Sumo Logic

Preconfigure a Machine to Collect Remote Windows Events


Use the instructions in this topic to configure a system for remote access by a Remote Windows Event Log Source. For information on collecting local Windows Event Logs, see Configure a Local Windows Event Log Source.

There are two primary configuration requirements to enable remote event log collection:

  1. The user account specified in the source must have permissions to read the event log remotely
  2. The firewall on the remote machine must be configured to allow inbound connections for reading the event log

User account 

When configuring the source, you enter a domain name, user name, and password. The Sumo Logic collector uses this account to read event log records from the remote systems, so the account must have permission to read the event log on each system the source lists.

[Screenshot: remotewin_sourceuser.PNG]

An account can read events remotely if it is a local Administrator on the target system, or a member of the target's Event Log Readers local group. Event Log Readers grants read access to every event log on that system, including the Security log, which is all the collector needs. As a security best practice, use a dedicated non-administrator account and add it to Event Log Readers rather than Administrators.

UI 

  1. Open the Computer Management app (compmgmt.msc).
  2. Navigate to Local Users and Groups, and select Groups.

[Screenshot: remotewin_localgroups.png]

  3. Double-click the Event Log Readers group, and add the account as a new member.

[Screenshot: remotewin_logreaders.png]

Command line 

From an elevated (administrator) command prompt on the target system, a user can be added to the Event Log Readers local group with the following command line (give the account as DOMAIN\username):

net localgroup "Event Log Readers" <domain\username> /add
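The same membership change done with the LocalAccounts cmdlets across several target systems, followed by a check, as an added example that is not part of the Sumo Logic documentation or of the collector's own script. It assumes PowerShell Remoting (WinRM) is enabled on the targets and that the administrator credential is a local administrator there; the script file name, the -ComputerName, -Account and -AdminCredential parameters, and the server and account names are placeholders chosen for this example.

```powershell
# Added example (not from the Sumo Logic page or the collector's own script): put the
# collection account into the local "Event Log Readers" group on each target system,
# idempotently, then verify the membership and flag the account if it is also a local
# Administrator, which is more privilege than remote collection needs.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets and $AdminCredential
# is a local administrator there. Server and account names are placeholders.

param(
    [Parameter(Mandatory)] [string[]]     $ComputerName,     # e.g. "server02.democorp.com"
    [Parameter(Mandatory)] [string]       $Account,          # DOMAIN\user, e.g. "DEMOCORP\svc-sumo-events"
    [Parameter(Mandatory)] [pscredential] $AdminCredential
)

$report = foreach ($target in $ComputerName) {
    Invoke-Command -ComputerName $target -Credential $AdminCredential -ArgumentList $Account -ScriptBlock {
        param($account)
        $readers = "Event Log Readers"

        # Is $account a direct member of a local group? (Nested membership through a
        # domain group is not expanded here.) The LocalAccounts cmdlets read the SAM
        # database, so on a domain controller, where "Event Log Readers" is a domain
        # built-in group, use Add-ADGroupMember instead.
        function Test-Member([string]$group, [string]$name) {
            [bool](Get-LocalGroupMember -Group $group -ErrorAction Stop |
                   Where-Object { $_.Name -ieq $name })
        }

        if (Test-Member $readers $account) {
            $action = "already a member"
        } else {
            # Same effect as: net localgroup "Event Log Readers" DOMAIN\user /add
            Add-LocalGroupMember -Group $readers -Member $account -ErrorAction Stop
            $action = "added"
        }

        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Account      = $account
            Action       = $action
            IsReader     = Test-Member $readers $account        # re-read: report the actual state
            IsLocalAdmin = Test-Member "Administrators" $account
        }
    }
}

$report | Format-Table Computer, Account, Action, IsReader, IsLocalAdmin -AutoSize

# An over-privileged collection account defeats the point of using Event Log Readers.
$report | Where-Object IsLocalAdmin | ForEach-Object {
    Write-Warning ("{0} is a local Administrator on {1}; remove it from Administrators and rely on Event Log Readers." -f $_.Account, $_.Computer)
}
```

Saved as, for instance, Grant-EventLogRead.ps1 (a name chosen here), it is run from the collector host or an admin workstation as `.\Grant-EventLogRead.ps1 -ComputerName server01.democorp.com, server02.democorp.com -Account "DEMOCORP\calvin" -AdminCredential (Get-Credential)`. Membership alone does not make remote reads work; the firewall rules in the next section must also be enabled on each target.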

Firewall configuration 

To allow the collector to read the event log on a remote system, a set of inbound firewall rules must be enabled on that target system (not on the collector host).

UI 

  1. Open the Windows Firewall with Advanced Security app (wf.msc).
  2. In the left pane, select Inbound Rules.
  3. Scroll down to the group of rules named Remote Event Log Management (there are three: RPC, RPC-EPMAP, and NP-In).
    • Enable all of the Remote Event Log Management rules to permit the inbound traffic.

[Screenshot: remotewin_firewall.png]

[Screenshot: remotewin_firewallrule.png]

For each of these rules you can narrow the scope further: restrict them to the Domain profile, to the collector's IP address or range, or, with IPsec authentication configured, to particular computers or user accounts. Appropriate settings depend on your organization's IT infrastructure and security policies; at minimum, avoid leaving the rules open on the Public profile to any remote address.

[Screenshot: remotewin_firewalladvanced.png]

Command line

You can configure firewall rules from an elevated command prompt on the target system with the netsh command:

rem Enables all rules in the Remote Event Log Management group, for all network profiles
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

As written, this enables the rules for every profile, including Public, and for any remote address. netsh also supports fine-grained scoping (the profile= selector and the remoteip= setting, among others); for details on these parameters, see the netsh advfirewall documentation.
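A scoped version of the firewall change with the NetSecurity cmdlets, followed by the end-to-end check that matters (reading one event remotely as the collection account), as an added example that is not part of the Sumo Logic documentation or of the collector's script. It assumes PowerShell Remoting is enabled on the targets, that the administrator credential is a local administrator there, and that the collector sits on the Domain network; the script file name, the -ComputerName, -CollectorAddress, -AdminCredential and -EventCollectionCredential parameters, and the addresses and server names are placeholders chosen for this example.

```powershell
# Added example (not from the Sumo Logic page or the collector's own script): enable the
# "Remote Event Log Management" rules on each target, but only for the Domain profile and
# only from the collector's address, then prove the collection account can read an event.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets, $AdminCredential is a
# local administrator there, and the collector reaches the targets over the Domain profile.
# Server names and the collector address are placeholders.

param(
    [Parameter(Mandatory)] [string[]]     $ComputerName,              # e.g. "server02.democorp.com"
    [Parameter(Mandatory)] [string]       $CollectorAddress,          # e.g. "10.20.30.40" or "10.20.30.0/24"
    [Parameter(Mandatory)] [pscredential] $AdminCredential,
    [Parameter(Mandatory)] [pscredential] $EventCollectionCredential  # the source's account, e.g. DEMOCORP\calvin
)

$group = "Remote Event Log Management"

foreach ($target in $ComputerName) {
    Invoke-Command -ComputerName $target -Credential $AdminCredential -ArgumentList $group, $CollectorAddress -ScriptBlock {
        param($group, $collector)

        # The group holds three rules (RPC, RPC-EPMAP and NP-In); operate on all of them.
        $rules = Get-NetFirewallRule -DisplayGroup $group
        if (-not $rules) { throw "No firewall rules found in group '$group' on $env:COMPUTERNAME" }

        # Scoped equivalent of
        #   netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
        # which would open the rules on every profile to any remote address.
        $rules | Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $collector

        # Report the resulting state rule by rule, read back from the firewall.
        foreach ($r in Get-NetFirewallRule -DisplayGroup $group) {
            $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Rule     = $r.DisplayName
                Enabled  = $r.Enabled
                Profile  = $r.Profile
                RemoteIP = ($addr -join ",")
            }
        }
    } | Format-Table Computer, Rule, Enabled, Profile, RemoteIP -AutoSize

    # End-to-end check, run from the collector side as the collection account. This
    # exercises the Event Log Readers membership and the firewall rules together.
    try {
        $evt = Get-WinEvent -ComputerName $target -Credential $EventCollectionCredential `
                            -LogName Application -MaxEvents 1 -ErrorAction Stop
        "{0}: test read OK (event id {1} at {2})" -f $target, $evt.Id, $evt.TimeCreated
    } catch {
        "{0}: test read FAILED: {1}" -f $target, $_.Exception.Message
    }
}
```

Saved as, for instance, Enable-RemoteEventLogFirewall.ps1 (a name chosen here) and run from the collector host, `.\Enable-RemoteEventLogFirewall.ps1 -ComputerName server02.democorp.com -CollectorAddress 10.20.30.40 -AdminCredential $adminCred -EventCollectionCredential $eventCred` both applies and verifies the change. A failed test read with "Access is denied" points at the group membership; a timeout or "RPC server is unavailable" points at the firewall scope (for example, a collector that reaches the target over the Private or Public profile, which this script deliberately leaves closed).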

Automatically configuring remote systems 

The Sumo Logic collector ships with a PowerShell script that can verify or apply the above configuration automatically on a list of remote systems. The script is located in the collector installation directory, at .\powershell\events\sumo-remote-collector-config.ps1. For detailed usage, run Get-Help .\sumo-remote-collector-config.ps1 -Full from the script's directory.

The script accepts the following parameters:

  • -EventCollectionCredential A credential matching the one specified when setting up the Remote Windows Event Log source. This is the account used by the Sumo Logic collector to read events from remote systems.
  • -AdminCredential A credential used by the script to log on to remote systems and check or modify firewall and local group configuration.
  • -ComputerName A list of remote systems to check or update.
  • -File Path to a text file containing a list of remote systems to check or update, one per line.
  • -DoConfig If this flag is specified, the script will actively configure the Event Log Readers group and firewall on the remote systems. By default the script will only check configuration, making no changes.

Example:

# set script parameters
PS> $adminCred = Get-Credential
PS> $eventCred = Get-Credential
PS> $systems = "server01.democorp.com", "server02.democorp.com"

# check configuration
PS> .\sumo-remote-collector-config.ps1 -ComputerName $systems -EventCollectionCredential $eventCred -AdminCredential $adminCred

server01.democorp.com
    User has read access to event logs? YES
    Firewall exceptions enabled for Remote Event Log Management?
      Remote Event Log Management (RPC): Domain,Private,Public=Yes
      Remote Event Log Management (NP-In): Domain,Private,Public=Yes
      Remote Event Log Management (RPC-EPMAP): Domain,Private,Public=Yes
    Can get a test event as user 'democorp\calvin'? YES
server02.democorp.com
    User has read access to event logs? NO
    Firewall exceptions enabled for Remote Event Log Management?
      Remote Event Log Management (RPC): Domain,Private,Public=Yes
      Remote Event Log Management (NP-In): Domain,Private,Public=Yes
      Remote Event Log Management (RPC-EPMAP): Domain,Private,Public=Yes
    Can get a test event as user 'democorp\calvin'? NO
sumo-remote-collector-config.ps1 : Failed to open event query. Access is denied.
At line:1 char:1
+ .\sumo-remote-collector-config.ps1 -ComputerName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,sumo-remote-collector-config.ps1
    
# update configuration
PS> .\sumo-remote-collector-config.ps1 -ComputerName server02.democorp.com -EventCollectionCredential $eventCred -AdminCredential $adminCred -DoConfig

server02.democorp.com
    Giving user read access to event logs OK
    Enabling firewall exceptions for event log management OK
    Can get a test event as user 'democorp\calvin'? YES