Using WEC to forward logs

WEC to OnePlatform via DataStreamer

Challenges to be aware of:

  • Reliability and "Silent Failures" - The most significant fear is the stalled subscription. WEC can occasionally stop forwarding events without throwing an error.

  • Scalability and Resource "Bloat" - WEC does not scale linearly. Many admins find that as they add more endpoints, the collector's memory usage spikes or the registry becomes unmanageable.

  • Noise vs. Visibility (The XPath Struggle) - Filtering at the source is critical. If you collect everything, you’ll crush your SIEM budget and your network bandwidth; if you collect too little, you miss the "lateral movement" indicators.

  • Permissions and WinRM Headaches - Getting the initial handshake to work—and stay working—is a constant struggle, especially with the NETWORK SERVICE permissions required for the Security Log.

Phase 1: Building a Production WEC Infrastructure

Prerequisites

  • Windows Server 2019/2022 (Dedicated, not domain controller)

  • 50GB+ storage for event logs (calculate: 500 endpoints × 500 events/day × 512 bytes = ~125MB/day)

  • Domain membership (for certificate auto-enrollment or Kerberos)

  • Firewall rules: TCP/5985 (HTTP) or TCP/5986 (HTTPS) inbound from all forwarding computers

Step 1: Deploy WEC Role

Step 2: Configure SSL Certificate (Production MUST)

Step 3: Configure Group Policy for Forwarding Computers

Create WEC-Client-Settings GPO:

Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding:

Computer Configuration → Windows Settings → Security Settings → System Services:

Step 4: Create Optimized Subscriptions (The Critical Part)

Step 5: Create Forwarding Groups Using Security Groups
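
The XPath filtering discussed under "Noise vs. Visibility" and Steps 4 and 5 above, as an added example that is not part of the original page or the vendor's documentation. It creates a source-initiated subscription with `wecutil`, selects a short list of high-value Security events, suppresses the noisiest logon type, and limits allowed forwarders to one AD security group via SDDL. The subscription name, the group name, the event IDs and the batching values are illustrative assumptions; run it elevated on the collector.

```powershell
# Added example (not from the page or the vendor): create a source-initiated WEC
# subscription whose XPath query forwards only high-value Security events and whose
# ACL admits only members of one forwarder security group. Run elevated on the collector.
# Subscription name, group name, event IDs and batching values are assumptions.

$SubscriptionName = 'Security-Critical'        # assumed
$ForwarderGroup   = 'CONTOSO\WEC-Forwarders'   # assumed AD group of forwarding computers (Step 5)

# The subscription ACL is SDDL, so resolve the group name to its SID first.
$GroupSid = ([System.Security.Principal.NTAccount]$ForwarderGroup).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value
$Sddl = "O:NSG:BAD:P(A;;GA;;;$GroupSid)S:"

# XPath: keep logon, privilege, process/service/task creation and account-change
# events; suppress LogonType 5 (service logons), which dominate 4624 volume.
$QueryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688
        or EventID=4697 or EventID=4698 or EventID=4720 or EventID=4728
        or EventID=4732 or EventID=4756)]]
    </Select>
    <Suppress Path="Security">
      *[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='5']]
    </Suppress>
  </Query>
</QueryList>
"@

$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Filtered Security events from $ForwarderGroup</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>10000</MaxItems>             <!-- events per batch -->
      <MaxLatencyTime>30000</MaxLatencyTime> <!-- milliseconds: 30 s, as in the troubleshooting matrix -->
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>          <!-- milliseconds; lets wecutil gr report LastHeartbeatTime per source -->
    </PushSettings>
  </Delivery>
  <Query><![CDATA[$QueryXml]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents> <!-- do not replay history into the SIEM -->
  <TransportName>HTTP</TransportName>            <!-- Kerberos on 5985; switch to HTTPS once the Step 2 certificate is in place -->
  <ContentFormat>Events</ContentFormat>          <!-- raw XML; RenderedText adds message strings and bandwidth -->
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>$Sddl</AllowedSourceDomainComputers>
</Subscription>
"@

$Path = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $Path -Value $SubscriptionXml -Encoding UTF8

wecutil qc /q:true               # make sure the Windows Event Collector service is configured
wecutil cs $Path                 # create the subscription from the file
wecutil gs $SubscriptionName     # print the stored configuration back for review
```

Keep the Select list short and deliberate: every event ID added here is multiplied by the number of forwarders, and a Suppress clause is the cheapest place to drop a noisy subclass before it ever leaves the endpoint.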

Step 6: Validate Forwarding
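
A collector-side health check for Step 6 and for the "silent failure" described at the top of the page, as an added example that is not part of the original page or the vendor's tooling. It parses `wecutil gr` for each subscription, flags sources whose heartbeat is stale or whose status is not Active, and then watches the newest `ForwardedEvents` record id for a short window: if active sources exist but the id does not advance, forwarding has stalled even though the subscription reports Active. The layout assumed for `wecutil gr` output, the threshold values and the sampling window are assumptions; run it elevated on the WEC server.

```powershell
# Added example (not from the page or the vendor): detect the "stalled subscription"
# failure, where wecutil reports Active but no events arrive. Run elevated on the
# WEC server. Parsing of `wecutil gr` output and the thresholds are assumptions.

param(
    [int]$StaleHeartbeatMinutes = 15,   # assumed: comfortably above the subscription heartbeat interval
    [int]$SampleSeconds         = 120   # how long to watch ForwardedEvents for new records
)

function Get-WecSourceStatus {
    # Parse `wecutil gr <id>`: after the "EventSources:" line, each line without a colon
    # is a source hostname and the following "Key: value" lines belong to it (assumed layout).
    param([string]$SubscriptionId)
    $results   = New-Object System.Collections.Generic.List[object]
    $inSources = $false
    $current   = $null
    foreach ($raw in (wecutil gr $SubscriptionId)) {
        $line = "$raw".Trim()
        if (-not $inSources) { if ($line -eq 'EventSources:') { $inSources = $true }; continue }
        if ($line -and $line -notmatch ':') {
            $current = [pscustomobject]@{
                Subscription = $SubscriptionId; Source = $line
                Status = $null; LastError = $null; LastHeartbeat = $null
            }
            $results.Add($current)
        }
        elseif ($current -and $line -match '^RunTimeStatus:\s*(\S+)')     { $current.Status        = $Matches[1] }
        elseif ($current -and $line -match '^LastError:\s*(\d+)')         { $current.LastError     = [int]$Matches[1] }
        elseif ($current -and $line -match '^LastHeartbeatTime:\s*(\S+)') { $current.LastHeartbeat = [datetime]$Matches[1] }
    }
    return $results
}

function Get-ForwardedEventsHighWaterMark {
    # RecordId of the newest ForwardedEvents entry. Unlike RecordCount, it keeps increasing
    # after a circular log has filled and started overwriting. Returns 0 for an empty log.
    $newest = Get-WinEvent -LogName ForwardedEvents -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($newest) { return [int64]$newest.RecordId } else { return [int64]0 }
}

function Test-WecForwardingHealth {
    param([int]$StaleMinutes, [int]$SampleSeconds)
    $subs    = @(wecutil es | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
    $sources = @(foreach ($s in $subs) { Get-WecSourceStatus -SubscriptionId $s })

    $cutoff = (Get-Date).AddMinutes(-$StaleMinutes)
    $active = @($sources | Where-Object { $_.Status -eq 'Active' })
    $stale  = @($active  | Where-Object { $_.LastHeartbeat -and $_.LastHeartbeat -lt $cutoff })
    $broken = @($sources | Where-Object { $_.Status -ne 'Active' -or $_.LastError -ne 0 })

    # Silent-failure check: with active sources, the newest RecordId must advance.
    $before = Get-ForwardedEventsHighWaterMark
    Start-Sleep -Seconds $SampleSeconds
    $after  = Get-ForwardedEventsHighWaterMark
    $rate   = ($after - $before) / $SampleSeconds

    [pscustomobject]@{
        Subscriptions     = $subs.Count
        Sources           = $sources.Count
        ActiveSources     = $active.Count
        StaleHeartbeats   = $stale.Count
        SourcesWithErrors = $broken.Count
        EventsPerSecond   = [math]::Round($rate, 1)
        Stalled           = ($active.Count -gt 0 -and $after -eq $before)
        StaleSourceNames  = (($stale | ForEach-Object { "$($_.Subscription)/$($_.Source)" }) -join ', ')
    }
}

$report = Test-WecForwardingHealth -StaleMinutes $StaleHeartbeatMinutes -SampleSeconds $SampleSeconds
$report | Format-List
# A non-zero exit code lets a scheduled task or monitoring agent raise the alert.
if ($report.Stalled -or $report.StaleHeartbeats -gt 0 -or $report.SourcesWithErrors -gt 0) { exit 1 }
```

Schedule it at a cadence longer than `$SampleSeconds` and alert on the exit code; when a subscription is flagged, `wecutil rs <subscription>` forces a retry against its sources, and the per-source names in `StaleSourceNames` tell you which forwarders to inspect for WinRM or certificate problems.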


Phase 2: LogShipper as WEC to DataStreamer -> OnePlatform

Architecture Overview

Installation & Configuration

Step 1: Install LogForwarder on WEC Server

See Windows Log forwarder Installation here.

Step 2: Create Production Configuration

Step 3: Optimize Windows Event Log for BluLogShipper Reading

Step 4: Create Performance Tuning Script

Troubleshooting Matrix

| Symptom | Diagnosis | Fix |
|---|---|---|
| Events delayed 10+ minutes | wecutil gr shows backlog | Increase MaxItems to 10000, reduce MaxLatencyTime to 30 |
| BluLogShipper memory leak | Missing Buffer_Max_Size | Set Buffer_Max_Size 50M and enable Storage.Checksum |
| Duplicate events to SIEM | Read_Existing_Events = true | Set Read_Existing_Events false in winlog input |
| WEC certificate errors | Check Event ID 100 (WEC-Client) | Deploy cert via GPO, validate winrm get winrm/config |
| SIEM connection resets | TCP keepalive too short | Set net.keepalive On and net.keepalive_idle 300 |

Security Hardening

Performance Baseline (5000 endpoints)

| Metric | Target | Alert Threshold |
|---|---|---|
| Events/second processed | 15,000 | < 5,000 for 5 min |
| BluLogShipper CPU usage | < 15% | > 40% sustained |
| Memory usage | < 500MB | > 1.5GB |
| WEC subscription latency | < 60 sec | > 300 sec |
| Disk queue length | < 0.5 | > 2 for 10 min |

Disaster Recovery

This implementation provides enterprise-grade reliability, filtering efficiency, and observability. The key is filtering at both WEC (XPath) and BluLogShipper to reduce SIEM ingestion costs by 70-90% compared to forwarding everything.
