Absent Member.

Using Windows Event Forwarding with SENTINEL 7.4.x


I have a question about the topic "Windows Event Forwarding" in Windows Server.

Is there any way to use the native, built-in "Windows Event Forwarding (WEF)" with Sentinel? Any Connector or something else?

More about the Topic "Windows Event Forwarding" you can find here.

At the moment we're using the Open-Source Agent "nxlog" for forwarding the Windows Security Logs.

Thanks for your answers in advance!

2 Replies
Knowledge Partner

I have not heard of it being supported, so I guess it depends how the
events are sent over the wire. Maybe the Syslog connector could be set up
to catch the events, but if not then the Process connector certainly could
be, perhaps just set to run a service like netcat that listens for input
from wherever. A collector that parses the Windows event XML properly
would need to be created as well, but that should not be too terrible.

Before doing all of this, it may be worthwhile to ask how valuable this is
compared to the existing offerings. Unlike the WMS connector, this
appears to require touching all of the endpoints to set them up to send
data to Sentinel, so it requires a bit more initial setup work, even if
done via Group Policy, than the WMS setup.

Unlike using the Sentinel Agent Manager, though, I do not see any
indication of installing third-party software on the Windows boxes, so
that could be a benefit.

There are probably other questions, like "Does this work for people when
the two options above do not?" to make a business case, but let's at least
talk about it.

Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
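
The reply above notes that a collector would have to parse the Windows event XML properly. As an added example (not from the thread and not Sentinel collector code), this Python function flattens one event in the Windows event schema into the fields a collector would map. It assumes the `<Event>` document has already been extracted from whatever transport delivered it; the sample event and the output field names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not from the page): a logon event as Windows renders event XML.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2020-03-02T10:15:30.123456700Z"/>
    <Computer>ws01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
    <Data>unnamed value</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one <Event> document into a dict; raise ValueError on bad input."""
    # A forwarded event needs no DTD, so refuse one instead of expanding entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed event XML: {exc}") from exc
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("missing System element; not a Windows event")

    def field(tag, attr=None):
        node = system.find(f"e:{tag}", NS)
        if node is None:
            return None
        return node.get(attr) if attr else node.text
    event_id = field("EventID") or ""
    record = {
        "provider": field("Provider", "Name"),
        "event_id": int(event_id) if event_id.isdecimal() else None,
        "time_created": field("TimeCreated", "SystemTime"),
        "computer": field("Computer"),
        "data": {},
    }
    # Named <Data> fields keep their name; unnamed ones get a positional key.
    for i, node in enumerate(root.iterfind("e:EventData/e:Data", NS), start=1):
        record["data"][node.get("Name") or f"param{i}"] = node.text or ""
    return record
```

Rejecting input that fails to parse, rather than passing it through as a raw string, keeps truncated or non-event data from a generic listener out of the normalized event stream.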
Micro Focus Expert
