LOGbinder Blog


Using Site-linked GPOs for Targeting Windows Event Collectors Prevents Forwarder Health Analysis

Wed, 22 Nov 2017 10:12:47 GMT

For the most part WEC lets you control event forwarding from the collector, but there is one setting that has to come from group policy: Group Policy Management Editor\Default Domain Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding\"Configure target Subscription Manager" = Enabled.

This setting is like the bootstrapper for Windows Event Collection.  When computers out in the domain apply group policy and see this setting, they now know which collector(s) to start checking in with regularly to find new/updated subscriptions.
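To see what that bootstrap setting actually does on a forwarder, here is an added PowerShell example (not code from the LOGbinder post or from Supercharger) that reads the policy where it lands in the registry and lists the collector(s) the machine will check in with. The registry path and the "Server=...,Refresh=..." entry format are the ones the Event Forwarding policy writes; the parsing function and the sample hostname in the comment are ours.

```powershell
# Added example (not from the LOGbinder post): read the "Configure target Subscription
# Manager" policy where it lands in the registry on a forwarder and list the collector(s)
# this machine will check in with. The registry path and the "Server=...,Refresh=..."
# entry format are the ones the Event Forwarding policy uses; the parsing is ours.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

function ConvertFrom-WecTargetEntry {
    # Turn one policy entry, e.g. (hostname is a constructed sample)
    #   Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
    # into an object with Server and Refresh fields.
    param([Parameter(Mandatory)][string]$Entry)
    $fields = @{}
    foreach ($pair in $Entry -split ',') {
        $name, $value = $pair -split '=', 2
        if ($name) { $fields[$name.Trim()] = $value }
    }
    [pscustomobject]@{
        Server  = $fields['Server']
        Refresh = $(if ($fields.ContainsKey('Refresh')) { [int]$fields['Refresh'] } else { $null })
    }
}

function Get-WecTargetCollector {
    # Enumerate every target entry the policy applied (values named 1, 2, ... under the key).
    param([string]$Path = $PolicyKey)
    if (-not (Test-Path $Path)) {
        Write-Warning "No SubscriptionManager policy on this machine; it will not check in with any collector."
        return
    }
    $item = Get-ItemProperty -Path $Path
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSParentPath/... properties
        $target = ConvertFrom-WecTargetEntry -Entry ([string]$prop.Value)
        $target | Add-Member -NotePropertyName Entry -NotePropertyValue $prop.Name -PassThru
    }
}

# Pair the policy view with the state of the service the forwarder uses to check in.
Get-WecTargetCollector | Format-Table Entry, Server, Refresh -AutoSize
Get-Service -Name WinRM -ErrorAction SilentlyContinue | Format-Table Name, Status -AutoSize
```

Run it on a machine that should be forwarding: an empty result means the GPO (site-linked or otherwise) never reached it, which is a different failure from a machine that has the right collector but a stopped WinRM service.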

In larger environments with regional data centers we often set up local collectors so that event forwarding traffic stays local: computers in a given region send events to the local collector.  That makes total sense, but the possible problem arises with how you do this with group policy.

You may have Sites already defined in Active Directory that correspond to each region of computers and their local collector.  Active Directory allows you to assign GPOs to Sites and then each computer physically in that site will apply the policies in that GPO – a seemingly convenient way to configure computers based on their location. 

The problem arises when you try to assess the health of WEC subscriptions.  Before you can determine whether all computers are actively forwarding events for a given subscription you need to know which computers should be sending events.  Supercharger’s Deterministic forwarder health analysis automates this process for you.  By default, when you specify Deterministic mode on a subscription, Supercharger looks at the groups assigned to that subscription, enumerates the computer accounts therein and uses that as the baseline for the computers that should be sending events.  Then Supercharger compares that list to the list of computers WEC says are currently sending events.  (This is a simplified description; click here for more information.)

But sometimes we encounter environments where the customer has specified an all-encompassing group like Domain Computers which includes, well, all computers in the domain, probably many times the number of computers in that collector’s region.  WEC doesn’t care: only those computers in the group which also apply the GPO pointing to a given collector will subscribe and start sending events.  But we obviously can’t use the group’s membership to perform health analysis.

For this reason, we added an alternative method to Deterministic health analysis that allows you to specify a custom LDAP filter.  This allows you to use almost any attribute available on computer accounts to determine the baseline list of computers that should be sending events.  For instance, if your computer naming convention prefixes computer names with the region, you could use that.  Or maybe department or description on the computer account provides the appropriate criteria, or a combination of fields.  The bottom line is you specify an LDAP filter that produces the right set of computers for that collector and assign it to each subscription on the collector.

Here’s the gotcha: look at the attributes available on computer accounts in AD and there’s nothing for Site, because site membership is not static.  Whenever a computer boots up it compares its IP address to the Site definitions in AD to determine which Site it's in.  So you can't specify an LDAP filter like "site=Detroit", for example.

If you want to use Deterministic health analysis for an accurate diagnosis of which computers are sending events and which ones have broken forwarding for some reason, you need an OU or some other criterion in AD that can be expressed in an LDAP filter.

If there’s no such data on your computer accounts you might consider creating a Startup script in the same GPO that causes each computer to update a selected attribute on its computer account in AD with its current site.  You’d need to make sure to delegate Write access to that attribute on computer accounts.  The script would need to query Windows for its current site and then update the appropriate attribute on its own computer account.
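One way to write that startup script, as an added PowerShell example that is not LOGbinder's code: it asks Windows for the site the machine resolved at boot and stamps it into an attribute of its own computer object, which then becomes filterable with LDAP. Assumptions are labelled in the code: the attribute used is description (a placeholder; use whichever attribute you have delegated for this), the "Site:" prefix is our convention, and the computer account has been granted Write access to that attribute.

```powershell
# Added example (not LOGbinder's code): GPO startup script that records the computer's
# current AD site in an attribute of its own computer account.
# ASSUMPTIONS: $Attribute is a placeholder (choose an attribute your environment does not
# already use for something else), the "Site:" prefix is our convention, and Write access
# to that attribute has been delegated to computer accounts (e.g. to SELF).
$Attribute = 'description'
$Prefix    = 'Site:'

# Site membership is computed at boot from the machine's IP address, so ask Windows
# rather than AD. (nltest /dsgetsite reports the same value from the command line.)
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
if (-not $site) { Write-Error 'Could not determine the current AD site'; exit 1 }

# A startup script runs as SYSTEM, which authenticates to AD as the computer account,
# so the machine's own object can be found and updated without extra credentials.
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$result   = $searcher.FindOne()
if (-not $result) { Write-Error "Computer account for $env:COMPUTERNAME not found"; exit 1 }

$computer = $result.GetDirectoryEntry()
$desired  = "$Prefix$site"
$current  = [string]$computer.Properties[$Attribute].Value

# Only write when the value actually changed, so a fleet of machines booting every day
# does not generate needless directory replication.
if ($current -ne $desired) {
    $computer.Put($Attribute, $desired)
    $computer.SetInfo()
    Write-Output "Updated $Attribute from '$current' to '$desired'"
} else {
    Write-Output "$Attribute already '$desired', nothing to do"
}

# With that in place, a Deterministic-mode LDAP filter for the Detroit collector's
# subscriptions becomes (attribute name and site name per the assumptions above):
#   (&(objectCategory=computer)(description=Site:Detroit))
```

Because the site is recomputed at each boot, a laptop that moves between regions updates its own record the next time it starts, so the filter follows the machine rather than a stale OU placement.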

Failing that, if you have a good idea of the number of computers that should be sending events you can use Arbitrary instead of Deterministic.  Or simply use Empirical instead of Deterministic.


In-depth How To's for Windows Event Collection

Mon, 28 Aug 2017 13:36:35 GMT

Here at LOGbinder we have been deep in the weeds with Windows Event Forwarding/Collection (WEC or WEF) for quite some time now.  In the month since we released Supercharger for WEC and opened our new forums for WEC and Supercharger, many of you have been asking questions and finding new challenges with WEC.

For example, a few Supercharger users have recently asked about workstation status outside of work hours like weekends and holidays.  As you know, one of the benefits of a Supercharged WEC environment is being able to see the health status of all your forwarders.  During weekends or holidays, a forwarder may be shut down or sleeping until the user gets the machine online again.  During this workstation’s down time you don’t want a healthy workstation reporting as unhealthy in Supercharger.  This KB article explains how to change a simple setting to keep this from happening.

Another situation that some users are dealing with is when they need to define expected forwarders by some AD criteria other than an AD group.  For example, you create a subscription targeting “Domain Computers” but you only want the subset of computers in this group running Windows 10 to forward events.  We have had users scratching their heads trying to figure out if this is possible without creating new AD groups, which can take time, especially if you are working with thousands of forwarders like some of our users.  This KB article explains how to do this using LDAP filters in Supercharger's Deterministic Subscription Policies.

We will do our best to keep you updated with tips and tricks to get your WEC Supercharged.  In the meantime, feel free to browse the “How To” section in our Support Portal to see if you are missing out on any of our latest articles and tips.


Randy releases two new "How-To" Videos

Wed, 21 Jun 2017 13:55:45 GMT
Randy Franklin Smith, guru at UltimateWindowsSecurity.com, just released two new "How-To" videos on monitoring two important areas with Windows Event Collection.

Video 1 - In this 4 minute video, Randy shows you step-by-step how you can use Supercharger to create a WEC subscription that pulls PowerShell security events from all of your endpoints to a central collector.

Video 2 - In this 8 minute video, Randy shows you how to monitor security event ID 4688 from all of your endpoints. Obviously this would normally create a plethora of data but using Supercharger's Common System Process noise filter you will see how you can leave 60% of the noise at the source.

You can watch the videos by clicking on the links above or by visiting the resources page for Supercharger by clicking here.

Supercharger Free Edition is Now Available

Wed, 14 Jun 2017 08:58:44 GMT

It’s been an exciting 3 months or so since we released Supercharger for Windows Event Collection and we have even more exciting news to share: We just released a new and free edition of Supercharger for Windows Event Collection, which you can get here.

There are no time-outs and no limits on the number of computers you can manage with Supercharger Free.

We wanted to include more than enough functionality so that anyone who uses WEC would want to install Supercharger Free right away.  For non-WEC users, Free Edition helps you get off the ground with step-by-step guidance. 

With Supercharger Free you can stop remoting into each collector and messing around with Event Viewer just to see the status of your subscriptions.  You can see all your collectors, subscriptions and source computers on a single pane of glass – even from your phone.  And you can create/edit/delete subscriptions as necessary.

We also wanted to help you get more from WEC’s ability to filter out noise events at the source by leveraging my research on the Windows Security Log. 

Supercharger Free Edition:

  • Provides a single pane of glass view of your entire Windows Event Collection (WEC) environment across all collectors and domains
  • Virtually eliminates the need to remote into collectors and wrestle with Event Viewer.  You can manage subscriptions right from the dashboard
  • Includes a growing list of my personally-built Security Log noise filters that help you get the events you need while leaving the noise behind

The manager only takes a few minutes to install and can even co-exist on a moderately loaded collector.  Then it’s just seconds to install the agent on your other collectors.  You can uninstall Supercharger without affecting your WEC environment.

We hope Supercharger Free is something that saves you time and helps you accomplish more with WEC.

This is just the beginning.  We’ve got more exciting and free stuff coming.  But you’ll need at least Supercharger Free to make use of what’s next, so install it today if you can.


How to Monitor Active Directory Changes for Free: Using Splunk Free, Supercharger Free and the New Splunk App for LOGbinder

Fri, 02 Jun 2017 13:35:28 GMT
No matter how big or small you are, whether you have budget or not – you need to be monitoring changes in Active Directory.  There are awesome Active Directory audit solutions out there.  And ideally you are using one of them.  But if for whatever reason you can’t, you still have AD and it still needs to be monitored.  This solution helps you do just that.  

Yesterday during Randy Franklin Smith’s webinar, How to Monitor Active Directory Changes for Free: Using Splunk Free, Supercharger Free and My New Splunk App, we released a version of our Splunk App for LOGbinder.  Not only is this application free, but with the help of our just announced free edition of Supercharger for Windows Event Collection, we demonstrate the power of WEC’s XPath filtering to deliver just the relevant events to Splunk Free and stay within the 500MB daily limit of Splunk Light’s free license.  It’s a trifecta of free tools that produces this:
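The XPath filtering mentioned here is what keeps the forwarded volume inside a 500MB/day budget. As an added PowerShell example (not the webinar's or the Splunk App's code), the block below builds a subscription-style XPath query that selects only the Active Directory change events from a domain controller's Security log and tests it against the local log with Get-WinEvent, so you can measure the hit rate before pasting the same query into a WEC subscription. The event IDs are standard Windows Security auditing IDs; the 24-hour window is our choice for the test.

```powershell
# Added example (not from the post, the webinar or the Splunk App): an XPath query for
# AD change events, tried locally before it goes into a WEC subscription's <Select> element.
# IDs: 4720-4726/4738/4740 user account lifecycle, 4727-4737 and 4754-4758 security group
# changes, 5136/5137/5141 directory object modified/created/deleted.
$AdChangeXPath = @'
*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
  and (EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725
       or EventID=4726 or EventID=4738 or EventID=4740
       or EventID=4727 or EventID=4728 or EventID=4729 or EventID=4730 or EventID=4731
       or EventID=4732 or EventID=4733 or EventID=4734 or EventID=4735 or EventID=4737
       or EventID=4754 or EventID=4755 or EventID=4756 or EventID=4757 or EventID=4758
       or EventID=5136 or EventID=5137 or EventID=5141)
  and TimeCreated[timediff(@SystemTime) <= 86400000]]]
'@

function Get-AdChangeEvent {
    # Run the exact query string a subscription would use against the local Security log.
    param([string]$LogName = 'Security', [string]$XPath = $AdChangeXPath)
    Get-WinEvent -LogName $LogName -FilterXPath $XPath -ErrorAction SilentlyContinue
}

function Measure-AdChangeFilter {
    # How much of the log would this filter forward? Selected vs. total records in the log.
    param([string]$LogName = 'Security')
    $selected = @(Get-AdChangeEvent -LogName $LogName).Count
    $total    = (Get-WinEvent -ListLog $LogName).RecordCount
    [pscustomobject]@{
        Selected         = $selected
        TotalRecords     = $total
        PercentForwarded = $(if ($total) { [math]::Round(100 * $selected / $total, 2) } else { 0 })
    }
}

# Which change types dominate in the last 24 hours, and what fraction of the log they are.
Get-AdChangeEvent | Group-Object Id | Sort-Object Count -Descending | Select-Object Name, Count
Measure-AdChangeFilter

# In a subscription the same expression is wrapped as:
#   <QueryList><Query Id="0" Path="Security"><Select Path="Security">...XPath...</Select></Query></QueryList>
```

Run it on a domain controller with a proper audit policy; if the selected count is near zero while RecordCount is large, the audit subcategories for account and directory service changes are probably not enabled, which is worth knowing before you blame the subscription.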
 

Among other abilities, our new Splunk App puts our deep knowledge of the Windows Security Log to work by analyzing events to provide an easy to use but powerful dashboard of changes in Active Directory.  You can see what’s been changing in AD sliced up:

  • by object type (users, groups, GPOs, etc.)
  • by domain
  • by time
  • by administrator

Too many times we see dashboards that showcase the biggest and highest frequency actors and subjects but get real – most of the time what you are looking for is the needle – not the haystack.  So we show the smallest, least frequent actors and objects too.  


 
Just because it’s free doesn’t mean it’s low value.  We put some real work into this.  We always learn something new about our own little AD lab environment when we bring this app up.  To make this app work we had to make some improvements to how Splunk parses Windows Security Events.  The problem with stuff built by non-specialists is that it suffices for filling in a bullet point like “native parsing of Windows Security Logs” but doesn’t come through when you get serious about analysis.  Case in point: Splunk treats these 2 very different fields in the below event as one:


 
As you can see, rsmith created the new user cmartin.  But check out what Splunk does with that event:


Whoa! So there’s no difference between the actor and the target of a critical event like a new account being created?  One Splunker tells me they have dealt with this issue by ordinal position, but we are frightened that actor and target could switch positions.  Anyway, it’s ugly.  Here’s what the same event looks like once you install our Splunk App:


That’s what we’re talking about! Hey, executives may say that’s just the weeds but we know that with security the devil is in the details.  

Now, you knowledgeable Splunkers out there are probably wondering if we get these events by defining them at index time.  And the answer is “no”.  Randy provided the Windows Security Log brains but we got a real Splunker to build the app and you’ll be happy to know that Imre defined these new fields as search time fields.  So this works on old events already indexed and more importantly doesn’t impact indexing.  We tried to do this right.

Plus, we made sure this app works whether you consume events directly from the Security log of each computer or via Windows Event Collection (which is what we recommend, with the help of Supercharger).
 
To learn more about the overall solution please watch the webinar, which is available on demand at https://www.ultimatewindowssecurity.com/webinars/watch.aspx?ID=1439

For those of you new to Splunk, we’ll quickly show you how to install Splunk Free and our Splunk App.  Then we’ll show you how in 5 minutes our free edition of Supercharger for Windows Event Collection can have your domain controllers efficiently forwarding just the relative trickle of relevant change events to Splunk.  Then we’ll start rendering some beautiful dashboards and drilling down into those events.  We will briefly show you how this same Splunk app can also analyze SharePoint, SQL Server and Exchange security activity produced by our LOGbinder product and mix all of that activity with AD changes and plot it on a single pane of glass.

Or check out the solution page at https://www.logbinder.com/Solutions/ActiveDirectory where there are links to the step-by-step directions.

And if you are already proficient with Splunk and collecting domain controller logs you can get the Splunk app at https://www.logbinder.com/Resources/ and look under SIEM Integration.  

For technical support please use the appropriate forum at forum.logbinder.com 
