YubiOn WindowsLogon Standalone is a standalone Windows logon enhancement product that operates on a single PC with the software installed.
The logon log can likewise be viewed only on that PC. However, we received a question asking whether the logs can be transferred to and aggregated in another location (an AD server, for example) for review.
Because this is a standalone product, it has no function for linking with other servers. The logs are, however, written to the Application log in that PC's Event Viewer.
Using Windows functions to aggregate the events on another PC makes it possible to check the event log on another server.
So, I will introduce how to aggregate Windows Event Viewer logs to another PC.
Environment
The procedure was tested with the following configuration:
Transfer also works in a workgroup environment, but it takes a few extra steps, so this time we set it up in a domain environment.
Collector machine (PC for collecting logs)
OS: Windows Server 2022
Active Directory
Source machine (PC sending logs)
OS: Windows 10
Join the domain of the collector machine
YubiOn WindowsLogon Standalone configured
Assume an environment where YubiOn WindowsLogon Standalone is installed on the source machine, and configure the event log (Application log) so that it can be checked on the collector machine.
Setup steps
■ Processes on the source machine
・Prepare to collect logs
We will use WinRM (Windows Remote Management) service to forward the events, so make it ready.
Log on to the source machine with an administrator account, run PowerShell as an administrator, and execute the following command.
winrm quickconfig
You will be asked to confirm the execution, so enter "y" to execute.
PS C:\Windows\system32> winrm quickconfig
WinRM is not set up to receive requests on this machine.
The following changes must be made:
Start the WinRM service.
Set the WinRM service type to delayed auto start.
Make these changes [y/n]? y
WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:
Enable the WinRM firewall exception.
Configure the LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
Make these changes [y/n]? y
WinRM has been updated for remote management.
WinRM firewall exception enabled.
Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
You have successfully set it.
※ If the network profile is Public, the firewall exception cannot be enabled. In that case, change the network profile to Domain or Private.
Then add the collector machine's account to the Event Log Readers group on the source machine.
Open "Local Users and Groups" in Windows and open "Event Log Readers" in "Groups".
Click "Add".
By default, computer accounts cannot be added, so click "Object Types...", check "Computers", and click "OK" to return.
Enter the computer name of the collector machine into the "Enter the object names to select" input field and confirm with "OK".
The computer name of the collector machine has been added to "Members".
Close with "OK".
※ In a domain environment, as here, nothing more is needed. In a workgroup environment, add an account with administrator privileges instead.
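The source-machine steps above, as an added PowerShell example (not from the YubiOn page or product): it runs the same winrm quickconfig changes non-interactively, warns if a Public network profile would block the firewall exception, and adds the collector's computer account to Event Log Readers. The domain name EXAMPLE and the collector host name COLLECTOR01 are placeholders. Run it in an elevated PowerShell on the source machine.

```powershell
# Added example, not part of the YubiOn documentation. Run elevated on the source machine.
# Placeholder: the collector's computer account in DOMAIN\HOST$ form.
$collectorAccount = 'EXAMPLE\COLLECTOR01$'

# winrm quickconfig cannot add the firewall exception while a connection is on the
# Public profile; report it rather than silently changing the network category.
$publicProfiles = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
if ($publicProfiles) {
    Write-Warning "Public network profile(s): $($publicProfiles.Name -join ', '). Change them to Private or Domain first."
}

# Same changes the interactive 'winrm quickconfig' prompts for (service start,
# delayed auto-start, HTTP listener, firewall exception); -quiet suppresses the y/n prompts.
winrm quickconfig -quiet

# Allow the collector's machine account to read this PC's event logs.
$alreadyMember = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
                 Where-Object Name -eq $collectorAccount
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $collectorAccount
}

# Show the resulting state for a quick check.
Get-Service WinRM | Select-Object Status, StartType
Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object Name, ObjectClass
Test-WSMan -ComputerName localhost
```

Test-WSMan confirms that the WinRM listener answers locally; a successful Add-LocalGroupMember for a DOMAIN\HOST$ name requires the source machine to be domain-joined, as in the environment described above.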
Next, we move on to processes on the collector machine.
■ Processes on the collector machine
・Prepare to collect logs
Log on to the collector machine with an administrator account, run PowerShell as an administrator, and execute the following command.
wecutil quick-config
You will be asked to confirm the execution, so enter "y" to execute.
The service startup mode will be changed to Delay-Start. Would you like to proceed ( Y- yes or N- no)? y
Windows Event Collector service was configured successfully.
・Set subscription
Define what kind of event logs to transfer using the subscription function.
Launch Event Viewer on the collector machine.
Select "Subscriptions" under "Application and Service Logs".
Click "Create Subscription...".
Enter any "Subscription name" and "Description" and click "Select Computers...".
Select from the pulldown to change the destination log.
We will use the default "Forwarded Events" this time.
Specify the source machine.
Click "Add Domain Computers..." under "Collector initiated".
Enter the computer name of the target source machine and click "OK".
If you want to register multiple PCs, register the PCs one after the other.
You can verify that the target PC is reachable by clicking the "Test" button.
Click "Select Events...".
Here you specify the logs you want to send as events.
YubiOn WindowsLogon Standalone logs are output to the Application log, so specify to transfer all Application logs.
Click "Advanced..." to confirm.
Leave the defaults here: "Machine Account" for "User Account" and "Normal" for "Event Delivery Optimization".
Your subscription has been added.
Make sure the status is active.
The settings for collecting events are now complete.
Confirm the events
Now let's confirm that the event logs are transferred.
First, log on to the source machine using YubiOn WindowsLogon Standalone.
Screen lock the source machine once and log on using the YubiKey.
This writes an event from the "YubiOnWindowsLogonStandalone" source to the Application log.
Here is the log when the logon is successful.
The logon account name and the PublicID (identification ID) of the YubiKey used are output.
Next, let's check the Event Viewer of the collector machine.
Log on to the collector machine and open "Windows Logs" > "Forwarded Events" in Event Viewer.
YubiOn's successful logon log was transferred to the collector machine.
※ It may take some time (about 15 minutes) to be transferred.
If you have registered multiple PCs, you can identify them by computer name.
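A check of the result from the collector side, as an added example that is not from the YubiOn page: it prints the subscription's runtime status per source, then reads the forwarded YubiOn events and groups them by the source computer name. The subscription name YubiOnLogon is a placeholder.

```powershell
# Added example, not part of the YubiOn documentation. Run elevated on the collector.
$subscriptionId = 'YubiOnLogon'   # placeholder subscription name

# Runtime status: each source should report Active. An Inactive source with an error
# usually points at WinRM, the firewall, or Event Log Readers membership on that source.
wecutil gr $subscriptionId

# Delivery can lag (the page quotes roughly 15 minutes), so look back a generous window.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'YubiOnWindowsLogonStandalone'
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No YubiOnWindowsLogonStandalone events in ForwardedEvents since $since"
    return
}

# MachineName is the source PC; Message carries the account name and YubiKey PublicID.
$events | Select-Object TimeCreated, MachineName, Id, LevelDisplayName, Message |
          Format-Table -Wrap

# Count of forwarded events per source machine.
$events | Group-Object MachineName | Select-Object Name, Count
```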
Summary
Using the Windows event forwarding function, the Event Viewer log written by YubiOn WindowsLogon Standalone can be transferred to another machine.
This time all Application logs were forwarded, but forwarding only the required logs, or applying a filter, would make the relevant entries easier to find.
The procedure above configures source machines one at a time; when there are many machines, the work can be reduced by applying the settings through AD group policy.
Please refer to the introduction page for details of the YubiOn WindowsLogon Standalone.
Thank you for reading to the end.