BHIS | Intro to Windows Event Collecting | Nick & Noah | 1 Hour

  • Published: 7 Sep 2024

Comments • 9

  • @GabrielSanchez-rh6lv · 2 years ago · +2

    Thank you for continuing to put out great security information. Taking your SOC skills course and loving it!

  • @tylercoan · 2 years ago · +1

    Awesome stuff guys! Super informative and I can’t wait to get this going in my lab and hopefully get it going in production.

  • @computerguy79 · 2 years ago

    Gnarly timing. I'm actually working on implementing this in my environment this week, and this webcast helped fill in many gaps, especially the pitfalls pieces. Thanks guys.

  • @safurniss · 1 year ago

    What about collecting logs from non-domain-joined servers... say those in your DMZ?

  • @vincegremillion1533 · 2 years ago

    Winlogbeats service on the WEC won't start; it seems to be looking for the CRT file that isn't there. I searched the text in the closed-caption transcripts and found no mention of how to create a cert or not reference a cert in the WLB config.

  • @rajashekarmeegada2127 · 1 year ago

    Can we use a VIP in front of multiple WECs in a large environment to be able to forward logs from a large number of workstations?

    • @BlackHillsInformationSecurity · 1 year ago

      That's really hard to say without more dialog. WinRM can handle using proxy servers and could probably be load balanced without breaking certificate chains. We have recommended for larger environments with multiple sites to use multiple Windows Event Forwarding policies, with each policy specifying different WECs and applied to different Active Directory OUs as appropriate for the environment. All that said... I'm like 99% sure you can specify more than 1 WEC in the WEF policy,
      so if you are talking about a large number of systems all at the same site and in the same OUs, maybe the easiest thing is to just specify multiple WECs on the policy.
      - Nick Caswell

  • @matthewkerr3972 · 2 years ago

    I am working through this right now and ran into some issues with the enablewinrm on the DC. Is there a spot in the BHIS Discord server where I can bounce questions off of others that are setting this up?

    • @matthewkerr3972 · 2 years ago

      Never mind, I think I figured it out. I need to go through each Defcon. I thought you could stop at 4 to get this all done. You guys are heroes.