Have you ever wonder to forward windows event logs to a Splunk instance without need of mass deploying universal forwarder on every single host? This might be a solution for you! What we’re gonna do is centralize all the logs first with Windows Event Collector, then forward them with just a universal forwarder which will also be installed on the same server. So, let’s get started.

Prerequisite:

  1. Windows Event Forwarding Server
    • Windows Server 2012 and above (or Windows 10, extra configuration is required)
    • 16GB of RAM or more for 2000 clients
    • CPU with 4 or more core for 2000 clients
    • Log size for each client is about 700MB per day with advanced audit configured (log ingested to Splunk won’t be so big)
    • SSD is recommended

  2. Client(s)
    • Windows 7 and above (lower versions are not tested)
    • Windows Server 2012 and above (lower versions are not tested)

Step 1: Setup Source Initiated Subscription for Windows Event Forwarding

  1. Configure GPO
    • Allow network access to Security Events on all clients

      Computer Configuration –> Administrative Templates –> Windows Components –> Event Log Service –> Security –> Configure Log Access –> Enabled –> O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)

    • Enable WinRM on both WEF server and clients (ensure WinRM is set up in best practice)

      Computer Configuration –> Administrative Templates –> Windows Components –> Windows Remote Management (WinRM) –> WinRM Service –> Enabled

    • Enable event forwarding subscription for all clients

      Computer Configuration –> Administrative Templates –> Windows Components –> Event Forwarding –> Configure Target Subscription Manager –> Enabled –> Server=http://:5985/wsman/SubscriptionManager/WEC,Refresh=60

  2. Create a Windows Event Forwarding Subscription

    Event Viewer –> Subscriptions –> Create Subscription –> Source initiated –> (Your Preferences) –> Apply –> OK

    My preferences:

    Application,
    Security,
    Setup,
    System,
    Microsoft-Windows-AppLocker/EXE and DLL,
    Microsoft-Windows-AppLocker/MSI and Script,
    Microsoft-Windows-AppLocker/Packaged app-Deployment,
    Microsoft-Windows-AppLocker/Packaged app-Execution,
    Microsoft-Windows-PowerShell/Admin,
    Microsoft-Windows-PowerShell/Operational,
    Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin,
    Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational,
    Microsoft-Windows-SMBClient/Security,
    Microsoft-Windows-TaskScheduler/Maintenance,
    Microsoft-Windows-TerminalServices-LocalSessionManager/Admin,
    Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,
    Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin,
    Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational,
    Microsoft-Windows-Windows Remote Management/Operational,
    Microsoft-Windows-WMI-Activity/Operational,
    Windows PowerShell
    19-21,576-578,1102,4104,4624,4625,4648,4672,4688,4697-4699,4700-4702,4722,4738,4740,4768,4769,4776-4779,5140,5145

Step 2: Configure Splunk Indexer Prepare to Receive Logs from Windows Event Forwarding Server

  1. Log on to your Splunk Indexer
  2. Configure listen port on 9997(can be any unused port)

    Settings –> Forwarding and receiving –> Configure receiving –> New Receiving Port –> 9997

  3. The port now should be enabled

Step 3: Install Splunk Universal Forwarder on Windows Event Forwarding Server

  1. Get to your Windows Event Forwarding Server
  2. Download and install Splunk Universal Forwarder here
  3. During installation, either Local System, Domain Account, or Virtual Account will work, it requires local administrator rights to access those logs
  4. You need at least select all the Windows Event Logs types for it to works
  5. In my environment, I don’t use Deployment Server so I’ll just configure Receiving Indexer port as 9997 that we set on previous step
  6. Once the installation is completed, Splunk Universal Forwarder will start forwarding the event logs to your indexer automatically

Final Step: Check Your Splunk Data Ingestion

  1. Return to your Splunk Indexer
  2. Use the Search & Reporting app to ensure your Windows Event Logs are being ingested

Further Reading…

Filtering Unimportant/Unnecessary Windows Events from Splunk