Dela via


Creating Custom Windows Event Forwarding Logs

You may have noticed recently that *we* Microsoft security people have kind of fallen in love with Windows Event Forwarding (WEF). Why? Its built into Windows itself, easily configurable and can collect a very large amount of course or finely filtered events (including existing events) from any domain joined machine with less then 30 minutes of effort.

When demonstrating WEF to customers, one of the most common questions I receive is "I don't want everything in Forwarded Events, can I create separate logs for my subscriptions?" The answer is yes, but it takes a little bit of effort. Once complete, you can create as many custom "buckets" for your forwarded events as you like. Let's start.

Firstly, a large amount of credit goes to Ted Hardy for providing the majority of the process for this. I'm really just playing technical writer here.

Before we start, you will need a few things.

  • If you don't have it already laying around, grab a copy of the Windows SDK for your OS. Why? We need to compile a .dll. I'm not a programmer and I don't understand what resource and link files are, but thankfully you don't really need to.
  • Right-click to download the template "manifest" file from this blog post and rename it to .man from .txt.
  • A machine to configure all of this on. I used a throw away virtual machine with Windows Server 2012 R2 and the Windows 8.1 SDK from above to perform these steps.

Create our Custom Event DLL and Manifest

  1. Go ahead and install your Windows SDK to your machine. I only applied the core SDK itself to the default install location.

  2. Now open the Manifest Generator which you will find at "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\ecmangen.exe"

  3. Open the starter template manifest file from above. The screen should look something like thisECManGen

  4. The channels you see here are really the goal. Any channels you create here are will show up in Event Viewer and also be available for selection in our event collector subscriptions.

  5. Modify the Name and Symbols to your hearts content. You can add a maximum of 8 channels per provider.

  6. If you want, feel free to also change the "WEC" at the root of the events section to something else.

  7. Save the .man file to somewhere on your drive. For the next few steps, I used the path "C:\ECMan" on my machine

  8. Now execute the following commands to build our .dll

     cd\ECMan
    "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\mc.exe" C:\ECMan\CustomEventChannels.man
    "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\mc.exe" -css CustomEventChannels.DummyEvent C:\ECMan\CustomEventChannels.man
    "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\rc.exe" C:\ECMan\CustomEventChannels.rc
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /win32res:C:\ECMan\CustomEventChannels.res /unsafe /target:library /out:C:\ECMan\CustomEventChannels.dll C:\ECMan\CustomEventChannels.cs
    
  9. The output of the folder post processing  should now look like the followingECManGenFileOutput

  10. Take a copy of the highlighted .man and .dll files and place them in your "C:\Windows\System32" folder on your Windows Event Collector server.

  11. We don't need this machine any more (unless you want to create more)

Load It Up

  1. Open an elevated command prompt, and execute the following

     wevtutil im c:\Windows\system32\CustomEventChannels.man
    
  2.  If everything goes well, there should be zero console feedback. Now open Event Viewer (re-launch if it's already open) and you should now have your new custom folders ready to select in your WEC subscriptions (the pic below was taken after the subscription was configured and the log receiving events)CustomLogs

  3. The last thing before we start using them in anger, is to actually give the logs some configuration. The following commands will do the job easily for us. Below is an example for moving the WEC-Domain-Controllers custom log to E:\Logs and configuration a maximum size of 1GB. You can also right-click the log and configure the standard properties that way too.

     wevtutil sl WEC-Domain-Controllers /lfn:E:\Logs\WEC-Domain-Controllers.evtx
    wevtutil sl WEC-Domain-Controllers /ms:1073741824
    
  4. The last piece of the puzzle is simply telling our event subscriptions to dump the events there instead of our old friend Forwarded Events.

Subscription

And there we have it, custom event logs for you to use with your Windows Event Forwarding solution. There is nothing to stop from your creating more event channels using the starter template, you will however have to update the provider properties with a new Name, GUID and updated paths for .dll files to ensure they are unique.

Happy Event Forwarding :)
Russ

Comments

  • Anonymous
    May 18, 2016
    excellent thanks
  • Anonymous
    June 20, 2016
    Great article. thank you! I was able to setup the custom event log channels as described, but i'm unable to write custom XML queries against them or forward them with NXlog. I also don't see the event log channels with get-eventlog from powershell. Any ideas how to resolve the issue?
    • Anonymous
      June 20, 2016
      I figured it out. there was an issue with my XML query. thanks!
  • Anonymous
    August 10, 2016
    Russell, thanks for this article it is really going to help with deploying WEF. I need to try this out and determine if the logs can be located on different drives so the IOPS is not an issue
  • Anonymous
    December 12, 2016
    Russ, I have had this in mind (and my eye on your article) for some time, thanks!Worked a treat!I compiled on Windows 10 x64 and deployed to Server 2012 Event Collector.A few questions, if you are still monitoring and have time.You give credit to Ted Hardy. Does Ted have a blog that could be referenced?2) I am a bit confused by your closing remarks:"And there we have it, custom event logs for you to use with your Windows Event Forwarding solution. There is nothing to stop from your creating more event channels using the starter template, you will however have to update the provider properties with a new Name, GUID and updated paths for .dll files to ensure they are unique."The downloaded .man template does have a GUID: {CF27F07F-7013-483A-BC74-97A0F6AA32FC} - How do we go about creating a new one? GUID generation seems to be somewhat automatic if "new" is selected when creating a new Provider and then select [new] GUID. Is this really safe?
  • Anonymous
    April 24, 2017
    Hi, I hope this discussion still open and Thanks for sharing the article...I followed the process and everything work fine except when I want to change the names and symbols. The process does not reflect the new names? if there an extra step to be performed..Thanks for your help
    • Anonymous
      April 25, 2017
      Can you elaborate what you mean by "Process"? The symbols don't get exposed anywheree in the UI but if you want to change the names, after recompiling the .dll, you would need to unload and load the manifest using wevtutil um" and "wevtutil im".If you want to try a new method for creating custom event channels, check out Project Sauron at https://github.com/russelltomkins/project-sauron
  • Anonymous
    October 09, 2017
    Thanks!
  • Anonymous
    October 25, 2017
    The comment has been removed
    • Anonymous
      October 25, 2017
      Most definitely. Using a custom event channel simply changes the destination .evtx file on your collector. The rest of the configurations remains as per the standard guidance.