Collecting Windows Event Logs Using Windows Event Forwarding
February 5, 2018
Why collect event logs from Windows workstations? If I have auditing enabled in Active Directory and on the servers in it, shouldn’t that be enough? No! There are events that are generated on a Windows workstation that are stored in that systems local event log and are not stored centrally without the use of Windows Event Forwarding. Below are some examples of use cases for Windows workstations events. While the focus of this document is on workstations, it can also be applied to servers, both in an Active Directory Domain and in a Workgroup...
- Micro Focus branding.
AppLocker is built into Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.
Not all Windows editions support AppLock feature (for example Standart and Professional don't).
"AppLocker is a new technology available in Windows 7 Enterprise and Windows 7 Ultimate. In addition, AppLocker is available in Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, and Windows Server 2008 R2 for Itanium-Based Systems."
Is there any specific steps to do to use WEF with workgroup hosts and source initiated subscription?
Everything is working fine for Domain hosts, but not for Workgroup.
I guess workgroup hosts need to go via HTTPS (port 5986) as kerberos is not present in workgroup.
Do you have any specific documentation for workgroup hosts?
You can't use source initiated mode. You can use HTTP.
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.