@sinansh
Last active January 20, 2026 07:54
Universal Remote Event Log Configuration Script for Windows Server 2008–2025. Automates user creation, group membership (Event Log Readers & DCOM), Firewall rules, WinRM/RemoteRegistry services, Log sizing (100MB), and UAC settings (LocalAccountTokenFilterPolicy) for agentless log collection. Supports strict IP filtering for security.
<#
.SYNOPSIS
Universal Windows Server Log Config (2008-2025 Compatible)
Language: English / Turkish (ASCII)
Features: User Setup + Group Permissions + Firewall + Log Size Increase
Note: User is VISIBLE everywhere.
#>
param (
    [Parameter(Mandatory=$true, Position=0)]
    [string]$UserName,
    [Parameter(Mandatory=$true, Position=1)]
    [string]$Password,
    [Parameter(Mandatory=$false, Position=2)]
    [string]$CollectorIP = $null
)
$ErrorActionPreference = "Continue"
Write-Host "--- Configuration Starting / Yapilandirma Basliyor ($UserName) ---" -ForegroundColor Cyan

# 1. USER OPERATIONS
Write-Host "[1/6] User operations / Kullanici islemleri..." -ForegroundColor Yellow
# net.exe output is localized, so both the English message and the Turkish
# "bulunamadi" stem are checked. Out-String collapses the output to one string
# so that -match / -notmatch return a boolean instead of an array of lines.
$UserCheck = (net user $UserName 2>&1) | Out-String
if ($UserCheck -match "The user name could not be found" -or $UserCheck -match "bulunamad") {
    Write-Host " -> Creating new user / Yeni kullanici olusturuluyor..."
    # The password is passed to net.exe on the command line; it will be recorded
    # wherever process command lines are audited (e.g. event 4688 with command-line logging).
    $proc = Start-Process "net.exe" -ArgumentList "user $UserName $Password /add /expires:never /passwordchg:no /comment:`"Log Reader Account`"" -NoNewWindow -Wait -PassThru
}
else {
    Write-Host " -> User found, updating password / Kullanici bulundu, sifre guncelleniyor..."
    $proc = Start-Process "net.exe" -ArgumentList "user $UserName $Password" -NoNewWindow -Wait -PassThru
}
if ($proc.ExitCode -ne 0) {
    Write-Host " -> WARNING: net user returned exit code $($proc.ExitCode)." -ForegroundColor Red
}

# Password Never Expires (PowerShell WMI - 2008 & 2025 Compatible)
try {
    $wmiUser = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$UserName'" -ErrorAction SilentlyContinue
    if ($wmiUser) {
        $wmiUser.PasswordExpires = $false
        $wmiUser.Put() | Out-Null
        Write-Host " -> Password set to 'Never Expire' / Sifre suresi sinirsiz yapildi."
    }
} catch {
    Write-Host " -> Note: Could not set password expiration automatically."
}

# 2. GROUP MEMBERSHIPS
Write-Host "[2/6] Setting group permissions / Grup yetkileri veriliyor..." -ForegroundColor Yellow
$Groups = @("Event Log Readers", "Distributed COM Users")
foreach ($Group in $Groups) {
    $GroupCheck = (net localgroup "$Group" 2>&1) | Out-String
    # System error 1376 = the local group does not exist (the number is the same in
    # every language). "ad. bulunamad." matches the Turkish "adi bulunamadi" message,
    # with a wildcard in place of the non-ASCII letters.
    if ($GroupCheck -notmatch "1376" -and $GroupCheck -notmatch "ad. bulunamad.") {
        net localgroup "$Group" "$UserName" /add 2> $null
        if ($LASTEXITCODE -eq 0) {
            Write-Host " -> Added to '$Group' / '$Group' grubuna eklendi." -ForegroundColor Green
        }
    } else {
        Write-Host " -> WARNING: Group '$Group' not found / Grup bulunamadi." -ForegroundColor Red
    }
}

# 3. REGISTRY (UAC Token Filter)
Write-Host "[3/6] Setting UAC Remote Access / Uzaktan erisim kilidi aciliyor..." -ForegroundColor Yellow
# LocalAccountTokenFilterPolicy = 1 disables UAC remote token filtering for every
# local Administrators member on this host, not only for $UserName.
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$RegName = "LocalAccountTokenFilterPolicy"
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWORD -Force
Write-Host " -> Registry updated (LocalAccountTokenFilterPolicy = 1)." -ForegroundColor Green

# 4. SERVICES
Write-Host "[4/6] Starting Services / Servisler baslatiliyor..." -ForegroundColor Yellow
# WinRM (quickconfig refuses to create the listener while a network profile is set to Public)
cmd /c "winrm quickconfig -q" | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host " -> WinRM configured."
} else {
    Write-Host " -> WARNING: winrm quickconfig failed (exit code $LASTEXITCODE)." -ForegroundColor Red
}
# Remote Registry
sc.exe config RemoteRegistry start= auto
sc.exe start RemoteRegistry
Write-Host " -> Remote Registry started."

# 5. FIREWALL
Write-Host "[5/6] Configuring Firewall / Firewall kurallari duzenleniyor..." -ForegroundColor Yellow
$RuleGroups = @("Remote Event Log Management", "Remote Service Management", "Windows Remote Management")
foreach ($RuleGroup in $RuleGroups) {
    if ($CollectorIP) {
        netsh advfirewall firewall set rule group="$RuleGroup" new enable=yes remoteip="$CollectorIP" | Out-Null
    } else {
        netsh advfirewall firewall set rule group="$RuleGroup" new enable=yes | Out-Null
    }
}
# Port 5985 Backup Rule. "show rule" exits non-zero when no rule matches, so the
# rule is only added once and re-running the script does not stack duplicates.
netsh advfirewall firewall show rule name="WinRM-Custom-Port-5985" | Out-Null
if ($LASTEXITCODE -ne 0) {
    if ($CollectorIP) {
        netsh advfirewall firewall add rule name="WinRM-Custom-Port-5985" dir=in action=allow protocol=TCP localport=5985 remoteip="$CollectorIP" profile=any | Out-Null
    } else {
        # Without a collector IP this rule accepts TCP/5985 from any source address.
        netsh advfirewall firewall add rule name="WinRM-Custom-Port-5985" dir=in action=allow protocol=TCP localport=5985 profile=any | Out-Null
    }
}
Write-Host " -> Firewall rules applied / Kurallar uygulandi."

# 6. LOG SIZE INCREASE (Best Practice)
Write-Host "[6/6] Increasing Log Sizes to 100MB / Log boyutlari arttiriliyor..." -ForegroundColor Yellow
# 100MB = 104857600 bytes
$LogSize = 104857600
# wevtutil is available on Server 2008 and later. A native command failure does not
# throw in PowerShell, so the exit code is checked instead of relying on try/catch.
foreach ($Log in @("Security", "System", "Application")) {
    cmd /c "wevtutil sl $Log /ms:$LogSize"
    if ($LASTEXITCODE -ne 0) {
        Write-Host " -> WARNING: Could not set $Log log size." -ForegroundColor Red
    }
}
Write-Host " -> Security, System, Application logs set to 100MB." -ForegroundColor Green
Write-Host "--- COMPLETED / ISLEM TAMAMLANDI ---" -ForegroundColor Green
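A post-configuration check to run after the script above, added here as an example and not part of sinansh's gist. It walks the same six steps and reports whether each one actually took effect: account state, group membership (resolved by well-known SID so it works on localized Windows), the token-filter registry value, service state, the firewall rule and its source-address scope, and the event log sizes. It also confirms that the log reader account is not a local administrator, since the LocalAccountTokenFilterPolicy change applies to every admin account. The `Add-Check` helper and the check names are assumptions of this example; the parameters mirror the gist's `$UserName` and `$CollectorIP`.

```powershell
<#
Added verification script (not part of the original gist). Assumes the gist has
already been run with the same $UserName and, optionally, the same $CollectorIP.
Exit code 1 means at least one check failed.
#>
param (
    [Parameter(Mandatory=$true)]  [string]$UserName,
    [Parameter(Mandatory=$false)] [string]$CollectorIP = $null
)

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    # Hypothetical helper: collects one row per check for the summary table.
    $script:results += New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# 1. Account exists, is enabled and has a non-expiring password
$acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$UserName'"
Add-Check "Account exists" ($null -ne $acct) $UserName
if ($acct) {
    Add-Check "Account enabled" (-not $acct.Disabled) "Disabled=$($acct.Disabled)"
    Add-Check "Password never expires" (-not $acct.PasswordExpires) "PasswordExpires=$($acct.PasswordExpires)"
}

# 2. Group membership. Built-in groups are looked up by SID because their display
#    names are localized; net localgroup prints one member name per line.
$groupSids = @{
    "S-1-5-32-573" = @{ Name = "Event Log Readers";     Expected = $true  }
    "S-1-5-32-562" = @{ Name = "Distributed COM Users"; Expected = $true  }
    "S-1-5-32-544" = @{ Name = "Administrators";        Expected = $false }  # log reader must not be admin
}
foreach ($sid in $groupSids.Keys) {
    $grp  = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='$sid'"
    $name = if ($grp) { $grp.Name } else { $groupSids[$sid].Name }
    $members  = (net localgroup "$name" 2>&1) | Out-String
    $isMember = ($LASTEXITCODE -eq 0) -and ($members -match "(?m)^$([regex]::Escape($UserName))\s*$")
    $label = if ($groupSids[$sid].Expected) { "Member of '$name'" } else { "NOT a member of '$name'" }
    Add-Check $label ($isMember -eq $groupSids[$sid].Expected) "member=$isMember"
}

# 3. UAC remote token filter value set by the script
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$tokenPolicy = (Get-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
Add-Check "LocalAccountTokenFilterPolicy = 1" ($tokenPolicy -eq 1) "Value=$tokenPolicy"

# 4. Services running and set to start automatically
foreach ($svc in @("WinRM", "RemoteRegistry")) {
    $s    = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode
    Add-Check "Service $svc running" (($null -ne $s) -and ($s.Status -eq 'Running')) "Status=$($s.Status) StartMode=$mode"
}

# 5. Firewall rule exists and, when a collector IP is configured, is scoped to it.
#    "show rule" exits non-zero when nothing matches.
$rule = (netsh advfirewall firewall show rule name="WinRM-Custom-Port-5985" 2>&1) | Out-String
$ruleExists = ($LASTEXITCODE -eq 0)
Add-Check "Rule WinRM-Custom-Port-5985 exists" $ruleExists ""
if ($ruleExists) {
    if ($CollectorIP) {
        Add-Check "Rule scoped to collector IP" ($rule -match [regex]::Escape($CollectorIP)) "expected RemoteIP $CollectorIP"
    } else {
        Add-Check "Rule scoped to collector IP" $false "no CollectorIP given; rule allows any source address"
    }
}

# 6. Event log sizes (wevtutil gl prints "maxSize: <bytes>")
foreach ($log in @("Security", "System", "Application")) {
    $gl  = (wevtutil gl $log 2>&1) | Out-String
    $max = if ($gl -match "maxSize:\s*(\d+)") { [int64]$Matches[1] } else { 0 }
    Add-Check "$log log maxSize >= 100MB" ($max -ge 104857600) "maxSize=$max"
}

$results | Format-Table Check, OK, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.OK }).Count
Write-Host "$failed check(s) failed."
if ($failed -gt 0) { exit 1 } else { exit 0 }
```

Run it from an elevated prompt as `.\Verify-LogCollector.ps1 -UserName logreader -CollectorIP 10.0.0.5` (file name and values are placeholders). The "Rule scoped to collector IP" row is deliberately reported as a failure when no collector IP was supplied, so that a 5985 listener open to any source address shows up in the summary rather than passing silently.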

sinansh commented Jan 20, 2026

TR: Central log collection (SIEM/WinCollect) preparation script for all Windows Server versions from 2008 to 2025 (Workgroup/Domain). Creates the log user, adds it to the required groups (Event Log Readers, DCOM), and automatically configures the Firewall, Service and UAC (LocalAccountTokenFilterPolicy) settings.

EN: Universal Remote Event Log Configuration Script for Windows Server 2008-2025. Automates user creation, group membership (Event Log Readers), Firewall rules, WinRM/RemoteRegistry services, and UAC settings for agentless log collection.
