Highlighted
steve-m
Micro Focus Expert
Micro Focus Expert
‎2016-01-05 18:54
3201 views

Collecting Windows Event Logs Using Windows Event Forwarding

February 5, 2018

 

Why collect event logs from Windows workstations? If I have auditing enabled in Active Directory and on the servers in it, shouldn’t that be enough? No! There are events that are generated on a Windows workstation that are stored in that systems local event log and are not stored centrally without the use of Windows Event Forwarding. Below are some examples of use cases for Windows workstations events. While the focus of this document is on workstations, it can also be applied to servers, both in an Active Directory Domain and in a Workgroup...

 

Version 4

  • Micro Focus branding.
Labels (1)
1 other person had this problem.
Reply
6 Replies
alexeynl
alexeynl Honored Contributor.
Honored Contributor.
‎2016-01-12 12:56

Re: Collecting Windows Event Logs Using Windows Event Forwarding

AppLocker is built into Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.

Not all Windows editions support AppLock feature (for example Standart and Professional don't).

Windows 7 AppLocker Executive Overview

"AppLocker is a new technology available in Windows 7 Enterprise and Windows 7 Ultimate. In addition, AppLocker is available in Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, and Windows Server 2008 R2 for Itanium-Based Systems."

0 Likes
Reply
alexeynl
alexeynl Honored Contributor.
Honored Contributor.
‎2016-01-12 13:37

Re: Collecting Windows Event Logs Using Windows Event Forwarding

To reduce event flow network inpact in case of your enviroment i will suggest filter out events on Windows Collector using Subscription settings.

0 Likes
Reply
mederic.hurier
Valued Contributor.. mederic.hurier Valued Contributor..
Valued Contributor..
‎2019-04-02 15:09

Re: Collecting Windows Event Logs Using Windows Event Forwarding

Hello,

 

Is there any specific steps to do to use WEF with workgroup hosts and source initiated subscription?

Everything is working fine for Domain hosts, but not for Workgroup.

I guess workgroup hosts need to go via HTTPS (port 5986) as kerberos is not present in workgroup.

Do you have any specific documentation for workgroup hosts?

 

Regards

0 Likes
Reply
steve-m
Micro Focus Expert
Micro Focus Expert
‎2019-04-02 17:30

Re: Collecting Windows Event Logs Using Windows Event Forwarding

I do not have any documentation on setting up WEF in a Workgroup environment.

0 Likes
Reply
mr_ergene
Knowledge Partner
Knowledge Partner
‎2019-04-03 08:43

Re: Collecting Windows Event Logs Using Windows Event Forwarding

You can't use source initiated mode. You can use HTTP.

More details: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
Reply
mederic.hurier
Valued Contributor.. mederic.hurier Valued Contributor..
Valued Contributor..
‎2019-04-03 09:47

Re: Collecting Windows Event Logs Using Windows Event Forwarding

Thanks, I'll try the pull method.

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.