Fix WEC subscriptions from DC ^^^^~(12)

[danjoneslf]

Currently we are only getting logs into Splunk from the WEC instance We're not getting any events from the DC

• [x] WEC subscriptions are marked active ( wecutil gr security )
• [x] GPO points to correct WEC hostname
• [x] WinRM port is reachable from DC ( Test-NetConnection WSWEC01.cdio-windows-sandbox-staging.com -port 5985 )
• [x] Generate an error on the DC (failed)
• [x] Reapply GPOs to DC ( gpupdate /force ) (failed)
• [x] Force restart on DC ( Restart-Computer -Force ) (failed)
• [x] Remove unprintable characters ( Opened with hexfiend and removed all instances of [\x01\xBD\xEF\xBF] ) (failed)
• [x] Are there definitely events matching the subscriptions? (Yes) Tested by generating an error eventcreate /t error /id 100 /l application /d "Custom event in application log"
• [ ] Check for error detail in winlogon.log (doesn't exist)
• [x] Try dcgpofix /ignoreschema (failed)
• [x] Replace GPRESULT /H GPReport.html with GPRESULT /x GPReport.xml (produces output but with no errors)
• [ ] gpresult /r says it's applied

  Applied Group Policy Objects
  -----------------------------
      Windows Event Forwarding
      Default Domain Controllers Policy
      Default Domain Policy

• [x] Windows file encoding for splunk config files (newlines) (failed)
• [x] Change value of evt_dns_name in inputs.conf to the domain (failed)
• [x] Set trusted client ( winrm set winrm/config/client '@{TrustedHosts="WSWEC01"}' ) (failed)
• [x] Test winrm connection from DC to WEC ( Invoke-Command -ComputerName WSWEC01.$env:DOMAIN -ScriptBlock {1} ) (passed)
• [x] Add domain user to event log reader group ( Add-ADGroupMember -Identity "Event Log Readers" -Members wecserver ) (failed)
• [x] And obviously turning it off and on again (x1000) (failed)
• [ ] Show SSDL string netsh http show urlacl
• [x] It's not this: https://docs.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector (failed) (we don't get the 105 errors in the logs)
• [ ] Enable RPC ( New-NetFirewallRule -DisplayName "Allow TCP RPC local subnet" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 135,137,139 -RemoteAddress LocalSubnet) (failed)
• [ ] Is it working?

[danjoneslf]

https://www.itprotoday.com/strategy/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and

[danjoneslf]

I've found an error applying the GPO.

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={017B1AD8-98EF-4D63-B4E3-62E8242D5B10},cn=policies,cn=system,DC=cdio-windows-sandbox-staging,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Unfortunately the GPRESULT /H GPReport.html fails saying the parameters are invalid and the help for GPRESULT uses exactly those params as its example!

[danjoneslf]

The GPO backups are full of non-printable null characters. I might try removing those. I guess the next plan is to try to create and backup a GPO manually.

[danjoneslf]

Notes for Monday:

Check if there's anything I've not tried on here: http://tutorial.programming4.us/windows_7/forwarding-events-(part-2)---how-to-troubleshoot-event-forwarding---how-to-configure-event-forwarding-in-workgroup-environments.aspx

[alice-carr]

To note:

• On WEC EC2, wecutil gr 'DNS Client' shows that subscription is active and has not errored
• On DC EC2 wevtutil get-log security shows that it is enabled, and does contain the SID for Event Log Viewers, so no issues there
• • Verified that the forwarding computer has the Windows Remote Management listener properly configured.

[danjoneslf]

Plan is to pause this and pick it up later. We can still get the pipeline working validating that events are arriving from the WEC in the first instance and then iterate to improve it maybe when Ollie's back or maybe with some help from Krish. I've already tapped up Mo for how they setup the one in Defence. It's slightly different because they didn't do it in code and are using Windows Server 2019 - We're using Windows Server 2016 to match the current Official IT Platform.

[danjoneslf]

Time booked with Ollie to debug this on Friday afternoon