General Information
Subscription XML Details
A subscription is an XML file that describes to the operating system what event logs to collect and forward. The following subscription example demonstrates the collection of Endpoint Privilege Management events in the Application log from a source (client). The targeted sources are the Domain Computers group and the Domain Controllers group.
The following subscription example is for testing purposes as it will collect a large number of events and is not recommended for production use.
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<SubscriptionId>Application Log</SubscriptionId>
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description></Description>
<Enabled>true</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<ConfigurationMode>MinLatency</ConfigurationMode>
<Delivery Mode="Push">
<Batching>
<MaxLatencyTime>30000</MaxLatencyTime>
</Batching>
<PushSettings>
<Heartbeat Interval="3600000"/>
</PushSettings>
</Delivery>
<Query>
<![CDATA[
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[Provider
[@Name='BeyondTrust Endpoint Privilege Management Event
Service'] and (Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and
((EventID >= 100 and EventID <= 116) )]]
</Select>
</Query>
</QueryList>
]]>
</Query>
<ReadExistingEvents>false</ReadExistingEvents>
<TransportName>HTTP</TransportName>
<ContentFormat>RenderedText</ContentFormat>
<Locale Language="en-US"/>
<LogFile>ForwardedEvents</LogFile>
<PublisherName>Microsoft-Windows-EventCollector</PublisherName>
<AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
<AllowedSourceDomainComputers> O:NSG:NSD:(A;;GA;;;DC)A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>Subscription Details
| Node | Description |
|---|---|
| Subscription | The subscription schema. |
| SubscriptionId | The subscription’s identification. |
| Description | Describes the subscription. |
| Enabled | Specifies if the current subscription is enabled or disabled. |
| Uri | The type of event used by the subscription. |
| ConfigurationMode |
Used for the Event Delivery Optimization of subscriptions. The four valid options are:
|
| Delivery Mode | Indicates how events should be sent to the subscription manager. The mode can either be: Push (Source-Initiated) or Pull (Collector-Initiated). |
| QueryList | Used for event filtering and <Select></Select> is a XPath query. |
| Heatbeat | Used to validate the client’s connectivity with subscription. |
| ReadExistingEvents | Notifies the subscription to read all events matching the filter. |
| TransportName | Indicates that either HTTP or HTTPS will be used |
| ContentFormat | Specifies how the event data will be given to the subscription manager. |
| Locale | Language that the response is translated to. |
| LogFile | The event log file where the received events will be stored. |
| PublisherName | The name of the publisher that owns or imports the log file. |
| AllowedSourceNonDomainComputers | List the allowed non-domain computers that can receive the subscription. |
| AllowedSourceDomainComputers | List the allowed domain computers that can receive the subscription. |
WS-Management Protocol Settings
| Parameters | Description |
|---|---|
| MaxEnvelopeSizekb |
The Simple Object Access Protocol (SOAP) data size has maximum in kilobytes Default is 150 kilobytes. |
| MaxTimeoutms |
Each push request (not pull) has a maximum timeout. This value is in milliseconds. Default is 60000ms (60 seconds). |
| MaxBatchItems |
The limit of elements used in a pull response. Default for WinRM 1.1 and earlier: 20. Default for WinRM 2.0: 32000. |
| MaxProviderRequests |
The limit on concurrent requests. Default for WinRM 1.1 and earlier: 25. Default for WinRM 2.0: Unsupported/Undefined. |
WinRM Client Configuration
The following parameters configure how the WinRM client operates.
| Parameters | Description |
|---|---|
| NetworkDelayms |
A time buffer for the client computer to wait in milliseconds. Default WinRM 1.1 and earlier: 5000 . Default WinRM 2.0: 5000. |
| URLPrefix |
The type of URLPrefix used on request for HTTP or HTTPS requests. Default WinRM 1.1 and earlier: wsman. Default WinRM 2.0: wsman. |
| AllowUnencrypted |
Clients are allowed to request unencrypted traffic. Default WinRM 1.1 and earlier: false. Default WinRM 2.0: false. |
| Auth | Specifies which authentication method is allowed for the client computer. |
| DefaultPorts |
Default WinRM 1.1 and earlier: HTTP = 80, HTTPS = 443. Default WinRM 2.0: HTTP = 5985, HTTPS = 5986. |
| TrustedHosts | These trusted hosts do not need to be authenticated. |
WinRM Service Configuration
| Parameters | Description |
|---|---|
| RootSDDL |
The security descriptor for remotely accessing the listener. Default WinRM 1.1 and earlier: O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD) Default WinRM 2.0: O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;ER)S:P(AU;FA;GA;;;WD) |
| MaxConcurrentOperations |
The maximum number of concurrent operations. Default WinRM 1.1 and earlier: 100. Default WinRM 2.0: replaced with MaxConcurrentOperationPerUser. |
| MaxConcurrentOperationsPerUser |
The limit of concurrent operation for each user on the same system. Default WinRM 1.1 and earlier: Not available. Default WinRM 2.0: 15. |
| EnumerationTimeoutms |
The idle timeout between pull messages in milliseconds. Default WinRM 1.1 and earlier: 60000. Default WinRM 2.0: 60000. |
| MaxConnections |
The maximum number of simultaneous active requests that can be processed. Default WinRM 1.1 and earlier: 5. Default WinRM 2.0: 25. |
| MaxPacketRetrievalTimeSeconds |
The limit on the number of seconds to retrieve a packet. Default WinRM 1.1 and earlier: Not available. Default WinRM 2.0: 120. |
| AllowUnencrypted |
Clients are allowed to request unencrypted traffic. Default WinRM 1.1 and earlier: false. Default WinRM 2.0: false. |
| Auth | Specifies which authentication method is allowed for the client computer. |
| DefaultPorts |
Default WinRM 1.1 and earlier: HTTP = 80, HTTPS = 443. Default WinRM 2.0: HTTP = 5985, HTTPS = 5986. |
| IPv(4/6) Filter |
The IP for the WinRM service to listen on. Default WinRM 1.1 and earlier: Any. Default WinRM 2.0: Any. |
| EnableCompatibilityHttpListener |
Service listens on port 80 and port 5985. WinRM 1.1 and earlier: Not supported. |
| EnableCompatibilityHttpsListener |
Service listens on port 443 and port 5986. WinRM 1.1 and earlier: Not supported. |
| CertificateThumbprint |
The certificate thumbprint used for HTTPS. WinRM 1.1 and earlier: Not supported. |
WinRM and IIS
Windows Server 2008 R2 introduced a feature called WinRM IIS Extension. The IIS Extension allows the redirection of WinRM traffic from port 80 to port 5985 using a WinRM module. This module permits sources running WinRM 1.1 and earlier to communicate with a collector that is also using port 80 for Web traffic.
When a WinRM connection arrives on port 80, IIS investigates the incoming URL for the prefix /wsman. This URL prefix is reserved by IIS and no configuration of IIS is needed. All GET requests to the URL prefix /wsman are forwarded to WinRM.
Microsoft recommends not hosting any site with the URL prefix. WinRM IIS Extension is not installed by default and must be added through Server Manager.
WinRM Registry Keys and Values
WinRM Registry keys can be found in the following locations. We do not recommend changing the registry key; they are only listed here for verification purposes. These keys are found by viewing the following GPO Administrative Template (ADM) files located at Event Forwarding:
- EventForwarding.adm
- Windows Remote Management: windowsremotemanagement.adm
- Windows Remote Shell: WindowsRemoteShell.adm
The policies registry keys appear once a Domain Controller configures WinRM using Group Policies.
| Registry Values Description | Description |
|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1 | Subscription Manager registry key |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowConfig HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\IPv4Filter HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\IPv6Filter HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowBasic HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowCredSSP HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowKerberos HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\CBTHardeningLevelStatus HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\CbtHardeningLevel HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowNegotiate | WinRM Service registry keys |
|
HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client \AllowBasic
|
WinRM Client registry keys |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WINRS HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WINRS\CustomRemoteShell |
Windows Remote Shell registry keys |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMap HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTP HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\EventForwarding Plugin HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service | WSMAN Services registry keys |
