WinRM log forwarding in Windows 2012 R2 Server

Parichay Saxena 20 Reputation points
2023-05-07T12:16:10.21+00:00

I have various servers in Active Directory with different Roles like SCCM server, Database Server, MS Lync, MS Exchange 2013 and MS SharePoint Server.

For their Security logs auditing, we have RSA Netwitness Platform.

On them, some of the services are configured via the WinRM method for taking logs from the Event Viewer logs like Application, Security and System.

But still we are not able to monitor the different Roles described above via WinRM.

wevtutil sl Application /ca:existing-SDDL-string(A;;0x1;;;S-1-5-20)

wevtutil sl Security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-20)

wevtutil sl System /ca:existing-SDDL-string(A;;0x1;;;S-1-5-20)

Please suggest a practice so that I am able to monitor all logs of SCCM, SQL, MS Lync, MS Exchange 2013 and MS SharePoint Server by WinRM.


Accepted answer
Konstantinos Passadis 19,376 Reputation points MVP
    2023-05-07T12:54:12.3866667+00:00

    Hello @Parichay Saxena!

    To monitor the logs of different roles like SCCM server, Database Server, MS Lync, MS Exchange 2013, and MS SharePoint Server using WinRM, you need to follow the below steps:

    Ensure that WinRM is configured and enabled on all servers.
    
    Verify that the necessary firewall ports (TCP 5985 and TCP 5986) are open to allow incoming connections.
    
    Ensure that the user account used for WinRM authentication has the necessary permissions to access the logs. For example, if you want to access the Security log, the user account needs to be a member of the local Administrators group or have the "Manage auditing and security log" user right.
    
    Use the following command to configure the security descriptor for the log you want to access:
    

    wevtutil sl <LogName> /ca:existing-SDDL-string(A;;0x1;;;S-1-5-20)

    For example:

    wevtutil sl Security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-20)

    This command grants the local Network Service account read access to the log.

    Once the security descriptor is configured, you can use the following command to retrieve the log data:
    

    wevtutil qe <LogName> /rd:true /f:text /q:"<Query>"

    For example:

    wevtutil qe Security /rd:true /f:text /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']]]"

    This command retrieves all events from the Security log that are generated by the Microsoft-Windows-Security-Auditing provider.

    Repeat this process for each log you want to access on each server hosting the different roles.


    The answer or portions of it may have been assisted by AI. Source: ChatGPT Subscription

    Kindly mark the answer as Accepted and Upvote in case it helped, or post your feedback to help!

    Regards

    1 person found this answer helpful.
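One point that trips people up with the `wevtutil sl /ca:` step in the accepted answer: `existing-SDDL-string` is a placeholder for the channel's current security descriptor, and `/ca:` replaces the whole descriptor rather than appending to it. If you type the ACE on its own, the accounts that could read the log before (including the collector you already have working) lose access. The PowerShell below is an added example, not code from the question or the answer: it reads the current SDDL with `wevtutil gl`, appends the `(A;;0x1;;;S-1-5-20)` ACE from the thread into the DACL, re-reads the channel to confirm, and then pulls the newest Security-Auditing events over WinRM with the same query the answer uses. It assumes it runs elevated on the source server, that the source is reachable on TCP 5985 with an account that is a local admin there, and the hostname `SCCM01` in the usage lines is a made-up placeholder.

```powershell
<#
  Added example (not from the original thread). Run elevated on the log source.
  Assumptions: WinRM reachable on TCP 5985, caller is local admin on the source,
  ACE is the one from the thread: read access (0x1) for NETWORK SERVICE (S-1-5-20).
#>

function Get-ChannelSddl {
    param([Parameter(Mandatory)] [string] $LogName)
    # 'wevtutil gl' prints the channel settings one per line; the current
    # security descriptor is on the "channelAccess:" line.
    $line = wevtutil gl $LogName | Where-Object { $_ -like 'channelAccess:*' }
    if (-not $line) { throw "Could not read channel access for '$LogName'." }
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

function Add-ChannelReadAce {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [string] $Ace = '(A;;0x1;;;S-1-5-20)'
    )
    $current = Get-ChannelSddl -LogName $LogName

    # Idempotent: do nothing if the ACE is already present (no wildcard chars in the ACE).
    if ($current -like "*$Ace*") {
        return [pscustomobject]@{ Log = $LogName; Changed = $false; Sddl = $current }
    }

    # Insert the ACE at the end of the DACL. If the descriptor carries a SACL
    # ("S:" section) the ACE must go before it, otherwise it would land in the SACL.
    $sacl = $current.IndexOf('S:')
    $new  = if ($sacl -ge 0) { $current.Insert($sacl, $Ace) } else { $current + $Ace }

    # '/ca:' replaces the whole descriptor, which is why the existing string is carried over.
    wevtutil sl $LogName "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for '$LogName' (exit code $LASTEXITCODE)." }

    # Re-read the channel instead of trusting the exit code; GPO can reapply its own SDDL later.
    $check = Get-ChannelSddl -LogName $LogName
    if ($check -notlike "*$Ace*") { throw "ACE not present after update on '$LogName'." }
    return [pscustomobject]@{ Log = $LogName; Changed = $true; Sddl = $check }
}

function Get-RemoteSecurityAuditEvents {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Count = 10
    )
    # Same XPath as the answer; built in a variable so PowerShell passes it as one argument.
    $query = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
    # Invoke-Command runs the query on the source over WinRM; /rd:true = newest first, /c = max events.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($q, $n)
        wevtutil qe Security /rd:true /c:$n /f:text "/q:$q"
    } -ArgumentList $query, $Count
}

# Usage on each source server (elevated), for the three logs named in the question:
#   'Application', 'Security', 'System' | ForEach-Object { Add-ChannelReadAce -LogName $_ } | Format-Table
# From the collector, over WinRM (SCCM01 is a placeholder hostname):
#   Get-RemoteSecurityAuditEvents -ComputerName 'SCCM01' -Count 5
```

Two caveats worth knowing before rolling this out to the SCCM, SQL, Lync, Exchange and SharePoint boxes. First, the reason the thread uses S-1-5-20 is that a source-initiated forwarding subscription runs as NETWORK SERVICE on the source; the supported way to give that account read access to every channel at once is to add it to the built-in Event Log Readers group, which avoids editing each log's SDDL by hand. Second, if "Configure log access" is set under Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Log Service), the policy value wins over a local `wevtutil sl` change at the next policy refresh, so put the ACE in the GPO in that case rather than on each server.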
