The Windows Event Collection (WEC) service is a powerful and relatively new addition to Windows security logging. WEC is native to Windows 2008 and later and is Microsoft’s answer to syslog only on a far grander scale. With WEC you can finally automatically forward events from multiple systems to a single central event log.
With WEC you select one or more Windows servers to serve as collectors. On those collectors you define one or more subscriptions. Subscriptions are a policy object that define which log and which event IDs in that log to forward. Then, using group policy, you configure source computers to target the appropriate collector. The Windows event forwarder agent on those computers check in with the collector and obtain the appropriate subscription(s) applicable to them based on group membership or other criteria.
Then each forwarder begins send the specified events to the collector. Events can be sent over https ensuring security and integrity. Windows event collection can survive network and system outages and has functionality to minimize bandwidth and system resources.
Of course one of the big concerns with event forwarding is “how do we avoid overloading the network and target collector?” That’s a good question because the security log is famous for the amount of events generated every second. The good news is that WEC supports an XML based query language that allows you to define very specific criteria for which events are forwarded. You can go way beyond simple lists of event IDs and base forwarding on the actual details of the event. For instance, on a file server you can expect to find a near infinite number of network logon events generated each time a client accesses a network share. The event used is 4624 but that same event ID is used for console and remote desktop logon events. The only difference is the Logon Type in the details of the event. WEC allows you to define a custom XML query that only forwards instances of event ID 4624 where logon type is not 3 (Network).
The other killer feature of WEC is the ability for forwards to authenticate to collectors using client certificates. By targeting the forward at a valid Internet DNS address, and with client certificates, you can configure mobile client laptops to forward events over the Internet no matter where they are.
I think WEC opens the door for all kinds of new possibilities. Join me for a deep dive into WEC as I’m very excited to be doing my first webinar on this very cool technology. Don’t miss it.
Register now!