WEF_ADSecurity (Windows Event Forwarding for Active Directory Security Logs) is a repository that demonstrates how to forward the Security logs of Active Directory Domain Controllers to a central collector using Windows Event Forwarding, configured with DSC and Group Policy. All of the files, scripts and resources needed to build a WEF lab are included. Demo.ps1 is the walk-through script for the demo; the files in DSC_Configs are the DSC configurations for the lab, and the files in LabBuilder assist with creating the lab environment.
1. Create the lab environment with LabBuilder
2. Add the Collector node's computer account to the Event Log Readers Active Directory group (the collector authenticates to the Domain Controllers as its machine account, so this is what grants it read access to their Security logs)
3. Configure the Log Access Group Policy for the Security channel
4. Enable auditing on the Domain Controllers via Group Policy
5. Restart the Domain Controllers to apply the new Group Policies
6. Deploy the xWindowsEventForwarding DSC configuration to the Collector node
7. Review the event log subscription
8. Prep the new Domain Controller
9. Promote the new Domain Controller with DSC
10. Update the event log subscription to include the new Domain Controller

Steps 2-7 are covered in this blog post.
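The following PowerShell is an added example, not part of this repository's Demo.ps1 or DSC_Configs: it performs the collector-side parts of the steps above (adding the collector to Event Log Readers, checking the Security channel access on each DC, checking that the audit policy took effect after the restart, creating and reviewing a collector-initiated subscription, and regenerating the subscription's source list after a new DC is promoted) with the built-in ActiveDirectory cmdlets, wevtutil, auditpol and wecutil instead of the repository's DSC configuration. The domain name contoso.com, the collector name WEC01, the subscription ID DCSecurityLogs and the selected event IDs are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
# Added example (not repository code). Run on the collector. Assumed values:
$Domain         = 'contoso.com'      # assumption: lab domain
$Collector      = 'WEC01'            # assumption: collector host name
$SubscriptionId = 'DCSecurityLogs'   # assumption: subscription name
$XmlPath        = Join-Path $env:TEMP "$SubscriptionId.xml"

# Step "Add Collector node to Event Log Readers": a collector-initiated subscription
# with CredentialsType=Default authenticates as the collector's machine account,
# and the domain's built-in Event Log Readers group already has read on the
# Security channel. Add-ADGroupMember errors if the account is already a member,
# so that case is suppressed to keep the script re-runnable.
$collectorAccount = Get-ADComputer -Identity $Collector
Add-ADGroupMember -Identity 'Event Log Readers' -Members $collectorAccount -ErrorAction SilentlyContinue

# Step "Configure Log Access Group Policy": confirm the Security channel SDDL on a DC
# carries an allow ACE for Event Log Readers (S-1-5-32-573) or Network Service
# (S-1-5-20). Inspect the access mask by hand; 0x1 is the read right.
function Test-SecurityLogAccess {
    param([Parameter(Mandatory)][string]$ComputerName)
    $line = (& wevtutil gl Security /r:$ComputerName) |
        Where-Object { $_ -like 'channelAccess:*' } | Select-Object -First 1
    return [bool]($line -match '\(A;;[^;]*;;;(S-1-5-32-573|S-1-5-20)\)')
}

# Step "Enable Auditing" + "Restart DCs": verify the effective policy on the DC rather
# than trusting the GPO link; a DC that has not applied the policy logs nothing useful.
function Test-DcLogonAuditing {
    param([Parameter(Mandatory)][string]$ComputerName)
    $out = Invoke-Command -ComputerName $ComputerName -ScriptBlock { auditpol /get /subcategory:"Logon" }
    return [bool]($out -match '^\s+Logon\s+Success and Failure')
}

# Build a collector-initiated subscription for the Security log of every DC passed in.
# Event IDs are an assumed sample: logon (4624/4625), Kerberos (4768/4769/4771), NTLM (4776).
function New-DcSubscriptionXml {
    param([Parameter(Mandatory)][string[]]$SourceDCs)
    $sources = ($SourceDCs | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
    }) -join "`n"
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Domain Controller Security log (assumed example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4769 or EventID=4771 or EventID=4776)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@
}

# Step "Deploy ... to Collector node" (done here with wecutil instead of DSC):
# the Windows Event Collector service must be running before a subscription is created.
Set-Service -Name Wecsvc -StartupType Automatic
Start-Service -Name Wecsvc
$dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
foreach ($dc in $dcs) {
    if (-not (Test-SecurityLogAccess -ComputerName $dc)) { Write-Warning "$dc: Security channel ACL does not grant the collector read" }
    if (-not (Test-DcLogonAuditing  -ComputerName $dc)) { Write-Warning "$dc: Logon auditing not in effect (GPO applied? DC restarted?)" }
}
New-DcSubscriptionXml -SourceDCs $dcs | Set-Content -Path $XmlPath -Encoding UTF8
& wecutil cs $XmlPath

# Step "Review Event Log Subscription": configuration, then per-source runtime status
# (gr shows each DC as Active, or the last error if the collector cannot reach/read it).
& wecutil gs $SubscriptionId
& wecutil gr $SubscriptionId

# Step "Update Event Log Subscription" (after the new DC is promoted): regenerate the
# source list from AD and replace the subscription config, so no DC is missed by hand-editing.
$dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
New-DcSubscriptionXml -SourceDCs $dcs | Set-Content -Path $XmlPath -Encoding UTF8
& wecutil ss /c:$XmlPath
& wecutil gr $SubscriptionId
```

The checks run before the subscription is created because the two most common reasons a DC shows an error in `wecutil gr` are an unchanged Security channel ACL (step 3 not applied) and a DC that has not yet picked up the audit GPO (step 5 not done); surfacing both as warnings up front saves a round of troubleshooting on the collector.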
- Use LabBuilder_KickStart.ps1 to create the lab environment. [LabBuilder\LabBuilder_KickStart.ps1]
- Use Demo.ps1 to walk through the demo.
- PowerShell version 5
- Hyper-V
- DSC resources: LabBuilder, xWindowsEventForwarding, xActiveDirectory (all found in the DSCResources folder)
- ISO files: Windows Server 2016 TP5
Event Log Forwarding
- the-security-log-haystack-event-forwarding-and-you
- configure-event-log-forwarding-windows-server-2012-r2
- ultimate-guide-centralizing-windows-logs
- wecutil documentation