How do you send in Windows Events?
I've been up and down all through the documentation and even NXLog's at https://docs.nxlog.co/refman/current/im/wseventing.html, but I still can't seem to get the logs in. I can send just fine to a Windows WEC without certs, so I know it's cert related.
Does anyone have a guide or tips when working with Windows Events in a Domain and Certs?
Answers
We have two guides available for configuring our WEF source. We cover the certificates in this document:
https://docs.cribl.io/edge/sources-wef/
We also provide a guide for configuring the WEF source for use with Cribl Cloud in the document below:
https://docs.cribl.io/stream/usecase-wef-config
Most of the logging for WEF errors will not be done on the Stream side.
To troubleshoot WEF issues, you may need to focus on the Windows event logs on the machine trying to connect to the Stream WEF source.
Look at the following Windows event logs:
- Application and Services Logs > Microsoft > Windows > Eventlog-ForwardingPlugin > Operational (generic errors for the WEF plugin)
- Application and Services Logs > Microsoft > Windows > Windows Remote Management > Operational (the root errors that caused the errors in the WEF plugin)
- Application and Services Logs > Microsoft > Windows > CAPI2 > Operational (the errors for issues with the certificate being used for mTLS)
If you are having trouble with the mTLS configuration, we also allow WEF using Kerberos, which would avoid the need for the certificates. The details for the Kerberos configuration can be found in the first link as well.
0
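The answer above names three event logs to read on the forwarding host. The following PowerShell script is an added example written for this page (it is not from the answer, from Cribl, or from the Cribl docs linked above): it pulls recent Critical/Error/Warning events from those three logs in the order the answer suggests reading them (plugin symptom, then WinRM root cause, then CAPI2 certificate detail) and then lists the machine certificates that could be used as the WEF client certificate, flagging the properties that commonly break mTLS (no private key, expired, or missing the Client Authentication EKU). It assumes Windows PowerShell 5.1 or later, run in an elevated prompt on the machine that is failing to connect; the `-Hours` and `-Thumbprint` parameters are this example's own, not a Cribl or Windows setting.

```powershell
# Added troubleshooting helper for a WEF client that fails to connect over mTLS.
# Not part of the original answer or the Cribl documentation.
param(
    # How far back to look for events (assumed default: last 24 hours).
    [int]$Hours = 24,
    # Optional: thumbprint of the client certificate you configured for WEF.
    # When given, only that certificate is checked; otherwise all LocalMachine\My certs are listed.
    [string]$Thumbprint = ''
)

$since = (Get-Date).AddHours(-$Hours)

# The three logs the answer points at, in the order they are worth reading.
# Note: the CAPI2 Operational log is disabled by default; enable it with
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
# and reproduce the failure before expecting entries there.
$logs = @(
    'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational',
    'Microsoft-Windows-WinRM/Operational',
    'Microsoft-Windows-CAPI2/Operational'
)

foreach ($log in $logs) {
    Write-Host "=== $log (Critical/Error/Warning since $since) ===" -ForegroundColor Cyan
    try {
        # Level 1 = Critical, 2 = Error, 3 = Warning. Get-WinEvent throws when nothing matches.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $since } -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName,
                @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
            Format-Table -AutoSize -Wrap
    }
    catch {
        # Either no matching events (good for this log) or the log is disabled/absent.
        Write-Host "no matching events: $($_.Exception.Message)" -ForegroundColor DarkGray
    }
}

# Client-certificate sanity check. A source-initiated WEF subscription over mTLS presents a
# machine certificate; it needs a private key, must not be expired, and must carry the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$certs = Get-ChildItem Cert:\LocalMachine\My
if ($Thumbprint) {
    $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    if (-not $certs) { Write-Warning "no certificate with thumbprint $Thumbprint in LocalMachine\My" }
}

Write-Host "=== LocalMachine\My certificates ===" -ForegroundColor Cyan
$certs | ForEach-Object {
    $hasClientAuth = [bool]($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    $problems = @()
    if (-not $_.HasPrivateKey)         { $problems += 'no private key' }
    if ($_.NotAfter -lt (Get-Date))    { $problems += 'expired' }
    if ($_.NotBefore -gt (Get-Date))   { $problems += 'not yet valid' }
    if (-not $hasClientAuth)           { $problems += 'missing Client Authentication EKU' }

    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        PrivateKey = $_.HasPrivateKey
        ClientAuth = $hasClientAuth
        Problems   = if ($problems) { $problems -join '; ' } else { 'none found' }
    }
} | Format-Table -AutoSize -Wrap
```

Run it as `.\wef-check.ps1 -Hours 2 -Thumbprint <thumbprint>` right after forcing a retry of the subscription. A WinRM/Operational error with a CAPI2 chain-building failure in the same minute usually means the forwarder cannot validate the server certificate presented by the WEF source (the issuing CA is not trusted on the client), whereas a certificate that passes the checks above but still fails to authenticate is often a private-key ACL problem: the Network Service account running the WinRM service must be able to read the certificate's private key, which this script does not check.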