EvotecIT/PSWinReporting

DCs still being scanned even when using forwarding server

jfacowns opened this issue · 3 comments

I've gone through the effort to set up Event Forwarding and have verified that it's working. I have a ton of events coming in, all is well there.

However, when I set the script to use forwarding by adjusting the $false variable to $true, I'm noticing that my DCs are still being scanned and thus the script is still taking a good amount of time to run.

Servers = @{
    UseForwarders   = $true # if $true skips Automatic/OnlyPDC/DC for reading logs. However it uses Automatic to deliver size of logs so keep Automatic to $true
    ForwardServer   = $ENV:COMPUTERNAME
    ForwardEventLog = 'ForwardedEvents'

    UseDirectScan   = $true
    Automatic       = $true
    OnlyPDC         = $false
    DC              = ''
}

Any ideas what might be happening here?

I apologize if this is the wrong way to report this, this is my first time using GitHub.

Thanks very much

Sure, just set UseDirectScan to $false. The way it works, it allows you to scan forwarders, DCs and file resources at the same time. You don't need that, because it only makes sense if you would like to create one big report or export everything to SQL.

Servers = @{
    UseForwarders   = $true # if $true skips Automatic/OnlyPDC/DC for reading logs. However it uses Automatic to deliver size of logs so keep Automatic to $true
    ForwardServer   = $ENV:COMPUTERNAME
    ForwardEventLog = 'ForwardedEvents'

    UseDirectScan   = $false
    Automatic       = $true
    OnlyPDC         = $false
    DC              = ''
}

Btw, did you use the script to set up forwarding that I've provided with PSWinReporting? Or did you do it by hand? The script is basically 1 run and fix :) It only requires manual permissions to access DC logs.
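With UseDirectScan set to $false the report only ever sees what reached the collector, so a DC whose WEF subscription has silently stopped simply disappears from the report rather than producing an error. The following script is an added example, not part of PSWinReporting and not code from either participant in this thread: it checks that every domain controller in the domain delivered at least one event to the collector's ForwardedEvents log (the log name used in the configuration above) within a lookback window. It assumes it is run on the collector with the ActiveDirectory RSAT module installed; the parameter names and the 60-minute default are this example's own choices.

```powershell
# Added example (not from PSWinReporting): confirm every DC is actually forwarding
# before trusting a report that relies on UseDirectScan = $false.
# Assumes: run on the event collector, ActiveDirectory module available.

param(
    [string]$ForwardEventLog = 'ForwardedEvents',   # log name from the issue's config
    [int]$LookbackMinutes    = 60                    # hypothetical default window
)

Import-Module ActiveDirectory -ErrorAction Stop

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Every DC that is expected to forward; HostName is the FQDN, which is what
# forwarded events carry in their MachineName property.
$expectedDCs = (Get-ADDomainController -Filter *).HostName

# Events that actually arrived in the collector log inside the window.
# Get-WinEvent raises a non-terminating error when nothing matches, so suppress it.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $ForwardEventLog
    StartTime = $since
} -ErrorAction SilentlyContinue

# Count forwarded events per source computer (hashtable keys are case-insensitive).
$counts = @{}
foreach ($e in $events) {
    $name = $e.MachineName
    if ($counts.ContainsKey($name)) { $counts[$name]++ } else { $counts[$name] = 1 }
}

# One row per DC; zero events means the subscription needs attention.
$report = foreach ($dc in $expectedDCs) {
    $n = if ($counts.ContainsKey($dc)) { $counts[$dc] } else { 0 }
    [pscustomobject]@{
        DomainController = $dc
        ForwardedEvents  = $n
        Status           = if ($n -gt 0) { 'OK' } else { 'MISSING - check WEF subscription' }
    }
}

$report | Format-Table -AutoSize

# Exit non-zero so a scheduled PSWinReporting run can be gated on this check.
$missing = @($report | Where-Object Status -ne 'OK')
if ($missing.Count -gt 0) {
    Write-Warning ("{0} DC(s) delivered no events in the last {1} minutes" -f $missing.Count, $LookbackMinutes)
    exit 1
}
```

Run it on the collector shortly before the report job; a DC listed as MISSING means the forwarded log is incomplete for that host and the report's coverage cannot be trusted until the subscription is repaired. The window should be at least as long as the quietest DC's normal gap between events, otherwise a healthy but idle DC will be flagged.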

I did the forwarding part by hand, mostly because I wanted to teach myself how to set that up.

Also, your suggestion worked, the run time for 1 hour's worth of logs has gone from 45-50 minutes down to about 50 seconds when gathering the logs locally from my event collector server.

Thank you so much for this, it's truly a fantastic resource and idea. I've learned a ton from it also. Much appreciated!