big data solution).
WEF Event flow End-to-End

[Flowchart]
Client servers, GPOs applied (WinRM, WEC targets, host firewall):
- WinRM configured and started via GPO
- WEC targets assigned through GPO
- Host firewall allows inbound and outbound traffic over PORT 5985 by GPO

WEC servers (load balanced), GPOs applied (WinRM, WEC subscriptions, host firewall):
- WinRM configured and started via GPO
- WEC subscriptions configured and WECSVC started
- Domain-joined servers assigned to subscriptions

Flow:
1. Clients communicate with their WEC target and start communication.
2. The WEC server communicates with the client through WinRM over port 5985.
3. Is the client assigned to me (configured within the WEC subscriptions)?
   - Yes: the WEC server instructs the client what events to forward, and the client continues communication to the WEC server.
   - No: the WEC server declines the client request.
Configuration Steps
6. Click OK.
Subscriptions are stored in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions

Subscription Example in XML Format
Display a WEC subscription in XML format:
wecutil {gs | get-subscription} <Subid> [/f:<Format>] [/uni:<Unicode>]
Displays subscription configuration information. <Subid> is a string that uniquely identifies a subscription; it is the same string specified in the <SubscriptionId> tag of the XML configuration file used to create the subscription. <Format> is Terse (default) or XML; the XML output can be saved as <SUBSCRIPTION_NAME>.XML and re-imported on another collector with wecutil cs <SUBSCRIPTION_NAME>.XML.
Link: http://technet.microsoft.com/en-us/library/cc753183.aspx
Windows Server 2003 sources: WinRM is not installed by default, so you will have to deploy it to servers running Windows Server 2003, either through software distribution or manually. Windows Server 2003 can run either WinRM 1.1 or WinRM 2.0; 2.0 is the better choice.
A Group Policy setting provides backward compatibility with WinRM 1.1 (the compatibility HTTP/HTTPS listeners). WinRM 1.1 uses ports 80 and 443 by default, so with that policy the Event Collector opens firewall ports 80 and 443 for event forwarding. Ports 5985 (HTTP) and 5986 (HTTPS) remain the defaults on an Event Collector running WinRM 2.0, so for 1.1 sources to communicate with a 2.0 collector, either the 1.1 source ports must be changed to the ports the 2.0 collector uses or the compatibility listeners must be enabled on the collector.
Set the folder path for the “FwdArcSecurity” log to the SAME folder as the “Forwarded Events” log, e.g.:
• D:\Winevt\Logs\ForwardedEvents.evtx
This allows the ArcSight WUC (Windows Unified Connector) to connect to the “FwdArcSecurity” log and pull the events as though it were connected to the “Forwarded Events” log.
Some things to consider, continued…
Configure WinRM Service with GP
• Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Remote Management/WinRM Service
• Edit policy {./Allow automatic configuration of listeners}
• Set to Enabled
• Specify the IPv4 and IPv6 filters (the addresses the service listens on)
• (*) can be used in the filters as long as it is used in a trusted network; otherwise restrict the filters to the collector-facing addresses.
• Edit policy {./Turn on Compatibility HTTP Listener}
• Set to Enabled
• Edit policy {./Turn on Compatibility HTTPS Listener}
• Set to Enabled
• The compatibility listeners add ports 80/443 for WinRM 1.1 sources only; they are not needed when every source runs WinRM 2.0 or later.
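The following PowerShell script is an added example and not part of the original deck. Run on a source computer, it checks that what the GPOs above (and the WEC-target and firewall GPOs from the event-flow diagram) are supposed to deliver actually arrived: WinRM running with an HTTP listener, the WinRM Service policy values, a SubscriptionManager (WEC target) entry, NETWORK SERVICE in Event Log Readers, and TCP reachability of the collector. The collector name wec01.contoso.live is a placeholder assumption; the two policy registry keys are the ones the WinRM Service and Event Forwarding policies write to.

```powershell
# Added example (not from the original deck): source-computer readiness check for WEF.
# Assumptions: collector FQDN 'wec01.contoso.live' (placeholder) and WinRM HTTP port 5985.
param(
    [string]$Collector = 'wec01.contoso.live',
    [int]$Port = 5985
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. WinRM service state and listener (policy: Allow automatic configuration of listeners)
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { $findings.Add('WinRM service is not running') }
$listeners = (winrm enumerate winrm/config/listener 2>&1) -join "`n"
if ($listeners -notmatch 'Transport\s*=\s*HTTP\b') {
    $findings.Add('no WinRM HTTP listener is configured')
}

# 2. Values written by the "WinRM Service" policies
$svcPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -ErrorAction SilentlyContinue
if (-not $svcPolicy -or $svcPolicy.AllowAutoConfig -ne 1) {
    $findings.Add('AllowAutoConfig policy is not applied')
}
foreach ($filter in 'IPv4Filter', 'IPv6Filter') {
    if ($svcPolicy -and $svcPolicy.$filter -eq '*') {
        $findings.Add("$filter is '*': listener bound on every address; acceptable only on a trusted network")
    }
}

# 3. WEC target: the Event Forwarding policy stores "Server=...,Refresh=..." strings, one per numbered value
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$targets = @()
$sm = Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue
if ($sm) {
    $targets = @($sm.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}
if ($targets.Count -eq 0) {
    $findings.Add('no SubscriptionManager (WEC target) is configured')
} elseif (-not (($targets -join ';') -match [regex]::Escape($Collector))) {
    $findings.Add("WEC targets do not include $Collector : $($targets -join '; ')")
}

# 4. Event Log Readers must contain NETWORK SERVICE so the forwarding plugin can read Security
$members = (net localgroup 'Event Log Readers' 2>&1) -join "`n"
if ($members -notmatch 'NT AUTHORITY\\NETWORK SERVICE') {
    $findings.Add('NT AUTHORITY\NETWORK SERVICE is not in Event Log Readers (expect WSManFault 5/1818/5004)')
}

# 5. Collector reachable on the WinRM port (the client-initiated side of the bidirectional flow)
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Collector, $Port)
} catch {
    $findings.Add("cannot reach ${Collector}:$Port ($($_.Exception.Message))")
} finally {
    $client.Close()
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME is ready to forward to $Collector"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it elevated after gpupdate /force on a pilot client; a non-zero exit code with the warnings listed is what the deployment team needs before opening a ticket against the collector. Adding NETWORK SERVICE to Event Log Readers takes effect only after the service's token is rebuilt (a reboot, as the error table later notes), which is why the group check is done here rather than inferred from the GPO.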
Minimize Bandwidth: ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode, a batch timeout of 6 hours and a heartbeat interval of 6 hours.
Minimize Latency: ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and a batch timeout of 30 seconds.
Pre-rendering Events
• If the source computer is generating a large volume of forwarded events (e.g. Security events from a Domain Controller), disable event rendering on the subscription. Pre-rendering each event on the source computer (ContentFormat RenderedText) can be CPU intensive for a large number of events; with ContentFormat Events the source sends the raw event XML instead.
• On the Event Collector open a command prompt.
• Type wecutil ss <name of subscription> /cf:Events
• This changes the subscription's ContentFormat from RenderedText to Events.
• Caveat: with Events, the human-readable description text is not in the forwarded payload. Whatever renders the events (the collector or the ArcSight connector) must have the source providers' message resources installed, or events from providers absent on that system show up without descriptions.
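The following is an added example, not a subscription from the original deck or from Microsoft's documentation. It ties together the subscription XML the Configuration Steps refer to, the delivery options (the batching values that the Minimize Bandwidth / Minimize Latency presets set), and the ContentFormat change just described: it writes a source-initiated push subscription as XML, creates it with wecutil cs, reads it back with wecutil gs /f:xml and checks runtime status with wecutil gr. Assumptions: the destination log is the built-in ForwardedEvents (the deck's custom FwdArcSecurity log would first have to exist as a channel), the sources are members of Domain Computers (the SDDL grants that group), and the query and subscription name are placeholders.

```powershell
# Added example (not from the original deck). Run elevated on the collector.
# Assumptions: ForwardedEvents as destination log, Domain Computers as allowed sources,
# placeholder subscription name and Security-event query.
$subscriptionId = 'FwdArcSecurity'
$xmlPath = Join-Path $env:TEMP "$subscriptionId.xml"

# ConfigurationMode Custom exposes the batching values the presets hide:
#   MinLatency   = Push, MaxLatencyTime 30 s
#   MinBandwidth = Push, MaxLatencyTime 6 h, Heartbeat 6 h
# Here: 30 s latency (alert-grade) with a 1 h heartbeat so stale sources show up in wecutil gr.
# ContentFormat Events = no pre-rendering on the source (equivalent of wecutil ss ... /cf:Events).
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/wec/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events pushed by domain clients (added example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>500</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

# Create the subscription from the file; wecutil returns non-zero on schema/permission errors
wecutil cs $xmlPath
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

# Read it back as XML (Terse is the default format); this is what the deck's <SUBSCRIPTION_NAME>.XML holds
wecutil gs $subscriptionId /f:xml

# The ContentFormat change on an already existing subscription, as in the pre-rendering step above
wecutil ss $subscriptionId /cf:Events

# Runtime status: per-source RunTimeStatus, LastError and LastHeartbeatTime
wecutil gr $subscriptionId
```

HTTP as transport is not plaintext here: Kerberos (Negotiate) authentication encrypts the SOAP payload at message level, and the collector setting AllowUnencrypted="false" in the WinRM configuration later on the page refuses anything else. Use HTTPS (5986) and the certificate events in the WinRM appendix only where non-domain sources must forward, in which case AllowedSourceNonDomainComputers carries their certificate issuer rules.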
Some things to consider, continued…
WinRM Configuration Settings for Windows Event Collector (WEC) Server
Run these from an elevated cmd.exe prompt; in PowerShell the @{…} argument is parsed as a hashtable, so quote it there (winrm set winrm/config '@{MaxEnvelopeSizekb="500"}'). AllowUnencrypted="false" keeps message-level encryption (Kerberos/Negotiate) mandatory on the HTTP listener and must stay false. MaxConcurrentOperations="4294967295" is the maximum value (effectively unlimited) to accommodate thousands of pushing sources. The winrs settings, including AllowRemoteShellAccess="true", affect Remote Shell only and are not needed for event forwarding; leave remote shell disabled on collectors you do not administer over WinRS.
winrm set winrm/config @{MaxEnvelopeSizekb="500"}
winrm set winrm/config @{MaxTimeoutms="60000"}
winrm set winrm/config @{MaxBatchItems="32000"}
winrm set winrm/config/client @{NetworkDelayms="5000"}
winrm set winrm/config/client/defaultports @{HTTP="5985"}
winrm set winrm/config/client/defaultports @{HTTPS="5986"}
winrm set winrm/config/service @{MaxConcurrentOperations="4294967295"}
winrm set winrm/config/service @{MaxConcurrentOperationsPerUser="1500"}
winrm set winrm/config/service @{MaxConnections="500"}
winrm set winrm/config/service @{MaxPacketRetrievalTimeSeconds="120"}
winrm set winrm/config/service @{AllowUnencrypted="false"}
winrm set winrm/config/service/defaultports @{HTTP="5985"}
winrm set winrm/config/service/defaultports @{HTTPS="5986"}
winrm set winrm/config/winrs @{AllowRemoteShellAccess="true"}
winrm set winrm/config/winrs @{IdleTimeout="7200000"}
winrm set winrm/config/winrs @{MaxConcurrentUsers="10"}
winrm set winrm/config/winrs @{MaxShellRunTime="2147483647"}
winrm set winrm/config/winrs @{MaxProcessesPerShell="25"}
winrm set winrm/config/winrs @{MaxMemoryPerShellMB="1024"}
winrm set winrm/config/winrs @{MaxShellsPerUser="30"}
Some things to consider, continued…
When using WEF/WEC to collect Windows events in a VOLATILE environment (hosts that are frequently rebuilt, renamed or retired), something to consider: you may want to PURGE old/stale client registry entries so that those clients can re-register and start forwarding their events again.

Each subscription keeps one key per source computer under its EventSources key; LastHeartbeatTime is stored as a FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so the cut-off is computed in the same representation.

# Script for Pruning WEC Hosts from Registry
$reg_root = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions"
$max_days_since_checkin = 1
# "now minus N days" as a FILETIME; ToFileTimeUtc avoids the local-time offset error of tick arithmetic
$filetime_to_compare = (Get-Date).AddDays(-$max_days_since_checkin).ToFileTimeUtc()
$subscriptions = Get-ChildItem $reg_root
$subscriptions | ForEach-Object {
    $subscription = $_.PSChildName
    Write-Host ("Starting cleanup on $subscription")
    $sub_path = $reg_root + "\$subscription\EventSources"
    $totalcount = 0
    $sourcecount = 0
    Get-ChildItem $sub_path -ErrorAction SilentlyContinue | ForEach-Object {
        $machine = $reg_root + "\$subscription\EventSources\" + $_.PSChildName
        $lastheartbeat = (Get-ItemProperty -Path $machine).LastHeartbeatTime
        $totalcount++
        if (($totalcount % 1000) -eq 0) {
            Write-Host (" Still processing...$totalcount")
        }
        if ($lastheartbeat -lt $filetime_to_compare) {
            $sourcecount++
            # Delete the key; the client re-registers on its next SubscriptionManager refresh
            Remove-Item -Path $machine -Recurse -Force
        }
    }
    Write-Host ("$subscription : Cleaned up $sourcecount out of $totalcount")
}
Some things to consider, continued…
Use PerfMon to monitor events being dropped at the WEF/WEC layer.
Configuration of ArcSight WUC Connector

Connector parameters (values are placeholders from the deck):
Forwarded Events Collection: Enabled (do not use AD for sources). NOTE: only for environments with several domains per site; otherwise use AD for sources. “We use AD for sources.”
Domain Name: CONTOSO.LIVE
Domain User Name: some_service_account
Domain User Password: Password
Active Directory Server: xx.xx.xx.xx (NOTE: run ipconfig /all and change the IP based on the server you are working on.)
Active Directory Base DN: DC=CONTOSO,DC=LIVE
Active Directory Filter: (&(cn=*)(operatingsystem=*)(whencreated=*))
Active Directory User Name: some_service_account
Active Directory User Password: Password
Active Directory Protocol: non_ssl
Active Directory Port: 389
Active Directory Max Page Size: 300
Global Catalog Server: xx.xx.xx.xx
Global Catalog Base DN: DC=CONTOSO,DC=LIVE
Global Catalog User Name: some_service_account

Note: non_ssl on port 389 means the connector's LDAP bind, including the service account credentials, is not protected by TLS on the wire; prefer the SSL option (port 636) where the connector and domain controllers support it, and keep the service account read-only in the directory.

Steps:
1. Generate/copy the “windows/sourcehosts.csv” file/folder – Windows/sourcehosts.csv
   o Open <ARCSIGHT CONNECTOR>\CURRENT\USER\AGENT
2. Add any additional parsers to your “windowscfg” folder
3. Modify CustomEventSource.Map.csv
   o Open <ARCSIGHT CONNECTOR>\current\user\agent\fcp\windowscfg\customeventsource.map.csv
   o Remark…
     #Original_Event_Log_Type, Original_Event_Log_Source, Target_Event_Log_Source, Target_Event_Log_Type
     FwdSecurityArc,.*,security,Security
4. Modify Agent.Wrapper.Conf
   o Change the JVM heap size:
     # Maximum Java Heap Size (in MB)
     wrapper.java.maxmemory=2048
5. Modify the Agent.Properties file for 03, 04, and 05
   o Open <ARCSIGHT CONNECTOR>\current\user\agent\agent.properties.conf
   o Modify to the following:
     agents[0].maxhostsinsourcehostfile=40000
     agents[0].maxsourcehostsfilesize=10000000
     agents[0].sleeptime=-1
     agents[0].threadcount=20
     agents[0].wefcollection=Enabled (use AD for sources)
     agents[0].windowshoststable[0].eventbuffersize=1024
     agents[0].windowshoststable[0].eventlogtypes=FwdSecurityArc
     agents[0].windowshoststable[0].eventpollcount=200
     agents[0].windowshoststable[0].startatend=true

The log name in eventlogtypes and in the first column of the map file must match the WEC destination log name exactly; the deck shows both FwdArcSecurity and FwdSecurityArc, so settle on one name across the collector and the connector.
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Appendix: Table of Errors and Resolutions

Error 5
Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="contoso.microsoft.com"><f:Message>Access is denied. </f:Message></f:WSManFault>
Cause: Windows Event Collector (WEC) does not have permission to read Windows event logs on the source computer.
Resolution: Verify that your security group and ‘NT Authority\Network Service’ are members of the ‘Event Log Readers’ group on the source computer.

Error 53
Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="53" Machine="contoso.microsoft.com"><f:Message>WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer contoso.microsoft.com. Verify that the computer exists on the network and that the name provided is spelled correctly. </f:Message></f:WSManFault>
Cause: WEC cannot reach the source computer over the network.
Resolution: Ensure that the source computer name specified is valid, online and can be reached over the network.

Error 1818
Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="1818" Machine="contoso.microsoft.com"><f:Message><f:ProviderFault provider="Event Forwarding Plugin" path="%systemroot%\system32\wevtfwd.dll"><t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">Windows Event Forward Plugin failed to read events.</t:ProviderError></f:ProviderFault></f:Message></f:WSManFault>
Cause: The Event Forwarding Plugin (WEF) on the source computer failed to read events from the Security event log.
Resolution: 1. Verify that ‘NT Authority\Network Service’ is a member of the ‘Event Log Readers’ group on the source computer. 2. If the group membership is correct, try to reboot the computer.

Error 5004
Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5004" Machine="contoso.microsoft.com"><f:Message><f:ProviderFault provider="Event Forwarding Plugin" path="C:\Windows\system32\wevtfwd.dll"><t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.</t:ProviderError></f:ProviderFault></f:Message></f:WSManFault>
Cause: The Event Forwarding Plugin (WEF) on the source computer failed to read events from the Security event log.
Resolution: 1. Verify that the source computer is logging events to the Security event log. 2. Verify that ‘NT Authority\Network Service’ is a member of the ‘Event Log Readers’ group on the source computer. 3. If the ‘Event Log Readers’ group membership is correct, try to reboot the computer.

Error -2144108103 (0x803381B9, shown as Code="2150859193")
Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859193" Machine="contoso.microsoft.com"><f:Message>The WinRM client cannot process the request because the server name cannot be resolved. </f:Message></f:WSManFault>
Cause: WEC cannot resolve the source computer name into an IP address via DNS.
Resolution: Ensure that the source computer name specified is valid, online and can be reached over the network.

Error -2144108250 (0x80338126, shown as Code="2150859046")
Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="contoso.microsoft.com"><f:Message>WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. </f:Message></f:WSManFault>
Cause: WinRM on the source computer is not accepting connections from WEC.
Resolution: Make sure WinRM is configured properly on the source computer, a WinRM listener is created to accept connections over TCP port 5985 and the host-based firewall allows remote WinRM connections. Verify WinRM connectivity from a remote machine with the following command: winrm id -r:<computer> -auth:none

Error -2144108526 (0x80338012, shown as Code="2150858770")
Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858770" Machine="contoso.microsoft.com"><f:Message>The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". </f:Message></f:WSManFault>
Cause: Same as error -2144108250.
Resolution: Same as error -2144108250.
Appendix: Windows Event Collector Health Monitoring
To provide a reliable Windows Event Collection (WEC) environment, monitor the following to ensure the collector is healthy and fail over to the standby WEC server as appropriate:
• The ‘Forwarded Events’ log, custom WEC destination logs and the archive log directory have enough free space. Raise an alert when free space is less than 10 times the maximum log size.
• The ‘Windows Event Collector (wecsvc)’ service is running on the collector.
• Subscription runtime status: all source computers are active and report no errors.
The following Windows Event Collector events will help monitoring overall WEC health and provide additional troubleshooting information when failure occurred.
ID: 1
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 could not be activated on target machine %2 due to communication error. Error Code is %3. All retries have been performed before reaching this point and so the subscription will remain
inactive on this target until subscription is resubmitted / reset. Additional fault message:%4
ID: 2
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 could not be activated on machine %2 due to an error. Error Code is %3. Subscription will remain inactive on this target until subscription is resubmitted / reset.
ID: 3
Source: Microsoft-Windows-EventCollector
ID: 4
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 could not be activated on target machine %2 due to communication error. Error Code is %3. The subscription will be in retrying state until the subscription becomes active or all retries have
been performed. Additional fault message:%4
ID: 5
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 could not be activated on target machine %2 due to communication error. Error Code is %3. The subscription will be in retrying state until the subscription becomes active or all retries have
been performed. Additional fault message:%4
ID: 502
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 detects dropped events. Some events are dropped during transmission from target machine %2. The number of dropped events are %3.
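The following collector-side health check is an added example, not a script from the original deck. It implements the three monitoring points above (wecsvc state, free space versus 10x maximum log size for each destination log, subscription runtime status from wecutil gr) and then sweeps the EventCollector events just listed (1/2 inactive, 4/5 retrying, 502 dropped) plus WinRM error events from the next appendix, exiting non-zero so a scheduler or monitoring tool can trigger fail-over. Assumptions: the destination log names (ForwardedEvents and the custom FwdArcSecurity log from earlier on the page), a 24-hour look-back, and the line layout of wecutil gr output ("RunTimeStatus: …" / "LastError: …" per source).

```powershell
# Added example (not from the original deck). Run elevated on the collector.
# Assumptions: destination log names, 24 h look-back, wecutil gr output layout.
param(
    [string[]]$DestinationLogs = @('ForwardedEvents', 'FwdArcSecurity'),
    [int]$LookbackHours = 24
)

$alerts = New-Object System.Collections.Generic.List[string]

# 1. Windows Event Collector service
$wec = Get-Service -Name wecsvc -ErrorAction SilentlyContinue
if (-not $wec -or $wec.Status -ne 'Running') { $alerts.Add('wecsvc is not running') }

# 2. Free space on each destination log's volume must be at least 10 x the log's maximum size
foreach ($name in $DestinationLogs) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) { $alerts.Add("destination log '$name' does not exist"); continue }
    $logPath = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
    $volume  = New-Object System.IO.DriveInfo([System.IO.Path]::GetPathRoot($logPath))
    $needed  = 10 * $log.MaximumSizeInBytes
    if ($volume.AvailableFreeSpace -lt $needed) {
        $alerts.Add("'$name': $([math]::Round($volume.AvailableFreeSpace / 1MB)) MB free on $($volume.Name) is below 10 x max log size ($([math]::Round($needed / 1MB)) MB)")
    }
}

# 3. Subscription runtime status: every entry should be RunTimeStatus Active with LastError 0
foreach ($sub in (wecutil es | Where-Object { $_ })) {
    $status = (wecutil gr $sub) -join "`n"
    # wecutil gr prints the subscription block, then one block per source computer (assumed layout)
    $states = @([regex]::Matches($status, 'RunTimeStatus:\s*(\w+)') | ForEach-Object { $_.Groups[1].Value })
    $errors = @([regex]::Matches($status, 'LastError:\s*(-?\d+)') | ForEach-Object { $_.Groups[1].Value })
    $inactive = @($states | Where-Object { $_ -ne 'Active' }).Count
    $failed   = @($errors | Where-Object { $_ -ne '0' }).Count
    if ($inactive -or $failed) {
        $alerts.Add("subscription '$sub': $inactive not Active, $failed with LastError <> 0 (of $($states.Count) entries)")
    }
}

# 4. Collector events: 1/2 = subscription inactive, 4/5 = retrying, 502 = dropped events
$since = (Get-Date).AddHours(-$LookbackHours)
$collectorEvents = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-EventCollector/Operational'; Id = 1, 2, 4, 5, 502; StartTime = $since
} -ErrorAction SilentlyContinue)
$dropped = @($collectorEvents | Where-Object { $_.Id -eq 502 })
if ($dropped.Count -gt 0) {
    # %3 of the ID 502 message is the dropped count, i.e. the third event property
    $total = ($dropped | ForEach-Object { [int64]$_.Properties[2].Value } | Measure-Object -Sum).Sum
    $alerts.Add("$total events dropped in $($dropped.Count) ID 502 notification(s) since $since")
}
$inactiveSubs = @($collectorEvents | Where-Object { $_.Id -eq 1 -or $_.Id -eq 2 })
if ($inactiveSubs.Count -gt 0) {
    $alerts.Add("$($inactiveSubs.Count) subscription activation failure(s) (ID 1/2) since $since")
}

# 5. WinRM critical/error events on the collector (10110/10112 certificates, 10144-10146 config, 10154 SPN)
$winrmErrors = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WinRM/Operational'; Level = 1, 2; StartTime = $since
} -ErrorAction SilentlyContinue)
if ($winrmErrors.Count -gt 0) {
    $top = ($winrmErrors | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 3 |
            ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
    $alerts.Add("$($winrmErrors.Count) WinRM error event(s) since $since (top IDs: $top)")
}

if ($alerts.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME collector healthy"
} else {
    $alerts | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit is the signal for the scheduler or monitoring tool to fail over
}
```

Schedule it every few minutes and treat two consecutive failures, not one, as the fail-over trigger: a single ID 4/5 retry burst during a client reboot wave is normal, whereas ID 1/2 or sustained ID 502 dropped-event notifications mean events are being lost and the standby collector should take the subscriptions.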
Appendix: WinRM Error Events
The following WinRM events help in monitoring the health of both the server side and the client side of WinRM and provide additional troubleshooting guidance when a failure occurs. The source of all of them is Microsoft-Windows-WinRM.

Event ID 10110
Message: The WinRM service cannot validate the client certificate because the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
User Action: Please ensure that the Certificate Revocation List is accessible and up-to-date.

Event ID 10112
Message: The client certificate exceeded the maximum size allowed by the WinRM service.
User Action: Please use a different client certificate or a different authentication mechanism.

Event ID 10144
Message: The WinRM service had a failure reading the current configuration and is stopping.
User Action: Use the following command to restore defaults: winrm invoke Restore winrm/config @{} Then add any custom configuration settings and restart the service.
Additional Data: The error code is: %1 %%%1

Event ID 10145
Message: The WinRM service had a failure applying the current configuration and is stopping.
User Action: Check for previous event log messages and restart the service.

Event ID 10146
Message: The WinRM service had a failure reading the current configuration and is stopping.
User Action: Use the following command to restore defaults: winrm invoke Restore winrm/config @{} Then add any custom configuration settings and restart the service.
Additional Data: The error code is: %1 %%%1

Event ID 10147
Message: The host name pattern "%1" is invalid and it will be ignored. Host name patterns must not be empty and they can contain at most one wildcard ("*"). "*" pattern can be used to indicate all hosts; if this pattern is used, no other pattern can show up in the list. Special string "<local>" can be used to indicate all host names that do not have a '.'
User Action: Correct the host name pattern using the syntax described above.

Event ID 10151
Message: The WinRM service had a failure (%1) reading configuration during ip address change notification. Service will continue running with old configuration.
User Action: If immediate changes are required, manually restart the service.

Event ID 10152
Message: The WinRM service successfully processed an address change notification.

Event ID 10154
Message: The WinRM service failed to create the following SPN: %1.
Additional Data: The error received was %2: %%%2.
User Action: The SPN can be created by an administrator using the setspn.exe utility.
Event ID Definitions
• Windows Server 2000 Event log listing
http://technet.microsoft.com/en-us/library/cc952180.aspx
• Windows Server 2000 Security Event Descriptions
Part 1: http://support.microsoft.com/kb/299475/en-us
Part 2: http://support.microsoft.com/kb/301677/en-us
• Windows Server 2003 auditing event ID listings can be found in two locations
Auditing Policy from Windows Server 2003: Security and Protection: http://technet.microsoft.com/en-us/library/cc779526(v=ws.10).aspx
Chapter 4 of the Windows Server 2003 Security Guide: http://technet.microsoft.com/library/cc163121.aspx
• Windows Server 2008 and Windows Server 2008 R2 events and errors details for general OS components can be found on Microsoft’s TechNet website
http://technet.microsoft.com/en-us/library/cc754424(v=ws.10).aspx
• Windows Server 2008 Component-Based Servicing events
http://technet.microsoft.com/en-us/library/cc756291(v=ws.10).aspx
• Windows 7 AppLocker Event IDs and definitions:
http://technet.microsoft.com/en-us/library/ee844150(v=ws.10).aspx