Windows Event Forwarding (WEF)
Windows Event Forwarding (WEF) allows you to collect the event logs of Windows-based systems on a central server or SIEM. WEF has two operating modes:
Pull mode: The WEF server connects to each client and collects the logs itself. This is not the preferred method, because it places the load on the server.
Push mode: Clients send their logs to the WEF server through the WinRM service, over HTTP (TCP 5985) or HTTPS (TCP 5986). The biggest advantage of this mode is that it avoids performance problems, since it does not create a load on the WEF server.
Collector Initiated (pull mode): The WEF server is started to collect logs; it connects to the clients and pulls the logs onto itself. This method is not recommended, as it is not economical in terms of resource usage.
Source Computer Initiated (push mode): Clients send their logs to the WinRM ports of the target WEF server (WinRM over HTTP (TCP\5985) or WinRM over HTTPS (TCP\5986)) via the WinRM service. This method is similar to transmitting log records with syslog. Here the clients, which generate the logs, are the source, and these systems register with the WEF server using Kerberos authentication.
# Enable Windows Remote Management (WinRM)
winrm qc
# Configure the Windows Event Collector service
wecutil qc
# Allow the WinRM ports (HTTP TCP 5985 and HTTPS TCP 5986) through the firewall.
# WinRM uses TCP, so the rules must be TCP rules, not UDP.
netsh advfirewall firewall add rule name="WinRM HTTP TCP Port 5985" dir=in action=allow protocol=TCP localport=5985
netsh advfirewall firewall add rule name="WinRM HTTPS TCP Port 5986" dir=in action=allow protocol=TCP localport=5986
Under "Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding", set "SubscriptionManager" to Enabled.
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> Turn On Compatibility HTTP & HTTPS Listener: Enabled
Computer Configuration -> Windows Settings -> Security Settings -> System Services -> Windows Remote Management: Automatic
Enter the following value in the Subscription Manager section. Of course, you will adjust it to match your own WEF server. (I pointed it at the DC.)
Server=http://anatolia.guler.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
After these steps, open Event Viewer on the server you have designated as the WEF server. In the Subscriptions section, click Create Subscription. Under Source Computer Initiated, configure the settings as shown. If a warning appears, it is most likely telling you that collecting too many logs will consume disk space and reduce performance.
Note: If logs are collected with the Collector Initiated method, the WEF server's computer account must be added to the "Event Log Readers" group on the clients (for example with Restricted Groups).
At the end of these steps, the logs start to appear under Forwarded Events.
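If nothing shows up in Forwarded Events, the usual causes are the GPO not applying, WinRM not running, or the port being blocked. The following PowerShell check, written for this post as an added example (not part of the original), runs on a client and verifies each piece of the configuration above; the collector name defaults to the FQDN from the SubscriptionManager value in the post, and the registry path is where the Event Forwarding GPO stores that value.

```powershell
# Added example: verify a client's WEF push-mode configuration.
param(
    [string]$Collector = 'anatolia.guler.com',   # FQDN from the post's SubscriptionManager value
    [int]$Port = 5985                            # WinRM over HTTP; use 5986 for HTTPS
)

$results = [ordered]@{}

# 1. The WinRM service must be running and set to Automatic (System Services GPO above).
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$results['WinRM service running']    = ($svc -and $svc.Status -eq 'Running')
$results['WinRM start type is Auto'] = ($svc -and $svc.StartType -eq 'Automatic')

# 2. The Event Forwarding GPO writes each SubscriptionManager entry as a numbered
#    value ("1", "2", ...) under this policy key.
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$subMgr  = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).PSObject.Properties |
           Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
$results['SubscriptionManager configured'] = [bool]$subMgr
$results['Collector named in value']       = [bool]($subMgr | Where-Object { $_ -like "*$Collector*" })

# 3. The firewall rules from the post must let the client reach the collector port.
$tcp = Test-NetConnection -ComputerName $Collector -Port $Port -WarningAction SilentlyContinue
$results["TCP $Port reachable"] = $tcp.TcpTestSucceeded

# 4. The client-side forwarding plugin logs its subscription activity here;
#    an empty log usually means the client never contacted the collector.
$fwdLog = Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
$results['Forwarding plugin has activity'] = [bool]$fwdLog

# Print a simple OK/FAIL table.
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run it in an elevated PowerShell session on a client; after fixing a failed item, `gpupdate /force` and a restart of the WinRM service are usually enough for the client to register with the collector.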
Hope it's useful.