logs – SGBox Next Generation SIEM & SOAR https://www.sgbox.eu Next Generation SIEM & SOAR Tue, 06 Aug 2024 08:24:05 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.1 https://www.sgbox.eu/wp-content/uploads/2020/09/cropped-Logo-SGBox-Trasparente-NO-SCRITTA-150x150.webp logs – SGBox Next Generation SIEM & SOAR https://www.sgbox.eu 32 32 Centralizing Windows Logs ( Forwarded Events ) https://www.sgbox.eu/en/knowledge-base/centralizing-windows-logs/ Wed, 05 Jun 2024 15:44:04 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=24816

Centralizing Windows Logs (Forwarded Events)

You can use the tools in this article to centralize your Windows event logs from multiple servers and desktops. By properly administering your logs, you can track the health of your systems, keep your log files secure, and filter contents to find specific information. It is possible for a Windows server to forward its events to a collector server. In this scenario, the collector server becomes a central repository for Windows logs from other servers (called event sources) in the network. The stream of events from a source to a collector is called a subscription. This procedure demonstrates how to set it up. These steps work on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2019. We are using two Active Directory Domain–joined Windows Server 2012 systems. The domain name is mytestdomain.com and both machines are registered with the domain.


Enable the Windows Remote Management Service

Windows Remote Management (WinRM) is a protocol for exchanging information across systems in your infrastructure. You must enable it on each of your source computers to exchange log files.

  • Remotely log into the source computer (MYTESTSQL) as a local or domain administrator.
  • Enable Windows Remote Management Service from a Command Prompt:
winrm quickconfig

If it is already running, a message similar to this example is displayed.

Centralizing Windows Logs ( Forwarded Events )



Configure the Windows Event Collector Service

You must enable the Windows Event Collector Service on your collector server to allow it to receive logs from your sources.

  • Remotely log into the collector computer (MYTESTSERVER) as a local or domain administrator.
  • Configure the Windows Event Collector Service from a Command Prompt:
wecutil qcin

 If prompted like the example, press y

Centralizing Windows Logs ( Forwarded Events )



Configure the Event Log Readers Group

By default, certain logs are restricted to administrators. This may cause problems when receiving logs from other systems. To avoid this, you can grant access to the collector computer by adding it to the Event Log Readers group.

  • Go back to the source computer (MYTESTSQL).
  • Open Server Manager.
  • Open Computer Management.
  • Expand Local Users and Groups node from the Navigation pane and select Groups.
  • Double-click Event Log Readers.
Centralizing Windows Logs ( Forwarded Events )


  • Click Add to open the Select Users, Computers, Service Accounts, or groups dialog
  • Click Object Types.
  • Check Computers and click OK.
 
Centralizing Windows Logs ( Forwarded Events )
 
  • Enter MYTESTSERVER as the object name and click Check Names. If the computer account is found, it is confirmed with an underline.
  • Click OK twice to close the dialog boxes.
 
Centralizing Windows Logs ( Forwarded Events )



Configure Windows Firewall

If the source computer is running Windows Firewall, ensure it allows Remote Event Log Management and Remote Event Monitor traffic.

Centralizing Windows Logs ( Forwarded Events )



Create a Subscription

Subscriptions define the relationship between a collector and a source. You can configure a collector to receive events from any number of sources (a source-initiated subscription), or specify a limited set of sources (a collector-initiated subscription). In this example, we create a collector-initiated subscription since we know which computer logs we want to receive.

  • Start the Event Viewer application on the collector server MYTESTSERVER.
  • Select Subscriptions from the Navigation pane
  • Click Create Subscription in the Actions pane.

 

Centralizing Windows Logs ( Forwarded Events )
 
  • On the Subscription Properties, enter the following as shown in the example:
    Subscription name: MYTESTSQL_EVENTS
    Description: Events from remote source server MYTESTSQL
    Destination log: Forwarded Events
    Select Collector initiated and click Select Computers to open the Computers dialog.
 
Centralizing Windows Logs ( Forwarded Events )
 
  • Click Add Domain Computers.
  • Enter MYTESTSQL as the object name and click Check Names. If the computer is found, it is confirmed with an underline.
  • Click OK.
 
Centralizing Windows Logs ( Forwarded Events )
 
  • Click OK to return to the Subscription Properties.
  • Click Select Events to open the Query Filter and enter the following to set the remote server to forward all application events from the last 24 hours:
    Logged: Last 24 hours
    Check all Event levels
    Select By log
    Event logs: Select Application from the drop-down list
 
Centralizing Windows Logs ( Forwarded Events )
 
  • Click OK to return to the Subscription Properties.
  • Click Advanced to open the Advanced Subscription Settings and enter the following:
    Select Machine Account
    Select Minimize Latency
    Protocol: HTTP
    Port: 5985
 
Centralizing Windows Logs ( Forwarded Events )
 
  • Click OK to return to the Subscription Properties.
  • Click OK to close.
 

The Subscription node in the collector computer event viewer now shows the new subscription.

Centralizing Windows Logs ( Forwarded Events )

Verify Events on Collector Computer

Select Forwarded Events from the Navigation pane on the collector computer.

Centralizing Windows Logs ( Forwarded Events )

The Computer column in the Details pane indicates the events are from the remote computer MYTESTSQL.MYTESTDOMAIN.COM. You can enable or disable the collector subscription by right-clicking on the subscription and choosing Disable. The status of the subscription is then shown as disabled in the main window. An active collector subscription does not mean it is succeeding. To see if the collector can connect to the source, right-click on the subscription and select Runtime Status. In this example, the collector can’t connect to the source. By default, it retries every five minutes.

Centralizing Windows Logs ( Forwarded Events )


If all is OK, Subscription Runtime Status shows a green tick with an active status.

Centralizing Windows Logs ( Forwarded Events )



Create a Custom View (Optional)

Once the events are forwarded, you can create custom views to see the consolidated events. For example, you might create a custom view for error events. This example creates a custom view for SQL Server–related messages. A collector computer may host thousands of records from dozens of servers. Using a custom view enables you to create order from an overload of information. 

]]>
Export SGBox GPG Key https://www.sgbox.eu/en/knowledge-base/export-sgbox-gpg-key/ Thu, 06 Feb 2020 13:57:55 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=3146

How to export SGBox GPG Key

This articles explain how to export the SGBox private and public keys in order to decipher your logs out of SGBox.

Requirements:

  • SGBox version 4.2.0 or later.
  • Only the default Admin user can export the key.
  • The supervisor password must be set in SCM > Advanced Options, Supervisor Password.
    • Note: In case the previously set password is lost. customers are asked to open a ticket to SGBox support via the ticket platform(https://sgboxportal.sgbox.it) by entering “Password Change for Supervisor” in the subject of the ticket.

From SGBox go to SCM > Applications
Due to SoD restriction, keys are not available by default. You need to send an email to support@www.sgbox.it and asking for unlock it.
Export SGBox GPG Key

Once unlocked a new section Tools appears. Go to SCM > Applications > Tools
Install the application GPG key export and click PLAY button.
Export SGBox GPG Key

Insert the Supervisor password and the keys will be shown.
Take your time to copy and store them in a safe place.
Export SGBox GPG Key

Here couple of examples of how to decrypt logs: Log decryption

]]>