clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

windows event logs not forwarded #245

Closed kpm4 closed 5 years ago

kpm4 commented 5 years ago

Description of the issue:

During the DC, wef and win10 provisioning, the Windows event logs are sent to Splunk on the 'main' index. After the provisioning, when I try to use the lab, those events are not forwarded to Splunk (the wineventlog index is empty) nor to WEF: all WEC folders have no events, and on win10 and DC the "Forwarded Events" folder is also empty. The only events that are present in Splunk are the Sysmon ones from DC, WEF and win10.

Is it expected and I should enable it on WEF? Or those logs should be forwarded with splunk agent?

thanks!

clong commented 5 years ago

Hey @kpm4,

It's really odd that the Sysmon index would be populated and that the wineventlog index wouldn't. Windows event logs are collected on the WEF host and then sent via Splunk. I have a few thoughts around why/how this might happen:

  1. The Windows Event Collector service on WEF is off
  2. WinRM communication between hosts isn't working for some reason
  3. The GPOs for WEF weren't correctly applied on the Domain Controller

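As an added example (not DetectionLab's own code), the following PowerShell script, run on the WEF collector host, walks the three possibilities above: WEC service state, WinRM reachability, and whether the subscriptions exist and are receiving heartbeats. The forwarder hostnames `dc` and `win10` and the WinRM port are assumptions taken from the lab layout described in this thread; adjust them for your environment.

```powershell
# Added example, not part of the DetectionLab repository.
# Assumptions: forwarder hostnames "dc" and "win10" and WinRM HTTP port 5985.
param(
    [string[]]$Forwarders = @('dc', 'win10'),
    [int]$CollectorPort = 5985
)

# 1. Is the Windows Event Collector service (Wecsvc) running on this host?
$wec = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
if (-not $wec) {
    Write-Warning 'Wecsvc service not found on this host'
} elseif ($wec.Status -ne 'Running') {
    Write-Warning "Wecsvc is $($wec.Status); starting it and setting startup to Automatic"
    Start-Service -Name Wecsvc
    Set-Service -Name Wecsvc -StartupType Automatic
} else {
    Write-Host 'Wecsvc: Running'
}

# 2. Can this host talk WinRM to each forwarder, and is our own listener up?
foreach ($h in $Forwarders) {
    try {
        Test-WSMan -ComputerName $h -ErrorAction Stop | Out-Null
        Write-Host "WinRM to ${h}: OK"
    } catch {
        Write-Warning "WinRM to ${h}: FAILED ($($_.Exception.Message))"
    }
}
if (-not (Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $CollectorPort -InformationLevel Quiet)) {
    Write-Warning "Nothing listening on local port $CollectorPort (WinRM listener missing?)"
}

# 3. Do WEC subscriptions exist, and are forwarders checking in?
#    No subscriptions usually means the WEF GPO / configure-wef-gpo step never ran.
$subs = wecutil es
if (-not $subs) {
    Write-Warning 'No WEC subscriptions defined; check that the WEF GPO was applied'
}
foreach ($s in $subs) {
    Write-Host "--- subscription: $s"
    # Runtime status lists each event source with LastHeartbeatTime and LastError.
    wecutil gr $s
}

# Finally, is anything actually landing in the ForwardedEvents log?
$last = Get-WinEvent -LogName ForwardedEvents -MaxEvents 1 -ErrorAction SilentlyContinue
if ($last) {
    Write-Host "Last forwarded event: $($last.TimeCreated) from $($last.MachineName)"
} else {
    Write-Warning 'ForwardedEvents is empty; run gpresult /r on the forwarders to confirm the GPO applied'
}
```
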
kpm4 commented 5 years ago

hi!

Found the issues: the WEC service was not running on the WEF server and the OU was not configured (then configure-wef-gpo failed). I ran them manually and now everything is working.

I think that there is an issue in the provisioning: when I provision wef and win10, the script to join the domain fails, so I have to run Add-Computer manually. I still haven't found the root cause of this.

thanks!

clong commented 5 years ago

Hey @kpm4 - there was an issue for this but I closed it a while back for some reason. I've definitely seen hosts hang while attempting to join the domain recently, so I've re-opened it: https://github.com/clong/DetectionLab/issues/21

Unfortunately I don't really know why this happens, but a `vagrant reload <hostname> --provision` usually works to resolve the issue.

jsecurity101 commented 5 years ago

Hi @clong and @kpm4, upon further investigation I noticed that the DC is not propagating logs into Splunk. This was tested by running a DCSync. There were no 4662 event codes inside of Splunk, but the 4662 event codes were found locally on the DC. WEC was not started on the DC or Win10. After starting this service on both boxes and then restarting Splunk, I get the same issue. If either of you have any ideas or want me to test anything, I would be more than happy to help!

clong commented 5 years ago

Closing this issue since it has since been fixed