# PowerShell
# deploy-wef.ps1
#
# This script was written to set up and configure a Windows Server 2008 R2+ host to act as a Windows Event Collector (WEC).
# It also provides deployment options to do the following things:
#
# -Deploy the basic settings to collect a basic set of Windows events (the listing of events can be found in the "../subscription-configs/basic-event-collection.xml" file).
# -Deploy role-specific subscription configuration XML files. The files are located at "../subscription-configs/".
# -Deploy collector monitoring/alerting subscription configuration
#
#
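# Configure WinRM service on the collector, the defaults are ok.
Write-Host "`nThis script will run the basic setting needed to enable this machine as a Windows Event Collector."
Write-Host "If you do not want to run this script, press ctrl-c an the script will exit."
# Read-Host only returns once Enter is pressed, so the prompt says so; the typed
# text is discarded instead of being written to the pipeline/console.
$null = Read-Host "`nPress Enter to start setting up"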
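function setup-collector {
    # Baseline collector setup: WinRM quick-config, service isolation and
    # dependencies, failure-recovery policies for WecSvc and EventLog, and the
    # HTTP idle-connection timeout. Every step is a native executable, which
    # does not raise a PowerShell exception when it fails, so each exit code is
    # checked and failures are summarised at the end rather than relying on
    # try/catch alone. (The original also ran "clr", which is not a PowerShell
    # alias; the resulting command-not-found error aborted the whole try block
    # before any configuration was applied.)
    # Globals:   $Error (cleared), $LASTEXITCODE (read)
    # Outputs:   command output and a list of failed steps to the host
    # Returns:   nothing
    Clear-Host
    # Clear the session error list so anything reported reflects this run only.
    $Error.Clear()

    # Ordered steps: WinRM must be configured before WecSvc is made to depend on it.
    $steps = @(
        # "quick configure" WinRM: starts the service and adds inbound firewall
        # rules. Interactive (asks for confirmation when changes are needed).
        @{ Name = 'winrm qc'; Exe = 'winrm'; Args = @('qc') },
        # Run WinRM and WecSvc in their own svchost.exe processes, and make the
        # collector service depend on WinRM.
        @{ Name = 'sc.exe CONFIG winrm type= own'; Exe = 'sc.exe'; Args = @('CONFIG', 'winrm', 'type=', 'own') },
        @{ Name = 'sc.exe CONFIG WecSvc type= own'; Exe = 'sc.exe'; Args = @('CONFIG', 'WecSvc', 'type=', 'own') },
        @{ Name = 'sc.exe CONFIG WecSvc depend= WinRM'; Exe = 'sc.exe'; Args = @('CONFIG', 'WecSvc', 'depend=', 'WinRM') },
        # WecSvc recovery: restart after 5 s, again after 3 min, then REBOOT the
        # collector after 10 min; the failure counter resets after 60 s of
        # healthy running. The reboot is deliberate but disruptive -- drop
        # "reboot/600000" if an unattended restart of the collector is not
        # acceptable in your environment.
        @{ Name = 'sc.exe FAILURE WecSvc'; Exe = 'sc.exe'; Args = @('FAILURE', 'WecSvc', 'reset=', '60', 'actions=', 'restart/5000/restart/180000/reboot/600000') },
        # EventLog recovery: restart after 5 s and after 60 s; counter resets after 60 s.
        @{ Name = 'sc.exe FAILURE EventLog'; Exe = 'sc.exe'; Args = @('FAILURE', 'EventLog', 'reset=', '60', 'actions=', 'restart/5000/restart/60000') },
        # Drop idle HTTP (WinRM) connections after 30 s so stale source
        # connections do not accumulate on the collector. If a Splunk forwarder
        # is installed it needs a delayed start; see setup-splunk.
        @{ Name = 'netsh.exe http add timeout'; Exe = 'netsh.exe'; Args = @('http', 'add', 'timeout', 'timeouttype=idleconnectiontimeout', 'value=30') }
    )

    $failed = @()
    foreach ($step in $steps) {
        $stepArgs = $step.Args
        try {
            & $step.Exe @stepArgs
            if ($LASTEXITCODE -ne 0) {
                $failed += "$($step.Name) (exit code $LASTEXITCODE)"
            }
        }
        catch {
            # Reached only for PowerShell-level errors (e.g. executable not found).
            $failed += "$($step.Name): $($_.Exception.Message)"
        }
    }

    if ($failed.Count -gt 0) {
        Write-Host "The following commands did not work!"
        foreach ($entry in $failed) {
            Write-Host " - $entry"
        }
    }
}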
function setup-splunk {
    # Make the Splunk Universal Forwarder service depend on WecSvc and EventLog,
    # give it a delayed start, and configure its failure-recovery policy.
    # Does nothing except print a notice when the SplunkForwarder service is
    # not installed on this host.
    # Outputs:   sc.exe output, or "Splunk not installed." to the host
    # Returns:   nothing
    $forwarder = Get-Service SplunkForwarder -ErrorAction SilentlyContinue
    if (-not $forwarder) {
        Write-Host "Splunk not installed."
        return
    }

    # The forwarder needs EventLog running to decode events and WecSvc running
    # to have anything worth forwarding, so it must not start before either.
    # (A forwarder-side health config could watch for this instead; that
    # approach was not taken here.)
    sc.exe CONFIG SplunkForwarder depend= WecSvc/EventLog
    # Delayed-auto leaves a gap between the dependencies coming up and the
    # forwarder starting.
    sc.exe CONFIG SplunkForwarder start= delayed-auto
    # Recovery policy for a forwarder that fails to start (it does happen):
    # restart the service after 5 s; if it is still down after 200 s run a hard
    # "splunk.exe restart". The failure counter resets after 60 s of healthy running.
    sc.exe FAILURE SplunkForwarder reset= 60 command= "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe restart" actions= restart/5000/run/200000
}
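function get-configs {
    # Download the two subscription configuration files into the local config
    # directory that load-configs reads from.
    # The files come from the Enterprise-WEC repository over HTTPS with no
    # integrity check; before running this on a production collector, pin a
    # specific commit (replace "master" in $base) and review the XML, since
    # whatever is fetched is handed straight to wecutil.
    # Outputs:   nothing on success; a warning if TLS 1.2 cannot be enabled
    # Throws:    WebException / IOException from DownloadFile on failure
    $savedconfig = "c:\temp\WEFconfig\SubscriptionConfig"
    if (-not (Test-Path -Path $savedconfig)) {
        New-Item -ItemType Directory -Path $savedconfig | Out-Null
    }

    # GitHub only negotiates TLS 1.2+; the .NET default on older hosts
    # (Server 2008 R2) does not offer it. Tls12 needs .NET 4.5+, hence the guard.
    try {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    }
    catch {
        Write-Warning "Could not enable TLS 1.2 (.NET 4.5+ required); the download may fail: $($_.Exception.Message)"
    }

    # The previous "blob" URLs return the GitHub HTML page, not the XML; the
    # raw form returns the file body. Confirm against the repository layout.
    $base = "https://raw.githubusercontent.com/happy-jo/Enterprise-WEC/master/SubscriptionConfigs"
    $files = @(
        "dc_machine(all_events)_lowLat.xml",
        "non-dc_machine(all_events)_lowLat.xml"
    )

    $client = New-Object System.Net.WebClient
    try {
        foreach ($name in $files) {
            # DownloadFile needs a destination *file* path; passing the
            # directory (as before) fails and never produced the XML files.
            $target = Join-Path -Path $savedconfig -ChildPath $name
            $client.DownloadFile("$base/$name", $target)
        }
    }
    finally {
        $client.Dispose()
    }
}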
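function load-configs {
    # Load the downloaded subscription XML files into the collector: domain
    # controllers first, then all other domain computers. Each loader handles
    # its own missing-file case; this wrapper surfaces unexpected errors.
    # Outputs:   status text to the host; an error record on failure
    # Returns:   nothing
    Clear-Host
    Write-Host " Checking For Subscription files..."
    try {
        add-alldomaincontrollers
        add-alldomaincomputers
    }
    catch {
        # "Write-Error -Exception" with no value fails parameter binding and
        # hid the real error; pass the caught record through instead.
        Write-Error -ErrorRecord $_
    }
}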
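function add-alldomaincomputers {
    # Create the "all non-DC domain computers" subscription on this collector
    # from the matching config XML, if it exists in the local config directory.
    # Outputs:   status text; an error record if the XML is malformed or
    #            wecutil.exe exits non-zero
    # Returns:   nothing
    Clear-Host
    Write-Verbose "Checking for Config file..."
    $rootpath = "c:\temp\WEFconfig\SubscriptionConfig"
    # Join-Path supplies the separator. The previous `$rootpath+"file"` in
    # argument mode became the single literal ...\SubscriptionConfig+non-dc_...,
    # so the file was never found.
    $configfile = Join-Path -Path $rootpath -ChildPath "non-dc_machine(all_events)_lowlat.xml"
    if (-not (Test-Path -Path $configfile)) {
        Write-Host "`nConfig file not found. Make sure XML config is in the $rootpath." -ForegroundColor red
        return
    }

    Write-Verbose "`nConfig file exists. Loading file."
    try {
        # Parse first so a malformed (or tampered) file is rejected before it
        # reaches wecutil. wecutil cs takes a file *path*; passing the parsed
        # [XML] object (as before) stringifies to "System.Xml.XmlDocument".
        [XML]$allcompxml = Get-Content -Path $configfile
        wecutil.exe cs $configfile
        if ($LASTEXITCODE -ne 0) {
            Write-Error "wecutil.exe cs failed with exit code $LASTEXITCODE for $configfile"
        }
    }
    catch {
        Write-Error -ErrorRecord $_
    }
}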
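function add-alldomaincontrollers {
    # Create the "all domain controllers" subscription on this collector from
    # the matching config XML, if it exists in the local config directory.
    # Outputs:   status text; an error record if the XML is malformed or
    #            wecutil.exe exits non-zero
    # Returns:   nothing
    Clear-Host
    Write-Verbose " Checking for Config file."
    $rootpath = "c:\temp\WEFconfig\SubscriptionConfig"
    # Join-Path supplies the separator. The previous `$rootpath+"file"` in
    # argument mode became the single literal ...\SubscriptionConfig+dc_...,
    # so the file was never found.
    $configfile = Join-Path -Path $rootpath -ChildPath "dc_machine(all_events)_lowlat.xml"
    if (-not (Test-Path -Path $configfile)) {
        # Message wording aligned with add-alldomaincomputers ("in the").
        Write-Host "`nConfig file not found. Make sure XML config is in the $rootpath." -ForegroundColor red
        return
    }

    Write-Verbose "`nConfig file exists. Loading file."
    try {
        # Parse first so a malformed (or tampered) file is rejected before it
        # reaches wecutil. wecutil cs takes a file *path*; passing the parsed
        # [XML] object (as before) stringifies to "System.Xml.XmlDocument".
        [XML]$alldcxml = Get-Content -Path $configfile
        wecutil.exe cs $configfile
        if ($LASTEXITCODE -ne 0) {
            Write-Error "wecutil.exe cs failed with exit code $LASTEXITCODE for $configfile"
        }
    }
    catch {
        Write-Error -ErrorRecord $_
    }
}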
# Entry point: configure the collector, fetch the subscription XML files, then
# load them into wecutil. setup-splunk is defined above but not invoked here;
# call it after setup-collector on hosts that run the Splunk Universal Forwarder.
setup-collector
get-configs
load-configs