{"id":132,"date":"2023-05-01T22:29:46","date_gmt":"2023-05-01T22:29:46","guid":{"rendered":"https:\/\/canokar.com\/?p=132"},"modified":"2023-11-04T15:39:38","modified_gmt":"2023-11-04T15:39:38","slug":"microsoft-wef-yapilandirmasi-ve-logsign-siem-ile-entegrasyonu","status":"publish","type":"post","link":"https:\/\/canokar.com\/?p=132","title":{"rendered":"Microsoft WEF yap\u0131land\u0131rmas\u0131 ve Logsign Siem ile entegrasyonu"},"content":{"rendered":"\n

<\/p>\n\n\n\n

Merhaba bu yaz\u0131m\u0131zda test ortam\u0131m\u0131zda bulunan bir Windows 10 client\u2019\u0131n event loglar\u0131n\u0131 Microsoft\u2019un WEF yap\u0131land\u0131rmas\u0131n\u0131 kullanarak \u00f6nce WEF sunucumuza g\u00f6nderece\u011fiz ard\u0131ndan WEF sunucumuz \u00fczerinden NXLog ile Logsign Siem sunucumuza g\u00f6nderece\u011fiz.<\/p>\n\n\n\n

WEF bize ne sa\u011flaycak?
– WEF ile yap\u0131m\u0131zda bulunan makinelerin loglar\u0131n\u0131 bu makinelere ajan kurma gereksinimi duymadan bu makinelerin loglar\u0131n\u0131 sadece bir group policy arac\u0131l\u0131\u011f\u0131 ile merkezi bir noktaya y\u00f6nlendirebilece\u011fiz (WEF sunucu) ve siem \u00fczerinde tan\u0131ml\u0131 tek kaynak \u00fczerinden t\u00fcm bu makinelerin loglar\u0131na ula\u015fabilece\u011fiz.<\/p>\n\n\n\n

\u00d6ncelikle WEF sunucumuza ba\u011flan\u0131yoruz ve Event Viewer\u2019\u0131 a\u00e7\u0131yoruz. Subscription k\u0131sm\u0131na t\u0131klad\u0131\u011f\u0131m\u0131z zaman bize Windows Event Collector servisinin ba\u015flat\u0131laca\u011f\u0131n\u0131 ve enable edilece\u011fini s\u00f6yleyen bir uyar\u0131yla kar\u015f\u0131la\u015f\u0131yoruz ve evet diyoruz.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Ard\u0131ndan Windows Remote Management servisini ba\u015flat\u0131yoruz. Bu i\u015flemi servisler arac\u0131 \u00fczerinden de yapabiliriz. Ben Cli\u2019dan yapmay\u0131 tercih ettim o y\u00fczden \u015fu komuyu \u00e7al\u0131\u015ft\u0131r\u0131yorum.<\/p>\n\n\n\n

winrm quickconfig -quiet<\/code><\/pre>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
Servisin zaten \u00e7al\u0131\u015ft\u0131\u011f\u0131n\u0131 g\u00f6r\u00fcyorum.
Bu servisin startup type\u2019\u0131n\u0131n Automatic oldu\u011fundan emin oluyorum.<\/p>\n\n\n\n
Ard\u0131ndan wevtutil<\/em> ile kb cinsinden client loglar\u0131m\u0131z\u0131n birikece\u011fi Forwarded Events k\u0131sm\u0131n\u0131n maksimum log limitini art\u0131r\u0131yorum. Bu \u00f6rnekte yakla\u015f\u0131k 1 GB yapm\u0131\u015f olduk.  Bu i\u015flem foto\u011frafta g\u00f6r\u00fclen Max Log Size k\u0131sm\u0131ndan da yap\u0131labilir. Girece\u011fimiz de\u011fer kb cinsinden 64\u2019\u00fcn katlar\u0131 olmal\u0131d\u0131r. E\u011fer de\u011filse Windows bu de\u011feri sizin i\u00e7in yuvarlayacakt\u0131r.<\/p>\n\n\n\n
wevtutil sl forwardedevents \/ms:1000000000<\/code><\/pre>\n\n\n
\n
\"\"<\/a><\/figure><\/div>\n\n\n
<\/p>\n\n\n\n
E\u011fer Windows Server 2016 veya 2019 kullan\u0131yorsan\u0131z Windows Remote Management i\u00e7in varolan ACL\u2019leri de\u011fi\u015ftirme gereklili\u011fi vard\u0131r. Bu i\u015flem a\u015fa\u011f\u0131daki komutlar ile yap\u0131l\u0131r.<\/p>\n\n\n\n
netsh http delete urlacl url=http:\/\/+:5985\/wsman\/<\/code><\/pre>\n\n\n\n
netsh http add urlacl url=http:\/\/+:5985\/wsman\/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)<\/code><\/pre>\n\n\n\n
netsh http delete urlacl url=https:\/\/+:5986\/wsman\/<\/code><\/pre>\n\n\n\n
netsh http add urlacl url=https:\/\/+:5986\/wsman\/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)<\/code><\/pre>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
Art\u0131k clientlerimiz i\u00e7in bir subscription olu\u015fturabiliriz.<\/p>\n\n\n\n
Event Viewer \u00fczerinde sa\u011f k\u0131s\u0131mda bulunan Create Subscription k\u0131sm\u0131na t\u0131kl\u0131yoruz. A\u00e7\u0131lan pencerede Source Computer Initiated k\u0131sm\u0131na t\u0131klad\u0131ktan sonra Select Computer Groups butonuna t\u0131klay\u0131p eklemek istedi\u011fimiz makineleri se\u00e7iyoruz.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
Test ortam\u0131nda tek bir Windows 10 makine ekleyece\u011fim i\u00e7in bu makineyi se\u00e7iyorum.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
Ard\u0131ndan hangi log kategorilerini toplayaca\u011f\u0131m\u0131 belirtmek i\u00e7in Select Events k\u0131sm\u0131n\u0131 se\u00e7iyorum.
Ben bu \u00f6rnek i\u00e7in Application, System, Security, Setup, Powershell ve Sysmon\u2019u se\u00e7tim.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
Bu sayfada yapt\u0131\u011f\u0131m\u0131z i\u015flemleri kaydetmeden \u00f6nce Advanced butonuna t\u0131kl\u0131yoruz. Buradaki men\u00fcden loglar\u0131n bize g\u00f6nderilme \u00f6nceli\u011fini optimize edebiliyoruz. Loglar\u0131n g\u00f6nderimine \u00f6ncelik verilmesi i\u00e7in Minimize Latency se\u00e7ene\u011fini se\u00e7iyoruz. \u0130letim zaten kerberos \u00fczerinden yap\u0131ld\u0131\u011f\u0131 i\u00e7in kriptolu ger\u00e7ekle\u015fti\u011finden ekstra bir \u015fifrelemeye gerek duymuyoruz ve bu sebeple protokol\u00fc HTTP olarak b\u0131rak\u0131yoruz.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
WEF sunucumuz art\u0131k tan\u0131mlad\u0131\u011f\u0131m\u0131z makineden gelen loglar\u0131 almaya haz\u0131r vaziyette.
Client taraf\u0131nda yap\u0131lmas\u0131 gerekli ayarlar\u0131 group policy \u00fczerinden yapaca\u011f\u0131z. Bu sebeple domain controller\u2019da oturum a\u00e7\u0131yoruz.<\/p>\n\n\n\n
Group policy management console\u2019u a\u00e7t\u0131ktan sonra yeni bir GPO olu\u015fturuyoruz. Bu \u00f6rnek i\u00e7in ad\u0131na WEF-POLICY dedim ve loglar\u0131n\u0131 almak istedi\u011fim makine bu OU alt\u0131nda bulundu\u011fu i\u00e7in CLIENTS isimli OU\u2019ya ba\u011flad\u0131m.
Bu policy\u2019yi d\u00fczenleyelim<\/p>\n\n\n\n
\u0130lk olarak Client makinelerde Windows Event Forwarder servisinin Event Loglar\u0131 okuyabilmesi i\u00e7in Network Service hesab\u0131n\u0131 Event Log Readers grubuna \u00fcye yap\u0131yoruz. Bunun i\u00e7in Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Group<\/strong> alt\u0131nda NT AUTHORITY\\Network Service<\/strong> hesab\u0131n\u0131 Event Log Readers<\/strong> grubunun \u00fcyesi yap\u0131yoruz.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
Ard\u0131ndan client makinelerinin restart olmas\u0131 durumunda Windows Remote Management servisinin otomatik ba\u015flamas\u0131n\u0131 sa\u011flamak i\u00e7in Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Windows Remote Management<\/strong> k\u0131sm\u0131n\u0131 a\u015fa\u011f\u0131daki foto\u011frafta g\u00f6r\u00fcld\u00fc\u011f\u00fc gibi ayarl\u0131yoruz.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
A\u015fa\u011f\u0131daki ayarlar\u0131 mevcut GPO’muza s\u0131ras\u0131yla uyguluyoruz.

Burada collector rol\u00fcndeki makinemize g\u00f6nderilecek EPS miktar\u0131n\u0131 belirtiyoruz. Ben bu \u00f6rnekte 5000 <\/strong>olarak belirledim.<\/p>\n\n\n\n
Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding >  Configure forwarder resource usage = 5000<\/code><\/pre>\n\n\n\n
Burada collector makinemizi belirtiyoruz. Bu \u00f6rnekte makine ad\u0131m\u0131z SERVER-1.okar.local.<\/strong><\/p>\n\n\n\n
Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding >  Configure target Subscription Manager = Server=http:\/\/SERVER-1.okar.local:5985\/wsman\/SubscriptionManager\/WEC,Refresh=60<\/code><\/pre>\n\n\n\n
Bu k\u0131s\u0131mda ilgili gruplar\u0131n log access izinleri i\u00e7in ACL ayarlar\u0131n\u0131 belirtiyoruz.<\/p>\n\n\n\n
Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security > Configure log access > O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)<\/code><\/pre>\n\n\n\n

******************************<\/em><\/p>\n\n\n\n
Windows 10 makinemizde oturum a\u00e7abiliriz. gpresult ile policy’nin uygulan\u0131p uygulanmad\u0131\u011f\u0131n\u0131 kontrol edebiliriz.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Applied Group Policy Object alt\u0131nda bir \u00f6nceki ad\u0131mda DC \u00fczerinde olu\u015fturdu\u011fumuz WEF-POLICY objemizin hen\u00fcz okunmad\u0131\u011f\u0131n\u0131 g\u00f6r\u00fcyoruz.
Bu y\u00fczden gpupdate \/force ile yeni policy’mizi \u00e7ekiyoruz.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
WEF-POLICY objemizin client taraf\u0131ndan \u00e7ekildi\u011fini g\u00f6r\u00fcyoruz.
\u015eimdi WEF sunucuda bulunan subscriptionlar\u0131 kontol edelim. 
Event Viewer k\u0131sm\u0131nda bulunan Subscriptions i\u00e7inde Source Computers k\u0131sm\u0131nda 1 rakam\u0131n\u0131 g\u00f6r\u00fcyoruz. Bu \u015fu anda bize aktif olarak log g\u00f6nderen 1 maknenin oldu\u011funu g\u00f6steriyor.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n

Fowrarded Events sekmesini kontrol edersek bu k\u0131sm\u0131n CLIENT-1 makinesinden gelen loglarla dolmaya ba\u015flad\u0131\u011f\u0131n\u0131 g\u00f6rebiliriz.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\u015eimdi bu makinenin loglar\u0131n\u0131 Logsign Siem’imize y\u00f6nlendirelim.
Bu i\u015flem i\u00e7in NXLog yap\u0131land\u0131rma dosyas\u0131na a\u015fa\u011f\u0131daki eklemeyi yapmak gerekiyor. (NXLog kurulum ve yap\u0131land\u0131rmas\u0131 bu yaz\u0131n\u0131n kapsam\u0131 d\u0131\u015f\u0131nda bulundu\u011fu i\u00e7in ayr\u0131nt\u0131s\u0131na girilmeyecektir).<\/em><\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
<Select Path=\"ForwardedEvents\">*<\/Select>\\<\/code><\/pre>\n\n\n\n
Yukar\u0131da bulunan sat\u0131r varolan yap\u0131land\u0131rmaya eklendikten sonra art\u0131k Forwarded Events alt\u0131nda bulunan loglar da siem’e g\u00f6nderilmeye ba\u015flanacakt\u0131r.
\u015eimdi Logsign taraf\u0131nda EventSource.HostName filtresini kullanarak CLIENT-1.okar.local’den gelen loglar\u0131 filtreleyelim.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Foto\u011frafta g\u00f6r\u00fcld\u00fc\u011f\u00fc gibi CLIENT-1’in loglar\u0131 WEF makinemiz \u00fczerinden siem’imize akmaya ba\u015flad\u0131.
CLIENT-1 \u00fczerinde Test User kullan\u0131c\u0131s\u0131 ile birka\u00e7 hatal\u0131 login hareketi yap\u0131p inceleyelim.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
A\u015fa\u011f\u0131da CLIENT-1 \u00fczerinde yapt\u0131\u011f\u0131m\u0131z hatal\u0131 login hareketlerini g\u00f6rebiliriz.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
Manuel olarak bir makine daha ekleyelim ve WEF \u00fczerindeki Event Viewer’\u0131n nas\u0131l davrand\u0131\u011f\u0131n\u0131 g\u00f6zleyelim.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
CLIENT-2 eklendikten sonra WEF sunucuda Event Viewer alt\u0131nda bulunan Computers kolununda art\u0131k CLIENT-1’in yan\u0131nda CLIENT-2’yi de g\u00f6rmeye ba\u015fl\u0131yoruz. <\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
<\/p>\n\n\n\n
Siem taraf\u0131ndan da kontrol ederek log ak\u0131\u015f\u0131n\u0131n CLIENT-2 i\u00e7in de varoldu\u011funu g\u00f6rebiliyoruz.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"
Merhaba bu yaz\u0131m\u0131zda test ortam\u0131m\u0131zda bulunan bir Windows 10 client\u2019\u0131n event loglar\u0131n\u0131 Microsoft\u2019un WEF yap\u0131land\u0131rmas\u0131n\u0131 kullanarak \u00f6nce WEF sunucumuza g\u00f6nderece\u011fiz ard\u0131ndan WEF sunucumuz \u00fczerinden NXLog ile Logsign Siem sunucumuza g\u00f6nderece\u011fiz. WEF bize ne sa\u011flaycak?– WEF ile yap\u0131m\u0131zda bulunan makinelerin loglar\u0131n\u0131 bu makinelere ajan kurma gereksinimi duymadan bu makinelerin loglar\u0131n\u0131 sadece bir group policy arac\u0131l\u0131\u011f\u0131 ile … Okumaya devam et “Microsoft WEF yap\u0131land\u0131rmas\u0131 ve Logsign Siem ile entegrasyonu”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":182,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"_ti_tpc_template_sync":false,"_ti_tpc_template_id":""},"categories":[11],"tags":[8,9,10,5,6,7],"_links":{"self":[{"href":"https:\/\/canokar.com\/index.php?rest_route=\/wp\/v2\/posts\/132"}],"collection":[{"href":"https:\/\/canokar.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/canokar.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/canokar.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/canokar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=132"}],"version-history":[{"count":29,"href":"https:\/\/canokar.com\/index.php?rest_route=\/wp\/v2\/posts\/132\/revisions"}],"predecessor-version":[{"id":192,"href":"https:\/\/canokar.com\/index.php?rest_route=\/wp\/v2\/posts\/132\/revisions\/192"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/canokar.com\/index.php?rest_route=\/wp\/v2\/media\/182"}],"wp:attachment":[{"href":"https:\/\/canokar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/canokar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/canokar.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}