top of page
Blog article

Blog article

YubiOnstaff

[YubiOn WindowsLogon Standalone] Aggegrate Event Viewer Logs to another PC

YubiOn WindowsLogon Standalone is a standalone Windows logon enhancement product that operates on a single PC with the software installed.

The log at the time of logon can also be checked only on that PC. But we received a consultation about whether it is possible to transfer the logs and aggregate them in another location (AD server, etc.) for confirmation.


Since this is a standalone product, it does not have a function to link with other servers. But the logs are output to the Application log of the event viewer of that PC.

Using Windows functions to aggregate the events on another PC makes it possible to check the event log on another server.


イベントログを転送する

So, I will introduce how to aggregate Windows Event Viewer logs to another PC.


Table of Contents
 
Environment

I have tried the following settings:

Transfer can also be performed in the workspace environment, but the steps are slightly increased, so we will set it up in the domain environment this time.


Collector machine (PC for collecting logs)

OS: Windows Server 2022

Active Directory


Source machine (PC sending logs)

OS: Windows 10

Join the domain of the collector machine

YubiOn WindowsLogon Standalone configured


Assume an environment where YubiOn WindowsLogon Standalone is installed on the source machine. Set the event log (Application log) to be checked on the collect machine.


 
Setup steps

Processes on the source machine


Prepare to collect logs


We will use WinRM (Windows Remote Management) service to forward the events, so make it ready.

Log on to the source machine with an administrator account, run PowerShell as an administrator, and execute the following command.

winrm quickconfig

You will be asked to confirm the execution, so enter "y" to execute.

PS C:\Windows\system32> winrm quickconfig
WinRM is not set up to receive requests on this machine.
The following changes must be made:

Start the WinRM service.
Set the WinRM service type to delayed auto start.

Make these changes [y/n]? y

WinRM has been updated to receive requests.

WinRM service type changed successfully.
WinRM service started.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Enable the WinRM firewall exception.
Configue the LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
Make these changes [y/n]? y

WinRM has been updated for remote management.

WinRM firewall exception enabled.
Configed LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

You have successfully set it.

※ If your network is public, you cannot set the firewall. In that case, change to a domain or private network.


Then add the collector machine's account to the Event Log Readers group on the source machine.


Open "Local Users and Groups" in Windows and open "Event Log Readers" in "Groups".

ローカルユーザーとグループ設定

Click "Add".

By default, computer accounts cannot be added, so click "Object Types...", check "Computers" and return by "OK".

オブジェクトの種類

Enter the computer name of the collector machine into the "Enter the object names to select" input field and confirm with "OK".

ホスト名を入力

The computer name of the collector machine has been added to "Members".

Close with "OK".

Event Log Readers設定

※ This time, it is not necessary because it is a domain environment, but when set in a workgroup environment, add an account with administrator privileges.


Next, we move on to processes on the collector machine.


 

Processes on the collector machine


Prepare to collect logs


Log on to the collector machine with an administrator account, run PowerShell as an administrator, and execute the following command.

wecutil quick-config

You will be asked to confirm the execution, so enter "y" to execute.す。

The service startup mode will be changed to Delay-Start. Would ou like to proceed ( Y- yes or N- no)? y

Windows Event Collector service was configured successfully.
 

Set subscription


Define what kind of event logs to transfer using the subscription function.


Launch Event Viewer on the collector machine.

Select "Subscriptions" under "Application and Service Logs".

Click "Create Subscription...".

サブスクリプションの作成

Enter any "Subscription name" and "Description" and click "Select Computers...".


Select from the pulldown to change the destination log.

We will use the default "Forwarded Events" this time.

サブスクリプションのプロパティ

Specify the source machine.

Click "Add Domain Computers..." under "Collector initiated".


Enter the computer name of the target source machine and click "OK".

コンピュータ名を入力

If you want to register multiple PCs, register the PCs one after the other.

And, you can check that you can access the target PC by clicking the "Test" button.


Click "Select Events...".

Here you specify the logs you want to send as events.

YubiOn WindowsLogon Standalone logs are output to the Application log, so specify to transfer all Application logs.

クエリフィルター

Click "Advanced..." to confirm.

Leave the defaults here, select "Machine Account" for "User Account", and select "Normal" for "Event Delivery Optimization".

サブスクリプションの詳細設定

Your subscription has been added.

Make sure the status is active.

サブスクリプション追加

The settings for collecting events are now complete.


 
Confirm the events

Now let's confirm that the event logs are transferred.


First, log on to the source machine using YubiOn WindowsLogon Standalone.

Screen lock the source machine once and log on using the YubiKey.

This printed a log for the "YubiOnWindowsLogonStandalone" source in the Application log.

Here is the log when the logon is successful.

ソースマシン側のイベントビューアー
Event Viewer on the source machine

The logon account name and the PublicID (identification ID) of the YubiKey used are output.


Next, let's check the Event Viewer of the collector machine.

Log on to the collector machine and open "Windows Logs" > "Forwarded Events" in Event Viewer.

コレクトマシン側のイベントビューアー
Event Viewer on the collector machine

YubiOn's successful logon log was transferred to the collector machine.

※ It may take some time (about 15 minutes) to be transferred.

If you have registered multiple PCs, you can identify them by computer name.


 
Summary

By using the log transfer function of Windows, you can transfer the Event Viewer log output by YubiOn WindowsLogon Standalone.


This time, I set it to transfer all Application logs, but I think it would be easier to check the necessary logs by transferring only the necessary logs or using a filter.


Also, this time I introduced the procedure to set the source machines one by one, but if there are many machines and it takes time and effort, it is possible to reduce the time and effort by using the AD group policy.


Please refer to the introduction page for details of the YubiOn WindowsLogon Standalone.


Thank you for reading to the end.

Comments


bottom of page