Score:-1

Monitor Services and Event Logs on Windows Servers


We are standing up a new environment and will be installing SIEM tools, etc. in the future. We have a few dozen Windows 2019 servers so far. I've been tasked with providing a solution for monitoring Windows Services and Event Logs in the near term until formal tools are put in place. Preferably free and Microsoft, but open to suggestions. This is a disconnected environment, no internet. Thanks in advance!

Score:0

So far, if you are looking for a solution for monitoring (and collecting) Windows logs until your final SIEM solution is in place, I can suggest the following approaches:

Consider a decent technical stack in which you can do what you need with the collected data (ingestion, indexing, search, alerting, dashboards...):

  • ELK (Elasticsearch/Logstash/Kibana)
  • Graylog (Elasticsearch-based)
  • Other alternatives: HELK, RedELK...

Consider how to collect the logs from your Windows servers:

  • Agentless: use the native solution from Microsoft (Windows Event Forwarding/Windows Event Collector). You can find a fully automated deployment script in my repository. This allows you to collect all the servers' logs on a central Windows server. Afterwards it is up to you to forward these logs to a SIEM solution using the most suitable agent (see next point).
  • With agent: this depends on your requirements and on your capacity to deploy and manage the agents. For 12 servers, the Winlogbeat, Snare or NXLog Free agent solution can help you. For more servers, a managed agent solution will be helpful. You can use the one provided with your SIEM (Splunk, ArcSight...) or use NXLog Pro, which provides quite advanced features. But this depends on your requirements. In case you go with WEF/WEC, you will only need to install the agent on the WEC server.

For audit activation, be aware that Windows comes with very low logging verbosity by default. Therefore you will need to define the events you are looking for. You can find good documentation online, but you can also check this project, which provides detailed guidelines (incl. GPO). It will assist you with the settings to activate and the mapping between event IDs, MITRE TTPs and the auditing settings.

Finally, consider your scope and data sources. Are you planning to only onboard domain controllers, or servers as well (recommended)? Regarding data sources, think about your server roles (ADDS, ADCS, ADFS, OCSP, SQL Server, AOVPN, DHCP, DNS, NPS...), as they will require additional effort. Some roles also write their logs to a log file (DNS, DHCP and IIS transactions). Ensure that they are part of your coverage in case they are relevant to you.

Hope this answer will help you.
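The WEF/WEC path from the answer above, as an added PowerShell example that is not part of the answer or of its author's repository. It stands up the collector, registers one source-initiated push subscription with a focused Security/System query, shows what the source-side GPO writes, and adds a coverage check so you can tell which servers are not actually forwarding. The collector name wec01.corp.local, the subscription name, and the chosen event ID set are assumptions for illustration; run it elevated on the collector.

```powershell
# Added example, not from the answer or its author's repository. Run elevated
# on the collector. Hypothetical names: collector wec01.corp.local, subscription
# "Baseline-Security". Event IDs are standard Windows Security/System IDs:
# 1102 Security log cleared, 4624/4625 logon success/failure, 4648 explicit
# credentials, 4672 admin-equivalent logon, 4688 process creation, 4697 service
# installed, 4720 user created, 4728/4732/4756 group membership added;
# System 104 log cleared, 7045 new service.

$SubscriptionName = 'Baseline-Security'
$CollectorFqdn    = 'wec01.corp.local'

# --- Collector side ----------------------------------------------------------
# Enable the Windows Event Collector service; 'qc' also sets delayed auto-start
# and makes sure the WinRM listener it depends on exists.
wecutil qc /q

# Source-initiated, push-mode subscription. Forward a focused event set rather
# than "*" so the collector is not flooded before the SIEM exists. The SDDL
# allows Domain Computers (DC) as sources.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Baseline security events from Windows servers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=1102 or EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4688 or EventID=4697 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
    <Select Path="System">*[System[(EventID=104 or EventID=7045)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
if ((wecutil es) -contains $SubscriptionName) { wecutil ds $SubscriptionName }  # replace if present
wecutil cs $xmlPath
wecutil gs $SubscriptionName   # echo the stored subscription back for review

# --- Source side -------------------------------------------------------------
# This is what the GPO "Configure target Subscription Manager" (Computer
# Configuration > Administrative Templates > Windows Components > Event
# Forwarding) writes. Use the GPO for the fleet; this function is for testing
# one server by hand. The forwarder runs as NETWORK SERVICE, which cannot read
# the Security log by default, hence the Event Log Readers membership.
function Enable-WefSource {
    param([string]$Collector = $CollectorFqdn)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name '1' -PropertyType String -Force `
        -Value "Server=http://$($Collector):5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null
    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
    winrm quickconfig -q                          # sources connect out to the collector
    gpupdate /target:computer /force | Out-Null
}

# --- Coverage check (run on the collector) -----------------------------------
# Lists every expected server with whether it delivered anything recently.
# A source that is configured but silent is the usual failure mode (WinRM not
# running, Security log unreadable, wrong SDDL), so check this, not just "is
# the subscription active".
function Get-WefCoverage {
    param([string[]]$ExpectedServers, [int]$WithinHours = 24)
    $since = (Get-Date).AddHours(-$WithinHours)
    $seen  = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue |
             Group-Object -Property MachineName -NoElement
    foreach ($server in $ExpectedServers) {
        $count = ($seen | Where-Object { $_.Name -ieq $server } | Select-Object -First 1).Count
        [pscustomobject]@{ Server = $server; Forwarding = [bool]$count; Events = [int]$count }
    }
}

# Example use (Get-ADComputer needs the RSAT ActiveDirectory module):
# $expected = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' | Select-Object -ExpandProperty DNSHostName
# Get-WefCoverage -ExpectedServers $expected | Where-Object { -not $_.Forwarding }
```

HTTP on 5985 is acceptable inside a domain because WinRM authenticates with Kerberos and encrypts at the message level; switch to HTTPS/5986 only if you also have certificates for the collector. `wecutil gr Baseline-Security` shows the collector's own view of each source (active/inactive, last heartbeat) and is the first thing to read when Get-WefCoverage reports a silent server.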

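The audit-activation and log-sizing points from the answer above, as an added PowerShell example that is not from the answer or from the project it refers to. It defines a small advanced-audit baseline for member servers, applies it with auditpol together with the two registry switches that make it useful (advanced policy overriding the legacy one, and command line in 4688), and then verifies the result from auditpol's CSV output. The subcategory list is one reasonable starting point, not a standard; for domain-wide enforcement put the same settings in a GPO under Advanced Audit Policy Configuration.

```powershell
# Added example, not from the answer or the project it links to. Minimal
# advanced-audit-policy baseline for member servers: apply with auditpol,
# then verify. Subcategory names are the English ones auditpol prints.
# Apply via GPO (Security Settings > Advanced Audit Policy Configuration) for
# the fleet; this script is for one server. Run elevated.

$Baseline = @(
    @{ Subcategory = 'Logon';                      Success = $true; Failure = $true  }  # 4624, 4625
    @{ Subcategory = 'Logoff';                     Success = $true; Failure = $false }  # 4634, 4647
    @{ Subcategory = 'Special Logon';              Success = $true; Failure = $false }  # 4672 (admin-equivalent logon)
    @{ Subcategory = 'Process Creation';           Success = $true; Failure = $false }  # 4688
    @{ Subcategory = 'Security System Extension';  Success = $true; Failure = $false }  # 4697 (service installed)
    @{ Subcategory = 'Other Object Access Events'; Success = $true; Failure = $false }  # 4698 (scheduled task created)
    @{ Subcategory = 'User Account Management';    Success = $true; Failure = $true  }  # 4720, 4726, 4738
    @{ Subcategory = 'Security Group Management';  Success = $true; Failure = $true  }  # 4728, 4732, 4756
    @{ Subcategory = 'Audit Policy Change';        Success = $true; Failure = $true  }  # 4719
    @{ Subcategory = 'Security State Change';      Success = $true; Failure = $false }  # 4608, 4616
)
# Deliberately left out: 'Sensitive Privilege Use' and 'Filtering Platform
# Connection' are useful but very noisy; size the pipeline before enabling them.

function Set-AuditBaseline {
    param([hashtable[]]$Entries = $Baseline)
    # Make the subcategory (advanced) policy win over the legacy 9-category one.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'SCENoApplyLegacyAuditPolicy' -PropertyType DWord -Value 1 -Force | Out-Null
    # 4688 without the command line is of little investigative value.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $k -Force | Out-Null
    New-ItemProperty -Path $k -Name 'ProcessCreationIncludeCmdLine_Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    foreach ($e in $Entries) {
        $s = if ($e.Success) { 'enable' } else { 'disable' }
        $f = if ($e.Failure) { 'enable' } else { 'disable' }
        auditpol /set "/subcategory:$($e.Subcategory)" "/success:$s" "/failure:$f" | Out-Null
    }
    # Raise the Security log to 1 GiB so a burst is not overwritten before it is forwarded.
    wevtutil sl Security /ms:1073741824
}

function Test-AuditBaseline {
    param([hashtable[]]$Entries = $Baseline)
    # auditpol /r emits CSV with an 'Inclusion Setting' column; drop any non-CSV lines.
    $current = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    foreach ($e in $Entries) {
        $expected = switch ("$($e.Success)$($e.Failure)") {
            'TrueTrue'  { 'Success and Failure' }
            'TrueFalse' { 'Success' }
            'FalseTrue' { 'Failure' }
            default     { 'No Auditing' }
        }
        $row    = $current | Where-Object { $_.Subcategory -eq $e.Subcategory } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'SUBCATEGORY NOT FOUND' }
        [pscustomobject]@{
            Subcategory = $e.Subcategory
            Expected    = $expected
            Actual      = $actual
            Compliant   = ($actual -eq $expected)
        }
    }
}

Set-AuditBaseline
# Anything listed here was not applied (typo in a name, GPO overriding, etc.).
Test-AuditBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

On domain controllers add the DC-only subcategories ('Credential Validation' for 4776, 'Kerberos Authentication Service' for 4768/4771, 'Directory Service Changes' for 5136) and remember that 4740 lockouts are written on the DC, not on the server where the failures happened. Re-run Test-AuditBaseline after the first GPO refresh: a domain policy that sets the same subcategories differently will silently win over the local auditpol call.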