Configuring Machines for Log Explorer

Created by Jaseem Masood, Modified on Tue, 6 May at 4:00 AM by Jaseem Masood

Components involved in configuring machines for Log Explorer:

1. Domain Controllers

  • Manages Group Policy Objects (GPOs) for all domain-joined devices.

2. Log Collector Machines

  • Responsible for receiving and storing forwarded logs from endpoints.

  • Fluent Bit is installed here for log processing and forwarding.

3. Endpoints

  • Windows machines that generate and forward logs.

System Requirements

  • All devices must run Windows and support WEF (Windows Server 2019+ recommended).

  • All endpoints must be reachable over the network via WSMAN (port 5985).

  • Firewall rules must allow communication on port 5985 (Kerberos recommended).

  • Administrator rights are required to configure WEF.

  • Define which event types need to be forwarded in advance.

  • Recommended specs for collectors:

    • CPU: 4 cores+

    • RAM: 16 GB+

    • High I/O SSD storage

    • Gigabit network interface

  • Each collector supports ~2000–4000 endpoints, with 5–7 subscriptions per endpoint.


Configuring Windows Endpoints via Active Directory

A. Setup Collector (Using UI)

  1. Open Event Viewer and create a new subscription. Accept the prompt to start WE

  2. Configure the subscription:

    • Select computer groups or individual computers

    • Choose event types to collect

  3. Set the "Forwarded Events" log size to >1 GB

  4. (Optional) Enable log archiving


B. Setup GPO for Endpoints

  1. Add NT AUTHORITY\Network Service to the security group.

  2. Set WinRM to start automatically:

    • Navigate to:
      Computer Configuration > Policies > Windows Settings > Security Settings > System Services

    • Set Windows Remote Management (WS-Management) to "Automatic"

  3. Configure Event Forwarding policies:

    • Navigate to:
      Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding

    • Set:

      • Configure forwarder resource usage: Enabled

      • Max forwarding rate: 500

      • Configure target subscription manager: Enabled

      • Server=http://<FQDN of collector>:5985/wsman/SubscriptionManager/WEC,Refresh=120


  4. Configure log access permissions:

    • Navigate to:
      Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security

    • Set:

      • Configure Log Access: Enabled

      • Value: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)


Validation
After GPO deployment, clients should start forwarding logs.
To verify:
Open Event Viewer > Subscriptions on the collector and confirm log reception.
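As an added example (not part of the original article or the Ceburu installer), the following PowerShell, run on an endpoint after the GPO from section B has applied, checks that each setting landed. The collector FQDN is a placeholder, and the registry paths and the forwarding-plugin log name are assumptions about where the listed policies write their values.

```powershell
# Added example: endpoint-side check of the WEF settings from section B.
$Collector = 'collector.example.local'   # placeholder: replace with the real collector FQDN
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'   # assumed policy root
$results = [ordered]@{}

# 1. WinRM must be set to Automatic and be running (System Services policy)
$svc = Get-Service -Name WinRM
$results['WinRM startup Automatic'] = ($svc.StartType -eq 'Automatic')
$results['WinRM running']           = ($svc.Status -eq 'Running')

# 2. Target subscription manager: string values "1","2",... under SubscriptionManager
$sm = Get-ItemProperty -Path "$pol\EventForwarding\SubscriptionManager" -ErrorAction SilentlyContinue
$servers = @()
if ($sm) {
    $servers = @($sm.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value)
}
$expected = "^Server=http://$([regex]::Escape($Collector)):5985/wsman/SubscriptionManager/WEC"
$results['Subscription manager points at collector'] = (@($servers) -match $expected).Count -gt 0

# 3. Forwarder resource usage: the article sets the rate to 500
$fru = Get-ItemProperty -Path "$pol\EventForwarding\ForwarderResourceUsage" -ErrorAction SilentlyContinue
$results['MaxForwardingRate is 500'] = ($fru.MaxForwardingRate -eq 500)

# 4. Security log access: the SDDL must grant Network Service (S-1-5-20) read (0x1),
#    otherwise the forwarder cannot read the Security log at all
$ca = (Get-ItemProperty -Path "$pol\Security" -ErrorAction SilentlyContinue).ChannelAccess
$results['Network Service can read Security log'] = [bool]($ca -and $ca -match '\(A;;0x1;;;S-1-5-20\)')

# 5. Collector reachable on the WinRM HTTP port used in the subscription manager URL
$results['Collector reachable on 5985'] = Test-NetConnection -ComputerName $Collector -Port 5985 `
    -InformationLevel Quiet -WarningAction SilentlyContinue

# 6. Recent errors in the forwarding plugin log mean the subscription is not being received
$errs = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'; Level = 2
} -MaxEvents 5 -ErrorAction SilentlyContinue
$results['No recent forwarding errors'] = (-not $errs)

# Print a PASS/FAIL line per check
$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

A FAIL on check 4 or 2 usually means the GPO has not refreshed yet; run `gpupdate /force` on the endpoint and re-run the script before looking at the collector.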


Download the latest Fluent Bit version: https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bit


For ease of deployment, use the Ceburu Installer, which automates Fluent Bit setup and configuration.
