Use the instructions in this topic to configure a system for remote access by a Remote Windows Event Log Source. For information on collecting local Windows Event Logs, see Configure a Local Windows Event Log Source.
There are two primary configuration requirements to enable remote event log collection:
- The user account specified in the source must have permissions to read the event log remotely
- The firewall on the remote machine must be configured to allow inbound connections for reading the event log
When configuring the Source, you will enter a domain name, user name, and password. This user account will be used by the Collector to perform the remote collection of event log records. The credentials are stored in Sumo's database encrypted and in the Collector's memory. The account must be configured such that it has permissions to read the event log from each of the specified remote systems.
An account has permissions to read events remotely if it is either a local Administrator or a member of the Event Log Readers local group on the target system. As a security best practice, it is recommended that a non-administrator account is used.
- Open the Computer Management app (compmgmt.msc)
- Navigate to Local Users and Groups, and select Groups.
3. Double-click on the Event Log Readers group, and add the account as a new member.
A user can be added to the Event Log Readers local group using the following command line:
net localgroup "Event Log Readers" <domain\username> /add
To allow for remote systems to read the Windows event log, a set of inbound firewall exceptions must be enabled.
- Open the Windows Firewall with Advanced Security app (wf.msc).
- On the left panel, select Inbound Rules
- Scroll down to the set of rules named Remote Event Log Management
- Enable all of the Remote Event Log Management rules, to permit inbound traffic
For each of these firewall rules, you can do fine-grained scoping to allow traffic only from domain systems, only from particular accounts, only from certain IP ranges, and so forth. Appropriate settings will depend on your organization's IT infrastructure and security policies.
You can configure firewall rules from the command line with the netsh command
rem Enables all rules in the Remote Event Log Management group, for all network profiles netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
netsh also supports fine-grained firewall configuration. For details on these parameters, see the netsh advfirewall documentation.
Automatically configuring remote systems
The Sumo Logic collector comes with a PowerShell script that can be used to verify or apply the above configuration automatically on list of remote systems. The script is located in the collection installation directory, at .\powershell\events\sumo-remote-collector-config.ps1. A detailed usage page can be seen by running the command Get-Help .\sumo-remote-collector-config.ps1 -Full from the script's directory.
The script accepts the following parameters:
- -EventCollectionCredential A credential matching the one specified when setting up the Remote Windows Event Log source. This is the account used by the Sumo Logic collector to read events from remote systems.
- -AdminCredential A credential used by the script to log on to remote systems and check or modify firewall and local group configuration.
- -ComputerName A list of remote systems to check or update.
- -File Path to a text file containing a list of remote systems to check or update, one per line.
- -DoConfig If this flag is specified, the script will actively configure the Event Log Readers group and firewall on the remote systems. By default the script will only check configuration, making no changes.
# set script parameters PS> $adminCred = Get-Credential PS> $eventCred = Get-Credential PS> $systems = server01.democorp.com, server02.democorp.com # check configuration PS> .\sumo-remote-collector-config.ps1 -ComputerName $systems -EventCollectionCredential $eventCred -AdminCredential $adminCred server01.democorp.com User has read access to event logs? YES Firewall exceptions enabled for Remote Event Log Management? Remote Event Log Management (RPC): Domain,Private,Public=Yes Remote Event Log Management (NP-In): Domain,Private,Public=Yes Remote Event Log Management (RPC-EPMAP): Domain,Private,Public=Yes Can get a test event as user 'democorp\calvin'? YES server02.democorp.com User has read access to event logs? NO Firewall exceptions enabled for Remote Event Log Management? Remote Event Log Management (RPC): Domain,Private,Public=Yes Remote Event Log Management (NP-In): Domain,Private,Public=Yes Remote Event Log Management (RPC-EPMAP): Domain,Private,Public=Yes Can get a test event as user 'democorp\calvin'? NO sumo-remote-collector-config.ps1 : Failed to open event query. Access is denied. At line:1 char:1 + .\sumo-remote-collector-config.ps1 -ComputerName ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,sumo-remote-collector-config.ps1 # update configuration PS> .\sumo-remote-collector-config.ps1 -ComputerName server02.democorp.com -EventCollectionCredential $eventCred -AdminCredential $adminCred -DoCOnfig server02.democorp.com Giving user read access to event logs OK Enabling firewall exceptions for event log management OK Can get a test event as user 'democorp\calvin'? YES