Brian's Pentesting and Technical Tips for You
This is an abbreviated install/setup guide for WEFFLES (Windows Event Logging Forensic Logging Enhancement Services) that is described in awesome detail here.
I made a simple, small lab setup with a domain of i.got.worms and these machines:
In my domain of i.got.worms I created a workstation computer group called IGW-Workstations and a server computer group called IGW-Servers.
I created this new GPO and linked it to IGW-Workstations, IGW-Servers and Domain Controllers. The settings are as follows:
Configure target Subscription Manager: enable this setting and set Value to Server=http://name.of.your.bi.server:5985/wsman/SubscriptionManager/WEC,Refresh=60. The server name is the FQDN of your collector (the same box that will run Power BI), 5985 is the WinRM HTTP port, and Refresh is how often, in seconds, clients poll the collector for subscription changes. Refresh can be something higher if you feel 60 seconds is too often.
Configure log access (under Windows Components > Event Log Service > Security): enable this setting, and then to figure out what value to set, run wevtutil gl security at a command prompt from a workstation joined to your domain and copy the channelAccess SDDL string it prints. In my environment, this setting's value started with O:BAG:SYD:(A… and then ended with S-1-5-32-573). Copy and paste that value into the GPO setting, but then also add (A;;0x1;;;NS) to the end. That extra ACE grants read access (0x1) to NETWORK SERVICE, the account the WinRM service that forwards events runs as; without it the clients check in but never ship Security log events.
On your event collector machine (again, for me that’s igw-srv01.i.got.worms box), download the zip of the WEFFLES GitHub repo to the desktop.
Execute the wefsetup.ps1 script.
Reboot the collector server.
Wait about 10-15 minutes for the events to start “cooking.”
Open Event Viewer and under Subscriptions, right-click on CoreEvents and click Runtime Status. A box will pop up with a Subscription Status and then below that a Source computers list of machines that should start checking in to report events. If they don't, check the GPO settings above and make sure that your Configure target Subscription Manager value begins with Server=, because I missed that the first time. Also, make sure your clients in your AD environment are all time-synced properly: WEF between domain members authenticates with Kerberos, which rejects authentication once clocks drift more than five minutes apart. Mine weren't, and it took me way too long to figure that out. Check time sync articles like this for help on the VMware side, and this on the Windows side.
In Event Viewer, also open Windows Logs > Forwarded Events to verify the events are pulling in from machines in the domain.
Check the C:\WEFFLES directory and ensure that you've got a weffles.xls and a bookmarks.stream file. If you don't, double-check that you have .NET 3.5 installed. I didn't, and that ended up being my issue!
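Because most of the "clients never show up" failures come down to the two GPO values, WinRM, or clock skew, here is a PowerShell preflight script that checks all four from the command line. It is an added example and not code from the original post or from the WEFFLES project; it assumes the collector name igw-srv01.i.got.worms and the subscription name CoreEvents used above, the registry keys are the ones those two GPO settings write to, and the Subscription Manager check assumes Kerberos (no IssuerCA= certificate clause). Run it from an elevated prompt on a domain-joined client, or with -CollectorSide on the collector to get the same information as the Runtime Status dialog plus a per-machine count of what has actually arrived in Forwarded Events.

```powershell
# Added example, not code from the original post or the WEFFLES project.
# Preflight checks for the WEF setup described above. Run on a domain-joined
# client to verify the GPO settings landed, or with -CollectorSide on the
# collector to see subscription status without opening Event Viewer.
# Assumptions taken from the post: collector igw-srv01.i.got.worms, subscription CoreEvents.
param(
    [string]$Collector = 'igw-srv01.i.got.worms',
    [string]$Subscription = 'CoreEvents',
    [switch]$CollectorSide
)

function Test-WefClient {
    $ok = $true

    # 1. "Configure target Subscription Manager" is written by GPO to this key,
    #    one REG_SZ value per collector (named 1, 2, ...).
    $smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $entries = @()
    if (Test-Path $smKey) {
        $key = Get-Item $smKey
        $entries = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    if ($entries.Count -eq 0) {
        Write-Warning 'No SubscriptionManager value found; the GPO has not applied (try gpupdate /force).'
        $ok = $false
    }
    foreach ($e in $entries) {
        # Must begin with Server= and point at the WEC endpoint; Refresh is optional.
        # Assumes Kerberos; a certificate-auth value would carry an extra ,IssuerCA=... clause.
        if ($e -match '^Server=https?://[^,]+/wsman/SubscriptionManager/WEC(,Refresh=\d+)?$') {
            Write-Host "SubscriptionManager OK: $e"
        } else {
            Write-Warning "Malformed SubscriptionManager value: $e"
            $ok = $false
        }
    }

    # 2. "Configure log access": the Security channel SDDL must grant read (0x1)
    #    to NETWORK SERVICE (NS, S-1-5-20), which the forwarding WinRM service runs as.
    $sddl = (Get-WinEvent -ListLog Security).SecurityDescriptor
    if ($sddl -match '\(A;;0x1;;;(NS|S-1-5-20)\)') {
        Write-Host 'Security channel grants read access to NETWORK SERVICE'
    } else {
        Write-Warning "Security channel SDDL lacks (A;;0x1;;;NS): $sddl"
        $ok = $false
    }

    # 3. WinRM is the process that actually polls the collector.
    $winrm = Get-Service -Name WinRM
    if ($winrm.Status -ne 'Running') {
        Write-Warning "WinRM service is $($winrm.Status); start it and set it to Automatic."
        $ok = $false
    }

    # 4. Clock skew: WEF authenticates with Kerberos, which fails beyond 5 minutes of skew.
    $samples = w32tm /stripchart /computer:$Collector /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $samples) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    }
    if ($offsets) {
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
        if ($worst -gt 300) { Write-Warning "Clock skew vs $Collector is ${worst}s"; $ok = $false }
        else { Write-Host "Clock skew vs $Collector is ${worst}s" }
    } else {
        Write-Warning "Could not measure time offset against $($Collector). Output: $samples"
    }
    return $ok
}

function Test-WefCollector {
    # Same information as Event Viewer > Subscriptions > CoreEvents > Runtime Status.
    wecutil gr $Subscription
    # Which source computers have actually delivered events recently.
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 500 -ErrorAction SilentlyContinue |
        Group-Object -Property MachineName |
        Select-Object -Property Name, Count |
        Format-Table -AutoSize
}

if ($CollectorSide) {
    Test-WefCollector
} elseif (Test-WefClient) {
    Write-Host 'Client preflight passed.'
} else {
    Write-Warning 'Client preflight failed; fix the warnings above, then wait for the next Refresh interval.'
}
```

On a client, a clean run prints the Subscription Manager value, confirms the NETWORK SERVICE ACE, and reports the measured offset against the collector; a warning on any of the four checks is the thing to fix before looking anywhere else. On the collector, a machine that appears in wecutil gr but not in the Forwarded Events count is checking in but not shipping, which almost always means the Configure log access value is wrong on that client.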
On the collector machine:
C:\weffles\weffles.pbix
C:\sta\weffles\weffles.csv not existing. I'm not sure if I somehow jacked up that file path with the sta in there, but anyway, within the little grey "window icon" drop-down menu in the upper left of Power BI, I chose Options and Settings > Data Source Settings and changed the path to C:\weffles\weffles.csv.