
Windows Event, Remote Poll Troubleshooting

This guide is intended to assist Windows administrators in configuring the account used to collect Windows logs remotely.

The service account must be a member of the local “Event Log Readers” group. A GPO is configured to push this setting to all servers in the domain.

To test whether the permissions are in place for each server, carry out the steps below from the WinCollect server:

  • Connect remotely from Event Viewer using the service account.
  • Check network connectivity.
  • Verify account permissions.
  • Verify the audit level on the server.

1.    Connect remotely from Event Viewer.

From the WinCollect server, connect to the remote computer using Event Viewer:

  • In the Event Viewer console, right-click Event Viewer (Computername), where Computername is the name of the computer you are currently connected to.
  • Select Connect to Another Computer.

  • Type the name of the other computer, e.g. DC1, and tick the check box Connect as another user: <none>.

  • Provide the credentials of a user that has access to the remote computer, e.g. CONTOSO\Administrator.

  • After this step you will either see the logs on the remote computer or an error. If you see an error, follow the steps below.

2.    Check Network Connection

Check that the ports below are open from the WinCollect server to the remote computer:

ID  From        To              Port         Protocol  Description                            Service required for
--  ----------  --------------  -----------  --------  -------------------------------------  -------------------------------------
1   WinCollect  Windows Server  135          TCP       DCOM                                   Log source protocols (see note below)
2   WinCollect  Windows Server  137          UDP       Windows NetBIOS name service           Log source protocols (see note below)
3   WinCollect  Windows Server  138          UDP       Windows NetBIOS datagram service       Log source protocols (see note below)
4   WinCollect  Windows Server  139          TCP       Windows NetBIOS session service        Log source protocols (see note below)
5   WinCollect  Windows Server  445          TCP       Microsoft Directory Service            Log source protocols (see note below)
6   WinCollect  Windows Server  49152-65535  TCP       Default dynamic port range for TCP/IP  Default dynamic port range for TCP/IP

Note (rows 1 to 5): this traffic is generated by the following log source protocols:
  • WinCollect
  • Microsoft Security Event Log Protocol
  • Adaptive Log Exporter

If any of these ports is not open, the network team should check whether a firewall is blocking it and allow the traffic.
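The two checks in steps 1 and 2 can be scripted from the WinCollect server. The script below is an added example and is not part of the original guide or of WinCollect itself; the server name DC1, the account name CONTOSO\svc-wincollect and the port list are placeholders taken from the table and the examples above. It probes the TCP ports with Test-NetConnection, then performs the same remote read of the Security log that Event Viewer's "Connect to Another Computer" does, so a permission error can be told apart from a network error.

```powershell
# Added example; not part of the original guide. Run on the WinCollect host.
# $Target, $ServiceAccount and the port list are placeholders/assumptions taken
# from the table above; replace them with your own values.
param(
    [string]$Target         = 'DC1',                      # placeholder server name
    [string]$ServiceAccount = 'CONTOSO\svc-wincollect'    # placeholder service account
)

# TCP ports from the table. Test-NetConnection probes TCP only, so UDP 137/138
# (NetBIOS name and datagram services) have to be confirmed on the firewall.
$tcpPorts = @(
    [pscustomobject]@{ Port = 135; Service = 'DCOM / RPC endpoint mapper' },
    [pscustomobject]@{ Port = 139; Service = 'NetBIOS session service' },
    [pscustomobject]@{ Port = 445; Service = 'SMB (Microsoft Directory Service)' }
)

$portResults = foreach ($p in $tcpPorts) {
    $t = Test-NetConnection -ComputerName $Target -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $Target
        Port    = $p.Port
        Service = $p.Service
        Open    = $t.TcpTestSucceeded
    }
}
$portResults | Format-Table -AutoSize
Write-Host 'UDP 137/138 are not probed here; confirm them on the firewall.'

if ($portResults.Open -contains $false) {
    Write-Warning 'At least one required TCP port is blocked; involve the network team before testing permissions.'
    return
}

# Same operation Event Viewer performs when you "Connect to Another Computer":
# read the Security log remotely as the service account. A failure here with
# the ports open points at group membership (step 3) or auditing (step 4).
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
try {
    $events = Get-WinEvent -ComputerName $Target -LogName Security -MaxEvents 5 -Credential $cred -ErrorAction Stop
    Write-Host ("Remote read OK: newest Security event on {0} is from {1}" -f $Target, $events[0].TimeCreated)
} catch {
    Write-Warning ("Remote read of Security log on {0} failed: {1}" -f $Target, $_.Exception.Message)
}
```

The dynamic RPC range in row 6 cannot be probed port by port: the remote event log API first contacts the endpoint mapper on TCP 135 and is then redirected to a port from that range, so a successful Get-WinEvent after a successful port 135 test is the practical confirmation that the range is open.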

3.    Check Account Permissions

Required permissions

The log source user must be a member of the local “Event Log Readers” group. If this group is not configured, domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases the Backup Operators group can also be used, depending on how the Microsoft Group Policy Objects are configured.

On Windows XP and Windows Server 2003, the user also requires read access to the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft Windows\CurrentVersion

Check Local Firewall

If all the ports are open, check the local firewall on the remote computer. If the firewall is on, check that the rules below are allowed:

COM+ Network Access (DCOM-In)

Remote Event Log Management (NP-In)

Remote Event Log Management (RPC)

Remote Event Log Management (RPC-EPMAP)

Windows Management Instrumentation (ASync-In)

Windows Management Instrumentation (DCOM-In)

Windows Management Instrumentation (WMI-In)
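Both requirements of step 3, group membership and the inbound firewall rules, can be verified on the remote server itself. The script below is an added example, not the original guide's or WinCollect's own code; it is meant to be run elevated on the remote Windows server, and CONTOSO\svc-wincollect is a placeholder for the real service account.

```powershell
# Added example; not part of the original guide. Run elevated ON the remote
# Windows server to verify step 3: the service account is in the local
# "Event Log Readers" group, and the inbound firewall rules listed in the
# guide are enabled. $ServiceAccount is a placeholder.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-wincollect'   # placeholder service account
)

# 1. Local group membership. Get-LocalGroupMember lists direct members only;
#    if the GPO adds a domain group rather than the account itself, that group
#    shows up here and its membership must be checked in Active Directory.
$members = @(Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction Stop)
$direct  = $members.Name -contains $ServiceAccount
"'Event Log Readers' members: {0}" -f ($members.Name -join ', ')
"{0} is a direct member: {1}" -f $ServiceAccount, $direct

# 2. Firewall state per profile, then the inbound rules matched by the
#    DisplayName the guide uses. A rule usually exists once per profile, so
#    every copy is listed with its profile and Enabled state.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

$requiredRules = @(
    'COM+ Network Access (DCOM-In)',
    'Remote Event Log Management (NP-In)',
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)',
    'Windows Management Instrumentation (ASync-In)',
    'Windows Management Instrumentation (DCOM-In)',
    'Windows Management Instrumentation (WMI-In)'
)

foreach ($name in $requiredRules) {
    $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        "{0,-48} NOT FOUND" -f $name
        continue
    }
    foreach ($r in $rules) {
        "{0,-48} Profile={1,-16} Enabled={2}" -f $name, $r.Profile, $r.Enabled
    }
}
```

Only the copy of each rule that belongs to the profile the server is currently on (normally Domain for a domain-joined server) matters for the connection; a rule that is enabled for Private but disabled for Domain still blocks the poll.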

4.    Check Auditing

After following all the steps above, try connecting to the remote computer from the WinCollect server using Event Viewer again.

If you are able to connect using Event Viewer but do not see real-time events, auditing is not set up on that server as recommended by Microsoft.

If everything else is fine, check auditing on the server with the command below:

auditpol /get /category:*

Verify that auditing is enabled as per the strong recommendations from Microsoft at the link below:

Ref: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
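The auditpol output can be checked automatically rather than read by eye. The script below is an added example and not part of the original guide: it uses the CSV form of the same command (auditpol /get /category:* /r), flags subcategories that fall short of a small expectations table, and then checks whether the Security log is actually receiving events, which is the symptom described above. The expectations table is an illustrative subset of the linked Microsoft recommendations written as an assumption; confirm each entry against that page before relying on it.

```powershell
# Added example; not part of the original guide. Run elevated on the remote
# server (reading the audit policy needs the Security privilege).
# $expected is an ASSUMED, illustrative subset of the Microsoft audit policy
# recommendations linked above; verify each entry against that page.
$expected = @{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Special Logon'             = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Process Creation'          = 'Success'
}

# auditpol /r emits CSV with the columns Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$policy = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

$report = foreach ($row in $policy) {
    $sub    = $row.Subcategory
    $actual = $row.'Inclusion Setting'
    $want   = $expected[$sub]
    $status = if (-not $want) {
        'not checked'
    } elseif ($actual -eq 'Success and Failure' -or $actual -eq $want) {
        'OK'                       # "Success and Failure" satisfies any expectation
    } else {
        'BELOW RECOMMENDATION'
    }
    [pscustomobject]@{ Subcategory = $sub; Actual = $actual; Expected = $want; Status = $status }
}

"Subcategories compared against the expectations table:"
$report | Where-Object { $_.Status -ne 'not checked' } | Format-Table -AutoSize

"All subcategories with no auditing at all (compare against the Microsoft page):"
$report | Where-Object { $_.Actual -eq 'No Auditing' } | Select-Object -ExpandProperty Subcategory

# Is the Security log actually receiving events? This is what "no real-time
# events in Event Viewer" means in practice.
$since  = (Get-Date).AddMinutes(-15)
$recent = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -MaxEvents 1 -ErrorAction SilentlyContinue)
if ($recent.Count -eq 0) {
    Write-Warning 'No Security events in the last 15 minutes: the audit policy is not producing events.'
} else {
    "Newest Security event: {0} (Event ID {1})" -f $recent[0].TimeCreated, $recent[0].Id
}
```

Subcategories are matched by their English display names, so the expectations table must be adjusted on servers with a localised system language.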

Please note that if the Windows server does not meet Microsoft's minimum recommendations (hardware, RAM and CPU), performance can be affected.

5.    References

IBM Guide:

Microsoft Docs