Comments (3)
Hello,
It would seem I am encountering the same issue. However, the IPv6 filter was actually enabled. As there is no v6 routed at my client's in general, I have thus turned the filter off, but also to no avail.
Anyone else out there with the same problem?
from windows-event-forwarding.
Hello guys,
we have the same problem: we disabled the IPv6 protocol and enabled it again, but we still have the same issue.
The ::1 is present for us when we disable IPv6, and also when we have it enabled.
I see the computer needs a Windows update; maybe it will solve the problem after this update.
Windows updates are in now.
Still the same issue.
from windows-event-forwarding.
We solved it with this article:
The important thing in our case was:
Step 3: Perform the following steps on the ATA Gateway (the normal Windows Server as WEF)
Open an elevated command prompt and type wecutil qc
Here is the whole documentation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
Configuring Windows Event Forwarding
Article, 12/26/2021
Applies to: Advanced Threat Analytics version 1.9
Note
For ATA versions 1.8 and higher, event collection configuration is no longer necessary for ATA Lightweight Gateways. The ATA Lightweight Gateway now reads events locally, without the need to configure event forwarding.
To enhance detection capabilities, ATA needs the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756, 4757, 7045. These can either be read automatically by the ATA Lightweight Gateway or, in case the ATA Lightweight Gateway is not deployed, they can be forwarded to the ATA Gateway in one of two ways: by configuring the ATA Gateway to listen for SIEM events, or by configuring Windows Event Forwarding.
Note
If you are using Server Core, wecutil can be used to create and manage subscriptions to events that are forwarded from remote computers.
WEF configuration for ATA Gateways with port mirroring
After configuring port mirroring from the domain controllers to the ATA Gateway, use the following instructions to configure Windows Event forwarding using Source Initiated configuration. This is one way to configure Windows Event forwarding.
Step 1: Add the network service account to the domain Event Log Readers Group.
In this scenario, assume that the ATA Gateway is a member of the domain.
Open Active Directory Users and Computers, navigate to the BuiltIn folder and double-click Event Log Readers.
Select Members.
If Network Service is not listed, click Add, type Network Service in the Enter the object names to select field. Then click Check Names and click OK twice.
After adding the Network Service to the Event Log Readers group, reboot the domain controllers for the change to take effect.
Step 2: Create a policy on the domain controllers to set the Configure target Subscription Manager setting.
Note
You can create a group policy for these settings and apply the group policy to each domain controller monitored by the ATA Gateway. The steps below modify the local policy of the domain controller.
Run the following command on each domain controller: winrm quickconfig
From a command prompt type gpedit.msc.
Expand Computer Configuration > Administrative Templates > Windows Components > Event Forwarding
[Image: Local Group Policy Editor]
Double-click Configure target Subscription Manager.
Select Enabled.
Under Options, click Show.
Under SubscriptionManagers, enter the following value and click OK: Server=http://:5985/wsman/SubscriptionManager/WEC,Refresh=10
(For example: Server=http://atagateway9.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=10)
[Image: Configure target Subscription Manager]
Click OK.
From an elevated command prompt type gpupdate /force.
Step 3: Perform the following steps on the ATA Gateway
Open an elevated command prompt and type wecutil qc
Open Event Viewer.
Right-click Subscriptions and select Create Subscription.
Enter a name and description for the subscription.
For Destination Log, confirm that Forwarded Events is selected. For ATA to read the events, the destination log must be Forwarded Events.
Select Source computer initiated and click Select Computers Groups.
Click Add Domain Computer.
Enter the name of the domain controller in the Enter the object name to select field. Then click Check Names and click OK.
[Image: Event Viewer]
Click OK.
Click Select Events.
Click By log and select Security.
In the Includes/Excludes Event ID field, type the event number and click OK. For example, type 4776, as in the following sample.
[Image: Query filter]
Right-click the created subscription and select Runtime Status to see if there are any issues with the status.
After a few minutes, check that the events you set to be forwarded are showing up in the Forwarded Events log on the ATA Gateway.
For more information, see: Configure the computers to forward and collect events
from windows-event-forwarding.
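A PowerShell check for the three steps of the article above, added here as an example; it is not from the thread or from the Microsoft article. The subscription name and collector FQDN are placeholders, and the Source checks assume the ActiveDirectory PowerShell module is installed on the domain controller.

```powershell
# Added diagnostic script (not from the thread or the Microsoft article). Run elevated.
# -Role Collector on the WEF collector (the "ATA Gateway" in the article), -Role Source on a
# domain controller. Subscription name and collector FQDN are placeholders; the Source checks
# assume the ActiveDirectory PowerShell module is installed.
param(
    [ValidateSet('Collector', 'Source')][string]$Role = 'Collector',
    [string]$SubscriptionName = 'ATA-Security-Events',    # placeholder
    [string]$CollectorFqdn    = 'atagateway9.contoso.com' # placeholder from the article's example
)
function Test-Step([string]$Name, [bool]$Ok, [string]$Hint) {
    $state = if ($Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $Name)
    if (-not $Ok) { Write-Host ("       -> {0}" -f $Hint) }
}
if ($Role -eq 'Collector') {
    # Step 3: wecutil qc sets the Windows Event Collector service to Automatic and starts it.
    $wec = Get-Service Wecsvc -ErrorAction SilentlyContinue
    Test-Step 'Wecsvc running' ($wec -and $wec.Status -eq 'Running') 'Run: wecutil qc'
    Test-Step 'Wecsvc start type Automatic' ($wec -and $wec.StartType -eq 'Automatic') 'Run: wecutil qc'
    # Source-initiated forwarding arrives over WinRM HTTP (port 5985); a listener must exist.
    $listeners = (winrm enumerate winrm/config/listener 2>$null) -join "`n"
    Test-Step 'WinRM HTTP listener present' ($listeners -match 'Transport = HTTP\b') 'Run: winrm quickconfig'
    # The subscription must exist; its runtime status lists per-source errors.
    $exists = (wecutil es 2>$null) -contains $SubscriptionName
    Test-Step "Subscription '$SubscriptionName' exists" $exists 'Create it in Event Viewer > Subscriptions'
    if ($exists) { wecutil gr $SubscriptionName }
    # Forwarded events land in the Forwarded Events log.
    $recent = @(Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue)
    Test-Step 'ForwardedEvents has events' ($recent.Count -gt 0) 'Wait a few minutes, then check Runtime Status'
}
else {
    # Step 2: the Configure target Subscription Manager policy writes numbered values under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $values = @()
    if (Test-Path $key) {
        $values = @((Get-ItemProperty $key).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    $expected = "Server=http://${CollectorFqdn}:5985/wsman/SubscriptionManager/WEC,Refresh=10"
    Test-Step 'SubscriptionManager policy set' ($values.Count -gt 0) 'gpedit.msc > Event Forwarding, then gpupdate /force'
    Test-Step "SubscriptionManager points at $CollectorFqdn" ($values -contains $expected) "Expected: $expected"
    $winrm = Get-Service WinRM -ErrorAction SilentlyContinue
    Test-Step 'WinRM running' ($winrm -and $winrm.Status -eq 'Running') 'Run: winrm quickconfig'
    # Step 1: NETWORK SERVICE (well-known SID S-1-5-20) is stored as a foreign security principal.
    $members = @((Get-ADGroup 'Event Log Readers' -Properties member).member)
    $hasNetSvc = @($members -match '^CN=S-1-5-20,').Count -gt 0
    Test-Step 'Network Service in Event Log Readers' $hasNetSvc 'Add NETWORK SERVICE, then reboot the DC'
}
```

The Collector branch also prints the subscription's runtime status (wecutil gr), which is where per-source connection errors show up when the Forwarded Events log stays empty.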