windows-event-forwarding
Collector Server
Hi,
Do you recommend using Domain Controllers as windows event log collector servers?
I have implemented the WEF using your guide and it's great! However we do not have a spare server to be used as a collector server. Can I use the Domain Controller as centralised logging point?
I am planning to forward Microsoft-Windows-Sysmon/Operational logs from ~1500 endpoints. Please let me know, your help is much appreciated! Thank you
No, do not use a Domain Controller as a windows event log collector server. This will increase the attack surface on your DCs. If you don't have enough physical servers, look into virtualization.
Hi @jokezone,
Thanks for your reply. I understand that it is not good to forward the logs to a DC. Do you know what specs the collector server needs to have in order to receive logs from ~1500 endpoints?
Is there any way I could stress test this before pushing out to production? Please let me know. Your help is appreciated!
I found this post from someone in a similar sized environment:
https://social.technet.microsoft.com/Forums/ie/en-US/5cbd79db-936d-4267-bd06-43507e9a9f15/event-collector-server-sizing-question?forum=winservergen
As far as testing, you could deploy the event forwarding GPO gradually instead of all at once.
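One way to make the gradual rollout useful as a sizing test is to measure the collector's real ingestion while only part of the fleet is enrolled and extrapolate to the full ~1500 endpoints. The script below is an added example (not from this thread or the windows-event-forwarding project); it assumes the subscription writes to the default ForwardedEvents log, and the `$WindowMinutes` and `$PlannedEndpoints` parameters are assumed values you should adjust.

```powershell
# Run on the WEF collector during a staged GPO rollout. It reports events/sec,
# the top-talking forwarders, and a rough projection of EPS and disk growth for
# the planned fleet size. Assumption: subscription targets ForwardedEvents.
param(
    [int]$WindowMinutes    = 15,    # assumed measurement window
    [int]$PlannedEndpoints = 1500   # assumed final number of forwarders
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Subscription runtime status: active/inactive sources and last heartbeat per forwarder
wecutil es | ForEach-Object { wecutil gr $_ }

# Everything forwarded inside the measurement window
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
            -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No forwarded events in the last $WindowMinutes minutes"
    return
}

# Per-forwarder contribution (MachineName is the original source, not the collector)
$bySource         = @($events | Group-Object MachineName | Sort-Object Count -Descending)
$activeForwarders = $bySource.Count
$eps              = $events.Count / ($WindowMinutes * 60)
$epsPerHost       = $eps / $activeForwarders

# Bytes-per-event is a rough estimate: FileSize includes preallocated space, so it
# over-estimates on a young log and settles as the log fills.
$log           = Get-WinEvent -ListLog ForwardedEvents
$bytesPerEvent = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }

$projectedEps      = $epsPerHost * $PlannedEndpoints
$projectedGBPerDay = $projectedEps * 86400 * $bytesPerEvent / 1GB

[pscustomobject]@{
    WindowMinutes     = $WindowMinutes
    ActiveForwarders  = $activeForwarders
    EventsInWindow    = $events.Count
    EventsPerSec      = [math]::Round($eps, 2)
    ProjectedEPS      = [math]::Round($projectedEps, 1)
    ProjectedGBPerDay = [math]::Round($projectedGBPerDay, 2)
    TopTalkers        = ($bySource | Select-Object -First 5 |
                         ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
}
```

Repeat the measurement after each rollout wave; a sharp rise in events per host usually means a noisy Sysmon rule rather than more endpoints, and that is cheaper to fix in the Sysmon config than with a bigger collector.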