December 17, 2018 · windows, strategy

Making the most of Windows Event Forwarding for centralized log collection

By Arielle Bonnici


Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported on Windows-based systems. It is straightforward to set up since it is already built into Windows, and it needs only a few prerequisites, such as a dedicated event collector server and a group policy object (GPO) that points the source hosts at it. Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by the limitations of WEF and how each of them can be addressed.

Advantages to Windows Event Forwarding for centralized log collection

Logging with Windows Event Forwarding is better than being in the dark

Despite the importance of centralized logging, not all enterprise environments on the Windows platform make the most of Windows Event Forwarding, even though it is a key part of security infrastructure and is already natively supported. With no Event Forwarding set up, administrators are left in the dark regarding what is occurring in their system logs. And even with logging set up, administrators face the challenge of keeping up with a never-ending stream of system logs while trying to filter out the events worth analyzing for potential problems, patterns, and more. Therefore, if the choice is between local-only logging and centralized logging using WEF, Event Forwarding is definitely better than no centralized collection at all.

WEF, a built-in solution

Windows Event Forwarding comes out-of-the-box on Windows systems so that administrators do not need to worry about dependencies or installation of third-party software.

WEF is a subscription-based service in which the event subscriber requests certain types of events to be forwarded. The WEF subscription normally includes XML event queries for selecting events. Depending on the query, the subscription can be set up to collect events for different purposes. A targeted WEF subscription collects events from a set of specific hosts that are deemed suspicious. With baseline logging, events are collected from all hosts, since this kind of subscription enrolls every device in the organization.

The subscriber is normally a server that collects the forwarded events, and it is usually referred to as a Windows Event Collector (WEC). The collector mode is also a built-in feature in Windows.

Windows Event Forwarding features

Windows Event Forwarding provides administrators with a broad scope of how they can implement this type of logging in their network.

WEF can be configured for source-initiated (push) or subscriber-initiated (pull) mode. With the subscriber-initiated mode, the only setup required is to enable WinRM on the client machines that need to be monitored.

Before log transmission, Windows Event Forwarding converts logs into a rendered XML format. Administrators can choose to have these logs forwarded with or without the localized message strings attached, the latter allowing for more compact transmissions. By default, WEF pre-renders events, so the logs arrive fully formatted from the forwarder.

Administrators can also choose between different methods of secure transmission, such as the default option for Kerberos with a fallback option to NTLM. If the subscriber cannot be joined in the domain and Kerberos is not an option, HTTPS is also available with certificate-based authentication.
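The following is an added example, not code from the original post: a source-initiated (push) subscription registered on the collector with the built-in wecutil tool, tying together the XML event query, the content format (rendered or not) and the transport options described above. The subscription name, event IDs, batching values and file path are assumed; source hosts still need the GPO that points them at this collector.

```powershell
# Added example (not from the original post). Assumed: subscription name,
# event IDs 4624/4625 (logon success/failure), batching and heartbeat values.

# 1. On the collector, enable the Windows Event Collector service and WinRM.
wecutil qc /q
winrm quickconfig -q

# 2. Subscription definition. ContentFormat=RenderedText ships the localized
#    message strings with each event (the pre-rendered default); "Events"
#    forwards the compact, unrendered form. TransportName=HTTP uses Kerberos
#    (NTLM fallback) for domain hosts; use HTTPS with certificates otherwise.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>BaselineLogons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Baseline: logon success/failure from all domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>50</MaxItems>
      <MaxLatencyTime>60000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: allow Domain Computers (DC) and Network Service (NS) to forward -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@
$subscription | Set-Content -Path "$env:TEMP\BaselineLogons.xml" -Encoding ASCII

# 3. Register the subscription and check which sources have checked in.
wecutil cs "$env:TEMP\BaselineLogons.xml"
wecutil gr BaselineLogons
```

Events selected by the query land in the collector's ForwardedEvents log; the runtime status from the last command is the first place to look when a source host is not reporting.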

Limitations presented by Windows Event Forwarding

Despite the advantages that have been listed, WEF has some limitations. However, don’t let these limitations set you back. Let’s look at some of the disadvantages and how they can be solved.

Unsurprisingly, WEF only works with Windows systems

WEF only works with Windows systems, and this can be problematic if you work with or find yourself migrating to hybrid server environments. Systems other than Windows cannot forward their logs to a Windows Event Collector. WEF is completely different from, and incompatible with, other log forwarding protocols such as syslog.

Centralized logging is still worth aspiring to, and it is entirely possible to support WEF in a hybrid server environment. Since WEF is only supported by Windows, it is not possible to forward Windows Event Log via WEF to a non-Windows based server. However, the NXLog Enterprise Edition offers a solution with the im_wseventing module, which allows you to set up NXLog as a Windows Event Collector, even on the Linux platform. This can be compelling to users looking to centralize logs from hybrid environments, since NXLog allows the collection of both WEF and syslog based logs with a single tool when an agent-based setup is not an option.

WEF is complex and fairly resource intensive

Windows Event Forwarding is based on the WS-Management standard and uses the Windows Remote Management (WinRM) service on Windows to forward events to a Windows Event Collector. WS-Management and thus WinRM are based on SOAP, which is an XML-based communication protocol. Serializing Windows Event Log into XML and shipping it via WinRM requires some resources.

If you are planning to forward Windows Event Log from systems producing a large amount of logs, it’s worth considering an agent-based setup. Some Windows servers, especially domain controllers, can generate a lot of logs. The log volume can be significant even if filtering is enabled to collect only a subset of the data, such as the Security log. Using NXLog as an agent to collect Windows Event Log with the im_msvistalog module should keep up with the volume that WEF may not be able to handle.

Some log collector solutions advertise WEC capabilities when in reality they only collect data from the Forwarded Events log, relying on the built-in WEC service in Windows to store events there. This is not ideal for several reasons. First, it is Windows-only, so you need a Windows server acting as the WEC. Second, the data is first written into the Windows Event Log by the WEC service and then has to be read back out by the collector to ship it to the destination of choice. This puts the disk and CPU unnecessarily to work and is a waste of resources. The NXLog Enterprise Edition can be configured as a WEC that runs natively on all supported platforms, including Linux or even lightweight containers. Given the basic OS requirements of a Windows server, this alone can save a lot of resources.

No forwarding available for events outside Windows Event Log

Windows Event Forwarding only works with the Windows Event Log. It cannot forward events that are not stored in the Windows Event Log. Using a centralized log collection system that can recognize and parse a far greater variety of logs, including logs from custom software and other protocols, is recommended.

While the Windows Event Viewer is able to show Analytic and Debug channels, this data is handled through the Event Tracing for Windows (ETW) subsystem, which WEF cannot handle. Logs stored in files or in MSSQL are also out of reach for WEF. If you are planning to capture and forward such data, of which the Windows DNS Server logs are a good example, then it is highly recommended to consider an agent-based approach.

The NXLog Enterprise Edition natively supports ETW log collection, can parse and collect a wide variety of formats from files, is able to pull data from ODBC compliant databases, and offers many other types of collection versus what WEF can provide.

How to go beyond Windows Event Forwarding

We encourage administrators to not only make the most of Windows Event Forwarding, but to also go beyond and consider other log formats and sources. With the NXLog Enterprise Edition, you can set up logging that supports not only the Windows Event Log but many more data sources on the Windows platform. In addition, it can also be configured to parse log data; to convert Windows Event Log to syslog, JSON, and other formats; and to forward events directly to most popular SIEM products.

Enterprises, service providers, and MSSPs using NXLog will have no need for a Windows-based WEC server as a WEC can be set up on Linux. Whether you are new to WEF or seeking to expand your current Windows logging system capabilities, there is something for you with NXLog.

If you are interested in testing out the capabilities of the NXLog Enterprise Edition, you can download a trial or contact us with a question. Our User Guide also has many configuration examples that are ready for use.
