The main idea of this project is to help companies that don't want to spend a lot of money on log centralization solutions. Most of this can be accomplished using default tools in Windows.
A newer version of this project is available at: https://github.com/ClaudioMerola/HFServerEventsV2
The newer version is powered by Windows Server + Elasticsearch, Kibana and WinLogBeat. All open source and free.
This is the v1 of this project and I’m just using Windows Server and SQL Server.
The final result is the set of web reports created in Reporting Services. On the local server the script performs the following steps:
- Configure and enable WinRM and Event Collector Service
- Create the Event Forward Subscription
- Configure all the Domain Controllers to forward the events to this server
- Increase the maximum size of the Forwarded Events log to 1 GB*
- Create a local group named: "HF Event Report Viewer"
- Create the SQL Server database and tables
- Configure the SQL Server's Full Text Search
- Configure a Scheduled Task to Synchronize the Forwarded Events with the SQL Server Database (hourly)
- Configure the Reporting Services
- Create and import the Reporting Services Reports
- Configure the Reporting Services Permissions (to give permissions to more users just add them to the Windows "HF Event Report Viewer" local group)
\* The Forwarded Events log is set to 1 GB because that is the size PowerShell can still manage easily; it holds about 250,000 events. A larger log can become too heavy for PowerShell to process in less than 15 minutes (the timeout set in the DB sync script).
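The hourly "synchronize Forwarded Events with SQL Server" task is the part of the design that the 1 GB / 15-minute limits above constrain, so here is an added example of how such a sync can be written so it stays inside that budget. It is not the project's own sync script. It assumes a database `HFEvents` with a table `dbo.ForwardedEvents` (columns `RecordId`, `TimeCreated`, `Computer`, `EventId`, `Level`, `Provider`, `Message`) and a single-row watermark table `dbo.SyncState(LastRecordId)`; none of those names come from the project.

```powershell
# Added example, not the project's own sync script: incremental, time-boxed copy of the
# ForwardedEvents log into SQL Server, the job the hourly scheduled task performs.
# Assumed schema (not taken from the project):
#   dbo.ForwardedEvents(RecordId bigint, TimeCreated datetime2, Computer nvarchar(255),
#                       EventId int, Level nvarchar(50), Provider nvarchar(255), Message nvarchar(max))
#   dbo.SyncState(LastRecordId bigint)   -- single-row watermark table
param(
    [string]$SqlInstance       = 'localhost',
    [string]$Database          = 'HFEvents',
    [int]   $BatchSize         = 5000,
    [int]   $TimeBudgetMinutes = 14      # stop before the task's 15-minute timeout
)

$deadline = (Get-Date).AddMinutes($TimeBudgetMinutes)
$conn = New-Object System.Data.SqlClient.SqlConnection `
    "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI"
$conn.Open()
$cmd = $conn.CreateCommand()

# Watermark: highest EventRecordID already stored, so each run reads only new events.
$cmd.CommandText = 'SELECT ISNULL(MAX(LastRecordId), 0) FROM dbo.SyncState'
[long]$lastId = $cmd.ExecuteScalar()

# Staging table whose columns mirror dbo.ForwardedEvents for SqlBulkCopy.
$table = New-Object System.Data.DataTable
[void]$table.Columns.Add('RecordId',    [long])
[void]$table.Columns.Add('TimeCreated', [datetime])
[void]$table.Columns.Add('Computer',    [string])
[void]$table.Columns.Add('EventId',     [int])
[void]$table.Columns.Add('Level',       [string])
[void]$table.Columns.Add('Provider',    [string])
[void]$table.Columns.Add('Message',     [string])

$bulk = New-Object System.Data.SqlClient.SqlBulkCopy $conn
$bulk.DestinationTableName = 'dbo.ForwardedEvents'
$bulk.BulkCopyTimeout = 300

$copied = 0
do {
    # Oldest-first batches above the watermark keep memory flat and make a partial run resumable.
    $batch = @(Get-WinEvent -LogName ForwardedEvents -Oldest -MaxEvents $BatchSize `
                 -FilterXPath "*[System[EventRecordID > $lastId]]" -ErrorAction SilentlyContinue)
    if ($batch.Count -eq 0) { break }

    foreach ($ev in $batch) {
        $row = $table.NewRow()
        $row['RecordId']    = $ev.RecordId
        $row['TimeCreated'] = if ($ev.TimeCreated) { $ev.TimeCreated } else { [DBNull]::Value }
        $row['Computer']    = [string]$ev.MachineName
        $row['EventId']     = $ev.Id
        $row['Level']       = [string]$ev.LevelDisplayName
        $row['Provider']    = [string]$ev.ProviderName
        $row['Message']     = [string]$ev.Message   # rendered text when the subscription forwards RenderedText
        $table.Rows.Add($row)
    }
    $bulk.WriteToServer($table)
    $copied += $table.Rows.Count
    $table.Clear()

    # Persist the watermark after every batch: an interrupted run resumes instead of duplicating rows.
    $lastId = $batch[-1].RecordId
    $cmd.CommandText = 'UPDATE dbo.SyncState SET LastRecordId = @id;
                        IF @@ROWCOUNT = 0 INSERT dbo.SyncState (LastRecordId) VALUES (@id);'
    $cmd.Parameters.Clear()
    [void]$cmd.Parameters.AddWithValue('@id', $lastId)
    [void]$cmd.ExecuteNonQuery()
} while ($batch.Count -eq $BatchSize -and (Get-Date) -lt $deadline)

$conn.Close()
Write-Output "Copied $copied events; watermark now at record $lastId"
```

Two design points matter here: the watermark is written after every batch, not once at the end, so a run that is killed by the task timeout never re-inserts the events it already copied; and the loop checks the deadline after each batch rather than trusting the whole log to fit in 15 minutes, which is exactly what fails once the log grows past the size the note above recommends.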
On each Domain Controller the script will:
- Add a registry key on all your Domain Controllers (pointing them at the centralized event server)
- Configure WinRM on all your Domain Controllers (this is a default pre-requisite for event forwarding to work)
- Configure the Event Forwarding service on all your Domain Controllers
- Add the account "NETWORK SERVICE" to the domain group "Event Log Readers"
Note: the forwarded events are selected based on Microsoft's list of best-practice events to monitor.
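The two lists above describe both halves of a Windows Event Forwarding (WEF) setup: the collector side (WinRM, the Event Collector service, the subscription, the 1 GB log, the local group) and the source side on every Domain Controller (the SubscriptionManager registry policy, WinRM, the forwarder, and NETWORK SERVICE in "Event Log Readers"). The following is an added example that carries those steps out with the built-in tools; it is not the project's own script. It assumes PowerShell remoting is already enabled on the DCs (the default on Windows Server 2012 and later) and that the ActiveDirectory module is installed on the collector; the collector FQDN, the reuse of `HFEventServer-DCEssentials` as the subscription name, and the event IDs in the query are assumptions and a constructed sample, not the project's actual selection.

```powershell
# Added example, not the project's own script: end-to-end WEF configuration for the
# layout described above. Part 1 runs on the collector; Part 2 is pushed to every DC.
$Collector = 'collector.corp.example'   # assumption: replace with your collector's FQDN

# ---- Part 1: collector --------------------------------------------------------
winrm quickconfig -q     # WinRM listener on TCP 5985, the port the requirements table lists
wecutil qc /q            # enable and start the Windows Event Collector service

# Source-initiated subscription: Domain Controllers (well-known SID alias "DC" in the
# SDDL below) push the selected Security events. Event IDs are a constructed sample:
# 4720/4726 user created/deleted, 4728/4732/4756 member added to a privileged group,
# 4740 account lockout, 1102 audit log cleared.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>HFEventServer-DCEssentials</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Essential Domain Controller security events (constructed sample)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4720 or EventID=4726 or EventID=4728 or EventID=4732 or EventID=4756 or EventID=4740 or EventID=1102)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'HFEventServer-DCEssentials.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath

# Cap ForwardedEvents at 1 GB (value in bytes), the size the note above recommends.
wevtutil sl ForwardedEvents /ms:1073741824

# Local group that the Reporting Services permissions are granted to.
net localgroup "HF Event Report Viewer" /add

# ---- Part 2: every Domain Controller ------------------------------------------
$dcs     = (Get-ADDomainController -Filter *).HostName
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$manager = "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"

Invoke-Command -ComputerName $dcs -ArgumentList $regPath, $manager -ScriptBlock {
    param($regPath, $manager)
    winrm quickconfig -q    # WinRM is the transport the forwarder uses (idempotent if already set)

    # Registry policy that points the DC at the collector; this is the value the
    # "Configure target Subscription Manager" group policy would write.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name '1' -Value $manager -PropertyType String -Force | Out-Null

    # The forwarder runs inside the WinRM service and reads the policy at start-up.
    Restart-Service WinRM

    # Let the forwarder's NETWORK SERVICE account read the Security log. On a DC the
    # built-in "Event Log Readers" group is domain-wide, so net localgroup targets it.
    net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
}
```

Afterwards `wecutil gr HFEventServer-DCEssentials` on the collector lists each DC as an active source once its forwarder has checked in (the `Refresh=60` in the manager string is the check-in interval in seconds), which is the quickest way to confirm that a DC is actually forwarding rather than merely configured.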
The script must be run with the following requirements in place:

| Requirement | Description |
|---|---|
| Windows Server | Tested on Windows Server 2012 and Windows Server 2019 |
| SQL Server | SQL Server 2014 was the only version tested |
| Domain Account | Must have rights to connect remotely and create registry keys on the Domain Controllers |
| TCP 5985 | Default event forwarding (WinRM over HTTP) port |
The SQL Server installation needs little configuration beyond the features listed below:
- Database Engine Services
- Full-Text and Semantic Extractions for Search
- Reporting Services - Native
- Management Tools - Complete
Just use the default "Install and configure" option.
During the installation, just add the account running the setup as SQL Server Administrator:
If everything runs correctly, the following should have been configured automatically on the local server:
A local group named "HF Event Report Viewer" must now exist:
The folders C:\EvtHF and C:\EvtHF\Reports were created and the following files should be in them:
The forwarding Subscriptions were created:
The Scheduled Task "HFEventServer\HFEventServer-DCEssentials" was created:
You can browse to http://HOSTNAME_OF_YOUR_SERVER/Reports, where the folder "HF Event Reports" will be present with the two default reports:
To give more users access to the reports, just add them to the local group "HF Event Report Viewer":
In some environments it is necessary to open Internet Explorer elevated (Run as Administrator) to see the folder and reports correctly.