Creating Custom Windows Event Forwarding Logs
You may have noticed recently that *we* Microsoft security people have kind of fallen in love with Windows Event Forwarding (WEF). Why? Its built into Windows itself, easily configurable and can collect a very large amount of course or finely filtered events (including existing events) from any domain joined machine with less then 30 minutes of effort.
When demonstrating WEF to customers, one of the most common questions I receive is "I don't want everything in Forwarded Events, can I create separate logs for my subscriptions?" The answer is yes, but it takes a little bit of effort. Once complete, you can create as many custom "buckets" for your forwarded events as you like. Let's start.
Firstly, a large amount of credit goes to Ted Hardy for providing the majority of the process for this. I'm really just playing technical writer here.
Before we start, you will need a few things.
- If you don't have it already laying around, grab a copy of the Windows SDK for your OS. Why? We need to compile a .dll. I'm not a programmer and I don't understand what resource and link files are, but thankfully you don't really need to.
- Right-click to download the template "manifest" file from this blog post and rename it to .man from .txt.
- A machine to configure all of this on. I used a throw away virtual machine with Windows Server 2012 R2 and the Windows 8.1 SDK from above to perform these steps.
Create our Custom Event DLL and Manifest
Go ahead and install your Windows SDK to your machine. I only applied the core SDK itself to the default install location.
Now open the Manifest Generator which you will find at "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\ecmangen.exe"
Open the starter template manifest file from above. The screen should look something like this
The channels you see here are really the goal. Any channels you create here are will show up in Event Viewer and also be available for selection in our event collector subscriptions.
Modify the Name and Symbols to your hearts content. You can add a maximum of 8 channels per provider.
If you want, feel free to also change the "WEC" at the root of the events section to something else.
Save the .man file to somewhere on your drive. For the next few steps, I used the path "C:\ECMan" on my machine
Now execute the following commands to build our .dll
cd\ECMan "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\mc.exe" C:\ECMan\CustomEventChannels.man "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\mc.exe" -css CustomEventChannels.DummyEvent C:\ECMan\CustomEventChannels.man "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\rc.exe" C:\ECMan\CustomEventChannels.rc "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /win32res:C:\ECMan\CustomEventChannels.res /unsafe /target:library /out:C:\ECMan\CustomEventChannels.dll C:\ECMan\CustomEventChannels.cs
The output of the folder post processing should now look like the following
Take a copy of the highlighted .man and .dll files and place them in your "C:\Windows\System32" folder on your Windows Event Collector server.
We don't need this machine any more (unless you want to create more)
Load It Up
Open an elevated command prompt, and execute the following
wevtutil im c:\Windows\system32\CustomEventChannels.man
If everything goes well, there should be zero console feedback. Now open Event Viewer (re-launch if it's already open) and you should now have your new custom folders ready to select in your WEC subscriptions (the pic below was taken after the subscription was configured and the log receiving events)
The last thing before we start using them in anger, is to actually give the logs some configuration. The following commands will do the job easily for us. Below is an example for moving the WEC-Domain-Controllers custom log to E:\Logs and configuration a maximum size of 1GB. You can also right-click the log and configure the standard properties that way too.
wevtutil sl WEC-Domain-Controllers /lfn:E:\Logs\WEC-Domain-Controllers.evtx wevtutil sl WEC-Domain-Controllers /ms:1073741824
The last piece of the puzzle is simply telling our event subscriptions to dump the events there instead of our old friend Forwarded Events.
And there we have it, custom event logs for you to use with your Windows Event Forwarding solution. There is nothing to stop from your creating more event channels using the starter template, you will however have to update the provider properties with a new Name, GUID and updated paths for .dll files to ensure they are unique.
Happy Event Forwarding :)