Consolidating Windows domains
Size the collector server
The size of the collector will be determined by your environment, but since you will not be forwarding every event, a modest server is enough to begin with; size it up if requirements change. It is better to start small and work outwards than to stumble out of the gate.

Create a domain security group for the target systems
Create a domain security group for the endpoints you wish to monitor and place the target systems in it. Scoping the policy to this group, rather than to every computer in the domain, lets you expand the deployment in controlled steps and keeps the first subscription small.

Create the Windows Event Forwarding GPO
Open the Group Policy Management console, right-click your domain and select Create a GPO in this domain, and Link it here... Type a name such as Windows Event Forwarding and select OK. Use the security group created above as the GPO's security filter so that only the systems in the group receive the settings.

Start Windows Remote Management at boot
Windows Event Forwarding transports events over WinRM, so the service must be running on every forwarding system. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services, select the service named WinRM (also listed as Windows Remote Management (WS-Management)) and set its startup mode to Automatic (Delayed Start). When the service starts it also registers a Service Principal Name for Kerberos authentication on the computer account. On a newly built system you probably will not have to worry about this; if you run into problems during setup, check that the SPN has been registered.

Allow Local Network Service to Access Local Event Logs via GPO
Each system that forwards logs to the central WEF collector must grant the Network Service account, which WinRM runs as, read access to its event logs. There is a built-in Windows group that comes in handy for this called Event Log Readers: use the same GPO to add NT AUTHORITY\NETWORK SERVICE to that local group on the target systems.

Create a Test Subscription on Collector server
Once you have worked out what the target systems are, open Event Viewer on the collector server and select Subscriptions. Create a test subscription aimed at the security group created earlier, and confirm that its members check in before adding further event selections.

Sysmon
Windows can now natively log the full command line of a process when it executes, but Sysmon provides additional data (such as file hashes and parent-process details) that can be very useful. By default, Sysmon logging creates a fair amount of noise. This is why a configuration file should be supplied at install time to filter out events at the endpoint that are known to be good, or to include only specifically known-bad patterns, rather than forwarding everything to the collector.
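The following script, an added example that is not part of the original guide, checks a forwarding system against the settings the steps above configure (WinRM startup mode and listener, the WSMAN SPN, Network Service membership in Event Log Readers, the Subscription Manager policy and reachability of the collector). Run it in an elevated PowerShell session on a target system; the collector name wec01.corp.example is an assumption for this example.

```powershell
# Added example, not from the original guide: verify a WEF forwarder against the
# settings described above. Run elevated on the target system.
# Assumption: the collector is reachable as wec01.corp.example over HTTP/5985.
$Collector = 'wec01.corp.example'
$results   = [ordered]@{}

# 1. WinRM must be Automatic (Delayed Start). Get-Service reports delayed start as
#    plain 'Automatic', so read the DelayedAutostart flag from the service key too.
$svc     = Get-Service -Name WinRM
$delayed = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinRM' -ErrorAction SilentlyContinue).DelayedAutostart
$results['WinRM running']             = $svc.Status -eq 'Running'
$results['WinRM Automatic (Delayed)'] = ($svc.StartType -eq 'Automatic') -and ($delayed -eq 1)

# 2. A WinRM listener must exist or the collector cannot talk to this host.
$results['WinRM listener present'] = [bool](winrm enumerate winrm/config/listener 2>$null |
    Select-String -Pattern '^\s*Transport\s*=' -Quiet)

# 3. WinRM registers WSMAN/<host> SPNs on the computer account when it starts;
#    a missing SPN breaks Kerberos authentication to the collector.
$spns = setspn -L $env:COMPUTERNAME 2>$null
$results['WSMAN SPN registered'] = [bool]($spns | Select-String -Pattern '^\s*WSMAN/' -Quiet)

# 4. Network Service (the WinRM service account) must be able to read the logs;
#    the guide grants this through the Event Log Readers local group.
$members = net localgroup 'Event Log Readers' 2>$null
$results['Network Service in Event Log Readers'] =
    [bool]($members | Select-String -SimpleMatch 'NT AUTHORITY\NETWORK SERVICE' -Quiet)

# 5. The forwarder must know its collector. The GPO setting "Configure target
#    Subscription Manager" is stored as numbered REG_SZ values under this key.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$smVal = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PSObject.Properties |
         Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
$results['Subscription Manager points at collector'] = [bool]($smVal -match [regex]::Escape($Collector))

# 6. Plain TCP reachability of the collector's WinRM port (5985 HTTP, 5986 HTTPS).
$results["TCP 5985 to $Collector"] =
    (Test-NetConnection -ComputerName $Collector -Port 5985 -WarningAction SilentlyContinue).TcpTestSucceeded

$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}

# On the collector itself, list subscriptions and the per-source runtime status with:
#   wecutil es
#   wecutil gr "<subscription name>"
```

Any line reporting CHECK points at the corresponding step above; the SPN and Event Log Readers checks are the two that most often explain a source that never appears as active in wecutil gr.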
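To show what the Sysmon paragraph describes in working form, here is an added example (not from the original guide or from Sysinternals) that first turns on native command-line logging in event 4688 and then installs Sysmon with a configuration file that filters at the endpoint: an exclude rule that drops known-good process starts, and an include rule that records network connections only from a handful of interesting processes. It assumes Sysmon64.exe sits in the current directory and that the installed Sysmon accepts schema version 4.50; the exclusions are illustrative and should be tuned to your estate.

```powershell
# Added example, not from the original guide or from Sysinternals. Run elevated
# from the folder that holds Sysmon64.exe (assumed present).

# Native baseline: audit Process Creation and include the command line in 4688.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Sysmon filter. onmatch="exclude" logs everything except the listed matches
# (filter known good); onmatch="include" logs only the listed matches (alert on
# known bad). An empty include element disables that event type entirely.
# The svchost/conhost/SearchIndexer exclusions are illustrative assumptions.
$config = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="ProcessCreate known-good" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
        <ParentImage condition="is">C:\Windows\System32\SearchIndexer.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="NetworkConnect known-interesting" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">mshta.exe</Image>
        <Image condition="image">rundll32.exe</Image>
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <ProcessTerminate onmatch="include" />
  </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $env:ProgramData 'sysmon.xml'
Set-Content -Path $configPath -Value $config -Encoding ASCII

$sysmon = Join-Path (Get-Location) 'Sysmon64.exe'
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $sysmon -c $configPath              # existing install: reload the filter
} else {
    & $sysmon -accepteula -i $configPath  # fresh install with the filter applied
}

# Confirm the channel is populated before adding it to a WEF subscription.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 3 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Once the channel shows events, add Microsoft-Windows-Sysmon/Operational to the collector's subscription alongside the Security log; the filtering has already happened on the endpoint, so the collector only receives what the rules let through.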