{
	"id": "2b998b5a-3383-42b9-964a-5c20fa794d4b",
	"created_at": "2026-04-06T00:11:08.51809Z",
	"updated_at": "2026-04-10T13:11:25.259584Z",
	"deleted_at": null,
	"sha1_hash": "b9a5bbe48384384056ce4d3329e8addfc14a1185",
	"title": "Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1434726,
	"plain_text": "Monitoring what matters - Windows Event Forwarding for\r\neveryone (even if you already have a SIEM.)\r\nBy kexugit\r\nArchived: 2026-04-05 13:05:13 UTC\r\nLast week at Ignite Australia I presented a session (available here) on something I don't think gets talked about\r\nenough - Windows Event Forwarding, or WEF. (Edit: I've also since done an in-depth Microsoft Virtual Academy\r\nsession on Event Forwarding too!)\r\nOften when we engage for an Incident Response, we find the customer:\r\nHas no centralized logging\r\nIs not monitoring endpoints/member servers (often just DCs)\r\nSpams logs with extra data\r\nIs not logging key events\r\nHas logs that roll too quickly\r\nThose with centralized logging are still missing data, and it takes too long for IT admins to get reports\r\nIn Internet speak:\r\nWEF's been part of the operating system for a while now, but not many people take advantage of it. Many people\r\nappear to not even be aware of it, as evidenced by this highly scientific poll.\r\nhttps://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem\r\nPage 1 of 21\n\nWEF is not only free and built-in, it has some nice features when configured appropriately:\r\nWorks nicely as a complement to SCOM or SIEM products.\r\nCan dramatically increase your overall visibility in the environment. 
Frequently desktops aren't part of the\r\ncentralized monitoring due to licensing costs - WEF can be set up (for free) to collect the key events from\r\nthe desktops and then forward them on to the SIEM.\r\nConfigured via GPO (easy!)\r\nUses Windows Remote Management (Kerberos) to prevent man-in-the-middle attacks\r\nCan (and should) be targeted to specific events\r\nNative evtx (xml) log format\r\n“Push” log mode – less attack surface than adding a monitoring agent or account to a widely privileged\r\ngroup\r\nIT admins control their own logging destiny - AD guys looking to track down a certain service account\r\ndon't have to wait on the security team.\r\nSetting WEF up is really easy too. Prerequisites are essentially a server and a GPO. To collect security events,\r\nwe'll also need to grant the local Network Service principal rights to read that log. This is just the Network Service\r\non the machine itself, so it's not a wide privilege throughout the domain. The WinRM service will also need to be\r\nstarted on all the clients in the domain - just started though, not configured. This is key, as just starting the WinRM\r\nservice doesn't leave it in a listening state, whereas a quick config of the service would leave it listening.\r\nRecommendations for the collector server would be to use 2012R2, although you can even do this on Windows 7\r\nif you have licensing constraints. The log files will be pretty small if you're just collecting targeted/critical events,\r\nso you likely won't need much above and beyond your typical VM drive size, but you may want to bump up the\r\nmemory in the box a bit to avoid race conditions.\r\nOn your collector server, fire up an administrative command prompt (you do have UAC enabled, right? 🙂 ) and\r\ntype in winrm qc. 
You'll then be asked two important questions - do you want the WinRM service to start\r\nautomatically, and do you want to poke a hole in the firewall for WinRM? I'd recommend controlling the firewall\r\nwith a GPO as well, but go ahead and answer yes to both of these.\r\nWhen that created the WinRM listener, it also created a Service Principal Name for Kerberos authentication to the\r\nservice. If something goes flaky with WEF, this is usually where it happens. If the SPNs aren't right, Kerberos\r\nauthentication can't happen, which means Event Forwarding won't work. You may also have noticed the listener is on\r\nHTTP://* - WinRM is at its core HTTP, so while the SPN is WSMAN for WinRM, if you try to install WEF on a\r\nserver that already has an HTTP SPN, Windows Event Forwarding will fail as if it's a duplicate SPN. If you're\r\ncurious, you can check your SPNs out via the Attribute Editor.\r\nOnce WinRM is set up (and hopefully after you've set the firewall via GPO) you can enable Event Forwarding.\r\nOpen up Event Viewer on the Collector and navigate to the area called \"Subscriptions\" that you've probably never\r\nclicked on before. 🙂 If you haven't clicked on it before, you'll get prompted with this question:\r\nWe do need/want the Windows Event Collector to start up automatically with the computer, so go ahead and click\r\nyes on that.\r\nAnd that's it, you've configured a Windows Event Collector! The next trick is to get things reporting to it.\r\nThe best way to do that is via GPO. First things first, we'll need to give the local Network Service principal rights\r\nto read the security log. 
To make sure we don't break anything, run the following command on a\r\nserver/workstation in your environment:\r\nwevtutil gl security\r\nThat will spit out the information about the Security Event Log, as shown below. The weird \"O:BAG:SYD:\" line\r\nis where the permissions on the log are stored (an SDDL string). Copy out that line from the O through the last parenthesis and stick\r\nit into Notepad. If yours doesn't have (A;;0x1;;;NS) on the end like mine does, append that in Notepad - that ACE is what\r\ngrants the Network Service (NS) read access to the log.\r\nCopy the whole O:BAG:SYD line from Notepad, as we'll need it in the GPO. Create a new GPO in your domain\r\nto point the systems you want to monitor at the collector server - the same GPO can be used for both member\r\nsystems and Domain Controllers in your environment, unless you want to point them at different collectors for\r\ndelegation reasons.\r\nYou'll need to configure two settings:\r\nComputer\u003ePolicies\u003eAdmin Templates\u003eWindows Components\u003eEvent Forwarding\u003eConfigure target\r\nsubscription manager\r\nThis will need to be populated with the address of your collector server in this format:\r\nServer=https://fqdnofsubscriptionserver:5985/wsman/SubscriptionManager/WEC,Refresh=60\r\nThe refresh interval on the end indicates how often clients should check in to see if new subscriptions are there for\r\nthem. 60 seconds might be a bit aggressive in production, but it helps out a lot when you're setting things up and\r\ntesting.\r\nComputer\u003ePolicies\u003eAdmin Templates\u003eWindows Components\u003eEvent Log Service\u003eSecurity\u003eConfigure log\r\naccess\r\nThis is where you'll need to paste your O:BAG:SYD line from Notepad. 
Remember this is an authoritative setting,\r\nso if you had permissions set some other way on a system in your environment this would replace them.\r\nWhen you're done, your GPO should look like this:\r\nNow any system that has this GPO will know to check into the web service running on the Windows Event\r\nCollector to see if there are any subscriptions for it. Computers only send events when they get a subscription\r\ntelling them to do so.\r\nSo what should you monitor?\r\nYou absolutely could configure WEF to collect all the security logs in your domain - and maybe if you don't have\r\nany other centralized logging in your domain you should do this for forensic reasons - but the real value of WEF is\r\ntargeted alerts, filtering for what really matters. This is also where WEF is a great complement to a SIEM you\r\nalready have in your environment - let the SIEM do the heavy lifting of collecting every single event, and use WEF\r\nfor targeted visibility and to get important security events from workstations/member servers in your\r\nenvironment that the SIEM may not cover. The SIEM can then collect them from the WEF server, still\r\nproviding you with the \"single pane of glass\" view.\r\nThe five basic things I think everyone should start with for monitoring in their domain (if they aren't already) are:\r\nSecurity Event Logs being cleared\r\nHigh value groups like Domain Admins being changed\r\nLocal administrator groups being changed\r\nLocal users being created or deleted on member systems\r\nNew Services being installed, particularly on Domain Controllers (as this is often an indicator of malware\r\nor lateral movement behavior.)\r\nConfiguring subscriptions can be done via the GUI (easy mode) or via XPath filters (lots more flexibility.) 
The\r\nsettings for the subscriptions do matter though, as this is where you configure the logs to be in \"push\" mode versus\r\n\"pull.\"\r\nLet's configure the Security Event log cleared alert via the GUI:\r\nRight-click on Subscriptions, then select Create Subscription. We'll need to give the subscription a name and pick\r\n\"Source Computer Initiated\" as that's what makes it \"push.\"\r\nSelect Computer Groups next, as this will define which computers send us the events we're interested in. Since we\r\nwant to know whenever anyone anywhere clears a security log, we're going to use the two built-in/auto-populating\r\ngroups in AD, \"Domain Controllers\" and \"Domain Computers.\"\r\nNext we click Select Events to define what we're monitoring. This alert is pretty straightforward: we're looking\r\nfor Event ID 1102 in the Security log, so we can do it all via the GUI. 🙂\r\nIf we click on the XML tab we can see what the XPath filter we just created looks like.\r\nClick OK on that and then click Advanced on the main page. 
We want to set the subscription to Minimize\r\nLatency, to make sure we get events as soon as possible and also to help it catch up if we miss any.\r\nYou can verify that things have actually checked in by checking the Source Computers column on the main\r\nSubscriptions page:\r\nYou can also check the Event Forwarding Plugin Operational log under Applications and Services on the client to\r\nmake sure everything is happy. This is where you'll see descriptive errors if something has gone awry with\r\nKerberos or firewalls.\r\nClick OK and you've got a subscription. Find a low-value test VM, clear the Security log and see if you get an\r\nalert. 🙂\r\nConfigure those 5 events with cut and paste plus two commands? Yes you can!\r\nThanks to Australian PFE Russell Tomkins, you can do just that. Below are two XML files that contain the\r\nappropriate subscriptions for Domain Computers and Domain Controllers. The subscriptions here are maybe a bit\r\nwider than you want in your production domain to start with, as it's collecting services installing on workstations\ntoo, but give it a go. 
We'll want that data if we ever have to do an IR for you.\nTo import the XML files, save them to a directory on the server and then run the following commands from the\nsame directory on your Windows Event Collector.\nwecutil cs DomainComputers.xml\nwecutil cs DomainControllers.xml\nDomainComputers.xml\nDomain Computer EventsSourceInitiatedImportant Domain Controller EventsTruehttps://schemas.microsoft.com/wbem/wsman/1/windows/EventLogMinLatency \u003c![CDATA[ *[EventData[Data[@Name='TargetUserName'] and (Data='Administrators')]]\nand\n*[System[(EventID='4732') or (EventID='4733')]]\n\n*[System[(EventID='4720') or (EventID='4726')]]\n*[System[(EventID='1102')]]\n]]\u003e\ntruehttpRenderedTextForwardedEventsO:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)\n\nDomainControllers.xml\nDomain Controller EventsSourceInitiatedImportant Domain Controller EventsTruehttps://schemas.microsoft.com/wbem/wsman/1/windows/EventLogMinLatency \u003c![CDATA[ *[System[(EventID='7045')]]\n(*[EventData[Data[@Name=\"TargetUserName\"] = \"Administrators\"]]) or\n(*[EventData[Data[@Name=\"TargetUserName\"] = \"Domain Admins\"]]) or\n(*[EventData[Data[@Name=\"TargetUserName\"] = \"Schema Admins\"]]) or\n(*[EventData[Data[@Name=\"TargetUserName\"] = \"Enterprise Admins\"]]) or\n(*[EventData[Data[@Name=\"TargetUserName\"] = \"Print Operators\"]]) or\n(*[EventData[Data[@Name=\"TargetUserName\"] = \"Server Operators\"]]) or\n(*[EventData[Data[@Name=\"TargetUserName\"] = \"Backup Operators\"]])\nand\n*[System[(EventID='4732') or (EventID='4733') or (EventID='4756') or (EventID='4757') or (EventID='4728') or\n(EventID='4729')]]\n\n*[System[(EventID='1102')]]\n]]\u003e\nTruehttpRenderedTextForwardedEventsO:NSG:NSD:(A;;GA;;;DD) 
If you have more than one domain, you'll need to specify the SIDs of Domain Computers/Domain Controllers in\r\nthe \u003cAllowedSourceDomainComputers\u003e line as well as the DC (Domain Computers) and DD (Domain Controllers)\r\nSDDLs that are in there.\r\nHope this helps. Be sure to check out my post on tracking Special Groups with WEF and look forward to more\r\nthings you can do with WEF in future blog posts! Happy Logging!\r\n-Jessica @jepayneMSFT\r\nAnonymous\r\nNovember 23, 2015\r\nThe comment has been removed\r\nAnonymous\r\nNovember 24, 2015\r\nThe video of the presentation has now been posted, well worth watching.\r\nhttps://channel9.msdn.com/Events/Ignite/Australia-2015/INF327\r\nAnonymous\r\nNovember 26, 2015\r\nLateral Movement - the moving of an attacker from one compromised host throughout your domain until\r\nthey\r\nAnonymous\r\nNovember 30, 2015\r\nSounds like a great session!\r\nAnonymous\r\nDecember 02, 2015\r\nThanks again Jessica. I watched this at Ignite and watched the recording to refresh.\r\nAnonymous\r\nDecember 24, 2015\r\nHallo - is this traffic sent plaintext across the network?\r\nAnonymous\r\nDecember 24, 2015\r\nThe comment has been removed\r\nAnonymous\r\nDecember 28, 2015\r\nHey Jessica. I've been using this method since you led a POP-SLAM engagement a few months back. Glad\r\nto see you blogging!\r\nI wanted to throw this in for people interested. I started to work on a PowerShell module for Event\r\nSubscriptions, but it still needs a lot of work. 
It's basically a wrapper for wecutil, but was made with\r\nautomation in mind.\r\nhttps://github.com/davidhowell-tx/PS-WinEventSubscriptions\r\nI also have a script posted that uses the module. It queries AD for Domain Admins membership and\r\nupdates a subscription with the members' SamAccountName for monitoring.\r\nAnonymous\r\nDecember 28, 2015\r\nHi, Jessica Payne from Microsoft Enterprise Cybersecurity Group's Global Incident Response and\r\nRecovery\r\nAnonymous\r\nDecember 30, 2015\r\nHi David - glad you've been able to put the SLAM stuff into practice! You guys were super fun. (Embrace\r\nthe 500 account!)\r\nSpoiler alert for the posts ahead, there's a Powershell logging module at the end of it that ties into the\r\nPowerBI dashboards - the fact you made your own is super cool too!\r\nKeep up the good work and innovation. :)\r\n-Jessica\r\nAnonymous\r\nJanuary 11, 2016\r\nThis is really handy and I'm in the middle of implementing it. However, we use group policy preferences to\r\nchange the local admins group, so every time a machine boots up, it changes the membership of the group\r\nand forwards an event, meaning we have 300 events every morning just from powering up. Is there\r\nany way to filter XPath to not monitor the groups added to local admin?\r\nAnonymous\r\nJanuary 11, 2016\r\nMore great stuff from you, Jessica, thanks so much! I'm wondering if there's a benefit or negative to\r\ncreating separate subscriptions vs. combining the filters into one event in terms of processing or traffic for\r\neither the source or destination servers? For example, if I also want to monitor the special groups (I do!) I\r\ncould create a new subscription or I could modify the existing subscriptions with the additional filter\r\nelements. 
Is one solution empirically \"better\" or \"worse\" than another, or is it purely dealer's choice?\r\nAnonymous\r\nJanuary 12, 2016\r\nTom - there's a way to filter based on who is doing the change, GPO should be done by SYSTEM so you\r\ncould \"suppress\" those (knowing you might miss something.) The dashboard at the end of the series should\r\nhelp too. Are you doing adds or Restricted Groups? I'm a bigger fan of Restricted Groups.\r\n-Jessica\r\nAnonymous\r\nJanuary 12, 2016\r\nTony - I like to use different subscriptions so I can track if something goes wrong in the Event Forwarding\r\nPlugin operational log, but you can also use one big \"security stuff\" or \"operational stuff\" subscription for\r\nsimplicity too. So sort of your choice? :)\r\n-Jessica\r\nAnonymous\r\nJanuary 15, 2016\r\nWe're adding a security group of I.T. staff to the local admins group by GPP. Not sure how restricted\r\ngroups work but if you could point me in the direction of a good article I can certainly start researching.\r\nAnonymous\r\nMay 18, 2016\r\nThe comment has been removed\r\nAnonymous\r\nMay 20, 2016\r\nThe comment has been removed\r\nAnonymous\r\nMay 20, 2016\r\n\u003cSuppress Path=\"Security\"\u003e*[EventData[Data[@Name=\"SubjectUserSid\"] = \"S-1-5-18\"]]\u003c/Suppress\u003e\r\nAnonymous\r\nJanuary 25, 2016\r\nHi, The Captain here from Microsoft Enterprise Cybersecurity Group's Global Incident Response and\r\nAnonymous\r\nFebruary 23, 2016\r\nJessica - great post and glad this topic seems to be getting more coverage. I have a OneNote notebook full\r\nof references trying to piece together a best practice approach.\r\nIn all my research it would appear you can create an event log on the collector server other than the\r\nForwarded Events, but I have never seen a post on how. 
The reasoning behind this would be to push domain\r\ncontroller logs at one log with the corresponding file on a dedicated and performant disk (we generate\r\naround 750GB per day) and create other event logs for member servers and clients (again spreading out the\r\ndisk IO load). Is this possible and if so how?\r\nThanks\r\nPaul\r\nAnonymous\r\nFebruary 23, 2016\r\nPaul - yes you can do that! It was hard to get working reliably but we got some help from MSIT on how\r\nthey do it and have it being tested at some customers now. Should be part of an upcoming post once we\r\nmake sure it is still reliable at 500k+ endpoints.\r\nAnonymous\r\nMarch 10, 2016\r\nThe comment has been removed\r\nAnonymous\r\nMay 23, 2016\r\nFor those wishing to create custom event logs, Russell Tomkins has blogged about the way\r\nwe do it inside of Microsoft:\r\nhttps://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/\r\nAnonymous\r\nMarch 09, 2016\r\nHi Jessica, I am looking forward to implementing WEF in my current company after seeing this\r\npresentation. We have been reviewing SIEM providers for some time now and it's a minefield for sure. I\r\nagree with some of your comments from the presentation that one needs to be clear about the type of events\r\nthat are being logged. I believe there is a key list that everyone should focus on as essential, but each\r\ncompany should know what's important to them beyond that. 
Can you recommend how to create a\r\ndashboard for the events?\r\nAnonymous\r\nMay 18, 2016\r\nThanks for this article Jessica, it is extremely helpful. This is simple but I stumbled so I thought I would\r\nshare to help anybody else doing this. I glossed over the whole “WinRM must be started” part so my first\r\nattempt did nothing. Add this to your GPO to get it up and running: Computer \u003e Policies \u003e Windows\r\nSettings \u003e Security Settings \u003e System Services \u003e Windows Remote Management (WS-Management)\r\nStartup = Automatic\r\n@dconsec\r\nAnonymous\r\nMay 24, 2016\r\nHi Jessica, I had a similar issue with HTTP SPN. And I had concluded that to make a denial of service of\r\nEvent Forwarding you just have to do a setspn... What's your thoughts on that? How do you monitor that\r\nclients are still sending events to the collector?\r\nRegards\r\nGreg\r\nAnonymous\r\nJune 30, 2016\r\nThanks for this post. Very easy to follow. Thank you! One thing -- The tag in the DomainComputers.xml\r\nsection looks like it might be incorrect as it mentions domain controllers.\r\nAnonymous\r\nJuly 22, 2016\r\nThank you so much, Jessica! 
You just fixed the last issue I was having setting this up. The MSDN docs\r\ndon't mention the access restrictions on the Security logfile, so I was a bit confused when some of our\r\nservers didn't send their Security logs (but others did, go figure). So that other people can Google the error I\r\nwas having now to find this article: Event 101, Eventlog-ForwardingPluginStatus SubscribePartialSuccess\r\nreturned status data which included:\r\nAnonymous\r\nAugust 23, 2016\r\nThe comment has been removed\r\nAnonymous\r\nSeptember 15, 2016\r\nHi David - check out my reply to Joel for a fix, this is a known issue between versions.\r\nAnonymous\r\nSeptember 13, 2016\r\nThe comment has been removed\r\nAnonymous\r\nSeptember 15, 2016\r\nThere's an error in the XML schema for 2012R2 since it was made on 2008R2. Best way to ensure it\r\nimports is to make a new subscription via GUI and export using:\r\nwecutil gs \"%subscriptionname%\" /f:xml \u003e\u003e \"C:\\Temp\\%subscriptionname%.xml\"\r\nYou can then use that one as a template and just\r\nchange the XPath portion.\r\nAnonymous\r\nNovember 10, 2016\r\nThis isn't working for me still Jessica. I've created the subscription on a 2012R2 host,\r\nexported it, but then can't import it again (even if I don't change the exported file!). Any\r\nideas?\r\nAnonymous\r\nDecember 13, 2016\r\nDoes the import display any error? -Jessica\r\nAnonymous\r\nOctober 07, 2016\r\nThe comment has been removed\r\nAnonymous\r\nOctober 20, 2016\r\nThanks for the article. Works fine, however occasionally the source computers will turn into an inactive\r\nstate for apparently no reason. 
See my reply to a thread about this here:\r\nhttps://social.technet.microsoft.com/Forums/en-US/3d62d46b-33e7-4db6-b672-8555fd6a9f35/event-log-forwarding-subscription-is-unsubscribed\r\nAnonymous\r\nNovember 17, 2016\r\nWhat about environments where there are thousands of users forwarding events per day? Are there built-in\r\noptions for load balancing between multiple WEC servers?\r\nAnonymous\r\nDecember 13, 2016\r\nLoad balancing in WEF/WEC (in a supported way) is achieved by putting multiple collectors in the\r\nGPO - then it will send a copy of the event to each server, while maintaining the \"bookmark\" of\r\nwhich was sent last. While network load balancing solutions are possible, due to the bookmark\r\nmanner of operation it will have the same net result of sending a copy to each server, leading to\r\nduplicates. -Jessica\r\nAnonymous\r\nJanuary 30, 2017\r\nWe're attempting this via network load balancing right now. We also have a single virtual\r\naddress (VIP + FQDN + SPN) which fronts four event collectors on the backend. If the setup\r\nis source-initiated, I'm hoping that this won't mean that the backend servers would get\r\nduplicate events, since any bookmark being maintained by each client would only point to\r\nthe virtual address. @Jessica - is this correct? Is one bookmark maintained by the client for\r\nthe last event sent, or is it maintained per last event sent to each server?\r\nAnonymous\r\nAugust 07, 2017\r\nDid you get network load balancing working?\r\nAnonymous\r\nJanuary 12, 2017\r\nHi Jessica, I decided to roll with WEF after reading this post! Any ideas as to what would give an eventid\r\nof 102 with error 5004? 
I'm testing the collection of sysmon logs from Microsoft-Windows-Sysmon/Operational but it keeps erroring with: The subscription Collect Sysmon Logs can not be created.\r\nThe error code is 5004.\r\nAnonymous\r\nFebruary 22, 2017\r\nI assume there is no way to do wildcards since Microsoft is using XPath 1.0?\r\nAnonymous\r\nMarch 28, 2017\r\nHi Everybody, quick question... Is it possible to implement a WEC server to address multiple forests? If yes,\r\nare there any technical aspects I should take care of? (We had implemented a WEC server, we can\r\nsubscriptions from other forest, but logs are not forwarded, despite the GPO being applied.) Thanks in advance for\r\nyour inputs / Cheers / Kristoff\r\nAnonymous\r\nApril 19, 2017\r\nThanks for the Jessica! I am monitoring security logs for changes (4728, 4729) and it does not work with\r\nsecurity groups under the 'Builtin' OU (e.g. Administrators) and also the 'Users' OU (e.g. Domain Admins)\r\nalthough the respective audit policies are enabled for these OUs. Any suggestions on how to deal with this\r\nquirk gracefully with WEF?\r\nAnonymous\r\nApril 19, 2017\r\nAh - found the problem. I was just forwarding events for domain global groups. Added the\r\nrespective event log IDs for universal and domain local groups. See\r\nhttps://technet.microsoft.com/en-us/library/dn311500(v=ws.11).aspx\r\nAnonymous\r\nMay 30, 2017\r\nGreat article and video. 
One question/comment - my understanding is that running WinRM with the quick\r\nconfig (qc) switch also starts WinRS by default, which may be an unintended security issue if admins aren't\r\naware and haven't explicitly blocked WinRS through GPO (assuming they don't need it).\r\nAnonymous\r\nJuly 27, 2017\r\nThe comment has been removed\r\nAnonymous\r\nAugust 08, 2017\r\nHello Jessica, I have (2) Windows 2012 R2 servers set up as WEF Collectors and I have several Source\r\nInitiated Subscriptions in place. One of the Source Initiated Subscriptions is dedicated to pulling Security\r\nLog information from (14 Domain Controllers.) This subscription is set up using HTTPS and collects\r\nSecurity Log Events only. When I check the Runtime Status, one of the DC's shows as \"Inactive\" and no\r\nevent log information is being captured for the DC. I believe this was working when it was initially set up.\r\nThe WEF GPO that is assigned to the Domain Controllers OU is configured\r\ncorrectly: server=https://ServerName.DomainName:5986/wsman/SubscriptionManager/WEC,Refresh=60\r\nCan you please tell me what I am missing in order to get this one DC to show up as \"Active\"? Thank you\r\nGlenn\r\nAnonymous\r\nAugust 31, 2017\r\nThe comment has been removed\r\nAnonymous\r\nSeptember 15, 2017\r\nThese instructions are great! They got me up and running in no time. I’ve just started experimenting with\r\nWEF for use in the enterprise and I’ve come across an odd scenario that I have not seen documented\r\nelsewhere. I have WEF setup with a simple Powershell subscription that includes 4103 and 4104 event IDs.\r\nI’ve tried it with a few simple PS scripts, and everything works as expected. However, I got a little more\r\nambitious and ran a 2MB mimikatz script that had Base64 encoded executables embedded in it. 
The\r\nappropriate 4103 and 4104 (script block logging) events were generated on the endpoint. However, instead\r\nof forwarding the events to my collector, the subscription for Powershell events started ‘flapping’ and\r\nalternating between the subscription being created and removed (event IDs 100 and 103, respectively, in the\r\nEventlog-ForwardingPlugin channel). There are 200+ sizable 4104 events being generated by the script, so\r\nI wonder if the size/number of the events is causing an issue. One other detail…if I remove 4104 events\r\nfrom the subscription, and run the mimikatz script, everything works as expected and the 4103 events\r\nappear on the collector.\r\nAnonymous\r\nDecember 11, 2017\r\nJessica, You deleted the content on the last update.\r\nAnonymous\r\nDecember 12, 2017\r\nWoops, fixed. Thanks for catching it.\r\nAnonymous\r\nDecember 18, 2017\r\nJPayne, This content is too outrageous to not be on the internet! I was looking for it during an\r\nincident after I changed jobs and had to pull it from memory. Keep up the awesome work.\r\nAnonymous\r\nDecember 16, 2017\r\nHello Jessica - Great read!! One question I have is the amount of space I need to factor for my central server to\r\ncollect the security logs. I am looking to collect these events from around 15000 endpoints. On average\r\nhow many events per sec are generated from the Win10 machines and what would be the size of each event?\r\nAnonymous\r\nDecember 19, 2017\r\nGreat post Jessica! I will be forwarding this to all of my customers.\r\nAnonymous\r\nApril 10, 2018\r\nIs it possible to forward the whole Windows eventlog? 
(Not only: Application, Security, Setup, System, for\r\nexample \"Applications and Services Logs/Microsoft/Windows/Hyper-V Worker\")\r\nSource: https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem"
	],
	"report_names": [
		"monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem"
	],
	"threat_actors": [],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9a5bbe48384384056ce4d3329e8addfc14a1185.pdf",
		"text": "https://archive.orkl.eu/b9a5bbe48384384056ce4d3329e8addfc14a1185.txt",
		"img": "https://archive.orkl.eu/b9a5bbe48384384056ce4d3329e8addfc14a1185.jpg"
	}
}