Active Directory Integration
Installation prerequisites
Before you install the Event Log Forwarder (ELF) on one or more of your devices, please ensure that you have enabled auditing of logon events.
On each of your Domain Controllers (DC) go to: Windows Administrative Tools → Local Security Policy, and then Security Settings → Local Policies → Audit Policy, and there find Audit account logon events, Audit account sign-in events and Audit logon events.
Some settings may differ in name or be missing, depending on your Windows version.
Check both Success and Failure boxes.
You may need to reload the configured policy. To do so, run the following command:
gpupdate /force
Domain Controller Configuration
DC Firewall on Windows
Ensure that your firewall configuration allows the Event Log to be accessed over WMI.
On each of your Domain Controllers go to: Windows Defender Firewall → Windows Defender Firewall with Advanced Security on Local Computer → Inbound Rules → Windows Management Instrumentation (WMI-In). Ensure the rule allows connections, and set up a scope of remote addresses that may connect. In this example the remote address range 192.168.1.0/24 is allowed.
Alternatively, you can use the command line:
netsh firewall set service RemoteAdmin enable
DC Firewall Rules
Source | Direction | Destination | Port | Protocol | Reason
---|---|---|---|---|---
DC | → | local network | 135 | TCP/UDP | Microsoft RPC
DC | → | local network | 445 | TCP | Microsoft MQ
DC | → | local network | | ICMP |
Windows Service
Please ensure that the Windows Management Instrumentation service is running.
C:\Users\Administrator>sc query Winmgmt
SERVICE_NAME: Winmgmt
TYPE : 30 WIN32
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
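The three DC-side prerequisites above (audit policy, the scoped WMI-In firewall rule, and the running WMI service) can be checked in one pass. The following PowerShell script is an added example and is not part of the Whalebone documentation or product; it reports each missing prerequisite and, when run with -Fix, applies it. It assumes an English Windows installation (it matches the string "Success and Failure" in auditpol output), that 192.168.1.0/24 is the network of the ELF host (the example scope used above; pass -AllowedSubnet for your own), and an elevated prompt on the DC. Note that if a Group Policy (typically the Default Domain Controllers Policy) defines the audit settings, a local change made here is overwritten at the next policy refresh, so on a domain-managed DC make the change in that GPO instead.

```powershell
<#
Added example (not Whalebone's code): verify, and optionally apply, the
DC-side ELF prerequisites described above. Run elevated on each DC.
Assumes English Windows and that the ELF host sits in $AllowedSubnet.
#>
param(
    [string]$AllowedSubnet = "192.168.1.0/24",   # example scope from the text
    [switch]$Fix
)

$healthy = $true

# 1. Audit policy. auditpol shows the effective (advanced) policy, which is what
#    the legacy "Audit logon events" (Logon/Logoff) and "Audit account logon
#    events" (Account Logon) settings map to. Every subcategory of both
#    categories should record Success and Failure.
foreach ($category in @("Logon/Logoff", "Account Logon")) {
    $needsFix = $false
    foreach ($line in (auditpol /get /category:"$category")) {
        # Subcategory rows are indented by two spaces: "  Logon   Success and Failure"
        if ($line -match '^\s{2}(\S.*?)\s{2,}(\S.*)$') {
            $sub, $setting = $Matches[1], $Matches[2]
            if ($setting -ne "Success and Failure") {
                Write-Warning "Audit '$category / $sub' is '$setting', expected 'Success and Failure'"
                $healthy = $false
                $needsFix = $true
            }
        }
    }
    if ($Fix -and $needsFix) {
        auditpol /set /category:"$category" /success:enable /failure:enable | Out-Null
    }
}

# 2. Firewall: the built-in "Windows Management Instrumentation (WMI-In)" rule
#    (one copy per profile) must be enabled and scoped to the ELF network,
#    mirroring the GUI steps above.
$rules = Get-NetFirewallRule -DisplayName "Windows Management Instrumentation (WMI-In)" -ErrorAction SilentlyContinue
if (-not $rules) {
    Write-Warning "WMI-In firewall rule not found"
    $healthy = $false
} else {
    foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ","
        if ($rule.Enabled -ne "True" -or $remote -ne $AllowedSubnet) {
            Write-Warning ("Rule '{0}' ({1}): Enabled={2}, RemoteAddress={3}" -f `
                $rule.DisplayName, $rule.Profile, $rule.Enabled, $remote)
            $healthy = $false
            if ($Fix) {
                $rule | Set-NetFirewallRule -Enabled True -RemoteAddress $AllowedSubnet
            }
        }
    }
}

# 3. WMI service (Winmgmt), the equivalent of "sc query Winmgmt" above.
$svc = Get-Service -Name Winmgmt
if ($svc.Status -ne "Running") {
    Write-Warning "Winmgmt service is $($svc.Status)"
    $healthy = $false
    if ($Fix) {
        Set-Service -Name Winmgmt -StartupType Automatic
        Start-Service -Name Winmgmt
    }
}

if ($healthy) {
    Write-Host "All DC-side ELF prerequisites are in place."
} elseif ($Fix) {
    Write-Host "Fixes applied; run the script again to verify."
} else {
    Write-Host "Prerequisites missing; re-run with -Fix to apply them."
    exit 1
}
```

Run it once without -Fix to get a report, then with -Fix on DCs whose audit policy is managed locally. Scoping the rule to the ELF subnet matters because an unscoped WMI-In rule exposes DCOM/RPC on the DC to every host that can reach it.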
WMI Remote Configuration
If you choose to install ELF on another Windows PC, ensure that it can use WMI remotely. To enable Remote WMI for the account which will be used to connect to the Domain Controller, go to: Computer Management → Services and Applications → WMI Control. Right-click on it and select Properties. Select the Security tab, then choose the Root namespace and click the Security button. Add the user to the list (or select a group it belongs to) and check the Remote Enable permission.
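Before installing ELF on a separate host, it is worth confirming from that host that the chosen account can actually reach the DC over remote WMI and read the Security log. The following PowerShell script is an added example, not part of the Whalebone documentation; it forces the classic DCOM transport (TCP 135, which is what the WMI-In rule and the firewall table refer to) rather than WinRM, so that it exercises the same path ELF will use. The DC name and the credential are placeholders you supply. Two caveats this check surfaces: the Remote Enable permission set on the Root namespace only covers subnamespaces such as root\cimv2 if it is applied to "this namespace and subnamespaces" in the Advanced dialog, and reading the Security log through WMI additionally requires the account to hold the security-log privilege (for example through membership in Event Log Readers), which the Remote Enable permission alone does not grant.

```powershell
<#
Added example (not Whalebone's code): run on the host where ELF will be
installed to verify remote WMI access to a DC with the ELF service account.
$DomainController and the credential are placeholders for your environment.
#>
param(
    [Parameter(Mandatory)][string]$DomainController,
    [pscredential]$Credential = (Get-Credential -Message "Account that ELF will use")
)

# ELF talks classic WMI (DCOM/RPC over TCP 135), not WinRM, so force DCOM;
# the default WSMan transport would test a different firewall rule and service.
$option = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $DomainController -Credential $Credential `
        -SessionOption $option -ErrorAction Stop
} catch {
    Write-Error "Cannot open a DCOM WMI session to ${DomainController}: $($_.Exception.Message)"
    Write-Host "Check TCP 135 / the WMI-In rule on the DC and the Remote Enable permission on the Root namespace."
    exit 1
}

try {
    # Any query in root\cimv2 succeeds only if Remote Enable reaches that
    # namespace (i.e. was applied to Root *and* its subnamespaces).
    $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
    Write-Host "Connected to $($os.CSName) ($($os.Caption))"

    # ELF reads logon events, so fetch one successful logon (event ID 4624)
    # from the Security log. This needs the security-log read privilege in
    # addition to the WMI namespace permission.
    $evt = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
        -Filter "Logfile='Security' AND EventCode=4624" -ErrorAction Stop |
        Select-Object -First 1
    if ($evt) {
        Write-Host "Read event $($evt.EventCode) generated $($evt.TimeGenerated) from the Security log"
    } else {
        Write-Warning "Query succeeded but returned no 4624 events; check the audit policy on the DC"
    }
} catch {
    Write-Error "Remote WMI query failed: $($_.Exception.Message)"
    exit 1
} finally {
    Remove-CimSession $session
}
```

An "Access denied" on the first query points at the namespace permission; success there followed by a failure on the Security log query points at the log privilege. Both are worth resolving before installing ELF, since the service would otherwise start but forward nothing.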
Event Log Forwarder
You can install ELF locally on the DC or on another Windows PC. ELF uses the following connections:
ELF Firewall Rules
Source | Direction | Destination | Port | Protocol | Reason
---|---|---|---|---|---
ELF | → | DC | 135 | TCP/UDP | Microsoft RPC (WMI)
ELF | → | resolver | 4222 | TCP | NATS Message Queue
Install Instructions
Install or Update:
msiexec /i "Whalebone.Event.Log.Forwarder.Installer.msi" ui="true"
Uninstall:
msiexec /x "Whalebone.Event.Log.Forwarder.Installer.msi"
Configuration Instructions
The installer opens the configuration window automatically. You can also open the configuration page in your favourite web browser with the following command:
start http://localhost:55225/Configure/AD
Service Logs
Service logs can be found at c:\ProgramData\Whalebone\Event Log Forwarder\ and contain detailed information about the service state. If you encounter unexpected service behaviour, please attach this folder to your support ticket.