If you have a 100% lightweight deployment, forward the events to a gateway that is not only close to the ATA center and SIEM, but also has a lower load than other DCs in the site. The following diagram depicts this configuration.
<![CDATA[<QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4776)]]</Select></Query></QueryList>]]>
</EventSources></Subscription>

Here is the sample PowerShell to create the subscription based on the template.
#Copy the template locally
$FileLocation = "\\server\share"
Copy-Item $FileLocation\ATA-4776.xml $ENV:TEMP
#Enable and configure the WinRM listener quietly
winrm qc -quiet
#Configure the Windows Event Collector service
wecutil.exe qc /q:true
#Get this computer's DNS host name (requires the ActiveDirectory module)
Import-Module ActiveDirectory
$strDNSName = (Get-ADComputer $ENV:Computername).DNSHostName
#Replace the placeholder host name in the temp XML with this computer's DNS host name
(Get-Content "$ENV:TEMP\ATA-4776.xml") -replace 'lwgw.contoso.com', "$strDNSName" | Set-Content "$ENV:TEMP\ATA-4776.xml"
#Create the subscription from the edited XML
wecutil.exe cs "$ENV:TEMP\ATA-4776.xml"

Gateway—Source-Initiated

For domain controllers monitored by gateways, we recommend configuring a source-initiated subscription on the gateway to receive the events from the DCs. You will need to configure the DCs with a subscription manager group policy setting. You can target the subscription manager at the respective DCs using security filtering. Here are some screenshots of the subscription manager configuration, found under Computer Policy \ Administrative Templates \ Windows Components \ Event Forwarding – Configure Target Subscription Manager.

To recap, we recommend:
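The following script is an added example and is not part of the original post or of ATA itself. It checks the source-initiated 4776 forwarding described above from both ends: run on a monitored DC it verifies that the Configure Target Subscription Manager policy has been applied and points at the gateway's WinRM listener, and run on the gateway it verifies that the subscription is active for every registered source and that 4776 events are actually arriving. The gateway FQDN (lwgw.contoso.com), the subscription name (ATA-4776), the ForwardedEvents target log and the 60-second refresh interval are assumptions; adjust them to match your template.

```powershell
# Added example (not from the original post): verify a source-initiated 4776
# subscription from the DC side and from the gateway side.
# Assumptions: gateway FQDN, subscription name, target log and refresh value.

param(
    [string]$Gateway = 'lwgw.contoso.com',   # assumed gateway FQDN (placeholder)
    [string]$SubscriptionName = 'ATA-4776',  # assumed subscription name
    [string]$LogName = 'ForwardedEvents',    # default target log unless <LogFile> says otherwise
    [int]$LookBackMinutes = 60
)

# The string the GPO writes: WinRM HTTP (5985) subscription manager URL plus refresh interval.
$expectedManager = "Server=http://${Gateway}:5985/wsman/SubscriptionManager/WEC,Refresh=60"

function Test-SubscriptionManagerPolicy {
    # The GPO stores each configured subscription manager as a numbered string value here.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) {
        Write-Warning "Subscription Manager policy not applied on $env:COMPUTERNAME"
        return $false
    }
    $values = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    $ok = $values -contains $expectedManager
    if (-not $ok) { Write-Warning "Expected '$expectedManager', found: $($values -join '; ')" }
    return $ok
}

function Test-GatewayReachable {
    # A DC can only register with the gateway if its WinRM listener answers.
    try {
        [void](Test-WSMan -ComputerName $Gateway -ErrorAction Stop)
        return $true
    } catch {
        Write-Warning "WinRM on $Gateway not reachable: $_"
        return $false
    }
}

function Test-GatewaySubscription {
    # 'wecutil gr' prints the runtime status of the subscription and of each registered source.
    $status = & wecutil.exe gr $SubscriptionName 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning ($status -join "`n"); return $false }
    $total  = @($status | Select-String -Pattern 'RunTimeStatus:').Count
    $active = @($status | Select-String -Pattern 'RunTimeStatus:\s*Active').Count
    Write-Host "$SubscriptionName : $active of $total status entries are Active"
    # Healthy means the subscription itself and every source report Active.
    return ($total -gt 0 -and $active -eq $total)
}

function Get-Recent4776Count {
    # Count forwarded NTLM authentication events (4776) in the look-back window, per source DC.
    $filter = @{ LogName = $LogName; Id = 4776; StartTime = (Get-Date).AddMinutes(-$LookBackMinutes) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $events | Group-Object MachineName | ForEach-Object {
        Write-Host ("{0,-40} {1}" -f $_.Name, $_.Count)
    }
    return $events.Count
}

# Role detection: the gateway owns the subscription; a monitored DC carries the policy.
$isGateway = & wecutil.exe es 2>$null | Where-Object { $_ -eq $SubscriptionName }
if ($isGateway) {
    $subOk = Test-GatewaySubscription
    $count = Get-Recent4776Count
    Write-Host ("Gateway check: subscription healthy={0}, 4776 events in last {1} min={2}" -f $subOk, $LookBackMinutes, $count)
} else {
    $policyOk = Test-SubscriptionManagerPolicy
    $reachOk  = Test-GatewayReachable
    Write-Host ("DC check: policy ok={0}, gateway reachable={1}" -f $policyOk, $reachOk)
}
```

Run it in an elevated PowerShell session on each side; on a DC a `policy ok=False` result usually means the GPO's security filtering does not include that DC, while on the gateway a subscription with sources that are not Active points at a WinRM or Event Log Readers permission problem on the source DC rather than at the subscription XML.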