Windows Event Forwarding (WEF): Centralized Logging Without Extra Agents

Windows Event Forwarding (WEF) is one of the most underrated native security capabilities in Microsoft environments. It centralizes endpoint and server logs using built-in Windows services, reducing the need for additional collection agents.

This guide covers a practical source-initiated deployment.

Why WEF matters

  • Native Windows feature (no third-party endpoint collector required)
  • Flexible XML filters for event selection
  • Scales well with Group Policy
  • Useful staging layer before SIEM ingestion

1) Prepare the collector

On the collector server (elevated PowerShell):

wecutil qc /q
winrm quickconfig -q
Set-Service Wecsvc -StartupType Automatic
Set-Service WinRM -StartupType Automatic

Confirm service state:

Get-Service Wecsvc, WinRM

2) Create a source-initiated subscription

Open Event Viewer:

Applications and Services Logs > Microsoft > Windows > EventCollector

Then:

  1. Go to Subscriptions
  2. Create Source computer initiated subscription
  3. Select channels and event levels
  4. Apply event query filter

Example XML filter (security focus):

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=4728)]]
    </Select>
  </Query>
</QueryList>

3) Configure Group Policy for clients

In GPMC, apply a policy to the target computers with these settings:

  • Configure target Subscription Manager
  • Allow remote server management through WinRM
  • Windows Remote Management service startup

Subscription Manager example:

Server=http://wef-collector.domain.local:5985/wsman/SubscriptionManager/WEC,Refresh=60

Update policy on clients:

gpupdate /force

4) Validate forwarding

On the client:

wevtutil qe ForwardedEvents /c:5 /f:text

On collector, verify incoming events in Forwarded Events and monitor event volume.
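As an added example that is not part of the original guide, steps 2 and 4 done from the collector with wecutil instead of Event Viewer: the subscription is created from the same Security filter, then its runtime status and recent ForwardedEvents are checked. The subscription name, batching and heartbeat values are assumptions.

```powershell
# Added example, not from the original guide: creates the source-initiated
# subscription from step 2 with wecutil instead of Event Viewer, reusing the
# Security filter above, then checks it. Run elevated on the collector.
# Assumed: the subscription name and the batching/heartbeat values below.
$subscriptionId = 'Security-Baseline'          # assumed name
$xmlPath        = Join-Path $env:TEMP "$subscriptionId.xml"
# Subscription definition in the schema 'wecutil cs' accepts; Query is the step 2 filter.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Baseline security events from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <!-- send when 5 events are queued or every 30 s, whichever comes first -->
    <Batching><MaxItems>5</MaxItems><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=4728)]]
    </Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: allow Domain Computers (DC) and Network Service (NS) to connect -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }
# Runtime status: lists each source computer and whether it is Active or Inactive.
wecutil gr $subscriptionId
# Confirm events actually land: count ForwardedEvents written in the last hour.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
"Forwarded events in the last hour: $(@($recent).Count)"
```

Source-initiated forwarding runs as NETWORK SERVICE on each client, which cannot read the Security log by default; grant it that access (for example by adding it to the local Event Log Readers group through Group Policy) or nothing from the Security channel will arrive.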

5) Hardening and operations

Use HTTPS for transport when required

For stricter environments, configure HTTPS listeners and certificates for WinRM.

Tune filters intentionally

Avoid forwarding everything by default. Start with:

  • Authentication events
  • Process creation (4688)
  • Account/group changes
  • Critical service and system events

Size logs correctly

Increase forwarded log size to avoid drops during bursts. Combine with regular archival and SIEM shipping.

Troubleshooting Quick Checks

No events arriving

  • Validate DNS and reachability to collector
  • Confirm WinRM listener on client and collector
  • Recheck SubscriptionManager GPO value

Access denied errors

  • Ensure collector permissions are correct
  • Confirm domain trust and computer account scope

High event lag

  • Reduce noisy channels
  • Tune refresh interval and batching
  • Validate collector CPU/disk capacity

Summary

WEF provides a low-friction centralized logging foundation for Windows estates. With source-initiated subscriptions and focused filters, you get high-value telemetry with manageable overhead.

It is an excellent first step before full SIEM normalization, especially in environments that want native controls and reduced endpoint complexity.