Remote Event Log management and DCs


Mike Leone

Sep 7, 2023, 3:07:51 PM
to NTSysAdmin
I want to write a script that can query all my DCs for event log entries, such as for unsecured LDAP binds (as an example). As far as I can tell, the firewall on the DC would need to be configured to allow Remote Event Log access. (Remote Event Log Management (RPC), if I understand it correctly).

So my question: do you enable this on your DCs? It doesn't seem to be too much of a security risk, I don't think. Do you lock it down to just certain specific remote users? Or just enable it?

And do I need to enable all 3 Remote Event Log Management rules, or only the RPC one?

Thanks

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
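For the firewall side of the question above, here is an added PowerShell example (not code from the thread) that shows what the predefined "Remote Event Log Management" group actually contains on a DC and how to scope it to named management hosts rather than opening it to any source. The `$AdminHosts` addresses are assumed placeholders. Note that the firewall scope only controls where a query may come from; restricting which users may read a log is a separate control (membership in the Event Log Readers group, or the log's own channel ACL), not something the firewall rule can do.

```powershell
# Added example, not from the thread. Run on a DC (or via remoting) as an admin.
# $AdminHosts is an assumed placeholder: the jump hosts your script will run from.
$AdminHosts = @('10.10.20.5', '10.10.20.6')

# The group has three predefined rules:
#   Remote Event Log Management (RPC)       - the dynamic RPC endpoint Get-WinEvent talks to
#   Remote Event Log Management (RPC-EPMAP) - TCP 135 endpoint mapper, needed to find that endpoint
#   Remote Event Log Management (NP-In)     - named pipes over SMB (TCP 445), legacy transport
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Select-Object DisplayName, Enabled, Profile, Direction, Action |
    Format-Table -AutoSize

# Enable only the two RPC rules, only on the Domain profile, and only for the
# listed remote addresses. Leave the named-pipe rule disabled; a script using
# Get-WinEvent -ComputerName does not need it.
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Where-Object { $_.DisplayName -match 'RPC' } |
    Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $AdminHosts

# Confirm the address scope actually applied to the enabled rules.
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Where-Object { $_.Enabled -eq 'True' } |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

If the rules are managed by GPO rather than locally, set the same remote-address scope in the GPO's firewall rule instead; a local `Set-NetFirewallRule` on a DC is overwritten at the next policy refresh.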

Michael B. Smith

Sep 7, 2023, 4:28:56 PM
to ntsys...@googlegroups.com

I typically enable WinRM and use remote PS for this.

How are you planning on doing the query?

Thanks.

Regards,
Michael B. Smith
Managing Consultant
Smith Consulting, LLC


Philip Elder

Sep 7, 2023, 6:13:17 PM
to ntsys...@googlegroups.com

You could use PowerShell to do this without the need to muck about with firewall ports.

Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

Kurt Buff

Sep 7, 2023, 6:52:06 PM
to ntsys...@googlegroups.com
Windows Event Forwarding to a central log collector?

It's what you need anyway.

Kurt
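To make the forwarding suggestion above concrete, here is an added PowerShell example (not from the thread) that creates a source-initiated Windows Event Forwarding subscription on a collector for Directory Service event 2889 only, so DCs push the events and nothing has to poll them. The subscription name, collector hostname and temp path are assumptions. The XML is the standard wecutil subscription schema; the SDDL in AllowedSourceDomainComputers uses the well-known alias DD (Domain Controllers) so only DCs can forward into it.

```powershell
# Added example, not from the thread. Run on the collector as an administrator.
# Subscription ID and collector name are assumed placeholders.
$SubscriptionId = 'DC-Unsigned-LDAP-Binds'

$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Directory Service 2889: LDAP binds without signing or over cleartext</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(EventID=2889)]]</Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- DD = Domain Controllers: only DCs may forward into this subscription. -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@

# One-time collector setup (enables the Windows Event Collector service and WinRM listener).
wecutil qc /q

# Load the subscription from the XML above.
$Path = Join-Path $env:TEMP 'dc-unsigned-ldap-binds.xml'
Set-Content -Path $Path -Value $SubscriptionXml -Encoding UTF8
wecutil cs $Path

# Runtime status: which DCs have checked in and whether any are reporting errors.
wecutil gr $SubscriptionId
```

On the DC side, the matching pieces are the WinRM service (the same GPO Michael describes) and the Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > "Configure target Subscription Manager" setting pointing at the collector, in the form `Server=http://collector.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60` (hostname assumed). The forwarder on each DC runs as NETWORK SERVICE, so if the subscription shows the DCs as active but nothing arrives, check that that account can read the Directory Service log. Event 2889 is only written at all when the DC's "16 LDAP Interface Events" diagnostic level is 2; at the default level you get only the daily summary event 2887.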

Mike Leone

Sep 8, 2023, 8:56:47 AM
to ntsys...@googlegroups.com
On Thu, Sep 7, 2023 at 4:28 PM Michael B. Smith <mic...@smithcons.com> wrote:

I typically enable WinRM and use remote PS for this.


Huh. I have a GPO that enables WinRM, and I thought that was also applying to the DCs. But I just checked, and the DCs are just using the "Default Domain Controllers Policy", and WinRM is not enabled in there.

That would explain a few things ... the GPO enables firewall rules for:

Windows Management Instrumentation (ASync-In)
Windows Management Instrumentation (WMI-In)
Windows Management Instrumentation (DCOM-In)
Windows Management Instrumentation (ASync-In)
Windows Management Instrumentation (WMI-In)
Windows Management Instrumentation (DCOM-In)
Windows Remote Management (HTTP-In)
Windows Remote Management (HTTP-In)

And then enables remote server management through WinRM and starts the WinRM service.

I should be able to apply that GPO to the DCs without any significant security issues, do you think? But would that allow the Get-WinEvent to query logs remotely? Would I also still need the "Remote Log Management" rules?


How are you planning on doing the query?


$Events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }

Or I suppose I could do an Invoke-Command ....


Michael B. Smith

Sep 8, 2023, 9:01:34 AM
to ntsys...@googlegroups.com

WMI and RPC are considered deprecated. You just need the WinRM rules and use Invoke-Command. It will be faster.
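
As an added example (not code from the thread), here is the Invoke-Command version of the 2889 query being discussed: it fans out over WinRM to every DC, filters the Directory Service log locally on each one, and returns a per-DC status plus a ranked list of which clients and accounts are binding without signing or over cleartext. It assumes the RSAT ActiveDirectory module on the admin host and WinRM reachable on the DCs; the EventData field order for 2889 is an assumption that should be checked against one event's XML on your own DCs. Unlike `Get-WinEvent -ComputerName`, which needs the Remote Event Log Management (RPC) and RPC-EPMAP rules, this path needs only the WinRM rules.

```powershell
# Added example, not from the thread. Requires RSAT ActiveDirectory on the admin host.
#Requires -Modules ActiveDirectory
param([int]$Hours = 24)

$Since = (Get-Date).AddHours(-$Hours)
$DCs   = (Get-ADDomainController -Filter *).HostName

# Invoke-Command runs the script block on every DC in parallel over WinRM
# (TCP 5985/5986); only the filtered results cross the network.
$PerDC = Invoke-Command -ComputerName $DCs -ArgumentList $Since -ErrorAction Continue -ScriptBlock {
    param([datetime]$Since)

    # Per-client 2889 events exist only when LDAP interface diagnostics are at
    # level 2; at the default level 0 you get only the 24-hour summary event 2887.
    # Report the level so an empty result is not mistaken for "no unsigned binds".
    $diag  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $level = $diag.'16 LDAP Interface Events'

    # Get-WinEvent raises an error (not an empty result) when nothing matches.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = $Since
    } -ErrorAction SilentlyContinue)

    $binds = foreach ($e in $events) {
        # Assumed EventData order for 2889: [0] client address:port, [1] identity,
        # [2] binding type (0 = SASL without signing, 1 = simple bind over cleartext).
        # Verify with $e.ToXml() on one of your own events before relying on this.
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Client      = $e.Properties[0].Value -replace ':\d+$'   # strip the source port
            Identity    = $e.Properties[1].Value
            BindingType = [int]$e.Properties[2].Value
        }
    }

    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        DiagLevel = $level
        Count     = $events.Count
        Binds     = @($binds)
    }
}

# Per-DC status first: DCs with diagnostics off, or that never answered, stand out.
$PerDC | Select-Object DC, DiagLevel, Count | Format-Table -AutoSize
$Unreached = $DCs | Where-Object { ($_ -split '\.')[0] -notin $PerDC.DC }
if ($Unreached) { Write-Warning "No response over WinRM from: $($Unreached -join ', ')" }

# Then the offenders, ranked by volume, so the noisiest client/account pairs come first.
$PerDC.Binds |
    Group-Object Client, Identity, BindingType |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';      e = { $_.Group[0].Client } },
        @{ n = 'Identity';    e = { $_.Group[0].Identity } },
        @{ n = 'BindingType'; e = { $_.Group[0].BindingType } } |
    Format-Table -AutoSize
```

The account running this needs to be able to read the Directory Service log on each DC (local admin, or Event Log Readers) and to connect over WinRM; nothing here requires the Remote Event Log Management firewall group.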

Mike Leone

Sep 8, 2023, 9:05:10 AM
to ntsys...@googlegroups.com
On Fri, Sep 8, 2023 at 9:01 AM Michael B. Smith <mic...@smithcons.com> wrote:

WMI and RPC are considered deprecated. You just need the WinRM rules and use Invoke-Command. It will be faster.


Really, didn't know that about WMI. OK, I will apply that GPO to the DCs (I dunno if I will take out the WMI rules just yet ...). And then see about re-writing to use the Invoke-Command.

Mike Leone

Sep 8, 2023, 12:21:20 PM
to ntsys...@googlegroups.com
On Thu, Sep 7, 2023 at 6:52 PM Kurt Buff <kurt...@gmail.com> wrote:
Windows Event Forwarding to a central log collector?

It's what you need anyway.

You know, I completely forgot we had set up a central log collector! I'll see about forwarding DC logs to it ....

thanks!
