Collector Server #38

Open

coleJ98 opened this issue Apr 8, 2019 · 3 comments

Comments

@coleJ98

coleJ98 commented Apr 8, 2019

Hi,

Do you recommend using Domain Controllers as Windows event log collector servers?

I have implemented the WEF using your guide and it's great! However, we do not have a spare server to be used as a collector server. Can I use the Domain Controller as a centralised logging point?

I am planning to forward Microsoft-Windows-Sysmon/Operational logs from ~1500 endpoints.
Please let me know, your help is much appreciated! Thank you

@jokezone

No, do not use a Domain Controller as a Windows event log collector server. This will increase the attack surface on your DCs. If you don't have enough physical servers, look into virtualization.

@coleJ98

coleJ98 commented Apr 23, 2019

> No, do not use a Domain Controller as a Windows event log collector server. This will increase the attack surface on your DCs. If you don't have enough physical servers, look into virtualization.

Hi @jokezone,

Thanks for your reply. I understand that it is not good to forward the logs to a DC. Do you know what specs the collector server needs to have in order to receive logs from ~1500 endpoints?

Is there any way I could stress test this before pushing out to production? Please let me know. Your help is appreciated!

@jokezone

I found this post from someone in a similar sized environment:

https://social.technet.microsoft.com/Forums/ie/en-US/5cbd79db-936d-4267-bd06-43507e9a9f15/event-collector-server-sizing-question?forum=winservergen

As far as testing, you could deploy the event forwarding GPO gradually instead of all at once.
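A gradual GPO rollout only helps if you measure what each step adds on the collector. The script below is an added example, not code from this issue or from the WEF guide it refers to; it runs on the collector and reports events per second, the per-endpoint breakdown, and the subscription's runtime status so the numbers can be compared with the sizing figures in the linked thread before the next OU is added to the GPO scope. It assumes the default ForwardedEvents destination log and a subscription named "Sysmon", which is a placeholder for your own subscription name.

```powershell
# Added example (not from the issue or the referenced guide). Run on the WEF collector.
# Assumptions: forwarded events land in the default ForwardedEvents log, and the
# subscription is called "Sysmon" (placeholder; replace with your subscription name).
param(
    [string]$SubscriptionName = 'Sysmon',   # placeholder subscription name
    [int]$WindowMinutes = 15                # measurement window
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Everything that arrived in the window, regardless of which endpoint sent it.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No forwarded events in the last $WindowMinutes minutes; check 'wecutil gr $SubscriptionName'."
    return
}

# Sustained events per second is the figure to compare against sizing guidance.
$eps = [math]::Round($events.Count / ($WindowMinutes * 60), 2)

# Per-source view: which endpoints are reporting and how chatty each one is.
$perHost = $events |
    Group-Object -Property MachineName |
    Sort-Object -Property Count -Descending |
    Select-Object @{n = 'Host'; e = { $_.Name }},
                  Count,
                  @{n = 'EventsPerMin'; e = { [math]::Round($_.Count / $WindowMinutes, 1) }}

# Collector-side subscription health. 'wecutil gr' prints one RunTimeStatus line for
# the subscription itself followed by one per event source, so the first is skipped.
$statuses = wecutil gr $SubscriptionName |
    Select-String 'RunTimeStatus:\s*(\w+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Select-Object -Skip 1
$sourceStatus = $statuses | Group-Object | ForEach-Object { "$($_.Name)=$($_.Count)" }

[pscustomobject]@{
    Window          = "$WindowMinutes min"
    TotalEvents     = $events.Count
    EventsPerSecond = $eps
    ReportingHosts  = $perHost.Count
    SourceStatus    = ($sourceStatus -join ', ')
}

# Top talkers: one endpoint with an outsized rate usually points at a Sysmon
# configuration that needs tuning rather than a collector that needs more hardware.
$perHost | Select-Object -First 10 | Format-Table -AutoSize
```

Record the summary after each OU is added to the GPO scope; a roughly linear growth in EventsPerSecond with ReportingHosts makes the projection to ~1500 endpoints straightforward, while a jump in non-Active sources or a long tail of very chatty hosts is the signal to stop and tune before widening the rollout.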
