duffney / WEF_ADSecuirtyLogs

Windows Event Forwarding for Active Directory Security Logs


WEF_ADSecuirtyLogs

Introduction

The WEF_ADSecuirtyLogs repository (Windows Event Forwarding for Active Directory Security Logs) demonstrates setting up Windows Event Log forwarding for Active Directory domain controller Security logs using DSC and Group Policy. All the files, scripts and resources needed to build a WEF lab are included. Demo.ps1 is the walk-through script for the demo. The files in DSC_Configs are the DSC configurations for the lab, and the files in LabBuilder help create the lab environment.

Demo Overview

  1. Create Lab Environment with LabBuilder
  2. Add Collector node to Event Log Readers Active Directory group
  3. Configure Log Access Group Policy
  4. Enable Auditing on Domain Controllers via Group Policy
  5. Restart Domain Controllers to apply new Group Policies
  6. Deploy xWindowsEventForwarding DSC Configuration to Collector node
  7. Review Event Log Subscription
  8. Prep New Domain Controller
  9. Promote New Domain Controller with DSC
  10. Update Event Log Subscription

Steps 2-7 are covered in a separate blog post.
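Steps 2-7 and 10 carried out with native tooling (the ActiveDirectory and GroupPolicy modules, auditpol and wecutil), as an added example that is not the repository's Demo.ps1 or its DSC configuration (which uses the xWindowsEventForwarding resource instead). The host names WEFCOL01, DC01 and DC02, the domain contoso.com, the GPO name and the subscription name are assumptions for the lab; run it elevated on the collector, as a domain admin, with the RSAT AD and Group Policy modules installed.

```powershell
# Added example (not the repository's code): steps 2-7 and 10 with native tooling.
# Assumed lab names: domain contoso.com, collector WEFCOL01, DC01 (existing),
# DC02 (promoted in step 9). All hypothetical.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$Domain    = 'contoso.com'
$Collector = 'WEFCOL01'
$Sources   = @('DC01')
$SubName   = 'AD-Security'
Import-Module ActiveDirectory, GroupPolicy

# Step 2: the subscription below is collector-initiated, so the collector's
# machine account authenticates to each DC over WinRM and needs read access.
Add-ADGroupMember -Identity 'Event Log Readers' -Members (Get-ADComputer -Identity $Collector)

# Step 3: "Configure log access" for the Security channel, linked to the DC OU.
# The policy is the REG_SZ value ChannelAccess and REPLACES the channel SDDL, so
# keep the default ACEs (SYSTEM, Administrators, Event Log Readers) and append
# read (0x1) for NETWORK SERVICE (S-1-5-20), which the WinRM forwarding plug-in
# on a DC runs as. Dropping the SY/BA entries would lock admins out of the log.
$Sddl    = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'
$GpoName = 'WEF - DC Security Log Access'
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\EventLog\Security' `
    -ValueName 'ChannelAccess' -Type String -Value $Sddl | Out-Null
$DcOu = 'OU=Domain Controllers,' + (Get-ADDomain -Identity $Domain).DistinguishedName
if (-not ((Get-GPInheritance -Target $DcOu).GpoLinks.DisplayName -contains $GpoName)) {
    New-GPLink -Name $GpoName -Target $DcOu | Out-Null
}

# Step 4: audit subcategories that produce the DC events worth forwarding. The
# repository sets these through a GPO; auditpol on each DC is the lab shortcut
# and is overwritten by any GPO that also configures audit policy.
$Subcategories = 'Logon', 'Credential Validation', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'User Account Management',
    'Security Group Management', 'Directory Service Changes'
Invoke-Command -ComputerName ($Sources | ForEach-Object { "$($_).$Domain" }) -ScriptBlock {
    foreach ($s in $using:Subcategories) {
        auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    }
    gpupdate.exe /force | Out-Null   # step 5 equivalent; the repository restarts the DCs instead
}

# Step 6: make this host a collector and subscribe to a narrow Security query
# (logons, privilege use, account/group changes, Kerberos and NTLM authentication).
wecutil.exe qc /q | Out-Null
$EventIds = 4624, 4625, 4672, 4720, 4726, 4728, 4732, 4756, 4768, 4769, 4771, 4776
$XPath = '*[System[(' + (($EventIds | ForEach-Object { "EventID=$_" }) -join ' or ') + ')]]'

function New-WefSubscriptionXml {
    param([string]$Id, [string[]]$Hosts, [string]$DnsDomain, [string]$Select)
    $eventSources = ($Hosts | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$($_).$DnsDomain</Address></EventSource>" }) -join "`n"
@"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsmanagement/eventforwarding">
  <SubscriptionId>$Id</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Domain controller Security log, selected event IDs</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>5</MaxItems><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">$Select</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$eventSources
  </EventSources>
</Subscription>
"@
}

$XmlPath = Join-Path $env:TEMP "$SubName.xml"
New-WefSubscriptionXml -Id $SubName -Hosts $Sources -DnsDomain $Domain -Select $XPath |
    Set-Content -Path $XmlPath -Encoding UTF8
wecutil.exe cs $XmlPath

# Step 7: 'gs' prints the stored configuration, 'gr' the per-source runtime
# status. A source that stays Inactive with an access-denied error means
# steps 2-3 have not taken effect on that DC yet.
wecutil.exe gs $SubName
wecutil.exe gr $SubName
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, MachineName, Id, TaskDisplayName -AutoSize

# Step 10: a collector-initiated subscription does not discover new DCs, so the
# newly promoted DC02 must be added as a source once the DC OU GPOs apply to it.
wecutil.exe ss $SubName /esa:"DC02.$Domain" /ese:true
wecutil.exe gr $SubName
```

The SDDL in step 3 is the part worth checking twice: because the policy replaces the channel ACL rather than adding to it, a value that omits the SYSTEM and Administrators entries breaks local event log access on every DC it is linked to. Step 10 exists only because the subscription is collector-initiated; a source-initiated subscription whose AllowedSourceDomainComputers SDDL names the Domain Controllers group, with the collector address pushed to DCs by GPO, would pick up a new DC without touching the collector.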

How to Use

  1. Run LabBuilder\LabBuilder_KickStart.ps1 to create the lab environment.
  2. Use Demo.ps1 to walk through the demo.

Requirements

  1. PowerShell version 5
  2. Hyper-V
  3. PowerShell modules: LabBuilder, xWindowsEventForwarding, xActiveDirectory (all included in the DSCResources folder)
  4. ISO file: Windows Server 2016 TP5

Sources

  1. Event Log Forwarding
  2. The Security Log Haystack: Event Forwarding and You
  3. Configure Event Log Forwarding (Windows Server 2012 R2)
  4. Ultimate Guide to Centralizing Windows Logs
  5. xWindowsEventForwarding
  6. wecutil documentation
  7. msdn.microsoft.com
  8. technet.microsoft.com

License: MIT License