Collector Server

[coleJ98]

Hi,

Do you recommend using Domain Controllers as windows event log collector servers?

I have implemented the WEF using your guide and its great! However we do not have a spare server to be used as a collector server. Can I use the Domain Controller as centralised logging point?

I am planning to forward Microsoft-Windows-Sysmon/Operational logs from ~1500 endpoints.
Please let know, your help is much appreciated! Thank you

[jokezone]

No, do not use a Domain Controller as a windows event log collector server. This will increase the attack surface on your DCs. If you don't have enough physical servers, look into virtualization.

[coleJ98]

No, do not use a Domain Controller as a windows event log collector server. This will increase the attack surface on your DCs. If you don't have enough physical servers, look into virtualization.

Hi @jokezone ,

Thanks for your reply. I understand that it is not good to forward the logs to a DC. Do you know what specs does the collector server needs to have inorder to receive logs from ~1500 endpoints?

Is there anyway I could stress test this before pushing out to production? Please let me know. Your help is appreciated!

[jokezone]

I found this post from someone in a similar sized environment:

https://social.technet.microsoft.com/Forums/ie/en-US/5cbd79db-936d-4267-bd06-43507e9a9f15/event-collector-server-sizing-question?forum=winservergen

As far as testing, you could deploy the event forwarding GPO gradually instead of all at once.