DCO-SOGs/8 Tools/WEC/WEC_SOG.md

WEC SOG

https://youtu.be/seuyYmgU95s?si=FKCfYHl25NTj4R1P

CLIENT

open command prompt (as administrator) > run `winrm qc` > answer `y` to each prompt

right-click Computer > Manage > Local Users and Groups > Groups > Event Log Readers (double-click it) > Add > Object Types > uncheck everything except Computers > OK > enter the object name (THE COMPUTER YOU WANT AS THE COLLECTOR) > OK > OK > OK > Close

SERVER

Start menu > Event Viewer > Subscriptions > "Do you want the Windows Event Collector service to be running?" > Yes > right-click Subscriptions > Create Subscription

subscription name: Wec Collection
description: collecting logs from clients
CHECK Source computer initiated
    Test
events to collect:
    Select Events
        event level: Critical, Warning, Error
        by log: Application, Security, System
        OK
    OK
Look at Forwarded Events (Windows Logs > Forwarded Events) to see what is arriving at your SERVER
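The same client and server setup as an added, scriptable example (this is not from the SOG or the DCO-SOGs repo). It runs from an elevated PowerShell prompt: the CLIENT part on each event source, the SERVER part on the collector. COLLECTOR01, CONTOSO and contoso.local are placeholder names. Two items are included that the GUI walkthrough does not mention but that source-initiated forwarding depends on: the sources must be told where the collector is (the "Configure target Subscription Manager" policy, written here as the registry value that policy sets), and the local Network Service account on each source must be in Event Log Readers so the Security log can be read.

```powershell
# Added example (not part of the SOG). Placeholders: COLLECTOR01, CONTOSO, contoso.local.

# ---------- CLIENT (event source) ----------
# 1. Enable WinRM; -q answers "y" to every prompt of "winrm qc".
winrm quickconfig -q

# 2. Event Log Readers membership: the collector's computer account (the GUI step)
#    plus Network Service, which is what actually reads the Security log in
#    source-initiated mode.
net localgroup "Event Log Readers" "CONTOSO\COLLECTOR01$" /add
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# 3. Point the source at the collector. In a domain this comes from the GPO
#    Computer Configuration > Administrative Templates > Windows Components >
#    Event Forwarding > Configure target Subscription Manager; the registry
#    value below is what that policy writes. Port 5985 = WinRM over HTTP.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name '1' -PropertyType String -Force `
    -Value 'Server=http://COLLECTOR01.contoso.local:5985/wsman/SubscriptionManager/WEC,Refresh=60' | Out-Null
gpupdate /force

# ---------- SERVER (collector) ----------
# 4. Configure and start the Windows Event Collector service
#    (the "Yes" prompt in Event Viewer).
wecutil qc /q

# 5. Create the subscription. Level 1/2/3 = Critical/Error/Warning, the same
#    filter as the GUI. Caveat: Security audit events (4624, 4625, ...) carry
#    Level 0, so that filter forwards almost nothing from Security; the
#    Security <Select> below therefore takes every event instead.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Wec Collection</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>collecting logs from clients</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Security">*</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL allowing Domain Computers (DC) to push events to this subscription -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'wec-collection.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath

# 6. Check: the subscription exists, which sources have checked in, and what
#    has landed in Forwarded Events.
wecutil gs "Wec Collection"
wecutil gr "Wec Collection"
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName, ProviderName
```

`wecutil gr` lists each source with its last heartbeat, which is the quickest way to tell a source that never registered (WinRM or policy problem) from one that registered but sends nothing (log-access or query problem). Events normally start arriving within the Refresh interval (60 s here) after `gpupdate` on the source. Forwarding `*` from Security is high-volume on a busy host; once the pipeline is confirmed working, narrow that `<Select>` to the Event IDs you actually want.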