Did you know that Windows has had a built-in capability to function as a SIEM (Security Information and Event Management) system for years, provided you stay within the Windows ecosystem? This powerful feature, known as Windows Event Forwarding (WEF), allows you to centralize event logs from multiple Windows machines, giving you a comprehensive view of your network’s activities.
Today, we’re going to delve into how to use and set up Windows Event Forwarding to get an inventory going on NTLM v1 traffic. By configuring WEF, you can monitor and analyze all kinds if events, helping you detect and address potential security issues in real-time.
Introduction
Windows Event Forwarding (WEF) is a built-in feature available in Microsoft Windows operating systems designed to help organizations manage and analyze event logs in a structured and efficient manner. With WEF, system administrators can centralize event logs from multiple Windows computers and forward them to a central server, providing a consolidated overview of what is happening on those computers.
This functionality is particularly valuable for security and monitoring purposes because it allows organizations to track events in real-time, detect suspicious activities, and quickly identify security incidents. By using WEF, organizations can also reduce the amount of data traffic needed to retrieve event logs from multiple sources, thereby decreasing network load and improving efficiency.
This guide will show the steps on how Windows Event Forwarding should be configured, managed, and used to gain insights from the event logs of Windows computers connected to a domain, with a specific focus on the inventory of NTLMv1. Understanding and correctly implementing WEF can be an important step in improving the security and management of any IT infrastructure.
Architecture overview
The architecture for Windows Event Forwarding (WEF) in this document is based on a domain network where various components play critical roles in effectively managing and analyzing event log data.
- Domain Controllers: Domain controllers play a crucial role in handling authentication and enforcing configuration settings on all computers and devices within the domain. They ensure that event logs are correctly generated and logged by the endpoints.
- Log collectors: Log collectors are responsible for gathering event log data from endpoints, both clients, and servers, within the domain. These log collectors act as central storage points for log data, enabling consolidated analysis and monitoring.
- Endpoints (clients and servers): All machines within the domain are configured to forward event log data to the log collectors. These endpoints are essential for capturing relevant events and forwarding them to the central collection points.
It is important to note that machines outside the domain network are out of the scope of this blog, I’ll write about that feature in the near future. External machines perform their authentication against the domain controllers and servers within the domain where events are captured and logged. For the inventory of NTLMv1 authentication, there is less emphasis on these external machines since most relevant authentication events occur within the internal domain network and can be intercepted accordingly.
Requirements
Before Windows Event Forwarding (WEF) can be used, certain requirements must be met. These ensure smooth implementation without limitations.
- Windows version and edition: Ensure that both the source computers and the destination computer where you want to centralize event logs are running Windows operating systems that support WEF. WEF is available in Windows Vista and later versions, including Windows Server operating systems. It is recommended to use the latest version of Windows Server (Windows Server 2019+).
- Network connectivity: Ensure that all involved computers can communicate within the network. Necessary firewall rules must be configured to ensure that event logs can be safely forwarded to the central server. Using secure communication with Kerberos is strongly recommended to ensure the confidentiality and integrity of log data. Network traffic uses WSMAN port 5985.
- Rights and permissions: To set up and manage WEF, you need administrative rights on both the source computers and the target server. No domain admin rights are needed other than configuring the group policy objects.
- Log source configuration: Carefully configure the event logs on the source computers. You need to determine which events you want to collect and forward to the central server. This includes enabling the correct log channels and filtering events based on their relevance to your monitoring and security purposes.
Hardware requirements
The hardware requirements for a single log collector can vary depending on several factors, such as the volume of log data you want to collect, the frequency of events, and the complexity of your analysis needs. Generally, the more data you collect and analyze, the more powerful the hardware needs to be. Here are some general recommendations for the hardware requirements of a log collector:
- Processor (CPU): A multi-core processor with good processing speed is important for efficiently processing event logs. The exact requirements vary, but a modern quad-core processor or better is recommended. The processor should have a minimum of 4 cores.
- Memory (RAM): The amount of RAM depends on the volume of log data and the complexity of your analyses. Generally, at least 16 GB of RAM is recommended.
- Storage: Sufficient storage space is needed to store log data before it is forwarded to a central location. The required storage space depends heavily on the amount of data you collect and how long you want to retain it. Due to the high level of I/O used for writing the data, a fast and reliable storage solution, such as an SSD, is recommended for optimal performance. A minimum storage disk of 80GB is also recommended for the OS Disk.
- Network Interface: A fast network connection is essential, especially if you are collecting log data from multiple sources. A gigabit Ethernet connection is minimally recommended.
Collector requirements
The log collector has the capacity to receive data from a maximum of 4000 clients. This means that up to 4000 Windows computers or devices can forward their event logs to this collector for further analysis and storage. It is important to keep this maximum number in mind when planning the implementation to ensure it meets the needs of your organization. If you plan to collect data from more than 4000 clients, consider deploying multiple collectors to distribute the load and maintain optimal performance.
Performance updates
For users of Windows Server 2016 and Windows Server 2019, specific updates are available that offer performance improvements for the use of Windows Event Forwarding (WEF). These updates, KB4537806 for Windows Server 2016 and KB4537818 for Windows Server 2019, are designed to enhance the overall performance and efficiency of WEF.
It is important to note that these updates are typically installed as part of regular Windows updates, provided optional updates are enabled. Given that they can offer significant improvements for WEF implementations, they are highly recommended for organizations deploying WEF to collect and manage event logs.
Windows event collector setup
The Windows Event Collector (WEC) is a crucial component for the centralized inventory of event logs. It acts as the central collection point for event logs within the domain network and is responsible for receiving and storing log data from endpoints such as clients and servers. Here are the steps to configure it.
Windows Remote Management (WinRM – WSMAN)
Windows Remote Management (WinRM) is a Microsoft service that enables remote communication and management of Windows systems over a network. It allows administrators to execute commands, change configurations, and retrieve data from remote computers running Windows operating systems. With WinRM, administrators can manage system resources and retrieve data from multiple Windows machines without physically accessing each individual computer, which is useful for tasks such as configuration management, troubleshooting, and automation. WinRM is an essential component in using WEF. The following actions are necessary on the WEF collectors.
Note! Windows Server 2008R2 and higher have WinRM enabled by default. The steps below are necessary to ensure this configuration.
WinRM listener
Command-line:
winrm enumerate winrm/config/listener
Expected output:
To view the complete configuration, use the command-line:
winrm get winrm/config
Windows firewall
Run the following command-line in an elevated PowerShell console:
Get-NetFirewallRule | Where-Object {$_.Displayname -Like "Windows Remote Management (HTTP-In)" -and $_.Profile -like "*Domain*"} | Select Enabled
Expected output:
Windows Remote Management service
Run the following command-line in an elevated PowerShell console:
Get-Service -Name WINRM | select StartType
Expected output:
Corrective action
If any of the above measures do not produce the desired effect, the following cmdlet can be executed to configure the log collector for using Windows Remote Management:
Enable-PSRemoting
WinRM collector adjustments for Server 2016/2019
On the collector, both the Windows Event Collector service (WecSvc) and the Windows Remote Management service (WinRM) use certain URLs. However, the default access control lists (ACLs) for these URLs only allow access for the svchost process that runs WinRM. In the default configuration of Windows Server 2016, both WinRM and WecSvc run in a single svchost process. Because this process has access, both services function correctly. However, if you change the configuration so that the services run in separate host processes, WecSvc no longer has access, and event forwarding stops working.
The services function differently in Windows Server 2019. If a Windows Server 2019 computer has more than 3,5 GB of RAM, WinRM and WecSvc run in separate svchost processes by default. Due to this change, event forwarding may also not work correctly in the default configuration.
To correct this oversight, run the following commands in an elevated command console:
netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
netsh http delete urlacl url=https://+:5986/wsman/
netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
Note! When you have upgraded to Server 2022 from 2016 or 2019 you should also take the steps described here.
Note! This correction does not apply to a new installation of Windows Server 2022.
Restart the server or service after making the changes. To view the current configuration, use the command-line:
netsh http show urlacl
Setting up a Windows Event Forwarding (WEF) subscription
A WEF subscription is used to collect specific events from source computers within the domain and forward them to the Windows Event Collector (WEC) for centralized storage and analysis. Here are the steps to set up a WEF subscription:
On the log collector server, open the event viewer and navigate to “Subscriptions”. Click “Yes” when you receive the following prompt.
Right-click on “Subscriptions” and select “Create Subscription”.
In the dialog box, give the subscription a name and select: “Source computer initiated” then click on “Select Computer Groupsโฆ”.
Click on “Add Domain Computers” and add the computer group that needs to forward events. It is advisable to select “Domain Computers” here. Machines will then have the ability to forward events but will need further configuration.
Note! When targeting Domain Controllers, select the group “Domain Controllers” as these are not a part of “Domain Computers”.
Click “OK” in this dialog box. Click “Advanced” at the bottom of the screen and select the option “Minimize Latency”. Click “OK”. These options are available:
- “Normal” pull delivery every 15 minutes.
- “Minimize Bandwidth” push delivery every 6 hours.
- “Minimize Latency” for critical events push delivery every 30 seconds.
Note! The “HTTP” protocol is secured by Kerberos encryption.
In the “Select Events” dialog box, specify the event configuration. This can be done in the UI section or via an XPATH (XML tab). Since detecting NTLMv1 is outside the scope of the UI, the following configuration via an XPath filter is recommended:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624)]] and Event[EventData[Data[@Name='LmPackageName'] and (Data='NTLM V1' or Data='LM')]] </Select>
<Suppress Path="Security">*[EventData[Data[@Name='TargetUserName'] and (Data='ANONYMOUS LOGON')]]</Suppress>
</Query>
</QueryList>
Note! When Windows does not detect NTLMv2 authentication, it assumes NTLMv1 is being used even when an “Anonymous Logon” occurs. This can create the impression that NTLMv1 authentication is taking place despite enforced policies. To filter this out, the “Suppress” option is added as shown above. For more information, see Microsoft’s documentation.
Click “OK” twice to return to the subscription. It will now be configured according to the set conditions. The following will be representative of this setup.
Event log size
Adjusting the size of the “Forwarded Events” log is important to ensure there is enough space to store log data. Here’s the command-line to set the event log size to 1 gigabyte:
wevtutil sl forwardedevents /ms:1000000000
Log archiving
Log archiving is an important part of event log management. When an event log is full and can no longer contain data, archiving can be enabled to store older events before new data is recorded. This ensures important log data is preserved for further analysis even when the log is full. Enabling this feature ensures no valuable data is lost. Here is the command-line to enable archiving:
wevtutil sl forwardedevents /ab:true /rt:true
WEF configuration via a Group Policy object (GPO)
A Group Policy Object (GPO) is the way to manage the Windows Event Forwarding (WEF) configuration on multiple computers within the domain. Here are the steps to create a WEF configuration via a GPO:
In “Group Policy Management,” create a group policy object in the organizational unit where the machines that need to receive the WEF configuration are located. This GPO can be filtered based on computer names or a specific group.
Note! Assigning a group to a computer object requires a reboot of the respective host.
Hint! This policy exclusively uses computer configuration, therefore set the GPO Status to: โUser configuration settings disabled.โ
In the policy, navigate to:Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
Add a group named โEvent Log Readersโ and click โOKโ.
In โMember of this group,โ click โAddโ and add the pseudo group โNT AUTHORITY\Network Service.โ Click โOKโ twice to return.
Note! The above must be done to give the โNetwork Serviceโ rights to read and forward event logs to the collector.
In the policy, navigate to:Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services
Configure the โWindows Remote Managementโ service to start automatically. Click โOKโ to return.
In the policy, navigate to:Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Forwarding
Set the following policies:
- Configure forwarder resource usage: Enabled
- The maximum forwarding rate: 500
- Configure target Subscription Manager: Enabled
Server=http://<FQDN of the collector>:5985/wsman/SubscriptionManager/WEC,Refresh=120
Note! The maximum forwarding rate indicates how many log entries a host can forward at a time. A typical deployment will be between 500 and 1000 entries.
Note! The specified refresh interval is for retrieving the WEF configuration from the subscription. When there are few or no changes, this value can be increased.
In the policy, navigate to:Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Log Service -> Security
Set the following policy:
- Configure Log Access: Enabled
- Log Access:
O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
Note! In many blogs, S-1-5-20 is replaced by โNSโ. This does not work on a Domain Controller; hence, the SID is used in this rule.
Checking the WEF configuration
Once the previously shown configuration is successfully implemented, the log collector configured, and the policies applied to the hosts that need to forward the event log, the endpoints will eventually check in with the log collector.
On the log collector, open the Event Viewer โ Subscriptions. The number of โSource Computersโ will increase over time.
Right-click and select โRuntime Statusโ to observe the individual endpoints.
Generating a control event
To test and verify the functionality of Windows Event Forwarding (WEF) and ensure that events are correctly forwarded to the ‘Forwarded Events’ logs, you can execute the following PowerShell command on one of the hosts within the domain:
Write-EventLog -LogName System -EventId 4624 -EntryType Information -Source "System" -Message "This is an event generated for WEF testing purposes"
Note! This event uses the “System” event log instead of “Security”. Access to the security log is restricted and cannot be easily written. To test the above, an additional subscription is needed with the System event log selected.
Open the Event Viewer โ> Forwarded Events
to check for the generated test event.
Auditing and Group Policy requirements for NTLMv1 logging
To properly capture and log NTLMv1 events, advanced auditing must be enabled, and the correct Group Policy settings must be configured on the relevant Windows computers within the domain. Here are the requirements and steps:
Advanced auditing
Advanced auditing is a feature in Windows operating systems that allows detailed logging of specific events and actions on a computer. It provides more in-depth and accurate information than standard logging, enabling administrators and security professionals to gain detailed insights into system behavior and identify potential security issues.
The default configuration already activates the relevant settings. However, it is advisable to perform a preliminary check to ensure the desired auditing is present. Execute the following command-line:
auditpol.exe /get /category:Logon/Logoff
Note! Logon must have at least success enabled to generate the desired events.
NTLM Auditing in Group Policy
Ensure that the GPO with the configured audit policy settings is applied to the target computers. Link the GPO to the relevant organizational unit (OU).
In the policy, navigate to:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
- (All domain members, incl DCs):
Network Security: Restrict NTLM: Audit Incoming NTLM Traffic:
Enable auditing for domain accounts. - (All domain members, incl DCs):
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers: Audit All. - (Domain Controllers only):
Network Security: Restrict NTLM: Audit NTLM authentication in this domain: Enable all.
Forcing NTLMv1 for testing purposes
Forcing NTLMv1 authentication within a managed domain requires specific steps and considerations to ensure it is done safely. This chapter focuses on the procedure and considerations for enabling NTLMv1 authentication for testing purposes within a Windows environment. The following steps are discussed to effectively manage this process.
Domain Controller
In a policy on the organizational unit for domain controllers, the group policy setting “Network security: LAN manager authentication level” should not be set to or should not have the maximum value of 5 “Send NTLMv2 response only/refuse LM”, any other setting is fine for testing.
Server class devices
Server class devices do not require changes as long as domain accounts are used for testing.
EndPoint devices
A Windows EndPoint device must have the value “Send LM & NTLM responses” in the group policy setting “Network security: LAN manager authentication level”.
A reboot is not strictly necessary.
Authentication test
From the Windows EndPoint device, open a CIFS/SMB share on an IP address or an HTTP(S) request on an IP address to an IIS web server configured for NTLM authentication. This server can be part of the created subscription, but it’s not a requirement as the DC handles the authentication.
The 4624 event will appear in the security event log of the DC where a connection is made. If properly configured, this event will be forwarded to the log collector within 30 seconds.
Troubleshooting
Although Windows Event Forwarding is a powerful tool for collecting and centrally managing Windows events, challenges and issues can sometimes arise during its implementation. This chapter is dedicated to identifying, diagnosing, and resolving problems that may occur with Windows Event Forwarding. I will cover various common issues along with steps and techniques to effectively address them. By becoming familiar with troubleshooting, you can ensure that the Windows Event Forwarding implementation runs smoothly and that important data is always available for analysis.
Event log locations
- Application and Services Logs – Microsoft – Windows
- EventLog-Forwarding Plugin (log)
- Windows Remote Management (log)
- Event Collector (log)
Firewall rules
- Windows Firewall ports Windows Remote Management (HTTP-In) Port 5985 configured for inbound communication.
- Windows Firewall ports Windows Remote Management (HTTP-In) โ Compatibility Mode – Port 80 configured for inbound communication.
- Windows Firewall ports Windows Remote Management (HTTPs-In) configured for inbound communication.
Basic firewall connectivity
Test-NetConnection -ComputerName prod-mon.corp.michaelwaterman.nl -port 5985
Check WinRM connectivity
winrm id -remote:<source_computer_name> -auth:none
WinRM settings
winrm get winrm/config
WinRM client configuration
winrm get winrm/config/client/auth
WinRM server configuration
winrm get winrm/config/service/auth
WinRM service configuration
winrm get wmi/root/cimv2/Win32_Service?Name=WinRM
Reset WinRM to default
winrm invoke restore winrm/config @{}
WinRM related security groups
- Local administration.
- Domain administrator
Display all registered machines to the subscription
wecutil gr <Subscription>
All about NTLM values
LM-manager (LM) authentication is the protocol used to authenticate Windows clients for network operations, including domain memberships, access to network resources, and user or computer authentication. The LM authentication level determines which challenge/response authentication protocol is negotiated between the client and server computers. Specifically, the LM authentication level determines which authentication protocols the client will attempt to negotiate or which the server will accept. The value set for LmCompatibilityLevel determines which challenge/response authentication protocol is used for network logons. This value affects the level of the authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers.
Value | Setting | Description |
---|---|---|
0 | Send LM & NTLM responses. | EndPoints use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
1 | Send LM & NTLM – use NTLMv2 session security if negotiated. | EndPoints use LM and NTLM authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
2 | Send NTLM response only. | EndPoints use only NTLM authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
3 | Send NTLMv2 response only. (Windows 7+ default) | EndPoints use only NTLMv2 authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
4 | Send NTLMv2 response only/refuse LM. | EndPoints use only NTLMv2 authentication and use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication and only accept NTLM and NTLMv2 authentication. |
5 | Send NTLMv2 response only/refuse LM & NTLM. | EndPoints use only NTLMv2 authentication and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM authentication and only accept NTLMv2 authentication. |
Additional info
This chapter contains various references that are not included in the main part of the post and are intended to further support the NTLM traffic inventory process.
NTLM Registry key settings
- Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Value:
LmCompatibilityLevel
- Type:
DWORD
PowerShell for auditing activation
# Audit NTLM Authentication in this domain: Enable all - Domain Controllers Only
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\Netlogon\Parameters' -Name AuditNTLMInDomain -Value 7
# Audit incoming NTLM traffic: Enable auditing for all accounts
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name AuditReceivingNTLMTraffic -Value 2
# Restrict NTLM: Outgoing NTLM traffic to remote servers: Audit All
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name RestrictSendingNTLMTraffic -Value 1
Final thoughts
Implementing Windows Event Forwarding (WEF) is a powerful way to enhance your organization’s security and monitoring capabilities. By centralizing event logs and focusing on NTLM v1 traffic, you can gain valuable insights into your network’s authentication processes and identify potential security risks.
While setting up WEF may require some initial effort and configuration, the benefits of having a comprehensive, real-time view of your network’s activities are well worth it. This guide has provided you with the necessary steps and considerations to get started, but remember that ongoing monitoring and adjustment are key to maintaining an effective security posture.
I followed the directions and cant get it to work. Cant you provide additional help?
What seems to be the problem?
When I ran the WEF Test on the domain controller I have the subscription on I get this message.
The description for Event ID 4624 from source System cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
This is an event generated for WEF testing purposes
the message resource is present but the message is not found in the string/message table
If I’m not mistaken this is the test message as expected. If you want to be sure, just create a subscription that includes everything from the application log. That should trigger multiple events to come in. Or create a specific subscription and trigger the creation of an event with PowerShell.
I did include a troubleshooting section in my blog, perhaps that helps.
Hi Michael,
great blog post this helped me a lot. Thank you very much.
But the code “Server=http://:5985/wsman/SubscriptionManager/WECRefresh=120” isn’t correct. In the screenshot is a comma between “WEC” and “Refresh=120” which is not in the code. Searched quite a bit why my WEF setup wasn’t working. ๐
Best regards,
Bjoern
Excellent catch! Adjusted it in the post. Thanks so much for the feedback, happy to read it helped.
Thank you for the article. I followed your article to create a collector-initiated subscription, but I’m getting an ‘access denied’ error on the ‘runtime status.’ However, when I create a source-initiated subscription, I’m able to get the logs and the ‘runtime status’ shows ‘running okay.’ Where am I making a mistake?”
Hi John,
Can’t remember getting that error before. What user rights are you logging in with? Any hardening templates applied to the system?
Hi Michael,
Thank you for the good article. I followed your steps but couldn’t make it work when I configured it as a collector-initiated subscription. It gives an “access denied” error. However, source-initiated subscriptions work! I can’t figure out where the collector needs to be given permission.
Hi John,
Canโt remember getting that error before. What user rights are you logging in with? Any hardening templates applied to the system?
Hi Michael,
I was able to fix the issue and work. Thank you for the article. I have a question on push server logs forwarding and cannot find a KB article on best practices. I hope you can help me!
Now, our domain controller is forwarding to the collector. If we set the domain controller to archive the logs at every 2GB or more to free up the space, will the archive remove the logs before forwarding? If so, what kind of setting do we have to do at the domain controller without missing any logs?
I logged on as a domain admin, as this is my lab environment before deploying to production. In the advanced subscription setting, instead of a “machine account” I selected “User” and entered the user as a domain admin. Surprisingly, I didn’t encounter any errors, and it started collecting logs. However, I prefer not to use a user account and would rather rely on a “machine account” I noticed you set “Event Log Readers” and added “NT AUTHORITY\Network Service” as a member. Should I add collector server in addition Network /service?