W
Working Chump
At this point I'm at a loss and have gone through documentation for Windows Event Forwarding. Simply what I am trying to do is stand up an environment where I can forward all events from the source (Windows 10 desktop) to a Windows Event Collector (Windows Server 2012 R2).
Simple enough or so it sounds. I was able to get events forwarded over HTTP with and reflect them within the WEC however the Windows Security events did not show up simply because the Network Service account is within NTAUTHORITY and this is hidden. There is a specific script that allows the NT AUTHORITY to allow collection of events. After I performed that I was able to get a solid week of events within the WEC.
The next step was to see if I can replicate this with HTTPS. I have stumbled upon mounds of documents that have would have appeared helpful but have had little impact to this effort.
What I have done:
1) Made sure the GPO is set correctly- Computer Configuration/Policies/Administrative Templates/Windows Components/Event Forwarding/Configure target Subscription Manager
SubscriptionManagers: Server=https://weccollector.my.world:5986/...,Refresh=600,IssuerCA=01ab02cd03ef04gh05ij06
2) Ensure the event subscription reflects correctly for HTTPS
3) Check to see if the cert chain is in the correct locations. The certs are coming directly from a CA
4) Performed the quickconfig -transport:https command as Administrator
This is where I first ran into my troubles of trying to get HTTPS to work. Check out this error:
WinRM service is already running on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
Wait. Certificate? What? I have the entire certificate chain loaded with the thumbprint pointed correctly in the GPO and the certificate specified in the Event Subscription. Im confused.
5) Force WinRM to listen to HTTPS (How to force WinRM to listen interfaces over HTTPS):
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="weccollector.my.world";CertificateThumbprint="01ab02cd03ef04gh05ij06"}
WSManFault
Message
ProviderFault
WSManFault
Message = The WS-Management service cannot find the certificate that was requested.
Error number: -2144108414 0x80338082
The WS-Management service cannot find the certificate that was requested.
So this is where Im at. Just stuck and not able to get any more progress on this. Has anyone run into this before? One interesting thing though is that I ran winrm enumerate winrm/config/listener on the WEC and was able to get some interesting out put. This seems to indicate that both HTTP and HTTPS ports are listening. However, when I go down and see the Certificate Thumbprint this points to the machine/server cert and not the one specified during the Event Subscription.
Does anyone have any input on this? Ive been trying to dig through what I can and just not able to get more on this. If you have any insight on this I would greatly appreciate it.
Continue reading...
Simple enough or so it sounds. I was able to get events forwarded over HTTP with and reflect them within the WEC however the Windows Security events did not show up simply because the Network Service account is within NTAUTHORITY and this is hidden. There is a specific script that allows the NT AUTHORITY to allow collection of events. After I performed that I was able to get a solid week of events within the WEC.
The next step was to see if I can replicate this with HTTPS. I have stumbled upon mounds of documents that have would have appeared helpful but have had little impact to this effort.
What I have done:
1) Made sure the GPO is set correctly- Computer Configuration/Policies/Administrative Templates/Windows Components/Event Forwarding/Configure target Subscription Manager
SubscriptionManagers: Server=https://weccollector.my.world:5986/...,Refresh=600,IssuerCA=01ab02cd03ef04gh05ij06
2) Ensure the event subscription reflects correctly for HTTPS
3) Check to see if the cert chain is in the correct locations. The certs are coming directly from a CA
4) Performed the quickconfig -transport:https command as Administrator
This is where I first ran into my troubles of trying to get HTTPS to work. Check out this error:
WinRM service is already running on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
Wait. Certificate? What? I have the entire certificate chain loaded with the thumbprint pointed correctly in the GPO and the certificate specified in the Event Subscription. Im confused.
5) Force WinRM to listen to HTTPS (How to force WinRM to listen interfaces over HTTPS):
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="weccollector.my.world";CertificateThumbprint="01ab02cd03ef04gh05ij06"}
WSManFault
Message
ProviderFault
WSManFault
Message = The WS-Management service cannot find the certificate that was requested.
Error number: -2144108414 0x80338082
The WS-Management service cannot find the certificate that was requested.
So this is where Im at. Just stuck and not able to get any more progress on this. Has anyone run into this before? One interesting thing though is that I ran winrm enumerate winrm/config/listener on the WEC and was able to get some interesting out put. This seems to indicate that both HTTP and HTTPS ports are listening. However, when I go down and see the Certificate Thumbprint this points to the machine/server cert and not the one specified during the Event Subscription.
Does anyone have any input on this? Ive been trying to dig through what I can and just not able to get more on this. If you have any insight on this I would greatly appreciate it.
Continue reading...