Using WEC to forward logs

WEC to OnePlatform via DataStreamer

Challenges to be aware of:

Reliability and "Silent Failures" - The most significant fear is the stalled subscription. WEC can occasionally stop forwarding events without throwing an error.
Scalability and Resource "Bloat" - WEC does not scale linearly. Many admins find that as they add more endpoints, the collector's memory usage spikes or the registry becomes unmanageable.
Noise vs. Visibility (The XPath Struggle) - Filtering at the source is critical. If you collect everything, you’ll crush your SIEM budget and your network bandwidth; if you collect too little, you miss the "lateral movement" indicators.
Permissions and WinRM Headaches - Getting the initial handshake to work—and stay working—is a constant struggle, especially with the NETWORK SERVICE permissions required for the Security Log.

Phase 1: Building a Production WEC Infrastructure

Prerequisites

Windows Server 2019/2022 (Dedicated, not domain controller)
50GB+ storage for event logs (calculate: 500 endpoints × 500 events/day × 512 bytes = ~125MB/day)
Domain membership (for certificate auto-enrollment or Kerberos)
Firewall rules: TCP/5985 (HTTP) or TCP/5986 (HTTPS) inbound from all forwarding computers

Step 1: Deploy WEC Role

# On Windows Server (run as Administrator)
Install-WindowsFeature -Name WecServer -IncludeManagementTools

# Configure maximum event delivery queue (critical for high volume)
wecutil es-config /ms:5000

# Start the Event Collector service
Start-Service Wecsvc
Set-Service Wecsvc -StartupType Automatic

Step 2: Configure SSL Certificate (Production MUST)

# Request certificate from internal CA
$cert = Get-Certificate -Template WebServer -DnsName "weccollector.corp.local" -CertStoreLocation cert:\LocalMachine\My

# Bind certificate to HTTP/HTTPS
netsh http delete sslcert ipport=0.0.0.0:5986
netsh http add sslcert ipport=0.0.0.0:5986 certhash=$($cert.Thumbprint) appid="{00000000-0000-0000-0000-000000000000}"

Step 3: Configure Group Policy for Forwarding Computers

Create WEC-Client-Settings GPO:

Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding:

Configure target Subscription Manager:
Value: Server=https://weccollector.corp.local:5986/wsman/SubscriptionManager/WEC, Refresh=60

Set "Enable Event Forwarding" = Enabled
Set "Heartbeat Interval" = 30 minutes

Computer Configuration → Windows Settings → Security Settings → System Services:

Windows Event Log (EventLog): Startup = Automatic
Windows Remote Management (WS-Management): Startup = Automatic

Step 4: Create Optimized Subscriptions (The Critical Part)

# Create Subscription Configuration File (security-subscription.xml)
@"
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>Security-Essentials</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Critical security events only - filtered</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Custom</ConfigurationMode>
    <Delivery Mode="Push">
        <Batching>
            <MaxItems>5000</MaxItems>
            <MaxLatencyTime>60</MaxLatencyTime>
        </Batching>
        <PushSettings>
            <Heartbeat Interval="1800000" />
        </PushSettings>
    </Delivery>
    <Query>
        <![CDATA[
            <QueryList>
                <Query Id="0" Path="Security">
                    <!-- Authentication events -->
                    <Select Path="Security">
                        *[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4648 or EventID=4672 or EventID=4776)]]
                    </Select>
                    <!-- Process creation (requires audit process tracking) -->
                    <Select Path="Security">
                        *[System[EventID=4688]] and *[EventData[Data[@Name='ProcessName']!='C:\Windows\System32\svchost.exe']]
                    </Select>
                    <!-- Group membership changes -->
                    <Select Path="Security">
                        *[System[(EventID=4728 or EventID=4729 or EventID=4732 or EventID=4756)]]
                    </Select>
                    <!-- Suppress noise -->
                    <Suppress Path="Security">
                        *[System[EventID=4634]] or
                        *[System[EventID=4689]] or
                        *[System[EventID=5140]] or
                        *[System[EventID=5145]]
                    </Suppress>
                </Query>
            </QueryList>
        ]]>
    </Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>http</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <LogFile>ForwardedEvents</LogFile>
    <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
    <AllowedSourceDomainComputers>O:CGAGD:(A;;GA;;;DC)(A;;GA;;;AC)</AllowedSourceDomainComputers>
</Subscription>
"@ | Out-File -FilePath "C:\WEC\security-subscription.xml" -Encoding UTF8

# Create subscription
wecutil cs C:\WEC\security-subscription.xml /f

# Create Sysmon subscription (if deployed)
# ... similar pattern with Sysmon event IDs

Step 5: Create Forwarding Groups Using Security Groups

# Create AD security groups for different log types
# - WEC_High_Security (Domain Controllers, sensitive servers)
# - WEC_Standard (All workstations)
# - WEC_Sysmon (Systems with Sysmon installed)

# Update subscription allowed computers
wecutil ss Security-Essentials /rf:"O:NSG:WEC_High_Security" /uf:"O:NSG:WEC_Standard"

Step 6: Validate Forwarding

# On collector - check subscription status
wecutil gr Security-Essentials

# On forwarding computer - test connectivity
Test-WSMan -ComputerName weccollector.corp.local -Authentication Negotiate

# Forwarding computer - check if subscription applied
wecutil es
Get-WinEvent -LogName "ForwardedEvents" -MaxEvents 10

Phase 2: LogShipper as WEC to DataStreamer -> OnePlatform

Architecture Overview

WEC Collector → LogShipper (Windows Service) → DataStreamer -> OnePlatform
                                                    ↓
                                        [Parsing/Filtering/Enrichment]

Installation & Configuration

Step 1: Install LogForwarder on WEC Server

See Windows Log forwarder Installation here.

Step 2: Create Production Configuration

[SERVICE]
    # Performance tuning for WEC workloads
    Flush                     1
    Daemon                    Off
    Log_Level                 info
    Log_File                  <BluLogShipperHome>\blulogshipper.log
    Parsers_File              parsers.conf
    HTTP_Server               On
    HTTP_Listen               0.0.0.0
    HTTP_Port                 2020
    
    # Buffer management (critical for cloud forwarding)
    Buffer_Max_Size           50M
    Grace                     30
    Storage.Path              <BluLogShipperHome>\storage
    Storage.Sync              normal
    Storage.Checksum          On
    Storage.Max_Chunks_Up     128

[INPUT]
    # Read Windows ForwardedEvents log (where WEC writes)
    Name                      winlog
    Channels                  ForwardedEvents
    Interval_Sec              1
    Read_Existing_Events      false
    Buffer_Size               2MB
    Tag                       wec.events

[FILTER]
    # Remove noise events before sending to cloud
    Name                      grep
    Match                     wec.events
    Exclude                   $EventID ^(0|7036|10000|20000)$

[FILTER]
    # Add metadata for cloud routing
    Name                      modify
    Match                     wec.events
    Add                       source_wec_server %HOSTNAME%
    Add                       environment production
    Add                       collector_target DataStreamer
    Add                       facility windows_event_forwarding

[OUTPUT]
    # Forward to DataStreamer using BluLogShhipper Forward protocol
    Name                      forward
    Match                     wec.events
    Host                      <DataStreamer Hostname>
    Port                      2049
    tls                       On
    tls.verify                Off
    tls.ca_file               <BluLogShipperHomePath>\certs\ca.pem
    
    # Compression for bandwidth savings
    compress                  gzip
    
    # Retry and reliability
    retry_limit               5
    net.keepalive             On
    net.keepalive_idle        30
    net.keepalive_interval    5
    
    # Buffer when cloud is unreachable
    storage.total_limit_size  1G

Step 3: Optimize Windows Event Log for BluLogShipper Reading

# Increase ForwardedEvents log size (default 1MB is too small)
wevtutil sl ForwardedEvents /ms:1073741824  # 1GB max size
wevtutil sl ForwardedEvents /rt:true        # Retain events

# Configure circular logging to prevent filling disk
wevtutil sl ForwardedEvents /rt:true /ab:false

Step 4: Create Performance Tuning Script

# Optimize Windows for high-throughput event forwarding

# Increase network buffer for WinRM/Event Forwarding
netsh int tcp set global autotuninglevel=normal

# Disable Nagle's algorithm for WinRM
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN" -Name "DisableNagle" -Value 1 -Type DWord

# Increase BluLogShipper process priority
$logshipper = Get-Process -Name blulogshipper -ErrorAction SilentlyContinue
if ($logshipper) {
    $logshipper.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::High
}

# Set BluLogShipper service recovery actions
sc.exe failure blulogshipper reset=86400 actions=restart/1000/restart/5000/restart/10000

# Add BluLogShipper to Windows Defender exclusions
Add-MpPreference -ExclusionPath "<BluLogShipperHomePath>"
Add-MpPreference -ExclusionProcess "blulogshipper.exe"

Troubleshooting Matrix

Symptom

Diagnosis

Fix

Events delayed 10+ minutes

wecutil gr shows backlog

Increase MaxItems to 10000, reduce MaxLatencyTime to 30

BluLogShipper memory leak

Missing Buffer_Max_Size

Set Buffer_Max_Size 50M and enable Storage.Checksum

Duplicate events to SIEM

Read_Existing_Events = true

Set Read_Existing_Events false in winlog input

WEC certificate errors

Check Event ID 100 (WEC-Client)

Deploy cert via GPO, validate winrm get winrm/config

SIEM connection resets

TCP keepalive too short

Set net.keepalive On and net.keepalive_idle 300

Security Hardening

# Restrict BluLogShipper configuration access
icacls "<BluLogShipperHomePath>\blulogshipper.conf" /inheritance:r
icacls "<BluLogShipperHomePath>\blulogshipper.conf" /grant:r "SYSTEM:(R,W)"
icacls "<BluLogShipperHomePath>\blulogshipper.conf" /grant:r "Administrators:(R)"

# Run service as Managed Service Account (gMSA)
$msa = "<managedserviceaccount>"
sc.exe config blulogshipper obj="$msa" password=""

# Enable TLS mutual auth for output
[OUTPUT]
    Name http
    tls On
    tls.verify Off
    tls.ca_file C:\certs\ca.pem
    tls.crt_file C:\certs\client.crt
    tls.key_file C:\certs\client.key

Performance Baseline (5000 endpoints)

Metric

Target

Alert Threshold

Events/second processed

15,000

< 5,000 for 5 min

BluLogShipper CPU usage

< 15%

> 40% sustained

Memory usage

< 500MB

> 1.5GB

WEC subscription latency

< 60 sec

> 300 sec

Disk queue length

< 0.5

> 2 for 10 min

Disaster Recovery

# Backup WEC configuration weekly
wecutil es /f:wec_subscriptions.xml
wevtutil epl ForwardedEvents wec_backup.evtx /ow:true

This implementation provides enterprise-grade reliability, filtering efficiency, and observability. The key is filtering at both WEC (XPath) and BluLogShipper to reduce SIEM ingestion costs by 70-90% compared to forwarding everything.

PreviousMicrosoft’s IIS Integration NextNetGear

Last updated 1 month ago