
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

presents
Windows™ Event Forwarding
(WEF) into HP/ArcSight™ at Scale

Rin Ure
Sr. Security Analyst/Architect
Windows & Devices Group
Security Monitoring Analytics Response Team
(WDGSMART)
WEF configured via GPO

Client Servers – GPOs – WEC Servers

GPOs applied to Client Servers:
- WinRM Config
- WEC Targets
- Host Firewall Port 5985
- NT Service Account added to Event Log Readers Group

WEF is configured via GPO to "PUSH" events from CLIENT to WEC SERVER. Bidirectional communication between Client and WEC Server: WinRM communication established over port 5985 (Client Server port 5985 <-> WEC Server port 5985).
ArcSight Connectors collect Windows Events from the WEC Server and deliver those events to ArcSight ESM, ArcSight Loggers, and Cosmos (Big Data Solution). Use an ArcSight Connector to collect WEF events; the Connector forwards events from the WEC Server.

Bidirectional communication: Client Server <-> WEC Server <-> ArcSight Connectors -> ArcSight ESM / ArcSight Loggers / Cosmos – Big Data Solution
WEF Event flow End-to-End

Client – GPOs Applied: WinRM, WEC Targets, WEC Host Firewall

GPOs Applied to Client Servers:
- WinRM Configured and Started via GPO
- WEC Targets assigned through GPO
- Host Firewall: Allow inbound and outbound traffic over PORT 5985 by GPO

GPOs Applied to WEC Servers:
- WinRM Configured and Started via GPO
- WEC Subscriptions configured and WECSVC Started
- Domain Joined Servers assigned to Subscription Servers

WEC Server – GPOs Applied: WinRM, WEC Targets, WEC Host Firewall; Subscriptions (Load Balanced)

Flow:
1. Clients communicate with the WEC Target and start communication.
2. WEC Server communicates with the Client through WinRM over port 5985.
3. Is Client assigned to me? (Configured within WEC Subscriptions.)
   - Yes: WEC Server instructs the Client what events to forward; Clients continue communication to the WEC Server; Client starts to forward events to the assigned WEC Target Server. Start Event Flow.
   - No: Decline Client Request.
(WEF) Client forwarding to a Windows Event Collector (WEC) Server

WEC Target URL applied by GPO: http://primary.microsoft.com:5985/wsman/SubscriptionManager/WEC

- GPO – WEC Host Primary – http://primary.microsoft.com:5985/wsman/SubscriptionManager/WEC
- GPO – WEC Host Secondary – http://secondary.microsoft.com:5985/wsman/SubscriptionManager/WEC
- GPO – WinRM – winrm qc (Enables WinRM on Client Machines)
- GPO – Firewall ACLs – GPO permits or denies traffic flow
- GPO – Event Log Readers Group – Add Network Service account and Domain Controllers

SCOM Monitoring for failure of events to forward (Caveat – where SCOM is running). Scenarios include:
- WinRM Service not Running on Client
- WinRM Service set to Start Automatically (Registry Setting)
- PortQry from Client to WEC Target over Port 5985
- WEC Target GPO is Applied to each Client

XTS TestRunner / Xpert for non-SCOM Machines and Monitoring. Same scenarios as above.
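The four failure scenarios above can be checked from the client itself without SCOM. The script below is an added example, not code from the deck or from the WDGSMART team: it is read-only, and it assumes that the WEC target GPO writes the collector URL(s) as numbered values under the SubscriptionManager policy key named in the code, that Test-NetConnection is available (Windows 8.1 / Server 2012 R2 and later), and that Get-LocalGroupMember is available (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the original deck): read-only readiness check for a WEF client.
# Assumptions: the WEC target GPO lands in the SubscriptionManager policy key below;
# Test-NetConnection and Get-LocalGroupMember exist on this OS build.
function Test-WefClientReadiness {
    param([int]$Port = 5985)   # WinRM 2.0 HTTP port used by WEC
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. WinRM service must be running and set to start automatically
    $winrm = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    if (-not $winrm) {
        $findings.Add('WinRM service not installed')
    } else {
        if ($winrm.State -ne 'Running') { $findings.Add('WinRM service not running') }
        if ($winrm.StartMode -ne 'Auto') { $findings.Add("WinRM start mode is $($winrm.StartMode), expected Auto") }
    }

    # 2. WEC target(s) must have been applied by GPO (values "1", "2", ... = Server=http://...,Refresh=...)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $targets = @()
    if (Test-Path $policyKey) {
        $targets = @((Get-ItemProperty -Path $policyKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }
    if ($targets.Count -eq 0) { $findings.Add('No SubscriptionManager target applied by GPO') }

    # 3. Each collector must answer on the WinRM port (same check PortQry does from SCOM)
    foreach ($t in $targets) {
        if ($t -match 'Server=https?://([^:/,]+)') {
            $collector = $Matches[1]
            $ok = Test-NetConnection -ComputerName $collector -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
            if (-not $ok) { $findings.Add("TCP $Port to $collector failed") }
        }
    }

    # 4. Network Service must be able to read the logs it is asked to forward
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    if (-not ($members | Where-Object { $_.Name -like '*NETWORK SERVICE' })) {
        $findings.Add('NT AUTHORITY\NETWORK SERVICE is not a member of Event Log Readers')
    }

    return [pscustomobject]@{
        Targets  = $targets
        Findings = $findings
        Healthy  = ($findings.Count -eq 0)
    }
}

Test-WefClientReadiness | Format-List
```

Run it as an administrator on a source computer; an empty Findings list with at least one target listed means the client is in the state the GPOs are meant to produce. Each finding maps to one of the scenarios the deck has SCOM watch for, so the same function can be scheduled on non-SCOM machines in place of a separate test runner.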
Subscription Configuration

Client Server – Event Logs Forwarding Events:
- Application Event Log
- System Event Log
- Security Event Log (Network Service Log Reader permissions for Computers / Domain Controller permissions added to Log Reader for DCs)
- Additional / Future Events (MSSQL, Terminal Server, AD FS/Admin, AppLocker, IIS, & Other Non-Standard Application Events)

Event Log Readers Group: Add "Network Service" and "Domain Controllers"

WEC Server – Subscription settings:
- Delivery Mode = PUSH
- Configuration Mode = MinLatency
- Batching:
  - Max Items = 50,000
  - Max Latency Time = 30,000
  - Heartbeat Interval = 360,000
- Read Existing Events = False
- Content Format = Events (Non Rendered Text)
- Log File = Application
- Log File = System
- Log File = ForwardEvents (Where Security Events will be stored after collection from Client Machine)
- Allowed Source Domain Computers = By Domain
- Configured Events:
  - Standard Application Events
  - Standard System Events
  - Standard Security Events
  - Additional / Future Events (MSSQL, Terminal Server, AD FS/Admin, AppLocker, IIS, & Other Non-Standard Application Events)
(WEF) Client forwarding to a Windows Event Collector (WEC) Server – Verification of Event Flow –

Example: Windows Security Event 4624 (Logon Event) attempting to forward to WEC Target \\host-a.microsoft.com:5985

Client – Logs Forwarding Events:
- Application Events Log
- System Events Log
- Forwarded Events Log
- AppLocker Events Log

Client configuration:
- GPO – WEC Host URL -- http://host-a.microsoft.com:5985/wsman/SubscriptionManager/WEC
- GPO – WinRM Configured and Running
- GPO – Firewall ACLs to allow Traffic from/outbound client-a.microsoft.com over Port 5985

Verification commands on the client: NETSH command, WINRM id /r command, PORTQRY command.

Where forwarded events land on the WEC Server:
- Application Events -> Application Log
- System Events -> System Log
- Security Events -> Forwarded Events Log
- AppLocker Events -> Application Log

NOTE: Verify that the Network Service account has permissions to the Security Event Log – Add Network Service account to Event Log Readers Group as well as Domain Controllers to collect the Security Events from Domain Controllers as well as the Domain Members. This can be accomplished with a GPO.

WEC Server – Logs Receiving Forwarded Events:
- Application Events Log
- System Events Log
- Forwarded Events Log

WEC Server configuration:
- GPO – WinRM Configured and Running
- GPO – Firewall ACLs to allow Traffic from/outbound client-a.mgmt.live over Port 5985
- GPO – Event Log Readers Group – Network Service account and Domain Controllers

Verify that Network Service has perms to the Security Event Log.
WEF/ArcSight Data Pipeline Architecture
Windows & Devices Group Security Monitoring Analytics Response Team (WDGSMART)

WEC Servers (Primary / Secondary): each WEC Server runs 3 ArcSight Windows Unified Connectors (WUC) & 2 ArcSight Syslog Connectors:
- WUC – System Events
- WUC – Security Events
- WUC – Application Events
- Syslog to Logger
- Syslog to ESM

ArcSight Syslog Connectors are assigned to each VIP (ESM VIP, Logger VIP, Cosmos VIP).

Local WUC -> Local Syslog -> VIPs -> SIEM/Loggers/COSMOS

Destinations: ArcSight Loggers x2 Banks (Redundant), ArcSight ESMs, Big Data Cosmos.

This Architecture is replicated per Data Center & per Domain.
Configure Client to forward to WEC Target

Group Policy may be used to configure Source Computers (Clients) to forward events to a collector (or set of collectors).

The policy is very simple. It merely tells the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. All of the other subscription details are held on the Event Collector.

The following Group Policy Settings are used to configure event forwarding:
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding\

Configuration Steps

1. Edit the Group Policy Object (GPO) being used.
2. Configure the "Configure the server address…" option.
3. Set this to Enabled.
4. Click Show; the Subscription Managers dialog will be displayed.
5. Click Add and enter the address of the Event Collector.

   NOTE: If the Event Collector's FQDN is contoso.microsoft.com the server address would be
   Server=http://contoso.microsoft.com:5985/wsman/SubscriptionManager/WEC

6. Click OK.

NOTE: When editing Group Policy settings ensure that the Event Collector(s) and Source Computer(s) are under the management scope of the Group Policy Object being edited.
Configure the Subscription Properties:
- Provide a Subscription Name
- Choose a "Destination Log": Forwarded Events
- Choose Subscription Type: Source Initiated
- Select Computer Groups…
- Configure Events to Collect
- Configure Advanced Settings
- Click "OK"

Subscriptions are stored under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions
Subscription Example in XML Format

Display WEC Subscription in XML Format:
{gs | get-subscription} <Subid> [/f:<Format>] [/uni:<Unicode>]
Displays remote subscription configuration information. <Subid> is a string that uniquely identifies a subscription. <Subid> is the same as the string that was specified in the <SubscriptionId> tag of the XML configuration file, which was used to create the subscription.

Link: http://technet.microsoft.com/en-us/library/cc753183.aspx

wecutil gs <SUBSCRIPTION_NAME> /f:XML > <SUBSCRIPTION_NAME>.XML

<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>APPLICATION</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description></Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>50000</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]</Select><Suppress Path="Application">*[System[(EventID=60 or EventID=80 or EventID=81 or EventID=7000 or EventID=7036 or EventID=7045 or EventID=9724 or EventID=10009 or EventID=10014 or EventID=36874 or EventID=36888 or EventID=15005 or EventID=40074 or EventID=26 or EventID=26401)]]</Suppress></Query></QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>Application</LogFile>
  <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>COMPUTERS/GROUPS by SID</AllowedSourceDomainComputers>
</Subscription>
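A subscription exported this way can be checked against the settings the deck recommends (push delivery, MinLatency, non-rendered Events, no replay of existing events) rather than read by eye. The function below is an added example and is not part of the deck or of wecutil; the expected values are parameters whose defaults come from the Subscription Configuration slide, and the embedded XML is a constructed sample modelled on the APPLICATION subscription above with its query trimmed.

```powershell
# Added example (not from the original deck): compare an exported WEC subscription
# with the recommended settings. Defaults are the values from the deck's
# Subscription Configuration slide; pass others to match your own standard.
function Test-WecSubscriptionXml {
    param(
        [Parameter(Mandatory)][xml]$Subscription,
        [string]$ExpectedMode = 'Push',
        [string]$ExpectedConfigurationMode = 'MinLatency',
        [string]$ExpectedContentFormat = 'Events',
        [int]$ExpectedHeartbeatMs = 360000
    )
    $s = $Subscription.Subscription
    $findings = New-Object System.Collections.Generic.List[string]

    if ($s.Delivery.Mode -ne $ExpectedMode) {
        $findings.Add("Delivery Mode is '$($s.Delivery.Mode)', expected $ExpectedMode")
    }
    if ($s.ConfigurationMode -ne $ExpectedConfigurationMode) {
        $findings.Add("ConfigurationMode is '$($s.ConfigurationMode)', expected $ExpectedConfigurationMode")
    }
    # RenderedText makes every source computer render each event before sending it
    if ($s.ContentFormat -ne $ExpectedContentFormat) {
        $findings.Add("ContentFormat is '$($s.ContentFormat)', expected $ExpectedContentFormat")
    }
    # ReadExistingEvents=true would replay each client's backlog when it (re)enrols
    if ($s.ReadExistingEvents -ne 'false') {
        $findings.Add('ReadExistingEvents is not false')
    }
    $hb = [int]$s.Delivery.PushSettings.Heartbeat.Interval
    if ($hb -ne $ExpectedHeartbeatMs) {
        $findings.Add("Heartbeat Interval is $hb ms, expected $ExpectedHeartbeatMs")
    }
    if ([string]::IsNullOrWhiteSpace($s.AllowedSourceDomainComputers)) {
        $findings.Add('AllowedSourceDomainComputers is empty; no domain computer may forward')
    }

    return [pscustomobject]@{
        SubscriptionId = $s.SubscriptionId
        Findings       = $findings
        Compliant      = ($findings.Count -eq 0)
    }
}

# Constructed sample (not a real export) modelled on the APPLICATION subscription above.
$sampleXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>APPLICATION</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>50000</MaxItems><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Application"><Select Path="Application">*</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <ContentFormat>Events</ContentFormat>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@

# Live use on a collector: [xml](wecutil gs APPLICATION /f:xml) in place of $sampleXml
Test-WecSubscriptionXml -Subscription ([xml]$sampleXml) | Format-List
```

Against the constructed sample the only finding is the heartbeat: the slide lists 360,000 ms while the XML carries 3600000, which is exactly the kind of drift between a written standard and a deployed subscription the check is meant to surface. Loop it over `wecutil es` to cover every subscription on a collector.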
WEF/WEC Components

- Configure WINRM (GPO) – Manual (run winrm -qc / quickconfig); applies to both Clients and WEC Servers
- Open Network Routes for PORT 5985
- Set WEC Target Client Host (GPO) – http://host-a.microsoft.com:5985/wsman/SubscriptionManager/WEC
- Add Network Service Account & Domain Controllers Group to Event Log Readers Group
- Configure WEC Subscriptions
- Tune WINRM and WEC Subscriptions
- WEC Group Maintenance
WEF Approach with GPOs and Security Groups
• The WDGSMART team delivers Windows events via a mechanism called Windows Event Forwarding (WEF). The way this works in our environment is by using a Group Policy Object (GPO) that
instructs all computers targeted by the GPO to communicate with specific Windows boxes to see if those boxes want any events to be forwarded. We call these targets Windows Event Collectors
(WECs) and there exists a subscription on the WEC boxes. The subscription on a box has security groups attached to it, and if your computer is in the security group… you’ll deliver events to it.
• We can send events to different hosts (provide some horizontal scale) by carefully managing these groups.
Security Group Management
• In order for the above approach to work, you need a mechanism to place computer objects into security groups evenly so that you can leverage the security groups on WEC Subscriptions and
distribute the load. Once you get to about 2500 hosts going to a single WEC subscription, you'll want to consider using security groups.
• The WECGroup_Maintenance utility was written primarily to serve the need of placing computer objects into security groups. The utility assumes that you have created 16 security groups with the
same basic name and the only part that varies is the last character. A convention like WECGroup* or WEFGroup*, etc works fine. The last character position is assumed to be one of the
hexadecimal values (0-9 or A-F).
• The utility is driven by a configuration file where you provide the following information:
• The distinguishedName identifying where you want the utility to search for objects (i.e. DC=CONTOSO,DC=COM or OU=Servers,DC=CONTOSO,DC=COM)
• The security group "base" name (i.e. SECURITY-WECGROUP)
• The distinguishedName identifying where you want the utility to look for the security groups (i.e. OU=Groups,DC=CONTOSO,DC=LIVE)
• The utility does the following:
• It searches for all 16 security groups and the members of each (using the base name and DN provided) and removes any entries that do not belong (based on an algorithm mentioned
below)
• It searches for all computer objects that descend from the DN provided and creates a "plan" for which security groups each object should belong (note: each computer will only ever
belong to one group, and the group it belongs to is always the same)
• Using knowledge of the security group memberships, and the "plan" of which security groups the computers should be members of, the utility will use LDAP to directly update the security
groups adding only those members that are missing
How does the WECGroup_Maintenance Utility Determine the Security Group
• The WECGroup_Maintenance utility pulls Active Directory attributes for every computer object and specifically gathers the CN (Common Name) attribute.
• For example, a computer may have a distinguishedName of CN=Server,OU=Servers,DC=CONTOSO,DC=COM. The CN would be "Server" in this case.
• The CN attribute value is upper-cased (i.e. SERVER)
• The upper cased CN is put through a SHA256 hashing algorithm which produces a string of hexadecimal characters (i.e.
830EF117E1386DFC8C1C22201C5450B6D9EF60AD6FBBDFDACC5CB923C0F799C9)
• The last character in the string is taken (i.e. 9) and appended to the security group "base" name to form the security group that this computer should reside in (i.e. SECURITY-WECGROUP9)
• This approach is not perfect and does not guarantee a completely random distribution of computers into the 16 security groups, however, it is "random enough" and has the benefit of the
following:
• It is 100% consistent and predictable (in terms of which security group a host will be in) -- this makes it easy to have a tool like this only add the computers which are not already added
• It requires no backend database or state information to "remember" how the computer objects were distributed
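The group-selection rule above is small enough to reproduce, which lets an operator predict which WEC subscription a host will land on before the utility runs and check that the 16 groups fill evenly. The functions below are an added example, not the WECGroup_Maintenance utility's own code; they assume the utility hashes the upper-cased CN as UTF-8 bytes and renders the digest as upper-case hex, neither of which the deck states, and the 200 host names are constructed.

```powershell
# Added example (not the WECGroup_Maintenance utility's code): the deck's CN -> SHA256 ->
# last hex character -> group rule. Assumption: the CN is hashed as UTF-8 bytes and the
# digest is written as upper-case hex; the utility's exact encoding is not given.
function Get-WecGroupName {
    param(
        [Parameter(Mandatory)][string]$ComputerCN,   # CN attribute, e.g. "Server"
        [string]$BaseName = 'SECURITY-WECGROUP'      # group "base" name from the config file
    )
    $upper = $ComputerCN.ToUpperInvariant()          # step 1: upper-case the CN
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($upper))
    } finally {
        $sha.Dispose()
    }
    $hex = ($digest | ForEach-Object { $_.ToString('X2') }) -join ''   # step 2: hex string
    $lastChar = $hex[-1]                                                # step 3: last character (0-9, A-F)
    return "$BaseName$lastChar"                                         # step 4: append to base name
}

# Count how many of the given CNs fall into each of the 16 groups.
function Get-WecGroupDistribution {
    param(
        [Parameter(Mandatory)][string[]]$ComputerCNs,
        [string]$BaseName = 'SECURITY-WECGROUP'
    )
    $buckets = [ordered]@{}
    foreach ($i in 0..15) { $buckets["$BaseName$($i.ToString('X'))"] = 0 }
    foreach ($cn in $ComputerCNs) {
        $buckets[(Get-WecGroupName -ComputerCN $cn -BaseName $BaseName)]++
    }
    return $buckets
}

# Constructed sample: 200 made-up host names, to see how evenly the buckets fill.
$sample = 1..200 | ForEach-Object { 'SRV{0:D4}' -f $_ }
Get-WecGroupDistribution -ComputerCNs $sample | Format-Table -AutoSize

# Single lookup, e.g. before moving a host between collectors:
Get-WecGroupName -ComputerCN 'Server'
```

Because the mapping depends only on the CN, the same function run on two different days, or on two different machines, returns the same group, which is the property the deck relies on to avoid keeping any state. To drive it from Active Directory rather than the constructed list, feed it the `Name` property of `Get-ADComputer -Filter * -SearchBase $dn` (ActiveDirectory module required).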
Some things to consider
WinRM version
• Server 2003 – not installed
• Server 2008 – Version (1.1)
• Server 2008 R2 – Version (2.0)

You will have to deploy WinRM to servers running 2003. You can do this through software distribution or manually. Windows Server 2003 can accept either WinRM version (1.1) or (2.0), with (2.0) being the optimal choice.

• PowerShell (2.0) is installed along with WinRM (2.0).

Notes: WinRM (2.0) is backward compatible with WinRM (1.1).
• WinRM (2.0) – HTTP Port 5985 and HTTPS Port 5986
• WinRM (1.1) – HTTP Port 80 and HTTPS Port 443

There is group policy for backward compatibility with (1.1). This will allow the Event Collector to open Firewall Port 80 and 443 for event forwarding. This is the default port setting. In order for (1.1) to
communicate to (2.0) these ports must be changed to the ports being used by (2.0). Ports 5985, 5986 will still be the default on an Event Collector running WinRM (2.0).

Event Collector setup

• Command Prompt – winrm quickconfig
  • Opens Windows firewall for event collection.
  • Windows Remote Management (WinRM) service set to Auto (Delayed Start) and started.
  • Running winrm quickconfig on a server with WinRM (2.0) will only open firewall ports for this version. To open the 'Compatibility Mode' firewall ports you will have to enable 'Compatibility Mode' in GP.
• Command Prompt – wecutil qc
  • Windows Event Collection service (WECSVC) set to Auto (Delayed Start) and started.
• Command Prompt – sc config wecsvc type= own
  • Sets WECSVC as a Stand-Alone service. By default this service is a Win32 Shared service.
Event Collector Setup, continued…
Default Settings captured below. Modify Registry Keys as follows:
1. Open Regedit and expand
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\
Autologger.
2. Select Key EventLog-Application.
3. Change Registry Values to the following:
o BufferSize (Dword) - 2048
o FlushTimer (Dword) - 0
o MaximumBuffers (DWord) - 8192
o MinimumBuffers (DWord) - 0
4. Repeat for Forwarded Events Log as follows:
o BufferSize (Dword) - 2048 (DEC)
o FlushTimer (Dword) - 0 (DEC)
o MaximumBuffers (DWord) - 8192 (DEC)
o MinimumBuffers (DWord) - 0 (DEC)
Alternative Method (Event Collector Setup, continued…)

Open a CMD prompt and run the following commands to increase the sizes of the following logs:
• Wevtutil sl Application /ms:4294967296
• Wevtutil sl System /ms:4294967296
• Wevtutil sl FwdSecurityArc /ms:8589934592
• Wevtutil sl ForwardedEvents /ms:8589934592

Using PowerShell, run the following command to set the TcpTimedWaitDelay value to "30":
• New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name "TcpTimedWaitDelay" -Type "Dword" -Value "30"

Set the folder path for the "FwdSecurityArc" log to the SAME folder path as the "Forwarded Events" Log:
• D:\Winevt\Logs\ForwardedEvents.evtx
This allows the ArcSight WUC to connect to the "FwdSecurityArc" Log and pull the events as though it was connected to the "Forwarded Events" Log.
Configure WinRM Service with GP
• Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Remote Management/WinRM Service
• Edit Policy {./Allow automatic configuration of listeners}
  • Set to Enabled
  • Specify IPv4 and IPv6 filter
  • We can use (*) in the filters as long as it is used in a trusted network.
• Edit Policy {./Turn on Compatibility HTTP Listener}
  • Set to Enabled
• Edit Policy {./Turn on Compatibility HTTPS Listener}
  • Set to Enabled

WinRM Enhanced Security by GP – Can be configured if needed:
• Basic Authentication
• Allow CredSSP Authentication
• Allow Unencrypted Traffic
• Disallow Unencrypted Traffic
• Disallow Kerberos Authentication
• Disallow Negotiate Authentication
• Trusted Hosts (Client Only)
• Specify channel binding token hardening level (Service Only)
Forwarder Resource Usage
• It is possible to control the volume of events sent to the Event Collector by the Source Computer, and this may be required in high volume environments
• The following Group Policy Settings are used to configure Forwarder Resource Usage:
• Computer Configuration/Policies/Administrative Templates/Windows Components/Event Forwarding/ForwardResourceUsage
• This GPO controls resource usage for the forwarder (Source Computer) by controlling the Events/per second sent to the Event Collector. This setting applies
across all subscriptions for the forwarder (Source Computer).

Configure Subscription on Event Collector

Event Delivery Optimization Options:

Normal – This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes.

Minimize Bandwidth – This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours.

Minimize Latency – This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds.

It is recommended that you use "Minimize Latency".

Pre-rendering Events
• If the Source Computer is generating a large volume of forwarded events (e.g. Security events from a Domain Controller) then it is recommended that event
rendering is disabled on the Event Collector. The task of pre-rendering an event on the source computer can be CPU intensive for a large number of events.
• On the Event Collector open a command prompt.
• Type wecutil ss <name of subscription> /cf:events
• This will change the ContentFormat to Events from RenderedText.
WinRM Configuration Settings for Windows Event Collector (WEC) Server
winrm set winrm/config @{MaxEnvelopeSizekb="500"}
winrm set winrm/config @{MaxTimeoutms="60000"}
winrm set winrm/config @{MaxBatchItems="32000"}
winrm set winrm/config/client @{NetworkDelayms="5000"}
winrm set winrm/config/client/defaultports @{HTTP="5985"}
winrm set winrm/config/client/defaultports @{HTTPS="5986"}
winrm set winrm/config/service @{MaxConcurrentOperations="4294967295"}
winrm set winrm/config/service @{MaxConcurrentOperationsPerUser="1500"}
winrm set winrm/config/service @{MaxConnections="500"}
winrm set winrm/config/service @{MaxPacketRetrievalTimeSeconds="120"}
winrm set winrm/config/service @{AllowUnencrypted="false"}
winrm set winrm/config/service/defaultports @{HTTP="5985"}
winrm set winrm/config/service/defaultports @{HTTPS="5986"}
winrm set winrm/config/winrs @{AllowRemoteShellAccess="true"}
winrm set winrm/config/winrs @{IdleTimeout="7200000"}
winrm set winrm/config/winrs @{MaxConcurrentUsers="10"}
winrm set winrm/config/winrs @{MaxShellRunTime="2147483647"}
winrm set winrm/config/winrs @{MaxProcessesPerShell="25"}
winrm set winrm/config/winrs @{MaxMemoryPerShellMB="1024"}
winrm set winrm/config/winrs @{MaxShellsPerUser="30"}
When using WEF/WEC to collect Windows Events in a VOLATILE environment, something to consider… You may want to PURGE old/stale client registry entries to allow them to refresh and start forwarding their events again.

# Script for Pruning WEC Hosts from Registry
$reg_root = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions"
$init_date = Get-Date "1/1/1601"
$max_days_since_checkin = 1;
$date_to_compare = (Get-Date).AddDays(-$max_days_since_checkin)
# LastHeartbeatTime is a FILETIME (100 ns ticks since 1601-01-01), so rebase the .NET ticks to that epoch
$date_to_compare = $date_to_compare.AddTicks(-$init_date.ticks)
$ts = New-Object System.TimeSpan($date_to_compare.ticks)
$milliseconds_to_compare = $ts.TotalMilliseconds * 10000
$subscriptions = Get-ChildItem $reg_root
$subscriptions | %{
    $subscription = $_.PSChildName
    Write-Host ("Starting cleanup on $subscription")
    $sub_path = $reg_root + "\$subscription\EventSources"
    $totalcount = 0
    $sourcecount = 0
    Get-ChildItem $sub_path | %{
        $machine = $reg_root + "\$subscription\EventSources\" + $_.PSChildName
        $lastheartbeat = (Get-ItemProperty -Path $machine).LastHeartbeatTime
        $totalcount++
        if (($totalcount % 1000) -eq 0)
        {
            Write-Host (" Still processing...$totalcount")
        }
        # Source has not checked in within $max_days_since_checkin days: drop its registration
        if($lastheartbeat -lt $milliseconds_to_compare)
        {
            $sourcecount++
            # Delete the key
            Remove-Item -Path $machine
        }
    }
    Write-Host ("$subscription : Cleaned up $sourcecount out of $totalcount")
}
Use PerfMon to monitor events being dropped at the WEF/WEC layer.
Configuration of ArcSight WUC Connector

WUC connector parameters:
- Forwarded Events Collection: Enabled (do not use AD for sources). NOTE: For environments with several domains per site. Otherwise, use AD for sources! "We use AD for sources."
- Domain Name: CONTOSO.LIVE
- Domain User Name: some_service_account
- Domain User Password: Password
- Active Directory Server: xx.xx.xx.xx (NOTE: Run ipconfig /all to change the IP based on the server you are working on.)
- Active Directory Base DN: DC=CONTOSO,DC=LIVE
- Active Directory Filter: (&(cn=*)(operatingsystem=*)(whencreated=*))
- Active Directory User Name: some_service_account
- Active Directory User Password: Password
- Active Directory Protocol: non_ssl
- Active Directory Port: 389
- Active Directory Max Page Size: 300
- Global Catalog Server: xx.xx.xx.xx
- Global Catalog Base DN: DC=CONTOSO,DC=LIVE
- Global Catalog User Name: some_service_account
- Global Catalog User Password: Password

Connector file changes:
1. Generate/Copy "windows/sourcehosts.csv" File/Folder – Windows/sourcehosts.csv
   o Open <ARCSIGHT CONNECTOR>\CURRENT\USER\AGENT
2. Add any additional parsers to your "windowscfg" Folder
3. Modify CustomEventSource.Map.csv
   o Open <ARCSIGHT CONNECTOR>\current\user\agent\fcp\windowsfg\customeventsource.map.csv
   o Remark…
     #Original_Event_Log_Type, Original_Event_Log_Source, Target_Event_Log_Source, Target_Event_Log_Type
     FwdSecurityArc,.*,security,Security
4. Modify Agent.Wrapper.Conf
   o Change JVM Heap Size
     # Maximum Java Heap Size (in MB)
     wrapper.java.maxmemory=2048
5. Modify Agent.Properties File for 03, 04, and 05
   o Open <ARCSIGHT CONNECTOR>\current\user\agent\agent.properties.conf
   o Modify to the following:
     agents[0].maxhostsinsourcehostfile=40000
     agents[0].maxsourcehostsfilesize=10000000
     agents[0].sleeptime=-1
     agents[0].threadcount=20
     agents[0].wefcollection=Enabled (use AD for sources)
     agents[0].windowshoststable[0].eventbuffersize=1024
     agents[0].windowshoststable[0].eventlogtypes=FwdSecurityArc
     agents[0].windowshoststable[0].eventpollcount=200
     agents[0].windowshoststable[0].startatend=true
Create Custom "FwdSecurityArc" Log and Link it to the Forwarded Events Log for the ArcSight WUC to collect Events From

Default Locations for Windows Logs:
- Application: %SystemRoot%\System32\Winevt\Logs\Application.evtx
- Security: %SystemRoot%\System32\Winevt\Logs\Security.evtx
- System: %SystemRoot%\System32\Winevt\Logs\System.evtx
- Forwarded Events: %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx

Move logs off of the C:\ drive onto another non-contended drive.

Create custom Log – This is being set up in order for the ArcSight Windows Unified Connector to collect events from the Forwarded Events Log.
1. Create Registry Key – FwdSecurityArc with the following steps. Open PowerShell and enter the following commands:
   New-Item HKLM:\SYSTEM\CurrentControlSet\Services\EventLog -Name "FwdSecurityArc"
   New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\FwdSecurityArc -Name "File" -Type "ExpandString" -Value "E:\Winevt\Logs\ForwardedEvents.evtx"
Events in ArcSight
- Using Big Data/Cosmos to monitor Asset/Event Coverage
- Using Big Data/Cosmos to track Signed/Unsigned Applications running…
- Using Big Data/Cosmos to build a Heat Map of Failed Logins
Questions?
Please give me your feedback
Session B5390 Speaker Rin Ure

Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.

Thank you

Appendix: Table of Errors and Resolutions

Error 5
  Error Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="contoso.microsoft.com"><f:Message>Access is denied. </f:Message></f:WSManFault>
  Cause: Windows Event Collector (WEC) does not have permission to read Windows event logs on the source computer.
  Resolution: Verify that your security group and 'NT Authority\Network Service' are members of the 'Event Log Readers' group on the source computer.

Error 53
  Error Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="53" Machine="contoso.microsoft.com"><f:Message>WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer contoso.microsoft.com. Verify that the computer exists on the network and that the name provided is spelled correctly. </f:Message></f:WSManFault>
  Cause: WEC cannot reach the source computer over the network.
  Resolution: Ensure that the source computer name specified is valid, online and can be reached over the network.

Error 1818
  Error Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="1818" Machine="contoso.microsoft.com"><f:Message><f:ProviderFault provider="Event Forwarding Plugin" path="%systemroot%\system32\wevtfwd.dll"><t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">Windows Event Forward Plugin failed to read events.</t:ProviderError></f:ProviderFault></f:Message></f:WSManFault>
  Cause: Event Forwarding Plugin (WEF) on the source computer failed to read events from the Security Events log.
  Resolution:
  1. Verify that 'NT Authority\Network Service' is a member of the 'Event Log Readers' group on the source computer.
  2. If the group membership is correct, try to reboot the computer.

Error 5004
  Error Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5004" Machine="contoso.microsoft.com"><f:Message><f:ProviderFault provider="Event Forwarding Plugin" path="C:\Windows\system32\wevtfwd.dll"><t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.</t:ProviderError></f:ProviderFault></f:Message></f:WSManFault>
  Cause: Event Forwarding Plugin (WEF) on the source computer failed to read events from the Security Events log.
  Resolution:
  1. Verify that the source computer is logging events to the Security Events log.
  2. Verify that 'NT Authority\Network Service' is a member of the 'Event Log Readers' group on the source computer.
  3. If the 'Event Log Readers' group membership is correct, try to reboot the computer.

Error -2144108103
  Error Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859193" Machine="contoso.microsoft.com"><f:Message>The WinRM client cannot process the request because the server name cannot be resolved. </f:Message></f:WSManFault>
  Cause: WEC cannot resolve the source computer name into an IP address via DNS.
  Resolution: Ensure that the source computer name specified is valid, online and can be reached over the network.

Error -2144108250
  Error Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="contoso.microsoft.com"><f:Message>WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. </f:Message></f:WSManFault>
  Cause: WinRM on the source computer is not accepting connections from WEC.
  Resolution: Make sure WinRM is configured properly on the source computer, a WinRM listener is created to accept connections over TCP Port 5985 and the host based firewall allows remote WinRM connections. Verify WinRM connectivity from a remote machine by using the following command: 'winrm id -r:<computer> -auth:none'

Error -2144108526
  Error Message: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858770" Machine="contoso.microsoft.com"><f:Message>The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". </f:Message></f:WSManFault>
  Cause: Same as Error -2144108250.
  Resolution: Same as Error -2144108250.
Appendix: Windows Event Collector Health Monitoring
In order to provide a reliable Windows event collection (WEC) environment, we should monitor the following to ensure the collector is healthy and fail over to the standby WEC server as appropriate.
• Monitor that the 'Forwarded Events' log, custom WEC destination logs and the archive logs directory have enough free space. Raise an alert when free space is less than 10 times the maximum log size.
• Monitor that the 'Windows Event Collector (wecsvc)' service is running on the collector.
• Monitor 'Subscription' run time status and ensure all source computers are active with no errors.
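The three monitoring points above, plus the collector-side error events listed below them, can be gathered by one read-only script run on the collector. This is an added example, not code from the deck or the WDGSMART team. It assumes wecutil.exe is on the PATH, that the `wecutil gr` output carries a "RunTimeStatus:" line per event source, and that the Microsoft-Windows-EventCollector events 1 to 4 can be read with Get-WinEvent from the log named in $CollectorLog (the default is an assumption; change it to wherever those events appear in your environment).

```powershell
# Added example (not from the original deck): collector health check covering free space,
# wecsvc, subscription runtime status and EventCollector error/retry events.
# Assumptions: wecutil.exe on PATH; collector events readable from $CollectorLog.
function Test-WecCollectorHealth {
    param(
        [string[]]$LogNames = @('ForwardedEvents', 'Application', 'System'),
        [string]$CollectorLog = 'Microsoft-Windows-EventCollector/Operational',  # assumption
        [int]$FreeSpaceMultiple = 10,    # deck: alert below 10x the maximum log size
        [int]$LookbackHours = 24
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. wecsvc must be running
    $svc = Get-Service -Name wecsvc -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { $findings.Add('wecsvc is not running') }

    # 2. Free space on each destination log's volume must be >= N x that log's maximum size
    foreach ($name in $LogNames) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) { $findings.Add("log '$name' not found"); continue }
        $path = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
        $driveName = [IO.Path]::GetPathRoot($path).TrimEnd('\', ':')
        $drive = Get-PSDrive -Name $driveName -ErrorAction SilentlyContinue
        $needed = $FreeSpaceMultiple * $log.MaximumSizeInBytes
        if ($drive -and $drive.Free -lt $needed) {
            $findings.Add(('{0}: {1:N0} bytes free on {2}:, need {3:N0}' -f $name, $drive.Free, $driveName, $needed))
        }
    }

    # 3. Subscription runtime status: flag any event source whose status is not Active
    if (Get-Command wecutil.exe -ErrorAction SilentlyContinue) {
        foreach ($sub in (& wecutil.exe es)) {
            $status = & wecutil.exe gr $sub
            $notActive = @($status | Where-Object { $_ -match 'RunTimeStatus:\s*(?!Active\b)\S+' })
            if ($notActive.Count -gt 0) { $findings.Add("$sub has $($notActive.Count) non-active entries") }
        }
    } else {
        $findings.Add('wecutil.exe not found; subscription status not checked')
    }

    # 4. Collector events 1-4 (activation failed, expired, retrying) within the lookback window
    $since = (Get-Date).AddHours(-$LookbackHours)
    $errs = @(Get-WinEvent -FilterHashtable @{
        LogName = $CollectorLog; ProviderName = 'Microsoft-Windows-EventCollector'
        Id = 1, 2, 3, 4; StartTime = $since
    } -ErrorAction SilentlyContinue)
    if ($errs.Count -gt 0) { $findings.Add("$($errs.Count) EventCollector error/retry events since $since") }

    return [pscustomobject]@{ Findings = $findings; Healthy = ($findings.Count -eq 0) }
}

Test-WecCollectorHealth | Format-List
```

Add the custom FwdSecurityArc log and any archive directory to $LogNames to match the first bullet exactly; a non-empty Findings list is the signal to fail over to the standby collector, and the EventCollector event count points at which of the IDs described below to read first.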

The following Windows Event Collector events will help monitoring overall WEC health and provide additional troubleshooting information when failure occurred.

Event ID 1 – Event Source Activation failed.
http://technet.microsoft.com/en-us/library/dd348618(v=ws.10).aspx
ID: 1
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 could not be activated on target machine %2 due to communication error. Error Code is %3. All retries have been performed before reaching this point and so the subscription will remain inactive on this target until subscription is resubmitted / reset. Additional fault message: %4

Event ID 2 – Event Subscription Activation failed.
http://technet.microsoft.com/en-us/library/dd363793(v=ws.10).aspx
ID: 2
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 could not be activated on machine %2 due to an error. Error Code is %3. Subscription will remain inactive on this target until subscription is resubmitted / reset.

Event ID 3 – Event Subscription Expired.
http://technet.microsoft.com/en-us/library/dd315497(v=ws.10).aspx
ID: 3
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 has expired and will no longer be serviced.

Event ID 4 – Event Subscription in retrying state.
http://technet.microsoft.com/en-us/library/dd348608(v=ws.10).aspx
ID: 4
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 could not be activated on target machine %2 due to communication error. Error Code is %3. The subscription will be in retrying state until the subscription becomes active or all retries have been performed. Additional fault message: %4

Event ID 5 – Event Subscription Activated successfully on source computer.
http://technet.microsoft.com/en-us/library/dd363755(v=ws.10).aspx
ID: 5
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 could not be activated on target machine %2 due to communication error. Error Code is %3. The subscription will be in retrying state until the subscription becomes active or all retries have been performed. Additional fault message: %4

Event ID 502 – Events dropped from source computer.
http://technet.microsoft.com/en-us/library/dd348577(v=ws.10).aspx
ID: 502
Source: Microsoft-Windows-EventCollector
Message: The Subscription %1 detects dropped events. Some events are dropped during transmission from target machine %2. The number of dropped events are %3.
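As an added example (not from the original deck), a PowerShell query that pulls the collector events listed above from the WEC server's own log and reports, per subscription and source computer, the most recent state that is not a successful activation. It assumes these events land in the Microsoft-Windows-EventCollector/Operational channel and that the insertion strings %1..%4 appear as Properties[0..3] in the order the message templates show.

```powershell
function Get-WecHealthEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-EventCollector/Operational'   # assumed channel name
        Id        = 1, 2, 3, 4, 5, 502
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: Properties follow the %1..%4 order of the message templates above.
        $p = @($e.Properties | ForEach-Object { $_.Value })
        $detail = switch ($e.Id) {
            1   { "activation failed, error $($p[2]): $($p[3])" }
            2   { "activation failed, error $($p[2])" }
            3   { 'subscription expired' }
            4   { "retrying, error $($p[2]): $($p[3])" }
            5   { 'activated successfully' }
            502 { "$($p[2]) events dropped in transmission" }
        }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Id           = $e.Id
            Subscription = $p[0]
            Source       = if ($e.Id -eq 3) { $null } else { $p[1] }  # ID 3 names only the subscription
            Detail       = $detail
        }
    }
}

# For each (subscription, source) pair keep only the newest event; report it unless it is ID 5.
function Get-SourcesNeedingAttention {
    param([int]$Hours = 24)
    Get-WecHealthEvents -Hours $Hours |
        Where-Object { $_.Source } |
        Group-Object Subscription, Source |
        ForEach-Object { $_.Group | Sort-Object Time -Descending | Select-Object -First 1 } |
        Where-Object { $_.Id -ne 5 }
}

Get-SourcesNeedingAttention | Format-Table Time, Id, Subscription, Source, Detail -AutoSize
```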
Appendix: WinRM Error Events
The following WinRM events help in monitoring the health of both the server side and the client side of WinRM and provide additional troubleshooting guidance when a failure occurs.

Event ID: 10110
Source: Microsoft-Windows-WinRM
Message: The WinRM service cannot validate the client certificate because the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
User Action: Please ensure that the Certificate Revocation List is accessible and up-to-date.

Event ID: 10112
Source: Microsoft-Windows-WinRM
Message: The client certificate exceeded the maximum size allowed by the WinRM service.
User Action: Please use a different client certificate or a different authentication mechanism.

Event ID: 10144
Source: Microsoft-Windows-WinRM
Message: The WinRM service had a failure reading the current configuration and is stopping.
User Action: Use the following command to restore defaults: winrm invoke Restore winrm/config @{} Then add any custom configuration settings and restart the service.
Additional Data: The error code is: %1 %%%1

Event ID: 10145
Source: Microsoft-Windows-WinRM
Message: The WinRM service had a failure applying the current configuration and is stopping.
User Action: Check for previous event log messages and restart the service.

Event ID: 10146
Source: Microsoft-Windows-WinRM
Message: The WinRM service had a failure reading the current configuration and is stopping.
User Action: Use the following command to restore defaults: winrm invoke Restore winrm/config @{} Then add any custom configuration settings and restart the service.
Additional Data: The error code is: %1 %%%1

Event ID: 10147
Source: Microsoft-Windows-WinRM
Message: The host name pattern "%1" is invalid and it will be ignored. Host name patterns must not be empty and they can contain at most one wildcard ("*"). "*" pattern can be used to indicate all hosts; if this pattern is used, no other pattern can show up in the list. Special string "<local>" can be used to indicate all host names that do not have a '.'
User Action: Correct the host name pattern using the syntax described above.

Event ID: 10151
Source: Microsoft-Windows-WinRM
Message: The WinRM service had a failure (%1) reading configuration during ip address change notification. Service will continue running with old configuration.
User Action: If immediate changes are required manually restart the service.

Event ID: 10152
Source: Microsoft-Windows-WinRM
Message: The WinRM service successfully processed an address change notification.

Event ID: 10154
Source: Microsoft-Windows-WinRM
Message: The WinRM service failed to create the following SPN: %1.
Additional Data: The error received was %2: %%%2.
User Action: The SPN can be created by an administrator using setspn.exe utility.

Event ID: 10156
Source: Microsoft-Windows-WinRM
Message: The WinRM service failed to initialize CredSSP.
Additional Data: The error received was %1.
User Action: Configure CertificateThumbprint setting under the WinRM configuration for the service. Use the thumbprint of a valid certificate and make sure that Network Service has access to the private key of the certificate.
Appendix: Useful Links
Configuring HTTPS
http://support.microsoft.com/kb/2019527
http://msdn.microsoft.com/en-us/library/bb870973(VS.85).aspx
Event Subscriptions
http://go.microsoft.com/fwlink/?linkid=71431
Source vs Collector Initiated Subscriptions
http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx
Advanced Subscription Settings
http://technet.microsoft.com/en-us/library/cc749167.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/bb736545(v=vs.85).aspx (Wecutil.exe)
http://support.microsoft.com/kb/138365 (How to Auto-disconnect)

Event ID Definitions
• Windows Server 2000 Event log listing
http://technet.microsoft.com/en-us/library/cc952180.aspx
• Windows Server 2000 Security Event Descriptions
Part 1: http://support.microsoft.com/kb/299475/en-us
Part 2: http://support.microsoft.com/kb/301677/en-us
• Windows Server 2003 auditing event ID listings can be found in two locations
Auditing Policy from Windows Server 2003: Security and Protection: http://technet.microsoft.com/en-us/library/cc779526(v=ws.10).aspx
Chapter 4 of the Windows Server 2003 Security Guide: http://technet.micosoft.com/library/cc163121.aspx
• Windows Server 2008 and Windows Server 2008 R2 events and errors details for general OS components can be found on Microsoft’s TechNet website
http://technet.microsoft.com/en-us/library/cc754424(v=ws.10).aspx
• Windows Server 2008 Component-Based Servicing events
http://technet.microsoft.com/en-us/library/cc756291(v=ws.10).aspx
• Windows 7 AppLocker Event IDs and definitions:
http://technet.microsoft.com/en-us/library/ee844150(v=ws.10).aspx

Additional Useful Links
• Distributed Management Task Force, Inc: Web Services for Management (WS-Management) Specification.
http://www.dmtf.org/standards/published_documents/DSP0226_1.0.0.pdf
• Microsoft Corporation: Credential Security Support Provider (CredSSP) Protocol.
http://msdn.microsoft.com/enus/library/cc226764(v=prot.20).aspx
• Microsoft Corporation: Windows Error Codes.
http://msdn.microsoft.com/en-us/library/cc231196.aspx
• Microsoft Corporation: Web Services Management Protocol Extensions for Windows Vista.
http://msdn.microsoft.com/enus/library/cc251526(prot.20).aspx
• Microsoft Corporation: Setting up a Source Initiated Subscription.
http://msdn.microsoft.com/en-us/library/bb870973(VS.85).aspx
