# Using WEC to forward logs

## WEC to OnePlatform via DataStreamer

### Challenges to be aware of

* **Reliability and "silent failures":** the most significant risk is the **stalled subscription**. WEC can stop receiving events from a forwarder without logging an error on either side, so the collector service looks healthy while a forwarder silently falls behind or drops off. Monitor per-source runtime status and event freshness, not just service state.

* **Scalability and resource "bloat":** WEC does not scale linearly. As endpoints are added, the collector's memory use and the per-source bookkeeping it keeps in the registry grow; plan to scale out with additional collectors rather than up with one large one.

* **Noise vs. visibility (the XPath struggle):** filter at the source. Collect everything and you exhaust SIEM budget and network bandwidth; collect too little and you miss the lateral-movement indicators (network and remote-interactive logons, explicit-credential logons, privileged-group changes).

* **Permissions and WinRM headaches:** getting the initial handshake to work, and keeping it working, is a recurring problem. The forwarder's WinRM service runs as NETWORK SERVICE and has no read access to the Security log by default, so every channel except Security forwards until that ACL is fixed; certificate expiry and listener rebinding break it again later.

### Phase 1: Building a Production WEC Infrastructure

#### Prerequisites

* **Windows Server 2019/2022**, dedicated to collection (not a domain controller)
* **Storage sized for your real volume.** The formula is endpoints × events/day × bytes/event; for example 500 endpoints × 500 events/day × 512 bytes ≈ 128 MB/day. A Security log with process creation auditing enabled runs far above 500 events/day per host, so measure a sample before committing; 50 GB+ is a reasonable floor for the ForwardedEvents log plus the shipper's on-disk buffer.
* **Domain membership** (for Kerberos authentication and certificate auto-enrollment)
* **Firewall rules:** TCP/5985 (HTTP) or TCP/5986 (HTTPS) inbound to the collector from all forwarding computers. With source-initiated subscriptions the forwarders open the connection, so nothing needs to be opened toward the endpoints.

#### Step 1: Deploy WEC Role

```powershell
# On the collector (run as Administrator). WEC is built into Windows Server; there is
# no separate role to install. Source-initiated subscriptions need a WinRM listener on
# the collector, because the forwarders connect to it.
winrm quickconfig -q          # enables the WinRM service and an HTTP listener on TCP/5985

# wecutil qc enables the Windows Event Collector service (delayed automatic start)
# and prepares the ForwardedEvents log. /q suppresses the confirmation prompt.
wecutil qc /q

# Both services must be running before any subscription is created
Get-Service Wecsvc, WinRM | Select-Object Name, Status, StartType

# There is no collector-wide delivery queue setting: batching (MaxItems/MaxLatencyTime)
# is configured per subscription in the subscription XML (Step 4).
```

#### Step 2: Configure SSL Certificate (Production MUST)

```powershell
# Request a server-authentication certificate from the internal CA. Get-Certificate
# returns an enrollment result; the certificate itself is in .Certificate.
# The DNS name must match the hostname used in the SubscriptionManager URL (Step 3).
$result = Get-Certificate -Template WebServer -DnsName "weccollector.corp.local" -CertStoreLocation Cert:\LocalMachine\My
$thumb  = $result.Certificate.Thumbprint

# Create the HTTPS WinRM listener on TCP/5986 bound to that certificate. This is the
# listener the forwarders are pointed at; the forwarders must trust the issuing CA.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumb -Force

# Verify: the listener must show Transport=HTTPS with the expected thumbprint.
# Auto-enrollment renews the certificate but does not rebind the listener, so re-run
# the New-Item above (or update the listener's CertificateThumbprint) after each renewal.
winrm enumerate winrm/config/listener
```

#### Step 3: Configure Group Policy for Forwarding Computers

Create a **WEC-Client-Settings** GPO and link it to the OUs containing the forwarding computers:

**Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding:**

```
Configure target Subscription Manager: Enabled
Value: Server=https://weccollector.corp.local:5986/wsman/SubscriptionManager/WEC,Refresh=60
```

`Refresh` is in seconds and sets how often forwarders poll the collector for subscription changes; 60 is convenient during rollout, raise it once the subscriptions are stable. There is no separate "enable forwarding" policy: configuring the Subscription Manager is what turns forwarding on. The heartbeat interval is a per-subscription setting (Step 4), not a Group Policy setting.

**Computer Configuration → Policies → Administrative Templates → Windows Components → Event Log Service → Security → Configure log access:**

```
Log Access: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
```

The trailing `(A;;0x1;;;NS)` grants read (0x1) to NETWORK SERVICE, the account WinRM runs as; without it the forwarder ships every channel except Security. Check the default SDDL on a target build with `wevtutil gl Security` first and append the ACE to it rather than replacing the string. The alternative is adding `NT AUTHORITY\NETWORK SERVICE` to the local **Event Log Readers** group through Restricted Groups.

**Computer Configuration → Policies → Windows Settings → Security Settings → System Services:**

```
Windows Event Log (EventLog): Startup = Automatic
Windows Remote Management (WS-Management) (WinRM): Startup = Automatic
```

WinRM is Manual on workstation SKUs by default, and a stopped WinRM never picks up the subscription. After the GPO applies, run `gpupdate /force` on a test forwarder and check `Microsoft-Windows-Forwarding/Operational` for an event confirming the subscription was received.

#### Step 4: Create Optimized Subscriptions (The Critical Part)

```powershell
# Create the subscription configuration file (security-subscription.xml).
# Units: MaxLatencyTime and Heartbeat Interval are in milliseconds.
New-Item -ItemType Directory -Path C:\WEC -Force | Out-Null
@"
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>Security-Essentials</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Critical security events only - filtered</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Custom</ConfigurationMode>
    <Delivery Mode="Push">
        <Batching>
            <MaxItems>5000</MaxItems>
            <MaxLatencyTime>60000</MaxLatencyTime>   <!-- 60 s: a batch is sent at least this often -->
        </Batching>
        <PushSettings>
            <Heartbeat Interval="1800000" />          <!-- 30 min: a source with no heartbeat is stalled -->
        </PushSettings>
    </Delivery>
    <Query>
        <![CDATA[
            <QueryList>
                <Query Id="0" Path="Security">
                    <!-- Authentication events (4634 logoff is deliberately not selected: pure volume) -->
                    <Select Path="Security">
                        *[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4776)]]
                    </Select>
                    <!-- Process creation (requires Audit Process Creation); the 4688 field is NewProcessName -->
                    <Select Path="Security">
                        *[System[EventID=4688]] and *[EventData[Data[@Name='NewProcessName']!='C:\Windows\System32\svchost.exe']]
                    </Select>
                    <!-- Group membership changes -->
                    <Select Path="Security">
                        *[System[(EventID=4728 or EventID=4729 or EventID=4732 or EventID=4756)]]
                    </Select>
                    <!-- Suppress wins over Select: these stay excluded even if a broader Select is added later -->
                    <Suppress Path="Security">
                        *[System[EventID=4634]] or
                        *[System[EventID=4689]] or
                        *[System[EventID=5140]] or
                        *[System[EventID=5145]]
                    </Suppress>
                </Query>
            </QueryList>
        ]]>
    </Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <!-- Must match the listener the forwarders are pointed at in Step 3 -->
    <TransportName>HTTPS</TransportName>
    <!-- RenderedText carries the message text, so the collector does not need every source's message DLLs -->
    <ContentFormat>RenderedText</ContentFormat>
    <LogFile>ForwardedEvents</LogFile>
    <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
    <!-- SDDL: Domain Computers (DC) may forward; NS is the collector's own NETWORK SERVICE -->
    <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@ | Out-File -FilePath "C:\WEC\security-subscription.xml" -Encoding UTF8

# Create the subscription (fails if the ID already exists; use "wecutil ss <id> /c:<file>" to update one)
wecutil cs C:\WEC\security-subscription.xml

# A Sysmon subscription follows the same pattern with Path="Microsoft-Windows-Sysmon/Operational"
```
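
Before a subscription is pushed to thousands of forwarders it is worth running its query against a representative host's own Security log to see what it actually admits. The script below is an added example, not part of this page or of the BluSapphire tooling: it reads the QueryList out of the subscription file written above (assumed to be at `C:\WEC\security-subscription.xml`), runs it through `Get-WinEvent -FilterXml`, which honours `Suppress` the same way the forwarder does, and reports the rate per EventID so the noisiest IDs can be trimmed before they reach the network. The fleet size used for the daily projection is an assumption.

```powershell
# Added example, not from the page or from BluSapphire: measure what a subscription's
# XPath actually admits on the local Security log before deploying it fleet-wide.
# Assumes the Step 4 subscription file at C:\WEC\security-subscription.xml. Run as
# Administrator (or as an Event Log Readers member) on a representative host.
param(
    [string]$SubscriptionFile = "C:\WEC\security-subscription.xml",
    [int]$MaxEvents = 50000,
    [int]$Endpoints = 500          # assumed fleet size for the daily projection
)

[xml]$sub = Get-Content -Path $SubscriptionFile -Raw
# The QueryList sits in a CDATA section under <Query>; InnerText gives the raw XML text.
[xml]$queryList = $sub.Subscription.Query.InnerText.Trim()

# Get-WinEvent -FilterXml applies Select and Suppress the same way the forwarder will.
# Events come back newest first, so [0] is the newest and [-1] the oldest matched.
$events = @(Get-WinEvent -FilterXml $queryList -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Warning "Query matched nothing on this host"; return }

$spanHours = [math]::Max(($events[0].TimeCreated - $events[-1].TimeCreated).TotalHours, 0.01)
$perHour   = $events.Count / $spanHours

# Bytes per event from the event XML (RenderedText on the wire is larger still)
$sampleBytes = ($events | Select-Object -First 500 | ForEach-Object { $_.ToXml().Length } | Measure-Object -Average).Average

# Per-EventID share: the IDs at the top are the first candidates for a tighter predicate
$byId = $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        EventID = $_.Name
        Count   = $_.Count
        PerHour = [math]::Round($_.Count / $spanHours, 1)
        Share   = "{0:P1}" -f ($_.Count / $events.Count)
    }
}
$byId | Format-Table -AutoSize

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    SampledEvents    = $events.Count
    SampleSpanHours  = [math]::Round($spanHours, 1)
    EventsPerHour    = [math]::Round($perHour, 1)
    AvgBytesPerEvent = [math]::Round($sampleBytes)
    # Projection for the whole fleet at this host's rate, in MB/day
    FleetMBPerDay    = [math]::Round($perHour * 24 * $sampleBytes * $Endpoints / 1MB, 1)
}
```

Run it on a busy file server and on a quiet workstation: the 4688 share on the former is usually what decides whether the `NewProcessName` exclusion list needs to grow, and the fleet projection is the number to feed back into the storage prerequisite above.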

#### Step 5: Create Forwarding Groups Using Security Groups

```powershell
# Create AD security groups per log profile and put forwarders in them, e.g.
# - WEC_High_Security (domain controllers, sensitive servers)
# - WEC_Standard (all workstations)
# - WEC_Sysmon (systems with Sysmon installed)
# Each group gets its own subscription. The SDDL in AllowedSourceDomainComputers must
# carry the group's SID: only well-known groups such as Domain Computers (DC) have aliases.
$sid  = (New-Object System.Security.Principal.NTAccount("CORP\WEC_High_Security")).Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;$sid)(A;;GA;;;NS)"

# Patch the SDDL into the subscription file and push the change to the existing subscription
$path = "C:\WEC\security-subscription.xml"
[xml]$doc = Get-Content -Path $path -Raw
$doc.Subscription.AllowedSourceDomainComputers = $sddl
$doc.Save($path)
wecutil ss Security-Essentials /c:$path

# A forwarder's Kerberos ticket carries its old group list until it is refreshed, so a
# computer added to the group may need a reboot before the collector accepts it.
```

#### Step 6: Validate Forwarding

```powershell
# On the collector: per-source runtime status, last heartbeat and last error
wecutil gr Security-Essentials

# On the collector: the subscription configuration as the collector stored it
wecutil gs Security-Essentials /f:xml

# On a forwarding computer: prove the HTTPS listener answers with Kerberos, not just that the port is open
Test-WSMan -ComputerName weccollector.corp.local -UseSSL -Port 5986 -Authentication Negotiate

# On a forwarding computer: wecutil is collector-only; the forwarder records subscription
# pickup and errors in its forwarding plugin log
Get-WinEvent -LogName "Microsoft-Windows-Forwarding/Operational" -MaxEvents 10 | Format-List TimeCreated, Id, Message

# Back on the collector: forwarded events land in ForwardedEvents
Get-WinEvent -LogName "ForwardedEvents" -MaxEvents 10
```
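
The one-off checks above do not catch the stalled-subscription problem described at the top of the page, which only shows up as a source that is no longer `Active` or a ForwardedEvents log that has gone quiet. The script below is an added example, not part of this page or of BluSapphire's tooling: `Test-WefForwarder` runs on a forwarding computer and checks the policy, WinRM, the Security log ACL, reachability of the HTTPS listener and recent plugin errors; `Test-WefCollector` runs on the collector, parses `wecutil gr` per source and checks event freshness. The collector name, subscription name and thresholds are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the page or of BluSapphire's tooling: a scheduled health
# check for the two failure modes above. Collector name, subscription name and
# thresholds are assumptions.
function Test-WefForwarder {
    param([string]$Collector = "weccollector.corp.local", [int]$Port = 5986)
    $findings = @()

    # 1. Policy present? Source-initiated forwarding is off until this key exists.
    $smKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
    if (-not (Test-Path $smKey)) { $findings += "SubscriptionManager policy not applied (run gpupdate /force)" }

    # 2. WinRM running? It is Manual on workstation SKUs unless the GPO set it to Automatic.
    if ((Get-Service WinRM).Status -ne "Running") { $findings += "WinRM service not running" }

    # 3. Can NETWORK SERVICE read the Security log? Look for an NS or Event Log Readers ACE.
    $sddl = (wevtutil gl Security | Where-Object { $_ -match "^channelAccess:" }) -replace "^channelAccess:\s*", ""
    if ($sddl -notmatch ";;;NS\)" -and $sddl -notmatch ";;;S-1-5-32-573\)") {
        $findings += "Security log SDDL grants no read to NETWORK SERVICE: $sddl"
    }

    # 4. Can we reach the collector's HTTPS listener with Kerberos?
    try { Test-WSMan -ComputerName $Collector -UseSSL -Port $Port -Authentication Negotiate -ErrorAction Stop | Out-Null }
    catch { $findings += "Test-WSMan to ${Collector}:$Port failed: $($_.Exception.Message)" }

    # 5. Recent errors from the forwarding plugin (Level 2 = Error)
    $errs = Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Forwarding/Operational"; Level = 2; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue
    if ($errs) { $findings += "$($errs.Count) forwarding errors in last 24h, latest: $($errs[0].Message)" }

    [pscustomobject]@{ Host = $env:COMPUTERNAME; Healthy = ($findings.Count -eq 0); Findings = $findings }
}

function Test-WefCollector {
    param([string]$Subscription = "Security-Essentials", [int]$MaxSilentMinutes = 15)
    $findings = @()

    # Parse "wecutil gr": a source name is an indented line with no colon; the
    # RunTimeStatus/LastError/LastHeartbeatTime lines that follow belong to that source.
    $sources = @{}
    $current = $null
    foreach ($line in (wecutil gr $Subscription)) {
        if ($line -match "^\s+(\S.*?)\s*$" -and $line -notmatch ":") { $current = $Matches[1]; $sources[$current] = @{}; continue }
        if ($current -and $line -match "^\s+(RunTimeStatus|LastError|LastHeartbeatTime):\s*(.*)$") { $sources[$current][$Matches[1]] = $Matches[2] }
    }
    $inactive = $sources.Keys | Where-Object { $sources[$_].RunTimeStatus -ne "Active" }
    if ($sources.Count -eq 0) { $findings += "No source has ever contacted subscription $Subscription" }
    foreach ($s in $inactive) { $findings += "$s is $($sources[$s].RunTimeStatus) (LastError $($sources[$s].LastError), heartbeat $($sources[$s].LastHeartbeatTime))" }

    # Freshness: with MaxLatencyTime=60000 a healthy subscription is never silent for long
    $last = Get-WinEvent -LogName ForwardedEvents -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $last -or $last.TimeCreated -lt (Get-Date).AddMinutes(-$MaxSilentMinutes)) {
        $findings += "Nothing written to ForwardedEvents in the last $MaxSilentMinutes minutes (stalled subscription?)"
    }

    [pscustomobject]@{ Subscription = $Subscription; Sources = $sources.Count; Inactive = @($inactive).Count; Healthy = ($findings.Count -eq 0); Findings = $findings }
}

# Scheduled-task usage: fail the task so the monitoring agent raises an alert
# $r = Test-WefCollector; if (-not $r.Healthy) { $r.Findings | Write-Warning; exit 1 }
```

Run the collector check every few minutes; the freshness test is the one that catches a stall, because a stalled source can sit in `Active` for the whole heartbeat interval before `wecutil gr` notices. The forwarder check is a preflight for new OUs: run it once from a host in the OU before linking the GPO more widely.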

***

### Phase 2: LogShipper from the WEC collector to DataStreamer → OnePlatform

#### Architecture Overview

```
WEC Collector → LogShipper (Windows Service) → DataStreamer → OnePlatform
                          ↓
            [Parsing/Filtering/Enrichment]
```

#### Installation & Configuration

**Step 1: Install the Windows log forwarder (BluLogShipper) on the WEC server**

**See the Windows log forwarder installation guide** [**here**](/m-soc/m-soc_self-service-portal/windows-package-installation.md)**.**

**Step 2: Create Production Configuration**

```ini
[SERVICE]
    # Performance tuning for WEC workloads
    Flush                     1
    Daemon                    Off
    Log_Level                 info
    Log_File                  <BluLogShipperHome>\blulogshipper.log
    Parsers_File              parsers.conf
    # Metrics endpoint: bind to loopback, it is unauthenticated
    HTTP_Server               On
    HTTP_Listen               127.0.0.1
    HTTP_Port                 2020

    # On-disk buffering (critical for cloud forwarding). Storage.Path alone does nothing:
    # an input has to opt in with storage.type filesystem (see [INPUT] below)
    Grace                     30
    Storage.Path              <BluLogShipperHome>\storage
    Storage.Sync              normal
    Storage.Checksum          On
    Storage.Max_Chunks_Up     128

[INPUT]
    # Read the ForwardedEvents log (where WEC writes)
    Name                      winlog
    Channels                  ForwardedEvents
    Interval_Sec              1
    Read_Existing_Events      false
    # Persist the read position so a restart neither re-sends nor skips events
    DB                        <BluLogShipperHome>\storage\winlog.db
    # Spill to disk instead of growing in memory when the output is slow
    storage.type              filesystem
    Mem_Buf_Limit             50M
    Tag                       wec.events

[FILTER]
    # Remove noise events before sending to cloud
    Name                      grep
    Match                     wec.events
    Exclude                   $EventID ^(0|7036|10000|20000)$

[FILTER]
    # Add metadata for cloud routing (${VAR} is the variable syntax in this config format)
    Name                      modify
    Match                     wec.events
    Add                       source_wec_server ${HOSTNAME}
    Add                       environment production
    Add                       collector_target DataStreamer
    Add                       facility windows_event_forwarding

[OUTPUT]
    # Forward to DataStreamer using the BluLogShipper Forward protocol
    Name                      forward
    Match                     wec.events
    Host                      <DataStreamer Hostname>
    Port                      2049
    tls                       On
    # Verify the DataStreamer certificate against the CA file. tls.verify Off would let
    # anyone on the path impersonate the endpoint and read or discard the log stream.
    tls.verify                On
    tls.ca_file               <BluLogShipperHomePath>\certs\ca.pem

    # Compression for bandwidth savings
    compress                  gzip

    # Retry without giving up: a bounded retry_limit discards batches once it is exhausted,
    # which defeats the on-disk buffer. Disk, not retries, is the backpressure valve here.
    Retry_Limit               False
    net.keepalive             On
    net.keepalive_idle        30
    net.keepalive_interval    5

    # Cap the on-disk backlog while DataStreamer is unreachable; oldest chunks are dropped past it
    storage.total_limit_size  1G
```

**Step 3: Optimize Windows Event Log for BluLogShipper Reading**

```powershell
# Increase the ForwardedEvents log size (the default of 20 MB is far too small for a collector)
wevtutil sl ForwardedEvents /ms:1073741824   # 1 GB max size

# Circular logging: /rt:false overwrites the oldest events when the log is full. The shipper
# reads events within seconds of arrival, so this log is a short-term buffer, not an archive.
# /rt:true with /ab:false would instead STOP accepting new events once the log is full.
wevtutil sl ForwardedEvents /rt:false /ab:false
```

**Step 4: Create Performance Tuning Script**

```powershell
# Optimize Windows for high-throughput event forwarding

# Receive-window autotuning is normal by default; make sure a hardening baseline has not disabled it
netsh int tcp set global autotuninglevel=normal

# Raise BluLogShipper process priority (not persistent: re-apply after each service restart)
$logshipper = Get-Process -Name blulogshipper -ErrorAction SilentlyContinue
if ($logshipper) {
    $logshipper.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::High
}

# Service recovery: restart after 1 s, 5 s and 10 s; the failure counter resets after a day.
# sc.exe requires the space after each "option=".
sc.exe failure blulogshipper reset= 86400 actions= restart/1000/restart/5000/restart/10000

# Defender exclusions: exclude only the process and the on-disk buffer directory. An excluded
# install directory is a place where dropped tooling is never scanned; keep it as narrow as the
# performance problem actually requires.
Add-MpPreference -ExclusionProcess "blulogshipper.exe"
Add-MpPreference -ExclusionPath "<BluLogShipperHomePath>\storage"
```

#### Troubleshooting Matrix

| Symptom                     | Diagnosis                                                                  | Fix                                                                                        |
| --------------------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| Events delayed 10+ minutes  | `wecutil gr` shows sources Active but stale `LastHeartbeatTime`            | Increase `MaxItems` to 10000, reduce `MaxLatencyTime` to 30000 (30 s)                       |
| BluLogShipper memory growth | Input buffers in memory without limit while the output is slow             | Set `Mem_Buf_Limit 50M` and `storage.type filesystem` on the winlog input                   |
| Duplicate events to SIEM    | `Read_Existing_Events true`, or no `DB` so each restart re-reads the log   | Set `Read_Existing_Events false` and a `DB` path in the winlog input                         |
| WEC certificate errors      | Errors in `Microsoft-Windows-Forwarding/Operational` on the forwarder      | Check CA trust and SAN match for the listener cert; `winrm get winrm/config` on both ends   |
| SIEM connection resets      | Idle session dropped by a firewall or NAT between flushes                  | Set `net.keepalive On` with `net.keepalive_idle` below the middlebox idle timeout (e.g. 30) |

#### Security Hardening

```powershell
# Restrict configuration access. The service account must still be able to read it,
# otherwise the service fails to start after the ACL change.
$shipperHome = "<BluLogShipperHomePath>"
$msa         = "CORP\<managedserviceaccount>$"      # gMSA names end in $
icacls "$shipperHome\blulogshipper.conf" /inheritance:r
icacls "$shipperHome\blulogshipper.conf" /grant:r "SYSTEM:(R,W)" "Administrators:(R)" "$($msa):(R)"
# The client private key gets the same treatment: service account read, nobody else
icacls "$shipperHome\certs\client.key" /inheritance:r /grant:r "SYSTEM:(R)" "$($msa):(R)"

# Run the service as a group Managed Service Account. The host must be listed in the
# account's PrincipalsAllowedToRetrieveManagedPassword, and the account needs the
# "Log on as a service" right and read access to the ForwardedEvents log.
Install-ADServiceAccount -Identity "<managedserviceaccount>"   # once per host, RSAT AD module required
Test-ADServiceAccount -Identity "<managedserviceaccount>"      # must return True
Add-LocalGroupMember -Group "Event Log Readers" -Member $msa
sc.exe config blulogshipper obj= "$msa" password= ""
Restart-Service blulogshipper
```

Mutual TLS on the output, for a client certificate issued to the shipper, goes into the same `[OUTPUT]` section as in Step 2. `tls.verify` stays `On`: the point of mutual authentication is that both sides are verified, and turning verification off removes the server half of that.

```ini
[OUTPUT]
    Name          forward
    Match         wec.events
    Host          <DataStreamer Hostname>
    Port          2049
    tls           On
    tls.verify    On
    tls.ca_file   <BluLogShipperHomePath>\certs\ca.pem
    tls.crt_file  <BluLogShipperHomePath>\certs\client.crt
    tls.key_file  <BluLogShipperHomePath>\certs\client.key
```

#### Performance Baseline (5000 endpoints)

| Metric                   | Target   | Alert Threshold   |
| ------------------------ | -------- | ----------------- |
| Events/second processed  | 15,000   | < 5,000 for 5 min |
| BluLogShipper CPU usage  | < 15%    | > 40% sustained   |
| Memory usage             | < 500MB  | > 1.5GB           |
| WEC subscription latency | < 60 sec | > 300 sec         |
| Disk queue length        | < 0.5    | > 2 for 10 min    |
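
The baseline table is only useful if something samples it. The script below is an added example, not part of this page or of BluSapphire's tooling: it takes two readings from the shipper's metrics endpoint (enabled by `HTTP_Server` in the Step 2 configuration) and from the process, then compares throughput, CPU, memory, retries and drops with the thresholds above. It assumes the endpoint exposes Fluent Bit-style JSON at `/api/v1/metrics` with per-output `proc_records`, `errors`, `retries` and `dropped_records` counters, that the process is named `blulogshipper`, and that the default sample window of five minutes matches the "for 5 min" condition in the table; verify the first two against your installation before relying on it.

```powershell
# Added example, not part of the page or of BluSapphire's tooling. Samples the shipper
# twice and compares the results with the performance baseline table.
# ASSUMPTIONS: the HTTP_Server endpoint serves Fluent Bit-style JSON at /api/v1/metrics
# (output.<name>.proc_records, errors, retries, dropped_records); the process is named
# blulogshipper; the thresholds below are the table's values.
param(
    [string]$MetricsUrl   = "http://127.0.0.1:2020/api/v1/metrics",
    [int]$SampleSeconds   = 300,       # the table's "for 5 min" window
    [int]$MinEventsPerSec = 5000,
    [int]$MaxCpuPercent   = 40,
    [long]$MaxWorkingSet  = 1.5GB
)

function Get-ShipperSnapshot {
    param([string]$Url)
    $m = Invoke-RestMethod -Uri $Url -TimeoutSec 5
    $out = [ordered]@{ Time = Get-Date; ProcRecords = 0; Errors = 0; Retries = 0; Dropped = 0 }
    # Sum the counters across all outputs (properties of the "output" object are the plugin instances)
    foreach ($o in $m.output.PSObject.Properties) {
        $out.ProcRecords += [long]$o.Value.proc_records
        $out.Errors      += [long]$o.Value.errors
        $out.Retries     += [long]$o.Value.retries
        $out.Dropped     += [long]$o.Value.dropped_records
    }
    [pscustomobject]$out
}

$proc = Get-Process -Name blulogshipper -ErrorAction Stop
$s1 = Get-ShipperSnapshot $MetricsUrl; $cpu1 = $proc.TotalProcessorTime
Start-Sleep -Seconds $SampleSeconds
$s2 = Get-ShipperSnapshot $MetricsUrl; $proc.Refresh(); $cpu2 = $proc.TotalProcessorTime

$elapsed  = ($s2.Time - $s1.Time).TotalSeconds
$eps      = ($s2.ProcRecords - $s1.ProcRecords) / $elapsed
# CPU % = processor time consumed / wall time, normalised over all cores
$cpuPct   = ($cpu2 - $cpu1).TotalSeconds / $elapsed / [Environment]::ProcessorCount * 100
$memBytes = $proc.WorkingSet64

$findings = @()
if ($eps -lt $MinEventsPerSec)    { $findings += "throughput $([math]::Round($eps)) events/s below $MinEventsPerSec" }
if ($cpuPct -gt $MaxCpuPercent)   { $findings += "CPU $([math]::Round($cpuPct, 1))% above $MaxCpuPercent%" }
if ($memBytes -gt $MaxWorkingSet) { $findings += "working set $([math]::Round($memBytes / 1MB)) MB above $([math]::Round($MaxWorkingSet / 1MB)) MB" }
# Dropped records mean loss has already happened; rising errors/retries mean the output is unhealthy now
if ($s2.Dropped -gt $s1.Dropped)  { $findings += "$($s2.Dropped - $s1.Dropped) records dropped during the sample" }
if ($s2.Errors -gt $s1.Errors -or $s2.Retries -gt $s1.Retries) {
    $findings += "output errors/retries increased by $($s2.Errors - $s1.Errors)/$($s2.Retries - $s1.Retries)"
}

[pscustomobject]@{
    SampleSeconds  = [math]::Round($elapsed)
    EventsPerSec   = [math]::Round($eps, 1)
    CpuPercent     = [math]::Round($cpuPct, 1)
    WorkingSetMB   = [math]::Round($memBytes / 1MB)
    Dropped        = $s2.Dropped - $s1.Dropped
    Healthy        = ($findings.Count -eq 0)
    Findings       = $findings
}
```

The throughput threshold is the one to treat with care: a quiet period legitimately falls below 5,000 events/s, so alert on it only when the collector-side checks show sources active and ForwardedEvents still filling, which points at the shipper rather than at the fleet. Any non-zero `Dropped` is an incident regardless of the other numbers.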

#### Disaster Recovery

```powershell
# Back up every subscription's XML weekly. "wecutil es" only lists IDs, so export each
# one with "gs /f:xml"; these files are all that is needed to rebuild a collector.
$backupDir = "C:\WEC\backup\$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($id in (wecutil es | Where-Object { $_ })) {
    wecutil gs $id /f:xml | Out-File -FilePath "$backupDir\$id.xml" -Encoding UTF8
}

# Restore on a rebuilt collector: wecutil cs "<backupDir>\<id>.xml" for each file,
# then re-create the HTTPS listener from Step 2 (the certificate binding is not in the XML)

# Archive the ForwardedEvents log itself (overwrites an existing file)
wevtutil epl ForwardedEvents "$backupDir\ForwardedEvents.evtx" /ow:true
```

This design gives reliable delivery (heartbeat and per-source runtime status on WEC, on-disk buffering and unlimited retries on the shipper), filtering efficiency and observability. The key is **filtering at both layers, WEC (XPath) and BluLogShipper (grep)**: compared with forwarding every channel unfiltered, a subscription like the one above typically cuts SIEM ingestion by 70-90%, though the exact saving depends on which audit subcategories are enabled on the forwarders.

