General Information

Subscription XML Details

A subscription is an XML file that describes to the operating system what event logs to collect and forward. The following subscription example demonstrates the collection of Privilege Management events in the Application log from a source (client). The targeted sources are the Domain Computers group and the Domain Controllers group.

The following subscription example is for testing purposes as it will collect a large number of events and is not recommended for production use.

Subscription XML
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<SubscriptionId>Application Log</SubscriptionId>
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description></Description>
<Enabled>true</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<ConfigurationMode>MinLatency</ConfigurationMode>
<Delivery Mode="Push">
	<Batching>
		<MaxLatencyTime>30000</MaxLatencyTime>	
	</Batching>
	<PushSettings>
		<Heartbeat Interval="3600000"/>
	</PushSettings>
</Delivery>
<Query>
<![CDATA[
	<QueryList>
		<Query Id="0" Path="Application">
		    <Select Path="Application">*[System[Provider
                  [@Name='BeyondTrust Privilege Management Event 
		   Service'] and (Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and 
                  ((EventID &gt;= 100 and EventID &lt;= 116) )]]
		   </Select>
		</Query>
	</QueryList>
]]>
</Query>
<ReadExistingEvents>false</ReadExistingEvents>
<TransportName>HTTP</TransportName>
<ContentFormat>RenderedText</ContentFormat>
<Locale Language="en-US"/>
<LogFile>ForwardedEvents</LogFile>
<PublisherName>Microsoft-Windows-EventCollector</PublisherName>
<AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
<AllowedSourceDomainComputers> O:NSG:NSD:(A;;GA;;;DC)A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>

Subscription Details

Node Description
Subscription The subscription schema.
SubscriptionId The subscription’s identification.
Description Describes the subscription.
Enabled Specifies if the current subscription is enabled or disabled.
Uri The type of event used by the subscription.
ConfigurationMode

Used for the Event Delivery Optimization of subscriptions. The four valid options are:

  • Normal
  • MinLatency
  • MinBandwidth
  • Custom
Delivery Mode Indicates how events should be sent to the subscription manager. The mode can either be: Push (Source-Initiated) or Pull (Collector-Initiated).
QueryList Used for event filtering and <Select></Select> is a XPath query.
Heatbeat Used to validate the client’s connectivity with subscription.
ReadExistingEvents Notifies the subscription to read all events matching the filter.
TransportName Indicates that either HTTP or HTTPS will be used
ContentFormat Specifies how the event data will be given to the subscription manager.
Locale Language that the response is translated to.
LogFile The event log file where the received events will be stored.
PublisherName The name of the publisher that owns or imports the log file.
AllowedSourceNonDomainComputers List the allowed non-domain computers that can receive the subscription.
AllowedSourceDomainComputers List the allowed domain computers that can receive the subscription.

WS-Management Protocol Settings

Parameters Description
MaxEnvelopeSizekb

The Simple Object Access Protocol (SOAP) data size has maximum in kilobytes
Default is 150 kilobytes.

MaxTimeoutms Each push request (not pull) has a maximum timeout. This value is in milliseconds.
Default is 60000ms (60 seconds).
MaxBatchItems

The limit of elements used in a pull response.

Default for WinRM 1.1 and earlier: 20.

Default for WinRM 2.0: 32000.

MaxProviderRequests The limit on concurrent requests.
Default for WinRM 1.1 and earlier: 25 .
Default for WinRM 2.0: Unsupported/Undefined.

WinRM Client Configuration

The following parameters configure how the WinRM client operates.

Parameters Description
NetworkDelayms

A time buffer for the client computer to wait in milliseconds.

Default WinRM 1.1 and earlier: 5000 .

Default WinRM 2.0: 5000.

URLPrefix

The type of URLPrefix used on request for HTTP or HTTPS requests.

Default WinRM 1.1 and earlier: wsman.

Default WinRM 2.0: wsman.

AllowUnencrypted

Clients are allowed to request unencrypted traffic.

Default WinRM 1.1 and earlier: false.

Default WinRM 2.0: false.

Auth Specifies which authentication method is allowed for the client computer.
DefaultPorts

Default WinRM 1.1 and earlier: HTTP = 80, HTTPS = 443.

Default WinRM 2.0: HTTP = 5985, HTTPS = 5986.

TrustedHosts These trusted hosts do not need to be authenticated.

WinRM Service Configuration

Parameters Description
RootSDDL

The security descriptor for remotely accessing the listener.

Default WinRM 1.1 and earlier:
O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
Default WinRM 2.0:
O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;ER)S:P(AU;FA;GA;;;WD)

MaxConcurrentOperations

The maximum number of concurrent operations.

Default WinRM 1.1 and earlier: 100.
Default WinRM 2.0: replaced with MaxConcurrentOperationPerUser.

MaxConcurrentOperationsPerUser

The limit of concurrent operation for each user on the same system.

Default WinRM 1.1 and earlier: Not available.

Default WinRM 2.0: 15.

EnumerationTimeoutms

The idle timeout between pull messages in milliseconds.

Default WinRM 1.1 and earlier: 60000.

Default WinRM 2.0: 60000.

MaxConnections

The maximum number of simultaneous active requests that can be processed.

Default WinRM 1.1 and earlier: 5.

Default WinRM 2.0: 25.

MaxPacketRetrievalTimeSeconds

The limit on the number of seconds to retrieve a packet.

Default WinRM 1.1 and earlier: Not available.

Default WinRM 2.0: 120.

AllowUnencrypted

Clients are allowed to request unencrypted traffic.

Default WinRM 1.1 and earlier: false.

Default WinRM 2.0: false.

Auth Specifies which authentication method is allowed for the client computer.
DefaultPorts

Default WinRM 1.1 and earlier: HTTP = 80, HTTPS = 443.

Default WinRM 2.0: HTTP = 5985, HTTPS = 5986.

IPv(4/6) Filter

The IP for the WinRM service to listen on.

Default WinRM 1.1 and earlier: Any.

Default WinRM 2.0: Any.

EnableCompatibilityHttpListener

Service listens on port 80 and port 5985.

WinRM 1.1 and earlier: Not supported.

EnableCompatibilityHttpsListener

Service listens on port 443 and port 5986.

WinRM 1.1 and earlier: Not supported.

CertificateThumbprint

The certificate thumbprint used for HTTPS.

WinRM 1.1 and earlier: Not supported.

WinRM and IIS

Windows Server 2008 R2 introduced a feature called WinRM IIS Extension. The IIS Extension allows the redirection of WinRM traffic from port 80 to port 5985 using a WinRM module. This module permits sources running WinRM 1.1 and earlier to communicate with a collector that is also using port 80 for Web traffic.

When a WinRM connection arrives on port 80, IIS investigates the incoming URL for the prefix /wsman. This URL prefix is reserved by IIS and no configuration of IIS is needed. All GET requests to the URL prefix /wsman are forwarded to WinRM.

Microsoft recommends not hosting any site with the URL prefix. WinRM IIS Extension is not installed by default and must be added through Server Manager.

WinRM Registry Keys and Values

WinRM Registry keys can be found in the following locations. We do not recommend changing the registry key; they are only listed here for verification purposes. These keys are found by viewing the following GPO Administrative Template (ADM) files located at Event Forwarding:

  • EventForwarding.adm
  • Windows Remote Management: windowsremotemanagement.adm
  • Windows Remote Shell: WindowsRemoteShell.adm

The policies registry keys appear once a Domain Controller configures WinRM using Group Policies.

Registry Values Description Description
HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1 Subscription Manager registry key
HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowConfig HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\IPv4Filter HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\IPv6Filter HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowBasic HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowCredSSP HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowKerberos HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\CBTHardeningLevelStatus HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\CbtHardeningLevel HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowNegotiate WinRM Service registry keys

HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client \AllowBasic
HKLM \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client \AllowUnencryptedTraffic
HKLM \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client \AllowCredSSP
HKLM \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client \AllowDigest
HKLM \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client \AllowKerberos
HKLM \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client \AllowNegotiate

WinRM Client registry keys
HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WINRS HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WINRS\CustomRemoteShell
Windows Remote Shell registry keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMap HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTP HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\EventForwarding Plugin HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service WSMAN Services registry keys