Windows Event Forwarding (WEF) and Windows Event Collector (WEC) allow organizations to centralize Windows event logs for better security monitoring, incident response, and compliance. This guide provides a step-by-step setup to configure WEF and WEC properly.
- Windows Server (for WEC)
- Windows Clients (for WEF)
- Active Directory (for domain-based deployment)
- Domain Admin privileges (recommended for setup)
-
Enable the service âWindows Event Collectorâ
Firstly, we should enable âWindows Event Collectorâ service in Services tab.
Change the Startup type to the
Automatic (Delayed Start)
-
Add the network service account to the domain
- In
Active Directory Users and Computers, go to theÂBuiltin folder and double-clickÂEvent Log Readers. - SelectÂ
Members. - If Network Service is not listed, select Add, and then enter Network Service.
- Select Check Names and select OK twice.
- In
-
Configure WinRM
-
Run these commands on Powershell as Administrator
winrm quickconfig wecutil qc
-
-
Create Custom Event Providers (Optional)
-
Move these files to your system32 folder and run the following command:
wevtutil im C:\Windows\System32\WEF_Events.manYou can find these files in the Config_Files folder.
After running this command, the following channels must be created under WEF-Events in the Event Viewer. I have chosen these channels for testing purposes and have also tried to select the most commonly used event types. If you want to customize them, you can refer to this guide.
-
-
Apply GPO to config Agents
-
Enable WINRM on Agents
-
Firstly, create new GPO and link to the OU. And then right click and edit the GPO.
! -
 Expand the Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
On the right side, locate and edit the Allow remote server management through WinRM policy setting.
Set to Enabled and add the â*â to both IPv4 and IPv6 filter.
-
The next policy that needs to be configured is the one responsible for enabling and starting the WinRM service. Expand Computer Configuration > Preferences > Control Panel Settings > Services. Right-click the Services section and choose New > Service. Change the StartUp type to "Automatic (Delayed Start)" and Service action to the "Start Service"
-
The final policy we need to configure for WinRM to function is opening the appropriate Firewall ports. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Windows Defender Firewall with Advanced Security > Inbound Rules. Right-click the Inbound Rules section and choose New Rule.
On the New Inbound Rule Wizard click Predefined then from the list select Windows Remote Management.
In the Predefined Rules window, ensure that the Public profile box is unchecked. While this doesnât expose you to the internetâsince your company already has a firewall in placeâit is considered a best practice.
Proceed with the default option by allowing the connection.
GPO settings for double check:
- âEnable Winrmâ
-
Firewall:
-
WinRM Service:
-
-
-
Add
Network Serviceaccount to the Agentsâ Local Group
Then add
Network Serviceuser to the group. Double click theOKand then clickApplybutton.
âAdd
Network Serviceaccount to the Agentsâ Local Groupâ â GPO settings - for double check:
-
Then run
gpupdate.exeon PowerShell as Administrator or reboot the clients to take effect.
-
-
Configure a Subscription
-
Collector Initiated - In this method, WEC server will connect to the agents and collect events with privileged user.
-
In the Event Viewer, Click the
Subscriptions(on the bottom) -
Click the
Create Subscription
-
Choose relevant Destination Log
-
Add domain computers
After clicking OK you can check also the connectivity.
-
Selecting Relevant Events
-
Specifying the privileged account
Triple click the
OKbutton.
-
Check the runtime status
- Click the Right button of the mouse on the subscription and check the status of the Subscription.
- Click the Right button of the mouse on the subscription and check the status of the Subscription.
-
-
Source Initiated -- In this method, all agents send events to the WEC Server
For this config we should do some extra staff.
-
Firstly, run these commands in the PowerShell (WEC Server):
netsh http delete urlacl url=http://+:5985/wsman/ netsh http add urlacl url=http://+:5985/wsman/ sddl="D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)" -
Then add GPO to enable Subscription manager on agents.
Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding
Add this value:
Server=http://dc.siem.local:5985/wsman/SubscriptionManager/WEC,Refresh=10
Click
OKand thenApplybutton. Here you should specify the WEC server FQDN (In my case I have used DC you can use another server) -
Now you can create the source based Subscriptions
-
This is the same process with the (6. â a.) but here we choose
Source Computer initiated.
You can add the desired OUs here. And no need to specify the privileged account credentials in this solution.
-
After creating Subscription you can check the connected Agents status by checkingRuntime Status
After a while all logs will start coming to your specified destinations.
-
-
- Microsoft Docs: Windows Event Collection
- CREATING CUSTOM LOGS FOR WINDOWS EVENT FORWARDER
- How to enable WinRM (HTTP) via Group Policy
This guide was created to help security professionals, SOC teams, and system administrators streamline Windows event log collection. By following these steps, you can enhance visibility, strengthen security monitoring, and optimize incident response.
đ Stay Secure & Keep Monitoring! đđ