If you are looking to set up Windows Event Collection (WEC), also known as Windows Event Forwarding (WEF), this guide covers the setup that enables centralized collection of event logs from multiple Windows computers. It covers both HTTP (basic) and HTTPS (secure) implementations using the collector-initiated (pull) method, which is the recommended approach.
Prerequisites
- Windows Server (for WEC server)
- Domain-joined computers
- Administrative access
- Network connectivity between collector and source computers
- Certificate Authority (for HTTPS implementation)
Protocol Options
HTTP (Recommended for Domain Environments)
- Uses port 5985
- Secured by Kerberos authentication
- Lower overhead
- Simpler configuration
HTTPS (For High-Security Requirements)
- Uses port 5986
- Requires certificate infrastructure
- Additional security layer
- Higher overhead
WEC Server Setup
Complete this section on the WEC server only; the source computers are configured later in this guide. The steps also need to be completed in the order given.
We first need to enable Windows Remote Management
winrm quickconfig
Next, we need to configure the Windows Event Collector service to start automatically and start it (note the space after `start=`, which sc.exe requires):
sc config wecsvc start= auto
net start wecsvc
We now need to add the Windows Event Collection (WEC) server's computer account to the Event Log Readers group:
Add-ADGroupMember -Identity "Event Log Readers" -Members "<wecserver>"
HTTP Listener Configuration
Finally, we need to configure the WinRM HTTP listener:
winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="5985"}
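As an added example that is not part of the original guide, the collector-side steps above can be run as one script that also verifies the result before you move on. It assumes an elevated PowerShell session on the WEC server and the RSAT ActiveDirectory module for the group membership step; the only hostnames used come from the environment.

```powershell
# Added example, not from the original guide. Run elevated on the WEC server.

# 1. WinRM: quickconfig starts the service, creates the HTTP listener on 5985
#    and adds the firewall exception; -q suppresses the interactive prompts.
winrm quickconfig -q

# 2. Windows Event Collector service: start automatically, and start it now.
Set-Service -Name wecsvc -StartupType Automatic
Start-Service -Name wecsvc

# 3. Event Log Readers membership for the collector's computer account.
#    Resolving the computer object first avoids having to spell the SAM
#    account name with its trailing '$'. Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$collector = Get-ADComputer -Identity $env:COMPUTERNAME
$alreadyMember = Get-ADGroupMember -Identity 'Event Log Readers' |
    Where-Object { $_.SID -eq $collector.SID }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity 'Event Log Readers' -Members $collector
}

# 4. Verification: both services running, and an HTTP listener on 5985.
$services = Get-Service -Name WinRM, wecsvc
$stopped = $services | Where-Object { $_.Status -ne 'Running' }
if ($stopped) { throw "Not running: $($stopped.Name -join ', ')" }

$httpListener = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Select-Object -First 1
if (-not $httpListener) { throw 'No WinRM HTTP listener found' }
$port = (Get-Item -Path "WSMan:\localhost\Listener\$($httpListener.Name)\Port").Value
if ($port -ne '5985') { throw "HTTP listener is on port $port, expected 5985" }

# 5. Local WS-Management round trip using Kerberos (current domain account,
#    no explicit credential), which is what the HTTP transport relies on.
Test-WSMan -ComputerName $env:COMPUTERNAME -Authentication Default |
    Select-Object wsmid, ProductVersion
Write-Host 'Collector services and HTTP listener are ready.'
```

The script throws at the first failed check so that a half-configured collector is noticed before the subscription is created.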
Optional Certificate Configuration for HTTPS
Note: If you are not using HTTPS you can skip ahead to the Configure Firewall section.
If you have opted for HTTPS, there is a fair amount of overhead in creating the certificates, and remember that they need to be renewed: the listener will not work with an expired certificate. If you choose this route, let's start by creating the CSR (Certificate Signing Request).
This requires an .inf file containing all the attributes and extensions the certificate needs. The subject and DNS names shown below (WECServer.bear.local and WECSERVER) will need to be updated for your environment:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=WECServer.bear.local"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=WECServer.bear.local&"
_continue_ = "dns=WECSERVER&"
Save this file as WinRMCert.inf. Next we generate and process the certificate request, which produces a CSR file:
Generate and process CSR
certreq -new WinRMCert.inf WinRMCert.req
Submit CSR to certificate authority
We now need to submit that CSR to an Enterprise CA (the -config value is in the form CAServer\CAName):
certreq -submit -config "crtmgr1.bear.local\Honeypot" WinRMCert.req WinRMCert.cer
Install certificate
certreq -accept WinRMCert.cer
Configure HTTPS Listener
First, we need to get the thumbprint of the newly created certificate for the following command:
$Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*WECServer*"}).Thumbprint
Create HTTPS listener
We now need to configure WinRM with that certificate
New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Transport="HTTPS"; Address="*"} -ValueSet @{Hostname="YourWECServer.yourdomain.com"; CertificateThumbprint=$Thumbprint}
Configure Firewall
We now need to add an inbound firewall rule permitting traffic on this port, using the following command from PowerShell:
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP
Create Subscription
Now we need to create the subscription. This brings us back to the graphical user interface and requires Event Viewer:
- Open Event Viewer
- Right-click "Subscriptions" → "Create Subscription"
- Configure:
  - Name your subscription (here I have used "wecmanager")
  - Select "Collector Initiated"
  - Add source computers
  - Choose events to collect
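The same subscription can also be created from the command line, which is easier to version and to reproduce on a second collector. The following is an added example, not from the original guide: a subscription XML definition for the collector-initiated "wecmanager" subscription together with the wecutil call that imports it. The source names (source1.bear.local, source2.bear.local) and the event IDs in the query are constructed for the example and should be adjusted to your environment.

```powershell
# Added example, not from the original guide. Run elevated on the WEC server.
# Creates the collector-initiated subscription "wecmanager" from an XML
# definition instead of the Event Viewer wizard.

$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>wecmanager</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon and process events from domain servers (constructed example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Pull">
    <!-- Batching values are in milliseconds / items: deliver up to 5000
         events per batch, or whatever has accumulated after 15 minutes -->
    <Batching>
      <MaxItems>5000</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <!-- Constructed query: logons, failed logons, process creation, and
       critical/error System events. Narrow queries are the biggest
       bandwidth saving you can make. -->
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]</Select>
        </Query>
        <Query Id="1" Path="System">
          <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <TransportPort>5985</TransportPort>
  <!-- RenderedText carries the message text; Events is smaller but needs the
       publishers' message files on the collector to render -->
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>source1.bear.local</Address></EventSource>
    <EventSource Enabled="true"><Address>source2.bear.local</Address></EventSource>
  </EventSources>
</Subscription>
'@

$path = Join-Path $env:TEMP 'wecmanager.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

# Import the definition, then print back what the collector stored
wecutil cs $path
wecutil gs wecmanager
```

Keeping the definition in source control means the query, the batching values and the source list are reviewable changes rather than clicks in a wizard.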
Optimization Settings (Recommended)
Bandwidth optimization
Optimizing bandwidth is key to minimizing network load, and it is good housekeeping to limit the amount of data sent between the servers, especially when the sources log a lot of data. We need to go back to the shell to run this command:
wecutil ss "wecmanager" /cm:custom /mt:5000 /hi:900
Performance settings
Just as important as optimizing network bandwidth, the same should be done for the WinRM service, which can be accomplished with the following commands:
winrm set winrm/config @{MaxEnvelopeSizekb="2048"}
winrm set winrm/config/service @{MaxConcurrentOperationsPerUser="4096"}
Source Computer Configuration
The commands above have focused on the WEC server. We also need to run the commands below on every targeted server, which is referred to as the source computer (this is where the events are pulled from):
winrm quickconfig
Enable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"
Optional: For HTTPS configuration
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "WECServer.bear.local"
Test Port Connectivity
Please use the correct check for your requirements!
HTTP: Test-NetConnection -ComputerName <source_computer> -Port 5985
HTTPS: Test-NetConnection -ComputerName <source_computer> -Port 5986
Troubleshooting 🔫
Get-Service WinRM
Get-NetConnectionProfile
Get-NetFirewallRule -DisplayName "Windows Remote Management*" | Select DisplayName, Enabled, Profile
Certificate Troubleshooting 😈
Verify certificate chain
certutil -verify YourWECServer.cer
Check certificate permissions
# Locate the listener certificate and the file that holds its private key
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*YourWECServer*"}
$keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)"
# Grant NETWORK SERVICE (the account WinRM runs as) read access to the key file
$acl = Get-Acl $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\NETWORK SERVICE","Read","Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl
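Most HTTPS listener failures come down to a handful of certificate conditions, and the section above notes that an expired certificate is one of them. The following is an added example, not from the original guide, that checks for these conditions in one pass: expiry (with a renewal warning), the Server Authentication EKU the INF requested, a SAN that covers the listener hostname, presence of the private key, chain validation, and whether the WinRM HTTPS listener is actually bound to this certificate's thumbprint. The hostname is the guide's placeholder WECServer.bear.local and is an assumption to adjust.

```powershell
# Added example, not from the original guide. Run elevated on the WEC server.

$Hostname = 'WECServer.bear.local'   # assumed; must match the listener Hostname and the SAN

function Test-WecHttpsCertificate {
    param([string]$Hostname)

    # Newest certificate whose subject is the collector's name
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Hostname*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return @("no certificate with CN=$Hostname in LocalMachine\My") }

    $problems = @()
    $now = Get-Date

    # Expiry: an expired certificate silently breaks the listener, so warn early
    if ($cert.NotAfter -lt $now) {
        $problems += "expired on $($cert.NotAfter)"
    } elseif ($cert.NotAfter -lt $now.AddDays(30)) {
        $problems += "expires within 30 days ($($cert.NotAfter)); renew now"
    }

    # Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1 (as requested in the INF)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')) {
        $problems += 'missing Server Authentication EKU'
    }

    # SAN (2.5.29.17) must list the hostname the listener is configured with
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch "DNS Name=$([regex]::Escape($Hostname))") {
        $problems += "SAN does not contain $Hostname"
    }

    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # Chain validation against the machine's trusted roots and intermediates
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        $problems += "chain does not validate: $status"
    }

    # The HTTPS listener must reference exactly this thumbprint
    $https = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
    if (-not $https) {
        $problems += 'no WinRM HTTPS listener configured'
    } else {
        $bound = (Get-Item -Path "WSMan:\localhost\Listener\$($https.Name)\CertificateThumbprint").Value -replace '\s', ''
        if ($bound -ne $cert.Thumbprint) {
            $problems += "listener bound to $bound, newest certificate is $($cert.Thumbprint)"
        }
    }

    return $problems
}

$issues = Test-WecHttpsCertificate -Hostname $Hostname
if ($issues.Count -eq 0) {
    Write-Host "HTTPS certificate for $Hostname looks healthy"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

The thumbprint comparison is the one that catches a renewed certificate: after renewal the store holds a valid new certificate while the listener still points at the old one until it is re-bound.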
Maintenance and Monitoring
wecutil gs "wecmanager"
Get-Counter '\Windows Event Collector Service\Events Processed'
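A subscription can report as active while an individual source has gone quiet, which is what you most want to know about in day-to-day monitoring. The following is an added example, not from the original guide: it reads the sources configured in the subscription and reports which of them have delivered nothing to ForwardedEvents within a time window. The subscription name "wecmanager" is the one used in this guide; the window length is an arbitrary default.

```powershell
# Added example, not from the original guide. Run on the WEC server.
# Reports which configured sources have not delivered any event to
# ForwardedEvents within the last $WindowMinutes.

function Get-WecSourceHealth {
    param(
        [string]$SubscriptionName = 'wecmanager',
        [int]$WindowMinutes = 60
    )

    # Sources as stored in the subscription; wecutil gs /f:xml prints the definition
    [xml]$definition = (wecutil gs $SubscriptionName /f:xml) -join "`n"
    $sources = @($definition.Subscription.EventSources.EventSource |
        ForEach-Object { $_.Address.ToLower() })

    # Events that actually arrived in the window, counted per forwarding machine.
    # MachineName is the name the source reports about itself, so the
    # subscription should list sources by the same (normally FQDN) name.
    $since = (Get-Date).AddMinutes(-$WindowMinutes)
    $seen = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $machine = $_.MachineName.ToLower()
            if (-not $seen.ContainsKey($machine)) { $seen[$machine] = 0 }
            $seen[$machine]++
        }

    foreach ($source in $sources) {
        $count = if ($seen.ContainsKey($source)) { $seen[$source] } else { 0 }
        [pscustomobject]@{
            Source     = $source
            EventsSeen = $count
            Status     = if ($count -gt 0) { 'OK' } else { "silent for $WindowMinutes min" }
        }
    }
}

Get-WecSourceHealth -SubscriptionName 'wecmanager' -WindowMinutes 60 | Format-Table -AutoSize
```

A source that is "silent" but reachable (see the Test-NetConnection checks above) usually means its query matches nothing, its WinRM service has stopped, or the collector's account has lost Event Log Readers membership on it.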