Sending Logs to Microsoft Sentinel Using Windows Log Forwarding

I am not a fan of agents on machines. Agents consume resources and time, and they need to be updated. The Microsoft AMA or OMS agents are lightweight and easy to install, but both take time to deploy and valuable resources to maintain.

Microsoft has long supported sending the event logs of Windows servers and workstations to a central log collection server. Microsoft calls it a Windows Event Collection (WEC) server.

WEC is fairly easy to set up. You configure Group Policy so that machines register with a WEC server. You can then create subscriptions for the types of events you would like to forward. The Microsoft article "Use Windows Event Forwarding to help with Intrusion Detection" is a great guide on how to set up WEC.

If you manage numerous servers and workstations, one of the things that is difficult to keep track of is applications crashing. Using Windows Event Forwarding and this query from my GitHub site, you can collect those events.

If you have implemented Windows ASR rules, you should first place them into audit mode to gauge the impact on your environment. The issue with audit mode is that you need to dig into the event logs to discover what would be blocked and whether you need to create an exception. It also works great when you are rolling out a new software package and want to see whether ASR rules are getting in the way. You can use this WEC rule to collect the ASR events.

I wrote a PowerShell script that sends a daily email report of crashing software and ASR rule audits and blocks. It is a very simple and effective way to ensure that ASR rules are not impacting your end users and that you don't have misbehaving software. We have discovered misconfigured software, and software negatively impacted by a Windows patch, using this method.
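As an added illustration of the crash and ASR reporting described above (this is not the author's script), the following PowerShell reads the forwarded events on a WEC server and builds a daily summary. It assumes the subscriptions deliver to the default ForwardedEvents log, and the SMTP server and addresses are placeholders to replace for your environment.

```powershell
# Added example: summarise forwarded application-crash and ASR events on a WEC server.
# Assumes subscriptions write to 'ForwardedEvents'; mail settings below are placeholders.
param(
    [int]$Days = 1,
    [string]$SmtpServer = 'smtp.example.invalid',   # placeholder
    [string]$From       = 'wec-report@example.invalid',  # placeholder
    [string]$To         = 'secops@example.invalid'   # placeholder
)

$since = (Get-Date).AddDays(-$Days)

# Application crashes (source 'Application Error', ID 1000) and hangs ('Application Hang', ID 1002).
$crashes = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Application Error', 'Application Hang'
    Id           = 1000, 1002
    StartTime    = $since
}

# Defender ASR events: 1121 = rule blocked an action, 1122 = rule hit in audit mode.
$asr = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-Windows Defender'
    Id           = 1121, 1122
    StartTime    = $since
}

$lines = @("WEC daily report for events since $since", '')
$lines += 'Application crashes/hangs by host and program:'
# The first event property of ID 1000/1002 is the faulting or hanging program name.
$lines += $crashes | Group-Object { '{0} :: {1}' -f $_.MachineName,
        $(if ($_.Properties.Count) { $_.Properties[0].Value } else { '(unknown)' }) } |
    Sort-Object Count -Descending |
    ForEach-Object { '  {0,4}  {1}' -f $_.Count, $_.Name }
$lines += ''
$lines += 'ASR rule hits by host and event ID (1121 = blocked, 1122 = audit):'
$lines += $asr | Group-Object { '{0} :: {1}' -f $_.MachineName, $_.Id } |
    Sort-Object Count -Descending |
    ForEach-Object { '  {0,4}  {1}' -f $_.Count, $_.Name }

$body = $lines -join "`n"
Write-Output $body

# Only send mail when there is something to report.
if ($crashes -or $asr) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "WEC daily report $(Get-Date -Format yyyy-MM-dd)" -Body $body
}
```

Schedule it with Task Scheduler on the WEC server once a day; a sudden spike in 1122 events for one rule after a software rollout is the signal that the rule needs an exclusion before you switch it to block mode.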

With Microsoft Sentinel, collecting Windows events used to require installing an agent on every machine. With the introduction of the agent for WEC servers, this is no longer necessary. You create a Group Policy that automatically registers servers or workstations with the WEC server, set up subscriptions to collect the events you want, and they flow automatically to Microsoft Sentinel. The reason a special agent is needed is that all events land in the Windows Event Forwarding log, which the standard agent does not understand and has trouble parsing.

I would document the steps on configuring WEC and Microsoft Sentinel, but Microsoft has already done an excellent job in this blog post.

I recommend installing agents on domain controllers and on servers that are not part of an Active Directory domain. The events I want to collect from domain controllers differ from those of a standard server. I could create rules on the WEC server to collect these events, but that is extra load on that server, and I feel it is better to collect them with the native AMA agent.

If you are looking for a guide to which events to collect on servers and workstations, I suggest following the MITRE ATT&CK matrix; it has a great list of events you should be collecting. This is another great guide to help create the data collection rules on a WEC server.

Final Thoughts

If you are looking for an easy, automated way to ensure that you are sending logs to the Microsoft Sentinel SIEM, this is a very good way to accomplish that goal. As I advance in my career, I like to work smarter, not harder, and I like to automate as much as I can to take out the human error and boring low-level work.

Happy hunting, and hopefully this saves you some time and provides better visibility and security for your Windows assets.

TBJ Consulting