Overview of Windows Event Forwarding

Windows Event Forwarding (WEF) is a built-in Windows mechanism that allows events recorded in the Windows Event Log on one machine (the source) to be pushed or pulled to a central collection server (the collector). WEF operates over HTTPS using WS-Management (WinRM) as its transport protocol, meaning it uses port 5985 (HTTP) or 5986 (HTTPS) rather than a proprietary agent protocol. This makes WEF a lightweight, agentless approach to centralized log collection that works with any Windows machine in the domain without installing additional software.

WEF supports two subscription modes. In Collector Initiated mode, the collector server reaches out to each source machine and pulls events. The collector must have a list of source computer names, making this mode practical for smaller environments. In Source Initiated mode, each source machine pushes events to the collector defined by Group Policy. This mode scales to thousands of endpoints because the collector does not need to enumerate or contact each machine individually — it simply waits for sources to connect. Source Initiated mode is recommended for domain environments of any significant size.

WEF is valuable as a first layer of log centralization for organizations that do not yet have a full SIEM, and it also feeds well-structured Windows Event Log data into SIEM platforms like Splunk, Microsoft Sentinel, or Elastic SIEM. The NSA and CISA publish WEF subscription recommendations that define which event IDs are most critical to collect for threat detection.

Enabling WinRM on Source Computers

WEF uses WinRM as its transport layer. Before source computers can forward events, WinRM must be running and configured to allow connections from the collector. The quickest way to enable WinRM with default settings is:

winrm quickconfig

This command starts the WinRM service, sets it to automatic startup, creates an HTTP listener on port 5985, and adds a Windows Firewall exception. Confirm each prompt with y. For domain environments, enable WinRM via Group Policy to ensure it is applied to all servers and workstations consistently without requiring manual intervention:

# Group Policy path:
# Computer Configuration > Policies > Windows Settings > Security Settings > System Services
# Windows Remote Management (WS-Management): Set to Automatic

# Also configure via Group Policy Preferences or Administrative Templates:
# Computer Configuration > Administrative Templates > Windows Components >
#   Windows Remote Management (WinRM) > WinRM Service
# Set "Allow remote server management through WinRM" to Enabled
# Specify allowed IP ranges in IPv4/IPv6 filter if desired (use * for any)

Verify WinRM is listening after the policy applies:

winrm enumerate winrm/config/listener

You should see output showing a listener on Transport = HTTP and Port = 5985. If you require encrypted transport (recommended), configure an HTTPS listener using a machine certificate:

# Create HTTPS listener using the machine's auto-enrolled certificate
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
               Where-Object {$_.Subject -match $env:COMPUTERNAME}).Thumbprint

New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{Address="*"; Transport="HTTPS"} `
    -ValueSet @{Hostname=$env:COMPUTERNAME; CertificateThumbprint=$thumbprint}
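The following script is an added verification check, not part of the original article: run it on a source computer after the WinRM policy has applied to confirm the service, listeners, certificate validity, firewall rules and reachability of the collector in one pass. The collector name is an assumed value.

```powershell
# Added example (not from the original article). Run on a source computer once
# the WinRM Group Policy has applied. The collector FQDN below is an assumption.
$Collector = 'collector.corp.example.com'   # assumed collector FQDN

# 1. Service state: expect Running / Automatic after "winrm quickconfig" or the GPO
$svc = Get-Service -Name WinRM
"WinRM service: $($svc.Status) (StartType: $($svc.StartType))"

# 2. Listeners: expect Transport=HTTP on 5985 and, if configured, HTTPS on 5986
$listeners = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate
foreach ($l in $listeners) {
    "Listener: Transport=$($l.Transport) Port=$($l.Port) Address=$($l.Address)"
    if ($l.Transport -eq 'HTTPS') {
        # An HTTPS listener silently stops working once its certificate expires,
        # so check that the bound thumbprint exists and is still valid.
        $thumb = $l.CertificateThumbprint -replace '\s', ''
        $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
        if (-not $cert) {
            Write-Warning "HTTPS listener references thumbprint $thumb, not found in LocalMachine\My"
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "HTTPS listener certificate expired on $($cert.NotAfter)"
        } else {
            "  certificate valid until $($cert.NotAfter)"
        }
    }
}

# 3. Firewall: the built-in WinRM rule group should be enabled for the Domain profile
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile, Direction |
    Format-Table -AutoSize

# 4. Reachability: in Source Initiated mode the source opens the connection,
#    so the collector's WinRM ports must be reachable from here.
foreach ($port in 5985, 5986) {
    $r = Test-NetConnection -ComputerName $Collector -Port $port -WarningAction SilentlyContinue
    "TCP ${Collector}:${port} reachable: $($r.TcpTestSucceeded)"
}
```

A failed HTTPS check here is the usual cause of sources that registered fine over HTTP and then dropped off after switching the Subscription Manager URL to https.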

Configuring the Event Collector Service

The Windows Event Collector service (wecsvc) must be running on the collector server. This service manages subscriptions and receives events from source computers. Configure and start it with:

# Run on the collector server from an elevated command prompt
wecutil qc

# The command will ask you to confirm starting the service — type Y
# It also sets the service to automatic start

Verify the service is running:

Get-Service -Name "Wecsvc"

# Expected output:
# Status   Name               DisplayName
# ------   ----               -----------
# Running  Wecsvc             Windows Event Collector

The collector server must also have the source computers’ machine accounts added to the local Event Log Readers group (for Collector Initiated mode), or the NETWORK SERVICE account on the collector must have read access to the forwarded events. For Source Initiated mode with domain computers, the source computers push events using their machine account credentials, so the collector automatically trusts domain-member sources.

For Source Initiated mode, add the domain computers’ group to the Event Log Readers group on the collector:

Add-LocalGroupMember -Group "Event Log Readers" -Member "Domain Computers"

Creating a Subscription with wecutil

A WEF subscription is an XML file that defines which events to collect, how they are delivered, and where they go. Subscriptions are created on the collector server using wecutil cs (create subscription).

First, create the subscription XML file. This example collects Security, System, and Application events from all domain computers using Source Initiated mode:

<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>WindowsSecurityEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collect security-relevant events from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>500</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <!-- placeholder: the heartbeat interval (milliseconds) was not preserved in the source -->
      <Heartbeat Interval="HEARTBEAT_INTERVAL_MS"/>
    </PushSettings>
  </Delivery>

  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*</Select>
      </Query>
      <Query Id="1" Path="System">
        <Select Path="System">
          *[System[(Level=1 or Level=2 or Level=3)]]
        </Select>
      </Query>
      <Query Id="2" Path="Application">
        <Select Path="Application">
          *[System[(Level=1 or Level=2)]]
        </Select>
      </Query>
    </QueryList>
    ]]>
  </Query>

  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>

  <LogFile>ForwardedEvents</LogFile>

  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
Save the file as C:\WEF\subscriptions\SecurityEvents.xml, then create the subscription on the collector:

wecutil cs "C:\WEF\subscriptions\SecurityEvents.xml"

# Verify the subscription was created
wecutil gs WindowsSecurityEvents

# List all subscriptions
wecutil es

Source Initiated vs Collector Initiated Mode

The two subscription types have different configuration requirements and scale characteristics.

Source Initiated requires a Group Policy setting that tells source computers where to send events. Configure this in the GPO under Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager:

# Group Policy setting value format:
Server=http://collector.corp.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60

# For HTTPS:
Server=https://collector.corp.example.com:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=

The Refresh value (in seconds) controls how often sources check for updated subscription configurations. A value of 60 means sources poll every 60 seconds. Once this Group Policy is applied, sources will automatically register with the collector and begin forwarding events within one refresh cycle.

Collector Initiated does not use Group Policy on source computers. Instead, the subscription XML specifies the list of source computers explicitly:

<!-- fragment: the remaining elements match the Source Initiated example above -->
<SubscriptionType>CollectorInitiated</SubscriptionType>

<EventSources>
  <EventSource Enabled="true">
    <Address>Server01.corp.example.com</Address>
  </EventSource>
  <EventSource Enabled="true">
    <Address>Server02.corp.example.com</Address>
  </EventSource>
</EventSources>
Filtering Events with XPath Queries

Collecting all events from all sources generates enormous volume and makes the collected log difficult to search. The subscription XML’s <Query> section supports XPath 1.0 filter expressions that restrict which events are forwarded. This is essential for focusing collection on high-value security events.

To collect only specific Security event IDs relevant to threat detection (based on NSA/CISA recommendations):

<Query>
  <![CDATA[
  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">
        *[System[
          EventID=4624 or
          EventID=4625 or
          EventID=4634 or
          EventID=4648 or
          EventID=4672 or
          EventID=4688 or
          EventID=4697 or
          EventID=4698 or
          EventID=4699 or
          EventID=4700 or
          EventID=4701 or
          EventID=4702 or
          EventID=4719 or
          EventID=4720 or
          EventID=4722 or
          EventID=4724 or
          EventID=4728 or
          EventID=4732 or
          EventID=4735 or
          EventID=4756 or
          EventID=4776 or
          EventID=5140 or
          EventID=5145 or
          EventID=7045
        ]]
      </Select>
    </Query>
    <Query Id="1" Path="System">
      <Select Path="System">
        *[System[EventID=7045 or EventID=7030 or EventID=104 or EventID=1102]]
      </Select>
    </Query>
    <!-- placeholder: the channel name for this unfiltered query was not preserved in the source -->
    <Query Id="2" Path="CHANNEL_NAME_PLACEHOLDER">
      <Select Path="CHANNEL_NAME_PLACEHOLDER">*</Select>
    </Query>
  </QueryList>
  ]]>
</Query>
These event IDs cover logon/logoff (4624, 4625, 4634), explicit credential use (4648), special privileges assigned (4672), process creation (4688), service installation (4697), scheduled task changes (4698–4702), audit policy changes (4719), account management (4720, 4722, 4724, 4728, 4732, 4735, 4756), NTLM authentication (4776), share access (5140, 5145), and new service installation (7045). Event 1102 is especially important — it records when the Security audit log is cleared, which is a common attacker anti-forensics technique.
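Before an XPath filter goes into a subscription for a thousand sources, it is worth dry-running it on one machine. The script below is an added example, not part of the original article: it builds the same `<QueryList>` from an event-ID array, adds a time window, and runs it locally through Get-WinEvent -FilterXml, which accepts exactly the XML the subscription's <Query> element carries. The ID set is the one listed above; 1102 is queried from the Security log, where it is written. The lookback window and event cap are assumed values.

```powershell
# Added example (not from the original article): dry-run a subscription XPath
# filter locally before deploying it. Window and cap below are assumptions.
$EventIds = 4624,4625,4634,4648,4672,4688,4697,4698,4699,4700,4701,4702,
            4719,4720,4722,4724,4728,4732,4735,4756,4776,5140,5145,1102
$LookbackHours = 24
$MaxEvents     = 5000

# Join the IDs into the predicate exactly as it appears in the subscription
$predicate = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '

# Limit the test to the lookback window; timediff() works in milliseconds
$ms = $LookbackHours * 3600 * 1000
$queryList = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[($predicate) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[(EventID=7045 or EventID=7030 or EventID=104) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
</QueryList>
"@

# A malformed query throws here instead of failing quietly on every source.
# "No events were found" is not an error for a dry run, so it is swallowed.
try {
    $events = @(Get-WinEvent -FilterXml ([xml]$queryList) -MaxEvents $MaxEvents -ErrorAction Stop)
} catch {
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

"Matched $($events.Count) events in the last $LookbackHours h (capped at $MaxEvents)"

# Per-ID counts show which IDs dominate volume and which never fire on this host
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventID'; e={$_.Name}}, Count |
    Format-Table -AutoSize

# An expected ID with no events usually means its audit subcategory is not enabled
$seen    = $events | Select-Object -ExpandProperty Id -Unique
$missing = $EventIds | Where-Object { $_ -notin $seen }
if ($missing) {
    "No events in window for IDs: $($missing -join ', ') - compare with 'auditpol /get /category:*'"
}
```

Run it on a representative server and a representative workstation; the two per-ID tables give a realistic estimate of daily volume per host before the subscription is enabled fleet-wide.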

Viewing Collected Events in Event Viewer

Forwarded events are stored in the Forwarded Events log on the collector server. Open Event Viewer (eventvwr.msc), expand Windows Logs, and click Forwarded Events. Each event record includes the original source computer name in the event XML, allowing you to trace events back to their origin even though they all appear in a single log.

To query forwarded events from the command line:

# List the 20 most recent forwarded Security events
wevtutil qe ForwardedEvents /c:20 /rd:true /f:text /q:"*[System[Channel='Security']]"

# Count events by source computer (PowerShell)
Get-WinEvent -LogName "ForwardedEvents" -MaxEvents 1000 |
  Group-Object -Property MachineName |
  Sort-Object Count -Descending |
  Select-Object Name, Count

The Forwarded Events log can also be configured to grow to a large maximum size and roll over automatically. Set this in Event Viewer by right-clicking Forwarded Events, choosing Properties, and setting the maximum log size and overflow behaviour, or via Group Policy, or from the command line with wevtutil:

# 1 GB maximum size
wevtutil sl ForwardedEvents /ms:1073741824

# Overwrite as needed (circular): /rt:false turns retention off
wevtutil sl ForwardedEvents /rt:false
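Once events are centralized, the Forwarded Events log can be searched for the anti-forensics and brute-force signals the section above singles out. The script below is an added detection example, not part of the original article: it runs on the collector, recovers each event's origin from the forwarded record's own XML, lists every audit-log clearing (1102 in Security, 104 in System), and flags source hosts with a burst of failed logons (4625). The lookback window and the failed-logon threshold are assumed values.

```powershell
# Added detection example (not from the original article). Run on the collector.
# Window and threshold are assumptions; tune them to the environment.
$LookbackHours        = 24
$FailedLogonThreshold = 20   # assumed: 4625 count per host per window worth a look

$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    Id        = 1102, 104, 4625
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) { "No 1102/104/4625 events forwarded in the last $LookbackHours h"; return }

# A forwarded record keeps the original <System><Computer> and <Channel>, which is
# what lets one shared log be traced back to the source host.
$rows = foreach ($e in $events) {
    $x   = [xml]$e.ToXml()
    $sys = $x.Event.System
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Computer = $sys.Computer
        Channel  = $sys.Channel
        Id       = $e.Id
        # 4625 carries the attempted account in EventData/Data[@Name='TargetUserName'];
        # 1102 and 104 have no EventData, so this stays empty for them.
        Target   = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
    }
}

# 1. Any log clear is notable on its own: report each occurrence
$cleared = $rows | Where-Object { $_.Id -in @(1102, 104) } | Sort-Object Time
if ($cleared) {
    "== Event log cleared =="
    $cleared | Select-Object Time, Computer, Channel, Id | Format-Table -AutoSize
}

# 2. Failed logons: group by source host, flag hosts over the threshold,
#    and list the accounts tried so spraying (many accounts) stands out from
#    a single locked-out user.
$bursts = $rows | Where-Object Id -eq 4625 | Group-Object Computer |
    Where-Object Count -ge $FailedLogonThreshold | Sort-Object Count -Descending
if ($bursts) {
    "== Hosts with >= $FailedLogonThreshold failed logons in $LookbackHours h =="
    foreach ($b in $bursts) {
        $accounts = ($b.Group | Select-Object -ExpandProperty Target -Unique) -join ', '
        '{0,-30} {1,5} attempts; accounts: {2}' -f $b.Name, $b.Count, $accounts
    }
}
```

The same per-host grouping is what a SIEM rule does downstream; running it on the collector first confirms the subscription actually delivers the IDs the rule depends on.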

Forwarding Collected Events to a SIEM

WEF is often combined with a SIEM forwarder that reads from the ForwardedEvents log and ships events to a central analytics platform. With Splunk, deploy the Universal Forwarder on the collector server and configure an inputs.conf that monitors the ForwardedEvents log:

[WinEventLog://ForwardedEvents]
disabled = 0
index = windows
evt_resolve_ad_obj = 1
checkpointInterval = 5
current_only = 0
start_from = oldest

For Microsoft Sentinel, use the Azure Monitor Agent (AMA) or Log Analytics Agent on the collector server, configured to collect the ForwardedEvents channel. The agent ships events directly to the Log Analytics workspace where Sentinel analytics rules can act on them. For Elastic SIEM, deploy the Winlogbeat agent on the collector and configure it to read from ForwardedEvents and forward to the Elasticsearch ingest endpoint.

Network Requirements and Scaling

WEF uses TCP port 5985 (HTTP) or 5986 (HTTPS) for all communication between sources and collector. Firewall rules must permit these ports from all source computers to the collector. For large environments, a single collector can handle approximately 1,000–2,000 source machines before throughput or CPU becomes a bottleneck. For larger fleets:

  • Deploy multiple collector servers and balance load by configuring different sources to point to different collectors via Group Policy targeting (using GPO WMI filters or security filtering based on AD group membership).
  • Use a tiered architecture: regional collectors aggregate events, which are then forwarded to a central SIEM. Each regional collector runs its own WEF subscriptions; the SIEM agents run only on the regional collectors.
  • Size collector disk storage based on event volume. A typical server generates 50–200 MB per day in Security events; 1,000 servers could produce 50–200 GB per day before filtering. Apply XPath filters to reduce volume to the most actionable events.

To check the state of a subscription on the collector:

# Check current subscription backlog and runtime status
wecutil gr WindowsSecurityEvents

# Check how many sources have connected to the subscription
wecutil gs WindowsSecurityEvents | findstr "NumberOfSources"

Monitoring the health of WEF is important in production. Event ID 100 in the Microsoft-Windows-Eventlog-ForwardingPlugin/Operational log on source machines indicates a successful connection to the collector. Event ID 101 indicates a failure. Regularly review these events to ensure sources are forwarding reliably.
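The following script is an added health check, not part of the original article. Its first part runs on a source computer: it reads the collector URL that the Subscription Manager policy wrote to the registry and counts the plug-in's 100 (connected) and 101 (failed) events over a window. Its second part runs on the collector and summarizes wecutil gr output. The subscription name is the one created above; the lookback window, and the assumption that wecutil gr prints one RunTimeStatus and one LastError line per source after the subscription's own, are mine.

```powershell
# Added health-check example (not from the original article).
# Section 1 runs on a source, section 2 on the collector.
$SubscriptionName = 'WindowsSecurityEvents'
$LookbackHours    = 24   # assumed window

# --- 1. Source side ---------------------------------------------------------------
# The "Configure target Subscription Manager" policy is stored under this key;
# each collector URL is a string value named 1, 2, ...
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $policyKey) {
    (Get-ItemProperty $policyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "SubscriptionManager[$($_.Name)]: $($_.Value)" }
} else {
    Write-Warning "No SubscriptionManager policy applied; run 'gpupdate /force' and check GPO scope"
}

# Event 100 = connected to the collector, 101 = connection failed
$recent = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
    Id        = 100, 101
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue)

$ok   = @($recent | Where-Object Id -eq 100).Count
$fail = @($recent | Where-Object Id -eq 101).Count
"Forwarding plug-in, last $LookbackHours h: $ok successful connections, $fail failures"
if ($fail -gt 0) {
    # The newest failure message names the collector URL and the underlying error
    $recent | Where-Object Id -eq 101 | Select-Object -First 1 |
        ForEach-Object { "Last failure at $($_.TimeCreated): $($_.Message)" }
}
if ($ok -eq 0 -and $fail -eq 0) {
    Write-Warning "No plug-in events at all: policy not applied, WinRM down, or the Operational log disabled"
}

# --- 2. Collector side ------------------------------------------------------------
# Assumption about wecutil gr layout: the first RunTimeStatus line belongs to the
# subscription itself, every later one to a single source, each with a LastError line.
$status = (& wecutil gr $SubscriptionName 2>&1) | Out-String

$states    = [regex]::Matches($status, 'RunTimeStatus:\s*(\w+)') | ForEach-Object { $_.Groups[1].Value }
$subState  = $states | Select-Object -First 1
$perSource = $states | Select-Object -Skip 1 | Group-Object | Sort-Object Count -Descending

"Subscription '$SubscriptionName' is $subState; sources by state:"
$perSource | ForEach-Object { '  {0,-12} {1}' -f $_.Name, $_.Count }

# Non-zero LastError entries are the sources to look at first
$errors = [regex]::Matches($status, 'LastError:\s*(\d+)') | Where-Object { $_.Groups[1].Value -ne '0' }
"Entries with a non-zero LastError: $($errors.Count)"
```

Scheduling the source half as a task and shipping its output through WEF itself is a cheap way to notice a collector that has stopped accepting connections before the SIEM goes quiet.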