# WEC-Setup.ps1
# Purpose: Configure a Windows server to collect Windows Event Log events from other Windows endpoints running WEF.
# Minimum supported version: Windows Server 2016 with PowerShell 5.1
$scriptVersion = "1.0.0"

# Script-scope settings read by Write-Log and the setup steps below.
# Install root for the collector; the log file lives beside it.
$installDir = Join-Path $env:ProgramFiles "Wirespeed"
$logPath = Join-Path $installDir "collector.log"
# Once the log reaches this size it is rotated to collector.log.bak (10 MiB).
$maxLogSize = 10MB
# Logging function with rotation
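function Write-Log {
    <#
    .SYNOPSIS
        Appends a timestamped entry to the collector log, rotating it once.
    .DESCRIPTION
        Reads the script-scope variables $installDir, $logPath and $maxLogSize.
        When the current log is at least $maxLogSize bytes it is renamed to
        collector.log.bak (replacing any previous .bak), so at most two log
        files are ever kept. The log directory is created if it does not exist
        yet; write failures are deliberately swallowed so that a logging
        problem can never abort the setup itself.
    .PARAMETER Message
        Text to record.
    .PARAMETER Level
        Severity label placed in the entry (e.g. INFO, ERROR). Defaults to INFO.
    .OUTPUTS
        None. Writes one line of the form "[yyyy-MM-dd HH:mm:ss] [LEVEL] Message".
    #>
    param (
        [string]$Message,
        [string]$Level = "INFO"
    )
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $logEntry = "[$timestamp] [$Level] $Message"

    # Nothing else in the script creates $installDir. Add-Content does not
    # create missing parent directories, so on a fresh host every entry
    # (including the "must be run as administrator" error) would be lost
    # silently without this.
    if (-not (Test-Path -Path $installDir -PathType Container)) {
        New-Item -Path $installDir -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
    }

    # Single-generation rotation: keep the previous log as .bak only.
    if (Test-Path $logPath) {
        $logSize = (Get-Item $logPath).Length
        if ($logSize -ge $maxLogSize) {
            $backupPath = Join-Path $installDir "collector.log.bak"
            if (Test-Path $backupPath) {
                Remove-Item -Path $backupPath -Force
            }
            Rename-Item -Path $logPath -NewName "collector.log.bak" -Force
        }
    }
    # Best-effort append: a failed log write must not stop the configuration.
    Add-Content -Path $logPath -Value $logEntry -ErrorAction SilentlyContinue
}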
# Everything below changes services, firewall rules and HKLM, so refuse to
# continue unless the current token holds the built-in Administrators role.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin -eq $false) {
    Write-Log "This script must be run as an administrator. Exiting." "ERROR"
    exit 1
}
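# Path of the temporary subscription XML. Declared outside the try so that the
# finally block can remove it on every exit path, not only on success.
$tempFile = $null
try {
    Write-Log "Configuring WEC server..."

    # --- WinRM listener and the Windows Event Collector service -------------
    # winrm qc creates the HTTP listener on 5985; stderr is merged so the
    # failure text reaches the log.
    $winrmStatus = winrm qc /q 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Log "Failed to enable WinRM: $winrmStatus" "ERROR"
        throw "WinRM configuration failed."
    }
    Write-Log "WinRM enabled."

    Set-Service -Name wecsvc -StartupType Automatic
    Start-Service -Name wecsvc
    $wecStatus = wecutil qc /q 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Log "Failed to enable WEC service: $wecStatus" "ERROR"
        throw "WEC service configuration failed."
    }
    Write-Log "WEC service enabled."

    # --- Grant the WinRM identity read access to the local event logs -------
    $group = "Event Log Readers"
    $account = "NT AUTHORITY\Network Service"
    # Match on the well-known SID of Network Service rather than on the display
    # name: the name returned by Get-LocalGroupMember depends on OS locale and
    # casing, the SID does not.
    $networkServiceSid = "S-1-5-20"
    $isMember = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $networkServiceSid }
    if (-not $isMember) {
        # NOTE(review): if Get-LocalGroupMember itself failed (swallowed above),
        # $isMember is empty and this Add may throw "already a member" — confirm
        # on hosts where that cmdlet is known to be unreliable.
        Add-LocalGroupMember -Group $group -Member $account -ErrorAction Stop
        Write-Log "Added $account to $group."
    } else {
        Write-Log "$account is already a member of $group."
    }

    # --- Inbound firewall rules for the WinRM listeners ---------------------
    # NOTE(review): no -RemoteAddress is given, so both rules admit traffic
    # from any source. Where the collector is reachable from outside the
    # forwarder network, scope the rules to the forwarder subnets.
    $firewallRuleHttp = Get-NetFirewallRule -Name "WinRM HTTP for WEF" -ErrorAction SilentlyContinue
    if (-not $firewallRuleHttp) {
        New-NetFirewallRule -Name "WinRM HTTP for WEF" -DisplayName "WinRM HTTP for WEF" -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow -ErrorAction Stop
    }
    $firewallRuleHttps = Get-NetFirewallRule -Name "WinRM HTTPS for WEF" -ErrorAction SilentlyContinue
    if (-not $firewallRuleHttps) {
        New-NetFirewallRule -Name "WinRM HTTPS for WEF" -DisplayName "WinRM HTTPS for WEF" -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow -ErrorAction Stop
    }
    Write-Log "Firewall ports 5985 (HTTP) and 5986 (HTTPS) opened."

    # --- Make the collector forward its own logs to itself ------------------
    # The SubscriptionManager policy value points the local WEF client at the
    # local HTTP listener, with a 60 s refresh interval.
    $regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    Set-ItemProperty -Path $regPath -Name "1" -Value "Server=http://localhost:5985/wsman/,Refresh=60" -Type String -Force
    Write-Log "Configured WEF to forward events to localhost."

    # --- Source-initiated subscription -------------------------------------
    $subscriptionName = "Security and PowerShell Events"
    # Drop a previous subscription of the same name so that cs below recreates
    # it; the error on a first run (nothing to delete) is expected and ignored.
    wecutil ds $subscriptionName 2>&1
    # NOTE(review): AllowedSourceDomainComputers below is O:BAG:SYD:(A;;GA;;;WD).
    # "WD" is Everyone, so any principal that can authenticate to this WinRM
    # listener may register as an event source. For production, replace the
    # ACE trustee with the forwarder computer group (e.g. Domain Computers).
    # ReadExistingEvents=true replays each source's existing log on first
    # connection — expect a large initial burst into ForwardedEvents.
    # TransportName is HTTP; over a domain this relies on Kerberos message-level
    # protection — confirm that is acceptable, or use the HTTPS listener.
    $subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<SubscriptionId>$subscriptionName</SubscriptionId>
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description>Collects security, PowerShell, system, and application events</Description>
<Enabled>true</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<ConfigurationMode>Custom</ConfigurationMode>
<Delivery Mode="Push">
<Batching>
<MaxLatencyTime>60000</MaxLatencyTime>
</Batching>
<PushSettings>
<Heartbeat Interval='60000'/>
</PushSettings>
</Delivery>
<AllowedSourceDomainComputers>
O:BAG:SYD:(A;;GA;;;WD)
</AllowedSourceDomainComputers>
<Query>
<![CDATA[
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
<Select Path="Windows PowerShell">*</Select>
<Select Path="System">*</Select>
<Select Path="Application">*</Select>
</Query>
</QueryList>
]]>
</Query>
<ReadExistingEvents>true</ReadExistingEvents>
<TransportName>HTTP</TransportName>
<ContentFormat>RenderedText</ContentFormat>
<Locale Language="en-US"/>
<LogFile>ForwardedEvents</LogFile>
</Subscription>
"@
    $tempFile = Join-Path $env:TEMP "wef_subscription.xml"
    Set-Content -Path $tempFile -Value $subscriptionXml -Force
    Write-Log "Creating subscription with XML at $tempFile"
    # 2>&1 so that wecutil's error text (written to stderr) is captured; without
    # it the "Wecutil output" in the failure message is empty.
    $wecutilOutput = wecutil cs $tempFile 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Log "Failed to create WEF subscription. Wecutil output: $wecutilOutput" "ERROR"
        throw "Subscription creation failed."
    }
    Write-Log "WEF subscription '$subscriptionName' created."
    exit 0
} catch {
    Write-Log "ERROR: $($_.Exception.Message)`nStack Trace: $($_.ScriptStackTrace)" "ERROR"
    exit 1
} finally {
    # exit inside try still runs finally, so the XML is removed on success and
    # on a failed wecutil cs alike instead of lingering in %TEMP%.
    if ($tempFile -and (Test-Path $tempFile)) {
        Remove-Item -Path $tempFile -Force -ErrorAction SilentlyContinue
    }
}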