Windows Server - Integration Guide

This guide shows how to integrate a Windows server (or desktop) into the Secure60 platform using Windows Event Forwarding.

Overview

This guide explains how to configure Windows Event Forwarding to send Windows event logs directly to a Secure60 collector server. This method leverages native Windows functionality and doesn’t require additional agent software. For more information about Windows Event Forwarding, see the Microsoft documentation.

Prerequisites:

Setup Process

Step 1: Secure60 Collector Configuration

Before configuring your Windows server, ensure the Secure60 collector has:

  1. Windows Event Forwarding module enabled
  2. Port 5986 opened for Windows Event Forwarding traffic

Contact Secure60 Support to enable this module on your collector.

Step 2: Obtain Server Hostname

Run the following command on your Windows server to get the hostname:

hostname

Provide this hostname to the Secure60 team so they can generate the required certificates.

Step 3: Install Certificates

The Secure60 team will provide you with:

3.1 Install the Client Certificate:

  1. Open Certificate Manager (certmgr.msc)
  2. Navigate to Personal > Certificates
  3. Right-click on the Personal folder and select All Tasks > Import…
  4. Follow the Certificate Import Wizard
  5. Important: Check the box “Include all extended properties” during import

3.2 Install the CA Certificate:

  1. Open Certificate Manager (certmgr.msc)
  2. Navigate to Trusted Root Certification Authorities > Certificates
  3. Right-click on the Trusted Root Certification Authorities folder and select All Tasks > Import…
  4. Follow the Certificate Import Wizard to install the CA certificate

3.3 Configure Certificate Permissions:

  1. In Certificate Manager, locate your client certificate in Personal > Certificates
  2. Right-click on the client certificate and select Manage Private Keys
  3. Add the Network Service account and grant it Read permissions

Step 4: Configure Windows Event Forwarding

3.4 Modify Local Policy:

  1. Open Local Group Policy Editor (gpedit.msc)
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Event Forwarding
  3. Double-click on Configure target Subscription Manager
  4. Select Enabled
  5. Click Show… next to SubscriptionManagers
  6. Add the Subscription Manager string provided by Secure60 team

Subscription Manager string format:

Server=HTTPS://wec-server.secure60:5986/wsman/,Refresh=30,IssuerCA=<CA_THUMBPRINT>

Example with the CA thumbprint filled in:

Server=HTTPS://wec-server.secure60:5986/wsman/,Refresh=30,IssuerCA=EDECEF179CB4246BD476EA75FE0364A822B64B71

(Screenshot: Windows Event Forwarding Policy Example)

3.5 Configure Hosts File (PoC Only): For proof of concept, add an entry to your Windows hosts file:

  1. Open Notepad as Administrator
  2. Open C:\Windows\System32\drivers\etc\hosts
  3. Add a line: <COLLECTOR_IP> wec-server.secure60
  4. Save the file

Note: In production, this would be handled by proper DNS configuration.

3.6 Verify WinRM Service: Ensure the Windows Remote Management service is running:

sc query winrm

If not running, start it:

net start winrm

3.7 Check for Errors:

  1. Open Event Viewer (eventvwr.msc)
  2. Navigate to Applications and Services Logs > Microsoft > Windows > Eventlog-ForwardingPlugin > Operational
  3. Look for Event ID 104 (successful connection) or any error events
(Screenshot: Winlogbeat Forwarding Success)
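
The checks in Steps 3 and 4 can be run in one pass with the script below, added here as an example and not part of the Secure60 guide. It assumes the Subscription Manager string written by gpedit.msc lands under the standard SubscriptionManager policy registry key, that the client certificate is in the Local Computer Personal store, and it reuses the CA thumbprint from the example policy string above as a placeholder.

```powershell
# Added example, not from the Secure60 guide: health check for a WEF source
# configured per Steps 3 and 4. Run in an elevated PowerShell session.
$LogName   = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
# Assumption: gpedit's "Configure target Subscription Manager" policy writes here.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

function Test-WefSource {
    param([string]$ExpectedCaThumbprint)   # the IssuerCA value from the policy string

    # 1. WinRM must be running (Step 3.6)
    $winrm  = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result = [ordered]@{ WinRMRunning = [bool]($winrm -and $winrm.Status -eq 'Running') }

    # 2. Subscription Manager policy present and using HTTPS on port 5986 (Step 3.4)
    $subs = @()
    if (Test-Path $PolicyKey) {
        $subs = @((Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
                  Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    $result.SubscriptionManagers = $subs
    $result.UsesHttps5986 = [bool]($subs | Where-Object { $_ -match '^Server=HTTPS://[^,]+:5986/wsman/' })

    # 3. Collector hostname resolves (hosts file in the PoC, DNS in production; Step 3.5)
    $targets = $subs | ForEach-Object { if ($_ -match '^Server=HTTPS://([^:/]+)') { $Matches[1] } }
    $result.CollectorResolves = [bool]($targets | Where-Object {
        try { [System.Net.Dns]::GetHostAddresses($_) } catch { $null } })

    # 4. Issuing CA trusted and a client cert with a private key issued by it (Steps 3.1-3.2).
    #    Assumption: the client certificate is in the Local Computer store, which is the
    #    store whose private key NETWORK SERVICE can be granted Read access to (Step 3.3).
    $ca = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Thumbprint -eq $ExpectedCaThumbprint } | Select-Object -First 1
    $result.CaTrusted = [bool]$ca
    $client = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $ca -and $_.HasPrivateKey -and $_.Issuer -eq $ca.Subject }
    $result.ClientCertFound = [bool]$client

    # 5. Forwarding plugin reported a successful connection (Event ID 104, Step 3.7),
    #    plus the most recent error-level events from the same log for troubleshooting.
    $ok = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 104 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.LastSuccessfulConnection = if ($ok) { $ok.TimeCreated } else { $null }
    $errs = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue
    $result.RecentErrors = @($errs | ForEach-Object { "$($_.TimeCreated) [Event $($_.Id)] $($_.Message)" })

    [pscustomobject]$result
}

# Thumbprint taken from the example policy string above; substitute your collector's CA thumbprint.
Test-WefSource -ExpectedCaThumbprint 'EDECEF179CB4246BD476EA75FE0364A822B64B71' | Format-List
```

A result with WinRMRunning, UsesHttps5986, CollectorResolves, CaTrusted and ClientCertFound all True but no LastSuccessfulConnection usually means the collector has not yet accepted the client certificate; the RecentErrors entries are where to look first.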

Verification

After configuration, you should see:

Troubleshooting

Common Issues:

Log Locations:

Support

If you encounter any issues during setup, don’t hesitate to contact Secure60 Support. Please provide:
