WS Management Event Collector - Pulling in forwarded events from other Windows Machines

book

Article ID: 157603

calendar_today

Updated On:

Products

Security Information Manager

Issue/Introduction

You would like more information on how to ensure you are Collecting events that you have forwarded to a Windows Machine.

Resolution

In order to collect events that have been forwared to another Windows Machine, you will want to ensure we are collecting from the specific log channel.
 
The Collector sensor configuration setting to gather those logs from other Windows machines will depend on where you have those logs going to.
 
On the machine that receives the events from the other Windows machines, go into the Event Viewer and find a log entry from the other machine (or check the Log Properties, under the Subscriptions tab, to see what all logs are contained in that log channel), and then ensure we are pulling that event log channel into the SSIM.
 
More about log channels:
To collect logs, we choose which log channel we will be pulling from. By default, we list the common Windows Event Log channels (Application, System, Security, etc.) in the SSIM Collector Sensor configuration.
 
To pull from other channels, we add the channel name to the list in the SSIM Collector Sensor configuration. For example, the default channel of forwardedevents can be added by adding in "forwardedevents" (without the quotes) to the SSIM Collector Sensor configuration.
 
Keeping in mind that log channels each have there own permissions associated with them, you will want to ensure that you have granted access for the channel you want to pull from.
 
Examples:
To get the current settings for the log channel who's name is security, you can run the following command from an adminstrative command prompt.
wevtutil gl security
 
To get the current settings for the log channel who's name is forwarededevents, you can run the following command from an adminstrative command prompt.
wevtutil gl forwardedevents