windows event logs not forwarded #245

Closed
kpm4 opened this issue Apr 7, 2019 · 5 comments
kpm4 commented Apr 7, 2019

  • Operating System Version:
    win10, win server 2016

  • Provider (VirtualBox/VMWare):
    virtualbox

  • Vagrant Version:

  • Packer Version:

  • Are you using stock boxes (downloaded) or were they built from scratch using Packer?
    I am using the stock boxes.

  • Is the issue reproducible or intermittent?
    It is reproducible.

Description of the issue:

During the DC, WEF and win10 provisioning, the Windows event logs are sent to Splunk on the 'main' index.
After the provisioning, when I try to use the lab, those events are not forwarded to Splunk (the wineventlog index is empty) or to WEF: all WEC folders have no events, and on win10 and the DC the "Forwarded Events" folder is empty.
The only events present in Splunk are the Sysmon events from the DC, WEF and win10.

Is this expected and should I enable it on WEF? Or should those logs be forwarded with the Splunk agent?

thanks!

clong (Owner) commented Apr 10, 2019

Hey @kpm4,

It's really odd that the Sysmon index would be populated and that the wineventlog index wouldn't. Windows event logs are collected on the WEF host and then sent via Splunk. I have a few thoughts around why/how this might happen:

  1. The Windows Event Collector service on WEF is off
  2. WinRM communication between hosts isn't working for some reason
  3. The GPOs for WEF weren't correctly applied on the Domain Controller

@clong clong added the bug label Apr 10, 2019
kpm4 (Author) commented Apr 10, 2019

hi!

found the issues:
the WEC service was not running on the WEF server and the OU was not configured (so configure-wef-gpo failed). I ran them manually and now everything is working.

I think that there is an issue in the provisioning: when I provision wef and win10, the script to join the domain fails, so I have to run add-computer manually. I still haven't found the root cause of this.

thanks!
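
The checks clong lists (WEC service, WinRM reachability, GPO applied on the DC) and the fix kpm4 applied by hand (start Wecsvc, link the GPO) as one script. This is an added example, not DetectionLab's own code and not part of any post in this thread. It is meant to be run in an elevated PowerShell session on the WEF host as a domain admin. The host names come from the thread; the GPO name, the OU distinguished name and the domain are assumptions, so set them to whatever your lab uses.

```powershell
# Added example (not DetectionLab's code). Run elevated on the WEF host as a domain admin.
$DomainController = 'dc'                                 # from the thread
$Forwarders       = @('dc', 'win10')                     # hosts that should forward to WEF
$WefGpoName       = 'WEF'                                # ASSUMPTION: name of the GPO configure-wef-gpo links
$ForwarderOu      = 'OU=Servers,DC=windomain,DC=local'   # ASSUMPTION: OU the GPO should be linked to

# 1. Windows Event Collector service on the collector (this host).
$wec = Get-Service -Name Wecsvc
if ($wec.Status -ne 'Running') {
    Write-Warning "Wecsvc is $($wec.Status); setting it to Automatic and starting it"
    Set-Service  -Name Wecsvc -StartupType Automatic
    Start-Service -Name Wecsvc
}
# Every subscription plus its runtime status (active sources, last error per source).
wecutil es | ForEach-Object { "== subscription: $_"; wecutil gr $_ }

# 2. WinRM between the collector and each source host.
foreach ($h in $Forwarders) {
    try {
        $null = Test-WSMan -ComputerName $h -ErrorAction Stop
        "$h : WinRM reachable"
    } catch {
        Write-Warning "$h : WinRM unreachable ($($_.Exception.Message))"
    }
}

# 3. Did the forwarding GPO land on the DC? The 'Configure target Subscription Manager'
#    policy writes the collector URL(s) into this registry key; if the key is missing,
#    the GPO was never applied to that computer.
$policyCheck = {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { "SubscriptionManager[$($_.Name)] = $($_.Value)" }
    } else {
        'NO SubscriptionManager policy: WEF GPO not applied on this host'
    }
}
Invoke-Command -ComputerName $DomainController -ScriptBlock $policyCheck

# 4. Remediation for the case kpm4 hit: the OU did not exist, so the GPO link step failed.
Import-Module GroupPolicy
Import-Module ActiveDirectory
if (-not (Get-GPO -Name $WefGpoName -ErrorAction SilentlyContinue)) {
    throw "GPO '$WefGpoName' does not exist; re-run configure-wef-gpo first"
}
try {
    $null = Get-ADOrganizationalUnit -Identity $ForwarderOu -ErrorAction Stop
} catch {
    Write-Warning "OU $ForwarderOu is missing; creating it"
    $ouName   = ($ForwarderOu -split ',', 2)[0] -replace '^OU=', ''
    $ouParent = ($ForwarderOu -split ',', 2)[1]
    New-ADOrganizationalUnit -Name $ouName -Path $ouParent
}
$linked = (Get-GPInheritance -Target $ForwarderOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $WefGpoName }
if (-not $linked) {
    New-GPLink -Name $WefGpoName -Target $ForwarderOu -LinkEnabled Yes
}
# Refresh policy on the sources and bounce WinRM so they re-read the subscription manager.
Invoke-Command -ComputerName $Forwarders -ScriptBlock {
    gpupdate /force /target:computer | Out-Null
    Restart-Service -Name WinRM
}

# 5. Proof: forwarded events should start arriving on the collector within a few minutes.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, ProviderName
```

Two points worth keeping in mind while reading the output: only the collector needs Wecsvc, the source hosts (DC, win10) only need WinRM running and the SubscriptionManager policy present, and the first thing `wecutil gr` reports per source is the last error, which usually names the real cause (an access-denied here means the collector's computer account is not in the event log readers group on the source).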

clong (Owner) commented Apr 11, 2019

Hey @kpm4 - there was an issue for this but I closed it a while back for some reason. I've definitely seen hosts hang while attempting to join the domain recently so I've re-opened it: #21

Unfortunately I don't really know why this happens, but a vagrant reload <hostname> --provision usually resolves the issue.

jsecurity101 (Contributor) commented Apr 13, 2019

Hi @clong and @kpm4, upon further investigation I noticed that the DC is not propagating logs into Splunk. This was tested by running a DCSync. There were no 4662 event codes inside Splunk, but the 4662 event codes were found locally on the DC. WEC was not started on the DC or Win10. After starting this service on both boxes, then restarting Splunk, I get the same issue. If either of you have any ideas or want me to test anything, I would be more than happy to help!
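
The local-vs-forwarded comparison jsecurity101 describes, written out so it can be repeated on any DC. This is an added example, not jsecurity101's code and not part of DetectionLab. It runs on the domain controller, confirms that the audit subcategory producing 4662 is actually enabled, and then lists the 4662 events in the local Security log whose Properties field carries one of the two well-known DS-Replication control access right GUIDs (the ones a DCSync exercises). The count it returns is the number you should expect to see in the wineventlog index once forwarding works; the one-hour window is an assumption.

```powershell
# Added example (not DetectionLab's or jsecurity101's code). Run elevated on the DC.
$LookbackHours = 1   # ASSUMPTION: how far back to search; widen it if your DCSync test was earlier

# Well-known control access right GUIDs that appear in 4662 when replication is requested.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# 4662 is only generated if 'Directory Service Access' auditing is on. Check that first,
# otherwise an empty result says nothing about forwarding.
$audit = auditpol /get /subcategory:"Directory Service Access" 2>&1
if ($audit -notmatch 'Success') {
    Write-Warning "Directory Service Access auditing is not enabled for Success; 4662 will never be written locally:`n$audit"
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$dcsync = foreach ($e in $events) {
    # Pull the EventData fields by name instead of relying on message-string positions.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $hits = $ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ }
    if ($hits) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ClientHost  = $e.MachineName
            Rights      = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            ObjectName  = $data['ObjectName']
        }
    }
}

"4662 events in the last $LookbackHours h (all):           $($events.Count)"
"4662 events with replication rights (DCSync-like): $(@($dcsync).Count)"
$dcsync | Sort-Object TimeCreated | Format-Table -AutoSize
```

If the second count is non-zero here but a search such as `index=wineventlog EventCode=4662` in Splunk over the same window returns nothing, the gap is between the DC and the collector (subscription, WinRM, GPO), not in what the DC is auditing. If both counts are zero, fix auditing on the DC before touching WEF.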

clong (Owner) commented Apr 29, 2019

Closing this issue since it has since been fixed

@clong clong closed this as completed Apr 29, 2019