D
Daniel Mercourios
Hi,
We have set up a windows event collector according to this article
We have had it running a couple of years now.
Lately we have noticed that two of our domain controllers are falling a couple of hours behind with their event forwarding to the event collector. It is working, the events are coming in but they are always 2-3 hours behind. We can see fresh events on the DC, just seconds old, but on the event collector the newest events are 2-3 hours old. The other domain controllers are working just fine, the events are coming in right on the second.
This is the config of the subscription.
Subscription Id: DC Audit
SubscriptionType: SourceInitiated
Description:
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
DeliveryMode: Push
DeliveryMaxItems: 1
DeliveryMaxLatencyTime: 15
HeartbeatInterval: 900
Query: <QueryList><Query Id="0" Path="System"><Select Path="System">*</Select></Query><Query Id="2" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
ReadExistingEvents: true
TransportName: HTTP
ContentFormat: Events
Locale: sv-SE
LogFile: WEC-DomainControllers
PublisherName:
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:BAD
(A;;GA;;;DD)S:
In powershell ConvertFrom-SddlString gives me this:
ConvertFrom-SddlString -Sddl "O:NSG:BAD(A;;GA;;;DD)S:"
Owner : NT AUTHORITY\NETWORK SERVICE
Group : BUILTIN\Administrators
DiscretionaryAcl : {SCB\Domain Controllers: AccessAllowed (GenericAll)}
SystemAcl : {}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
We have gone through typical troubleshooting guides when event forwarding aren't working at all. Like firewall ports, winrm qc etc. But in this case it is working but falling behind.
Any thoughts on this?
Continue reading...
We have set up a windows event collector according to this article
Use Windows Event Forwarding to help with intrusion detection
Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
docs.microsoft.com
We have had it running a couple of years now.
Lately we have noticed that two of our domain controllers are falling a couple of hours behind with their event forwarding to the event collector. It is working, the events are coming in but they are always 2-3 hours behind. We can see fresh events on the DC, just seconds old, but on the event collector the newest events are 2-3 hours old. The other domain controllers are working just fine, the events are coming in right on the second.
This is the config of the subscription.
Subscription Id: DC Audit
SubscriptionType: SourceInitiated
Description:
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
DeliveryMode: Push
DeliveryMaxItems: 1
DeliveryMaxLatencyTime: 15
HeartbeatInterval: 900
Query: <QueryList><Query Id="0" Path="System"><Select Path="System">*</Select></Query><Query Id="2" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
ReadExistingEvents: true
TransportName: HTTP
ContentFormat: Events
Locale: sv-SE
LogFile: WEC-DomainControllers
PublisherName:
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:BAD
(A;;GA;;;DD)S:In powershell ConvertFrom-SddlString gives me this:
ConvertFrom-SddlString -Sddl "O:NSG:BAD
(A;;GA;;;DD)S:"Owner : NT AUTHORITY\NETWORK SERVICE
Group : BUILTIN\Administrators
DiscretionaryAcl : {SCB\Domain Controllers: AccessAllowed (GenericAll)}
SystemAcl : {}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
We have gone through typical troubleshooting guides when event forwarding aren't working at all. Like firewall ports, winrm qc etc. But in this case it is working but falling behind.
Any thoughts on this?
Continue reading...