Collecting Windows Event Logs Using Windows Event Forwarding


Why collect event logs from Windows workstations? If I have auditing enabled in Active Directory and on the servers in it, shouldn’t that be enough? No! There are events that are generated on a Windows workstation that are stored in that systems local event log and are not stored centrally without the use of Windows Event Forwarding. Below are some examples of use cases for Windows workstations events. While the focus of this document is on workstations, it can also be applied to servers, both in an Active Directory Domain and in a Workgroup...

 Version 4


comments by alexeynl: 

AppLocker is built into Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.

 Not all Windows editions support AppLock feature (for example Standart and Professional don't).

 Windows 7 AppLocker Executive Overview

"AppLocker is a new technology available in Windows 7 Enterprise and Windows 7 Ultimate. In addition, AppLocker is available in Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, and Windows Server 2008 R2 for Itanium-Based Systems."

To reduce event flow network inpact in case of your enviroment i will suggest filter out events on Windows Collector using Subscription settings. 




How To-Best Practice
Comment List