Remote Log Collection on Windows

Every organization needs to collect logs from multiple sources in order to put them in either a log collector or a SIEM (or a dedicated audit trail solution). There are two options for that – using an agent, and agentless. Using an agent is easy – you install a piece of software on each machine that generates logs and it forwards them wherever needed. Many organizations prefer to avoid agents, however, as they complicate things – upgrading to new versions, keeping track of dozens of configurations, and potentially impacting the performance of the target machines. So some organizations prefer to collect logs remotely, or to use standard tooling already present on the target machine. For Linux that is typically syslog, where forwarding is configured; logs can also be read remotely via SCP/SSH.

On Windows, however, things are less straightforward. You need to access the Windows Event Log facility remotely, but there is barely a single place that describes all the required steps. This blogpost comes close, but I’d like to provide the full steps, as there are many, many things that one may miss. It is a best practice to use a non-admin service account for this, and you have to grant multiple permissions to allow it to read the event logs remotely.

There are also multiple ways to read the logs remotely:

- Through the Event Viewer UI – it’s the simplest to get right, as only one domain group is required for access
- Through Win32 native API calls (and DCOM) – i.e. EvtOpenSession and the related methods
- Through PowerShell Get-WinEvent (Get-EventLog is a legacy cmdlet that doesn’t support remoting)
- Through WMI directly...
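The PowerShell route from the list above, as an added example that is not part of the original post: a small collector script that pulls recent Security and System events from one remote host with Get-WinEvent, authenticating as a dedicated non-admin service account, and emits them as JSON lines ready for a collector or SIEM. The host name, account name and lookback window are placeholders, and the script assumes the service account has already been granted the remote event-log read permissions the post goes on to describe; the "no events found" handling is needed because Get-WinEvent reports an empty result as an error rather than an empty list.

```powershell
# Added example (not from the original post): remote event-log read with a
# non-admin service account via Get-WinEvent.
# Assumptions: $Server and $Account are placeholders; the account already has
# the remote read permissions the post describes (membership alone is not enough
# if RPC is blocked by a firewall on the target).
param(
    [string]$Server          = 'SERVER01.example.local',   # placeholder target host
    [string]$Account         = 'EXAMPLE\svc-logreader',     # placeholder service account
    [int]   $LookbackMinutes = 15                            # collection window
)

# Prompt for the service account password instead of embedding it in the script.
$cred  = Get-Credential -UserName $Account -Message "Password for $Account"
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# FilterHashtable is applied by the remote Event Log service, so only matching
# records cross the wire; this matters when Security is noisy.
$filter = @{
    LogName   = @('Security', 'System')
    StartTime = $since
}

try {
    $events = Get-WinEvent -ComputerName $Server -Credential $cred `
                           -FilterHashtable $filter -ErrorAction Stop
}
catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        # Nothing in the window is a normal outcome, not a failure.
        $events = @()
    }
    else {
        # Typical causes: RPC unreachable (firewall) or the account lacks
        # remote read rights on that log. Surface it so the gap is visible
        # to whoever monitors the collector rather than silently losing data.
        Write-Error "Could not read event logs from ${Server}: $($_.Exception.Message)"
        return
    }
}

# Flatten each record to the fields a SIEM usually keys on and emit JSON lines.
# Only the first line of Message is kept; the full text is often multi-line.
$events |
    Select-Object @{ n = 'TimeCreated'; e = { $_.TimeCreated.ToUniversalTime().ToString('o') } },
                  MachineName, LogName, ProviderName, Id, LevelDisplayName, RecordId,
                  @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    ForEach-Object { $_ | ConvertTo-Json -Compress }
```

Two practical notes. Get-WinEvent with -ComputerName talks to the remote Event Log service over RPC (not over PowerShell remoting), so the target's firewall must allow the remote event log management traffic in addition to the account having read rights on each log. For continuous collection, a fixed time window like the one above will either overlap or miss records between runs; persisting the highest RecordId seen per log and filtering on it next time is the usual way to make the pull exact.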