Consolidating Windows domains
WEF has been around for quite some time, but many people do not realize that log consolidation capability is built into Windows and does not use an agent on the endpoint. The forwarded event traffic can be encrypted and use HTTPS if desired. There were a few really good guides that already exist (mentioned in the reference links), but they did not get me completely over the hump to getting WEF completely functional.

You will likely be prompted to start and auto-configure the Windows Event Collector service. This will also result in a Service Principal Name being registered for Kerberos authentication. If you are using an existing server and it has an HTTP SPN already registered, WEF will not work unless you remove the existing one. If you're using a new system, you probably will not have to worry about it. If during setup you are having issues and need to check SPN registration, you can do so with:

To enable Windows Remote Management to start on boot, in the Group Policy Management Editor select Computer Configuration … Service.

Allow Local Network Service to Access Local Event Logs via GPO

The local system that will be forwarding the logs to the central WEF server will need to have the Network Service account granted access to read event logs.

Create a Test Subscription on Collector server

Create a domain security group for the endpoints that you wish to monitor and place the target systems in the group. Alternatively, you could just use "Domain Computers" if you are in a testing environment. Otherwise, using all computers in your environment to initially set up may not be the best idea.

Right-click on Subscriptions and select "Create Subscription". For the Subscription Name enter "Security Log Cleared". Select the radio button for "Source computer initiated" and select "Select Computer Groups…".
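An added readiness check (example code written for this page, not from the original guide) that confirms the prerequisites the steps above depend on: the collector's HTTP SPN and which account owns it, the WinRM start-up type, Network Service's read access to the Security log, and, on the collector, the runtime state of the subscription. The collector FQDN is a placeholder; the subscription name is the one used in the guide.

```powershell
# Added example (not from the original guide): verify WEF prerequisites.
# Run in an elevated PowerShell on the collector or on a forwarding endpoint.
param(
    [string]$CollectorFqdn    = "collector.example.local",   # placeholder, replace
    [string]$SubscriptionName = "Security Log Cleared"
)

# 1. Kerberos SPN. The collector needs an HTTP SPN owned by its own computer
#    account; setspn -Q lists the owning object (CN=...) and then the SPNs,
#    and prints "Existing SPN found!" if the SPN is registered anywhere.
if (Get-Command setspn -ErrorAction SilentlyContinue) {
    $spn = setspn -Q "HTTP/$CollectorFqdn"
    if ($spn -match 'Existing SPN found') {
        Write-Output "HTTP/$CollectorFqdn is registered; owner(s):"
        $spn | Where-Object { $_ -match '^\s*CN=' } |
            ForEach-Object { Write-Output "  $($_.Trim())" }
        Write-Output "  (an owner other than the collector's computer account is the conflict described above)"
    } else {
        Write-Output "No HTTP SPN for $CollectorFqdn yet (normal before the collector is configured)"
    }
}

# 2. WinRM must run at boot for source-initiated forwarding to work.
$winrm = Get-Service -Name WinRM
Write-Output "WinRM: status=$($winrm.Status) startType=$($winrm.StartType) (expected Running / Automatic)"

# 3. Network Service read access on the Security log. The channelAccess SDDL
#    must carry an allow ACE for NS (S-1-5-20); the GPO in the guide adds it.
$sddl = (wevtutil gl Security | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
if ($sddl -match '\(A;;[^;]+;;;(NS|S-1-5-20)\)') {
    Write-Output "Security log ACL grants Network Service access: $($Matches[0])"
} else {
    Write-Output "Security log ACL has no Network Service ACE; forwarding from this host will fail"
}

# 4. On the collector: is the subscription defined, and which sources are active?
if (Get-Command wecutil -ErrorAction SilentlyContinue) {
    $subs = wecutil es 2>$null
    if ($subs -contains $SubscriptionName) {
        wecutil gr $SubscriptionName    # per-source Active/Inactive and last heartbeat
    } else {
        Write-Output "Subscription '$SubscriptionName' not present here (expected only on the collector)"
    }
}
```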