
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Collecting Windows Event Logs Using Windows Event Forwarding
February 5, 2018
Why collect event logs from Windows workstations? If I have auditing enabled in Active Directory and on the servers in it, shouldn’t that be enough? No! There are events that are generated on a Windows workstation that are stored in that systems local event log and are not stored centrally without the use of Windows Event Forwarding. Below are some examples of use cases for Windows workstations events. While the focus of this document is on workstations, it can also be applied to servers, both in an Active Directory Domain and in a Workgroup...
Version 4
- Micro Focus branding.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
AppLocker is built into Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.
Not all Windows editions support AppLock feature (for example Standart and Professional don't).
Windows 7 AppLocker Executive Overview
"AppLocker is a new technology available in Windows 7 Enterprise and Windows 7 Ultimate. In addition, AppLocker is available in Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, and Windows Server 2008 R2 for Itanium-Based Systems."

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
To reduce event flow network inpact in case of your enviroment i will suggest filter out events on Windows Collector using Subscription settings.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hello,
Is there any specific steps to do to use WEF with workgroup hosts and source initiated subscription?
Everything is working fine for Domain hosts, but not for Workgroup.
I guess workgroup hosts need to go via HTTPS (port 5986) as kerberos is not present in workgroup.
Do you have any specific documentation for workgroup hosts?
Regards

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I do not have any documentation on setting up WEF in a Workgroup environment.


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
You can't use source initiated mode. You can use HTTP.
More details: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Thanks, I'll try the pull method.