December 17, 2018

Making the most of Windows Event Forwarding for centralized log collection

By Arielle Bonnici


Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported on Windows systems. It is straightforward to set up because it is already built into Windows and needs only a few prerequisites: a dedicated collector server and a Group Policy Object (GPO) that points the source computers at it. Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by its limitations and how to work around them.

Advantages to Windows Event Forwarding for centralized log collection

Logging with Windows Event Forwarding is better than being in the dark

Despite the importance of centralized logging, not all enterprise environments on the Windows platform make the most of Windows Event Forwarding, even though it is a key part of security infrastructure and is already natively supported. With no event forwarding set up, administrators are left in the dark about what their hosts are logging, and the only copy of the evidence sits on the very machine an attacker would clear it from. Even with forwarding in place, they face the challenge of keeping up with a never-ending stream of events while filtering out the ones worth analyzing for potential problems and patterns. Still, given the choice between logs left on each host and centralized collection using WEF, Event Forwarding is definitely better than no centralized collection at all.

WEF, a built-in solution

Windows Event Forwarding comes out-of-the-box on Windows systems so that administrators do not need to worry about dependencies or installation of third-party software.

WEF is a subscription-based service in which the subscriber (the collector) requests certain types of events. A WEF subscription contains an XML event query, in the same XPath-based QueryList syntax that Event Viewer uses for custom views, that selects the events to forward. Depending on the query and on which computers are enrolled, a subscription can serve different purposes: a targeted subscription collects detailed events from a small set of hosts deemed suspicious, whereas a baseline subscription enrolls every device in the organization and collects a common set of events from all of them.

The subscriber is normally a server that collects the forwarded events, usually referred to as a Windows Event Collector (WEC). The collector role is also a built-in feature of Windows: the Windows Event Collector service, configured with the wecutil command-line tool.

Windows Event Forwarding features

Windows Event Forwarding provides administrators with a broad scope of how they can implement this type of logging in their network.

WEF can be configured for source-initiated (push) or collector-initiated (pull) mode. In collector-initiated mode the collector connects to each source computer, so the only setup required on the client machines is to enable WinRM and to give the collector's account read access to the logs being pulled. In source-initiated mode the source computers are pointed at the collector through Group Policy and connect to it themselves, which scales better because the subscription does not have to list every source.

Before transmission, Windows Event Forwarding serializes each event into XML. Administrators can choose to forward events with the rendered, localized message strings attached (the RenderedText content format) or without them (the Events format), which gives more compact transmissions at the cost of rendering the messages on the collector instead. The default is RenderedText, so events arrive on the collector fully formatted by the forwarder.

Administrators can also choose between different authentication and transport options. By default, sources authenticate to the collector with Kerberos, falling back to NTLM, over HTTP on port 5985; WinRM encrypts the message body under the negotiated session key even on HTTP, so this is not a cleartext transport. If the source computers cannot be joined to the domain and Kerberos is not an option, HTTPS (port 5986) with certificate-based client authentication is also available.
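The procedure described in this section, as an added example that is not part of the original post: a source-initiated baseline subscription created on the collector with wecutil, the source-side settings that a GPO would normally apply, and the checks that confirm sources have enrolled. The collector name wec01.corp.example, the subscription name and the chosen event IDs are assumptions for illustration.

```powershell
# Added example (not from the original post). Host names, the subscription
# name and the event IDs selected are assumptions for illustration.

# --- On the collector (run elevated) ---------------------------------------
# Configure the Windows Event Collector service: starts Wecsvc, sets up the
# WinRM listener it needs and sizes the ForwardedEvents log.
wecutil qc /q

# Subscription definition. Baseline subscription: Domain Computers (DC) and
# Domain Controllers (DD) may forward, and the XPath query selects a small
# set of high-value Security events:
#   4624/4625  logon success/failure
#   4688       process creation
#   4720       user account created
# ContentFormat RenderedText (the default) sends the localized message with
# each event; "Events" is the compact alternative.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Baseline-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Baseline security events from all domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]
        </Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path "$env:TEMP\baseline-security.xml" -Value $subscription -Encoding UTF8
wecutil cs "$env:TEMP\baseline-security.xml"

# --- On each source computer (normally applied once through a GPO) ----------
# WinRM must be running, the forwarder (Network Service) needs read access
# to the Security log, and the "Configure target Subscription Manager"
# policy must point at the collector. Refresh=60 is the poll interval (s).
winrm quickconfig -q
Add-LocalGroupMember -Group "Event Log Readers" -Member "NT AUTHORITY\NETWORK SERVICE"
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name 1 -PropertyType String -Force `
    -Value "Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null
gpupdate /force

# --- Check (on the collector) -----------------------------------------------
# "gr" lists every source that has checked in with its last heartbeat; a host
# that is missing, or shows an error, has not enrolled.
wecutil gs Baseline-Security
wecutil gr Baseline-Security
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Format-Table TimeCreated, MachineName, Id, Message -AutoSize
```

The source-side block is shown as local commands so it can be tested on one machine; in production the same settings come from the GPO the introduction mentions, and the registry value is exactly what that policy writes.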

Limitations presented by Windows Event Forwarding

Despite the advantages that have been listed, WEF has some limitations. However, don’t let these limitations set you back. Let’s look at some of the disadvantages and how they can be solved.

Unsurprisingly, WEF only works with Windows systems

WEF only works with Windows systems, which can be a problem if you work with, or find yourself migrating to, a hybrid environment with Linux or other non-Windows servers. Non-Windows systems cannot forward their logs to a Windows Event Collector, and WEF is completely different from, and incompatible with, other log forwarding protocols such as syslog.

Centralized logging is still worth aspiring to, and it is entirely possible to support WEF in a hybrid environment. Since WEF is only implemented by Windows, Windows hosts cannot, out of the box, forward their event logs via WEF to a non-Windows collector. The NXLog Enterprise Edition fills this gap with the im_wseventing module, which lets NXLog act as a Windows Event Collector, including on the Linux platform. This is compelling for anyone centralizing logs from a hybrid environment, because a single tool can then accept both WEF and syslog traffic when an agent-based setup is not an option.
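An added configuration example, not taken from the original post or from the NXLog documentation, of what the hybrid setup just described looks like: one NXLog Enterprise Edition instance on Linux that receives WEF traffic with im_wseventing and syslog over TLS with im_ssl, and ships both streams to a SIEM as JSON. The host names, ports, certificate paths and subscription name are assumptions; the directive names follow the im_wseventing and im_ssl module references and should be checked against the installed version.

```nxlog
# Added example (not from the original post). Hostnames, ports, certificate
# paths and the subscription name are assumptions for illustration.
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

<Input wec>
    Module      im_wseventing
    # URL that the Windows sources are pointed at through the
    # "Configure target Subscription Manager" policy:
    #   Server=https://wec01.corp.example:5986/wsman/SubscriptionManager/WEC,Refresh=60
    Address     https://wec01.corp.example:5986/wsman
    ListenAddr  0.0.0.0
    Port        5986
    # HTTPS with certificate-based client authentication: the Windows sources
    # present a machine certificate issued by the CA in HTTPSCAFile, which is
    # the option to use when Kerberos is not available to the collector.
    HTTPSCertFile     /etc/nxlog/cert/wec01.crt
    HTTPSCertKeyFile  /etc/nxlog/cert/wec01.key
    HTTPSCAFile       /etc/nxlog/cert/ca.crt
    SubscriptionName  Baseline-Security
    # Same XPath query syntax as a native WEF subscription.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Linux hosts report to the same collector over syslog/TLS.
<Input syslog_tls>
    Module      im_ssl
    ListenAddr  0.0.0.0
    Port        6514
    CertFile    /etc/nxlog/cert/wec01.crt
    CertKeyFile /etc/nxlog/cert/wec01.key
    CAFile      /etc/nxlog/cert/ca.crt
    Exec        parse_syslog();
</Input>

# Both streams leave as newline-delimited JSON over one TCP connection.
<Output siem>
    Module      om_tcp
    Host        siem.corp.example
    Port        1514
    Exec        to_json();
</Output>

<Route hybrid>
    Path        wec, syslog_tls => siem
</Route>
```

Validate the file with nxlog -v before starting the service. The Windows sources need the collector's CA in their trusted root store and a client certificate issued by that CA, and the subscription manager URL in the policy must use the same host name as the collector's certificate.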

WEF is complex and fairly resource intensive

Windows Event Forwarding is based on the WS-Management standard and uses the Windows Remote Management (WinRM) service to forward events to a Windows Event Collector. WS-Management, and thus WinRM, is built on SOAP, an XML-based messaging protocol. Serializing every event into XML, wrapping it in SOAP and shipping it over WinRM costs CPU and bandwidth on both the source and the collector.

If you plan to forward Windows Event Log from systems that produce a large volume of events, it is worth considering an agent-based setup instead. Some Windows servers, especially domain controllers, generate a lot of events, and the volume can be significant even when filtering collects only a subset of the data, such as the Security log. Using NXLog as an agent with the im_msvistalog module lets you read the event log locally, filter it before it leaves the host, and keep up with a volume that WEF may not be able to handle.
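An added example, not from the original post or the NXLog documentation, of the agent-based alternative just described: NXLog Enterprise Edition on a domain controller reading the Security log locally with im_msvistalog, with the filtering done in the query so that the noisiest event types are never read at all. The event IDs are illustrative choices and the SIEM address is an assumption.

```nxlog
# Added example (not from the original post). Event IDs are illustrative;
# the SIEM host and port are assumptions.
<Extension _json>
    Module      xm_json
</Extension>

# Same XPath syntax as a WEF subscription or an Event Viewer custom view.
# Logon, privilege and account-management events are selected; 4662
# (directory service access) and 5156 (filtering platform connection),
# which dominate the volume on a DC, are never read. The Suppress clause
# drops service logons (type 5), which fire constantly and add little.
<Input security>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[(EventID=4624 or EventID=4625 or EventID=4648 or
                              EventID=4672 or EventID=4688 or EventID=4720 or
                              EventID=4728 or EventID=4732 or EventID=4756)]]
                </Select>
                <Suppress Path="Security">
                    *[System[EventID=4624] and EventData[Data[@Name='LogonType']='5']]
                </Suppress>
            </Query>
        </QueryList>
    </QueryXML>
    # Keep a bookmark so a restart resumes where it stopped instead of
    # re-reading or skipping events.
    SavePos     TRUE
</Input>

<Output siem>
    Module      om_tcp
    Host        siem.corp.example
    Port        1514
    # Newline-delimited JSON: $Message carries the rendered event text and
    # the EventData values are exposed as fields such as $TargetUserName.
    Exec        to_json();
</Output>

<Route security_to_siem>
    Path        security => siem
</Route>
```

Because the filter is applied where the events are read, the cost of the events that are dropped is never paid on the network or on the collector, which is the point of the agent-based approach on a busy host.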

Some log collector products advertise WEC capabilities when in reality they only read the Forwarded Events log and rely on the built-in Windows Event Collector service to populate it. This is not ideal for several reasons. First, it is Windows-only, so you need a Windows server acting as the WEC. Second, every event is first written into the Windows Event Log by the WEC service and then has to be read back out by the collector before it can be shipped to the destination of choice, which puts the disk and CPU to work unnecessarily. The NXLog Enterprise Edition can be configured as a WEC that runs natively on all supported platforms, including Linux and even lightweight containers, which saves considerable resources compared with the baseline OS requirements of a Windows server.

No forwarding available for events outside Windows Event Log

Windows Event Forwarding only works with the Windows Event Log; it cannot forward events that are not stored there. A centralized log collection system that can recognize and parse a far wider variety of logs, including logs from custom software and other protocols, is recommended.

While Event Viewer can show Analytic and Debug channels, that data comes from the Event Tracing for Windows (ETW) subsystem, which WEF cannot subscribe to. Logs stored in files or in Microsoft SQL Server are likewise out of WEF's reach. If you plan to capture and forward such data, of which the Windows DNS Server logs are a good example, an agent-based approach is highly recommended.

The NXLog Enterprise Edition natively supports ETW log collection, can parse and collect a wide variety of formats from files, can pull data from ODBC-compliant databases, and offers many other collection methods beyond what WEF can provide.
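An added example, not from the original post or the NXLog documentation, for the sources named in the two paragraphs above that WEF cannot reach: the NXLog Enterprise Edition agent on a Windows DNS server reading DNS Server analytical events from ETW with im_etw and the classic DNS debug log from a file with im_file, forwarding both as RFC 5424 syslog. The file path and the syslog destination are assumptions.

```nxlog
# Added example (not from the original post). The debug log path and the
# syslog destination are assumptions for illustration.
<Extension _syslog>
    Module      xm_syslog
</Extension>

# DNS Server analytical events straight from ETW. This is the data Event
# Viewer only shows after the Analytical channel is enabled, and the data
# WEF cannot subscribe to.
<Input dns_etw>
    Module      im_etw
    Provider    Microsoft-Windows-DNSServer
</Input>

# Classic DNS debug log, if logging to a file is enabled instead. The file
# contains header and blank lines; the blanks are dropped so downstream
# parsing sees one record per line.
<Input dns_debug>
    Module      im_file
    File        'C:\dns\dns.log'
    Exec        if $raw_event =~ /^\s*$/ drop();
</Input>

<Output syslog_out>
    Module      om_tcp
    Host        siem.corp.example
    Port        514
    # Wrap each record in an RFC 5424 header so a syslog-only SIEM accepts it.
    Exec        to_syslog_ietf();
</Output>

<Route dns>
    Path        dns_etw, dns_debug => syslog_out
</Route>
```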

How to go beyond Windows Event Forwarding

We encourage administrators not only to make the most of Windows Event Forwarding but also to go beyond it and consider other log formats and sources. With the NXLog Enterprise Edition, you can set up logging that supports not only the Windows Event Log but many more data sources on the Windows platform. It can also parse log data, convert Windows Event Log to syslog, JSON and other formats, and forward events directly to most popular SIEM products.

Enterprises, service providers and MSSPs using NXLog have no need for a Windows-based WEC server, since a WEC can be set up on Linux. Whether you are new to WEF or seeking to expand the capabilities of your current Windows logging setup, NXLog has something for you.

If you are interested in testing out the capabilities of the NXLog Enterprise Edition, you can download a trial or contact us with a question. Our User Guide also has many configuration examples that are ready for use.


NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.

© Copyright 2023 NXLog Ltd.
