This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
steve-m
Micro Focus Expert
Micro Focus Expert
‎2016-01-05 18:54
4061 views

Collecting Windows Event Logs Using Windows Event Forwarding

February 5, 2018

 

Why collect event logs from Windows workstations? If I have auditing enabled in Active Directory and on the servers in it, shouldn’t that be enough? No! There are events that are generated on a Windows workstation that are stored in that systems local event log and are not stored centrally without the use of Windows Event Forwarding. Below are some examples of use cases for Windows workstations events. While the focus of this document is on workstations, it can also be applied to servers, both in an Active Directory Domain and in a Workgroup...

 

Version 4

  • Micro Focus branding.
Labels (1)
Labels
Preview file
1176 KB
1 other person had this problem.
Reply
Report Inappropriate Content
6 Replies
alexeynl
Vice Admiral
Vice Admiral
‎2016-01-12 12:56

AppLocker is built into Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.

Not all Windows editions support AppLock feature (for example Standart and Professional don't).

Windows 7 AppLocker Executive Overview

"AppLocker is a new technology available in Windows 7 Enterprise and Windows 7 Ultimate. In addition, AppLocker is available in Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, and Windows Server 2008 R2 for Itanium-Based Systems."

0 Likes
Reply
Report Inappropriate Content
alexeynl
Vice Admiral
Vice Admiral
‎2016-01-12 13:37

To reduce event flow network inpact in case of your enviroment i will suggest filter out events on Windows Collector using Subscription settings.

0 Likes
Reply
Report Inappropriate Content
mederic.hurier
Commander
Commander
‎2019-04-02 15:09

Hello,

 

Is there any specific steps to do to use WEF with workgroup hosts and source initiated subscription?

Everything is working fine for Domain hosts, but not for Workgroup.

I guess workgroup hosts need to go via HTTPS (port 5986) as kerberos is not present in workgroup.

Do you have any specific documentation for workgroup hosts?

 

Regards

0 Likes
Reply
Report Inappropriate Content
steve-m
Micro Focus Expert
Micro Focus Expert
‎2019-04-02 17:30

I do not have any documentation on setting up WEF in a Workgroup environment.

0 Likes
Reply
Report Inappropriate Content
mr_ergene
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2019-04-03 08:43

You can't use source initiated mode. You can use HTTP.

More details: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
Reply
Report Inappropriate Content
mederic.hurier
Commander
Commander
‎2019-04-03 09:47

Thanks, I'll try the pull method.

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.