Introduction

Windows Event Collection (WEC) – also known as Windows Event Forwarding (WEF) – is a native, agentless way to aggregate event logs onto central collectors that is built into Windows. With WEC, you can get the Windows Security Log and any other important event logs from thousands of Windows endpoints without

  • Installing an agent or anything else
  • Inefficient polling for new events
  • Opening any ports on source (forwarder) computers
  • Needing credentials for accessing logs on remote systems

All you need to do is set up a Windows server as a Windows Event Collector by creating one or more WEC subscriptions on it. Then, via Group Policy or Intune, you point your forwarder systems at the collector. Voila, events show up in the designated event log on the collector, where they can then be directed to your SIEM or other downstream consumers.

Each subscription allows you to specify which forwarders should send which logs and events to which destination log on the collector.

You can collect events from Active Directory domain member computers, which automatically leverages Kerberos, or non-domain member computers via client certificate authentication. Either way, event data is encrypted over the network.

WEC/WEF is built on top of Windows Remote Management (WinRM), which runs on both forwarders and collectors. Some of the more advanced features of Windows Event Forwarding involve WinRM configuration settings.
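The procedure above (create a subscription on the collector, point forwarders at it through policy, watch events land in the destination log) in PowerShell, as an added example that is not part of the original page or of any product it describes. The collector name collector.example.com, the subscription name SecurityLogons, the chosen event IDs and the ForwardedEvents destination log are assumptions; the SDDL string is the default that Event Viewer assigns to a source-initiated subscription (Domain Computers and Domain Controllers). The non-domain variant is shown only as a commented placeholder because it depends on the certificate setup covered elsewhere.

```powershell
# ---------- Collector side (run elevated on the collector) ----------
# Quick-config: starts the Windows Event Collector service and enables WinRM.
wecutil qc /q

# A subscription defines three things: which forwarders may send
# (AllowedSourceDomainComputers), which events (Query) and which
# destination log on the collector (LogFile).
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/subscription">
  <SubscriptionId>SecurityLogons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Assumed example: interactive logon successes and failures</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
    <!-- Noise suppression: drop service logons (LogonType 5) from 4624 -->
    <Suppress Path="Security">*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='5']]</Suppress>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- Domain members authenticate with Kerberos; this SDDL admits Domain Computers (DC) and Domain Controllers (DD) -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
  <!-- Non-domain forwarders instead use client certificates over HTTPS, e.g.
       <AllowedSourceNonDomainComputers><AllowedIssuerCAList><IssuerCA>PLACEHOLDER-CA-THUMBPRINT</IssuerCA></AllowedIssuerCAList></AllowedSourceNonDomainComputers>
       together with <TransportName>HTTPS</TransportName> -->
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'SecurityLogons.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath          # create-subscription from the XML file

# ---------- Forwarder side (normally delivered by Group Policy) ----------
# GPO path: Computer Configuration > Administrative Templates > Windows Components
#           > Event Forwarding > Configure target Subscription Manager.
# The policy writes this registry value; Refresh is the poll interval in seconds.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
New-ItemProperty -Path $smKey -Name '1' -PropertyType String -Force `
    -Value 'Server=http://collector.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60' | Out-Null

# The forwarder is the WS-Management client: WinRM must be running, but no
# inbound listener or firewall port is needed on the forwarder itself.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# The forwarding runs as NETWORK SERVICE, which needs read access to the Security log.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
gpupdate /force

# ---------- Verification (back on the collector) ----------
# Runtime status lists every source with Active, Inactive or Error and the last heartbeat.
wecutil gr SecurityLogons
# Events arrive in the destination log named in <LogFile>.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Format-Table TimeCreated, Id, MachineName -AutoSize
```

The forwarder block only needs to be run by hand when you are testing a single machine; in production the Group Policy setting replaces the registry write and `gpupdate`, and the Event Log Readers membership is likewise pushed by policy. If `wecutil gr` shows a source as Inactive or Error, the usual causes are WinRM not running on the forwarder, the forwarder not matching the subscription's SDDL, or the Security log ACL not granting NETWORK SERVICE read access.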

Concepts

In this section, we introduce you to key concepts that comprise Windows Event Collection and explain their relationships.

For collecting events from computers not part of the Active Directory environment, some additional concepts take on significance. We deal with these topics specifically under WEC in a Non-AD Environment.

  • Server Certificates for Collectors
  • Client Certificates for Forwarders
  • Certificate Authorities on Subscriptions
  • Certificate Mappings on Collectors
  • HTTPS Listeners on Collectors

Supercharger for Windows Event Collection

Supercharger provides

  • At-a-glance, single-pane-of-glass view of the entire Windows Event Collection (WEC) environment
  • Pre-built security filters with noise suppression based on Randy Franklin Smith's UltimateItSecurity.com
  • Wizard-based create/update/delete/view of subscriptions
  • Step-by-step guidance for new WEC implementations

Single Pane of Glass

Supercharger's manager/agent architecture installs in minutes and displays your global WEC environment on a single pane of glass. Check the status of event forwarding from your browser or even your phone.

Centrally Manage Subscriptions

Create/edit/delete subscriptions with a click.

Filter the Noise with Help from UltimateItSecurity.com

Pre-built managed filters leverage our deep knowledge of the Windows Security Log. Point and click to create Xpath queries that collect the events you want while leaving the noise behind.

New to Windows Event Collection?

Step-by-step guidance for new WEC implementations


Manage, Scale and Heal Windows Event Collection with Supercharger