If you’ve ever wrestled with Windows event collection, you know it’s not as simple as flipping a switch and getting clean, actionable data. Between cryptic event IDs, noise overload, and log forwarding headaches, most organizations are leaving valuable forensic and auditing data on the table.
Over the years we have learned so many lessons about WEC and in this real training for free session, I’ll walk you through the real-world problems I see over and over again in consulting engagements—things like:
- The sheer volume of events and how to separate the signal from the noise
- Common misconfigurations in Windows Event Forwarding (WEF) that kill reliability
- Incomplete log coverage and missing critical events for auditing
- How GPO settings and filtering can break your collection strategy without you noticing
- Performance trade-offs that can impact endpoints and your SIEM budget
Windows event logs are a goldmine for security analysts and sysadmins—if you can collect, filter, and interpret them correctly. But let’s be honest: the reality is messy. Inconsistent forwarding, noisy logs, and missing critical events make life harder than it should be.
We’ll go beyond theory. I’ll show you exactly how to tune your event subscriptions, reduce noise, and ensure you're actually capturing what matters—whether it's for compliance, detection, or investigation.
This is a no-fluff, demo-heavy session with practical guidance you can apply the same day.
Some of the other areas we’ll cover include:
- We’ll show how to build your own filters, inclusive or exclusive, depending on your stance on noise versus log volume efficiency
- We’ll talk about subscriptions with more than the recommended number of forwarders and the issues this creates (overloaded collectors, very large log storage needs, high EPS per subscription)
- Should you forward the entire security log? Does that really make sense once you dive into the real-world details?
- We’ll talk about the GPO settings needed for WEC to function. Things like:
  - Configure Target Subscription Manager (for WEF)
  - Enable Windows Remote Management (WinRM)
  - Configure Firewall Rules for WEF
  - Advanced Audit Policy Configuration (more UWS than WEC)
  - Event Log Size & Retention
Then we’ll talk about conflicting and winning GPOs, and how they, together with hardened OS images and security settings, create issues with WEC settings.
- We’ll discuss SIEM pricing metrics such as log storage size charges and EPS charges. For example, Splunk charges per GB/day, which makes addressing the noise problem an imperative.
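As an added illustration of the inclusive-versus-exclusive filtering and the "forward the whole Security log?" question above (this is example code, not from the session, UWS or Supercharger), the following builds a source-initiated WEC subscription whose query uses `Select` to admit only a baseline list of event IDs and `Suppress` to drop a known-noisy subset of matches, validates the XPath against the local Security log, and then creates the subscription with `wecutil`. The subscription name, the event ID list, and the choice to suppress service logons (LogonType 5) are constructed assumptions for the example; run it on the collector as an administrator.

```powershell
# Added example (not the webinar's or Supercharger's code): a WEC subscription with an
# inclusive Select and an exclusive Suppress, validated locally before deployment.
# Assumptions: subscription name, event ID baseline and suppressed logon type are
# constructed for this example; ForwardedEvents is the destination log on the collector.

$SubscriptionId = 'Security-Baseline'   # hypothetical name

# Select is the inclusive filter (only these IDs leave the forwarder at all);
# Suppress is the exclusive filter and only applies to events Select already matched.
$QueryList = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=1102 or EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4688 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
    <!-- drop 4624 service logons (LogonType 5): very high volume, rarely investigated -->
    <Suppress Path="Security">*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='5']]</Suppress>
  </Query>
</QueryList>
'@

# 1. Sanity-check the XPath against the local Security log first: a malformed query
#    fails here, on one host, instead of silently on every forwarder in the domain.
try {
    $sample = @(Get-WinEvent -FilterXml ([xml]$QueryList) -MaxEvents 5 -ErrorAction Stop)
    "Query OK: $($sample.Count) matching sample event(s) on this host"
} catch {
    if ($_.Exception.Message -notmatch 'No events were found') { throw }
    'Query OK (parses, but nothing on this host matches yet)'
}

# 2. Wrap the query in a source-initiated subscription. ContentFormat=Events omits the
#    rendered message text, which cuts forwarded bytes; use RenderedText if your SIEM
#    parses the message body instead of the EventData fields.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/windows/eventlog/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Baseline security events; noisy service logons suppressed at the source</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[$QueryList]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@

# 3. Create the subscription on this collector and show its runtime status
#    (which forwarders are active, which are in error, last heartbeat).
$path = Join-Path $env:TEMP "$SubscriptionId.xml"
Set-Content -Path $path -Value $SubscriptionXml -Encoding UTF8
wecutil cs $path
wecutil gr $SubscriptionId
```

Because the filtering happens in the forwarder's query, suppressed events never cross the network or count toward the collector's EPS or the SIEM's per-GB charge; widening `Select` is the knob for coverage, adding `Suppress` clauses is the knob for noise, and `wecutil gr` is the quickest way to see whether a subscription with many forwarders is keeping up.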
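To turn the GPO checklist above into something you can run on a forwarder, here is an added health check (example code, not from the session, UWS or Supercharger) that inspects each of the five settings listed: the Target Subscription Manager policy, WinRM, the inbound firewall rule group, the audit subcategories that produce the forwarded events, and Security log size and retention. The collector FQDN, the audit subcategories chosen, and the 256 MB size threshold are assumptions for the example; run it as an administrator.

```powershell
# Added example (not the webinar's or Supercharger's code): verify on a forwarder the
# GPO-driven prerequisites WEF needs. Assumptions: the collector FQDN is a placeholder,
# the audit subcategories match a typical baseline subscription, 256 MB is an arbitrary
# minimum Security log size chosen for this example.

$ExpectedCollector = 'wec-collector.example.internal'   # placeholder, replace with yours

function Test-WefPrerequisites {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Target Subscription Manager: GPO writes one string value per collector under this
    #    key ("1", "2", ...), e.g. Server=http://collector:5985/wsman/SubscriptionManager/WEC,Refresh=60
    $smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $sm = Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue
    $targets = @()
    if ($sm) {
        $targets = @($sm.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    if (-not $targets) {
        $findings.Add('SubscriptionManager: no target configured (GPO not applied, or overridden by a winning GPO)')
    } elseif (-not ($targets -match [regex]::Escape($ExpectedCollector))) {
        $findings.Add("SubscriptionManager: targets do not include $ExpectedCollector -> $($targets -join '; ')")
    }

    # 2. WinRM: service running and the local listener answering.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $winrm -or $winrm.Status -ne 'Running') {
        $findings.Add('WinRM: service is not running')
    } else {
        try { $null = Test-WSMan -ErrorAction Stop }
        catch { $findings.Add("WinRM: Test-WSMan failed: $($_.Exception.Message)") }
    }

    # 3. Firewall: the built-in inbound "Windows Remote Management" rule group must be enabled.
    $fw = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -ErrorAction SilentlyContinue |
          Where-Object { $_.Enabled -eq 'True' }
    if (-not $fw) { $findings.Add('Firewall: no enabled inbound "Windows Remote Management" rule') }

    # 4. Advanced audit policy: if a subcategory is not audited, its events never exist to forward.
    #    auditpol /r emits CSV with an "Inclusion Setting" column.
    $audit = auditpol /get /category:* /r | ConvertFrom-Csv
    foreach ($sub in 'Logon', 'Special Logon', 'Process Creation', 'User Account Management', 'Security Group Management') {
        $row = $audit | Where-Object { $_.Subcategory -eq $sub }
        if (-not $row -or $row.'Inclusion Setting' -eq 'No Auditing') {
            $findings.Add("AuditPolicy: '$sub' is not audited")
        }
    }

    # 5. Security log size and retention: a small log can wrap before WinRM delivers a batch,
    #    and a non-circular log can fill and stop logging altogether.
    $log = Get-WinEvent -ListLog Security
    if ($log.MaximumSizeInBytes -lt 256MB) {
        $findings.Add(('SecurityLog: maximum size {0} MB is below the example threshold of 256 MB' -f [int]($log.MaximumSizeInBytes / 1MB)))
    }
    if ($log.LogMode -ne 'Circular') {
        $findings.Add("SecurityLog: LogMode is $($log.LogMode), not Circular")
    }

    # 6. What the forwarding plug-in itself has complained about recently.
    $plugErr = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'; Level = 2 } `
                            -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $plugErr) {
        $findings.Add("ForwardingPlugin: $($e.TimeCreated) $(($e.Message -split "`r?`n")[0])")
    }

    return $findings
}

$result = Test-WefPrerequisites
if ($result.Count -eq 0) { 'All WEF prerequisites look good on this host' } else { $result }
```

Every check reads the effective state on the host rather than the GPO you intended to apply, which is exactly how a conflicting or winning GPO, or a hardened image that disables WinRM or tightens the firewall, shows up: the policy looks right in the console and the forwarder still sends nothing.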
Towards the end, Barry Vista will briefly demonstrate how Supercharger for WEC provides central policy-based management of your WEC environment and detects and automatically heals WEC issues before you discover them the hard way.
This will be a technical, real training for free session, so don’t miss it!