EvotecIT / PSWinReporting

This PowerShell Module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers providing easy to use access to AD Events.
MIT License
701 stars, 69 forks

DCs still being scanned even when using forwarding server #51

Closed jfacowns closed 5 years ago

jfacowns commented 5 years ago

I've gone through the effort to set up Event Forwarding and have verified that it's working. I have a ton of events coming in, all is well there.

However, when I set the script to use forwarding by adjusting the $false variable to $true, I'm noticing that my DCs are still being scanned and thus the script is still taking a good amount of time to run.

```powershell
Servers           = @{
    UseForwarders   = $true # if $true skips Automatic/OnlyPDC/DC for reading logs. However it uses Automatic to deliver size of logs so keep Automatic to $true
    ForwardServer   = $ENV:COMPUTERNAME
    ForwardEventLog = 'ForwardedEvents'

    UseDirectScan   = $true
    Automatic       = $true
    OnlyPDC         = $false
    DC              = ''
}
```

Any ideas what might be happening here?

I apologize if this is the wrong way to report this; this is my first time using GitHub.

Thanks very much

PrzemyslawKlys commented 5 years ago

Sure, just set UseDirectScan to $false. The way it works, it allows you to scan forwarders, DCs and file resources at the same time. You don't need that, because it only makes sense if you would like to create one big report or export everything to SQL.

```powershell
Servers           = @{
    UseForwarders   = $true # if $true skips Automatic/OnlyPDC/DC for reading logs. However it uses Automatic to deliver size of logs so keep Automatic to $true
    ForwardServer   = $ENV:COMPUTERNAME
    ForwardEventLog = 'ForwardedEvents'

    UseDirectScan   = $false
    Automatic       = $true
    OnlyPDC         = $false
    DC              = ''
}
```
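The following is an added example, not code from PSWinReporting or its maintainer. It is a small hypothetical helper, `Get-ReportLogSource`, that resolves a `Servers` hashtable like the one in this issue into the list of log sources that would actually be read, following the selection rules described in the comment above (`UseForwarders` reads the forwarded log from `ForwardServer`; `UseDirectScan` additionally reads each DC chosen by `Automatic`, `OnlyPDC` or `DC`), and warns when both flags are `$true`, which is exactly the configuration that caused the DCs to still be scanned. Domain-controller discovery is replaced by a constructed list so it runs offline; the real module's internal logic may differ.

```powershell
# Added example (not PSWinReporting code): resolve a Servers hashtable into the
# log sources that would be read, and flag the double-scan configuration.
# The selection rules are assumed from the maintainer's description in this issue.

function Get-ReportLogSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Servers,
        # Constructed stand-ins for DC discovery (real code would query AD)
        [string[]] $KnownDomainControllers = @('DC01.contoso.test', 'DC02.contoso.test'),
        [string]   $KnownPdc               = 'DC01.contoso.test'
    )

    $sources = [System.Collections.Generic.List[pscustomobject]]::new()

    # Forwarder path: one source, the collector's ForwardedEvents log
    if ($Servers.UseForwarders) {
        $sources.Add([pscustomobject]@{
            Kind   = 'Forwarder'
            Server = $Servers.ForwardServer
            Log    = $Servers.ForwardEventLog
        })
    }

    # Direct-scan path: explicit DC list wins, then OnlyPDC, then Automatic (all DCs)
    if ($Servers.UseDirectScan) {
        $targets = @()
        if ($Servers.DC) {
            $targets = @($Servers.DC) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        } elseif ($Servers.OnlyPDC) {
            $targets = @($KnownPdc)
        } elseif ($Servers.Automatic) {
            $targets = $KnownDomainControllers
        }
        foreach ($dc in $targets) {
            $sources.Add([pscustomobject]@{ Kind = 'DomainController'; Server = $dc; Log = 'Security' })
        }
    }

    # The situation reported in this issue: both paths enabled at once
    if ($Servers.UseForwarders -and $Servers.UseDirectScan) {
        Write-Warning ('UseForwarders and UseDirectScan are both $true: the same events will be read ' +
                       'from the collector AND from every DC. Set UseDirectScan = $false unless you ' +
                       'deliberately want both (one combined report or a SQL export).')
    }

    return $sources
}

# Constructed configuration matching the one posted in the issue (both flags $true)
$config = @{
    UseForwarders   = $true
    ForwardServer   = $env:COMPUTERNAME
    ForwardEventLog = 'ForwardedEvents'
    UseDirectScan   = $true
    Automatic       = $true
    OnlyPDC         = $false
    DC              = ''
}

Get-ReportLogSource -Servers $config | Format-Table -AutoSize

# The maintainer's fix: direct scan off, forwarder only
$config.UseDirectScan = $false
Get-ReportLogSource -Servers $config | Format-Table -AutoSize
```

With the issue's original configuration the first call lists the forwarder plus one row per domain controller and emits the warning; after setting `UseDirectScan = $false` only the forwarder row remains and no warning is written. Running a check like this before a scheduled report is a cheap way to confirm that the collector, not the DCs, is the source being read.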
PrzemyslawKlys commented 5 years ago

Btw, did you use the script to set up forwarding that I've provided with PSWinReporting? Or did you do it by hand? The script is basically 1 run and fix :) It only requires manual permissions to access DC logs.

jfacowns commented 5 years ago

I did the forwarding part by hand, mostly because I wanted to teach myself how to set that up.

Also, your suggestion worked: the run time for 1 hour's worth of logs has gone from 45-50 minutes down to about 50 seconds when gathering the logs locally from my event collector server.

Thank you so much for this, it's truly a fantastic resource and idea. I've learned a ton from it also. Much appreciated!