Windows Event Forwarding/Collector Resources

Windows Event Forwarding

Depending on your SIEM, you are going to have different requirements here. For some SIEMs, EPS (events per second) is not an issue and licensing is based only on the number of devices. In that case, Windows Event Forwarding will immediately reduce your licensing needs by letting you watch events from servers and/or workstations through a single (or a few) collector devices. You can forward all workstation events to a single collector and then just monitor that one device from the SIEM.

For those SIEMs, like Splunk, that care about EPS and nothing else, this gets more complex, but not unmanageable. At that point you have to start filtering. If your SIEM has agents, like Splunk's, that can do filtering, you can use simple event subscriptions to collect the logs and then filter at the forwarder. For those that don't, there are still ways to do a lot of filtering in the subscription XML, but there are some limitations. I have spent the past few months architecting this for a large enterprise, and I have found a few invaluable resources about all of this that I wanted to share.
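As an added illustration of filtering inside the subscription XML itself (this is a constructed example, not a subscription from the post or any of the linked resources), the following source-initiated subscription selects a handful of Security events from domain workstations and uses a Suppress clause to drop the noisiest logon types before they ever reach the collector. The subscription name, event selection and batching values are assumptions chosen for the example.

```xml
<!-- Constructed WEF subscription: import with "wecutil cs <file>" on the collector -->
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman">
  <SubscriptionId>Security-Baseline-Workstations</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon, process-creation and account-change events from workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>            <!-- send after 5 events ... -->
      <MaxLatencyTime>30000</MaxLatencyTime> <!-- ... or 30 s, whichever comes first -->
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>   <!-- hourly heartbeat so silent hosts are noticed -->
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <!-- 4624/4625 logon success/failure, 4688 process creation,
         4720 account created, 4728/4732 member added to global/local group -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688
      or EventID=4720 or EventID=4728 or EventID=4732)]]</Select>
    <!-- Filtering limitation: the event XPath subset has no contains()/ends-with(),
         so you can only suppress on exact values. Here we drop 4624 for service (5),
         batch (4), unlock (7) and system (0) logons and keep interactive/network/RDP. -->
    <Suppress Path="Security">*[System[EventID=4624]] and
      *[EventData[Data[@Name='LogonType']='5' or Data[@Name='LogonType']='4'
                  or Data[@Name='LogonType']='7' or Data[@Name='LogonType']='0']]</Suppress>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting Domain Computers (DC) the right to forward to this subscription -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
```

Anything that needs substring matching (for example suppressing all machine accounts whose name ends in `$`) cannot be expressed in this XPath subset and has to be filtered at the forwarder or in the SIEM, which is the limitation the paragraph above refers to.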


Monitoring what matters – Windows Event Forwarding for everyone (even if you already have a SIEM.)

Proactively Secure your IT Environment from Credential Theft with POP-SLAM

LAPS Audit Reporting via WEF PoSH and PowerBI

Windows Event Forwarding – Centralized logging for everyone! (Even if you already have centralized logging!)

Event Forwarding and Log Analysis

Local Administrator Password Solution (LAPS) Implementation Hints and Security Nerd Commentary (including mini threat model)

Top 10 SIEM Best Practices


Information About Windows Events

Detailed Post on XML Queries in Subscriptions

Tracking Lateral Movement Part One – Special Groups and Specific Service Accounts

Advanced security audit policy settings (Windows 10)

NSA – Spotting the Adversary

Detecting Lateral Movement with Windows Event Logs [VIDEO]

Simple Windows Batch Scripting for Intrusion Discovery

The Key Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log

Pass The Hash Info

Description of security events in Windows 7 and in Windows Server 2008 R2

More New Stuff in PowerShell V5: Extra PowerShell Auditing

Include command line in process creation events

Microsoft security advisory: Update to improve Windows command-line auditing: February 10, 2015

Use Windows Event Forwarding to help with intrusion detection (Windows 10)

Windows Event Forwarding: export and import subscriptions

Auditing Group Policy changes – Canberra Premier Field Engineering: Team Blog

Cheat Sheets for Logging

Splunk Finding Advanced Attacks

Splunk Logging CheatSheet

Events To Monitor

