How to Set Up Windows Event Forwarding (WEF) on Windows Server 2012 R2

Windows Event Forwarding (WEF) is a native Windows mechanism that allows you to centralize security events from dozens or hundreds of servers onto a dedicated collector server—without deploying an agent or purchasing additional software. WEF uses the WS-Management protocol (the same protocol underlying WinRM) to push or pull events from source computers to the collector. This guide covers configuring the collector server, setting up source computers via Group Policy, and creating event subscriptions to capture security-relevant events for a Windows Server 2012 R2 domain.

Prerequisites

  • One dedicated Windows Server 2012 R2 machine to serve as the WEF Collector (minimum 4 GB RAM, SSD-backed storage recommended for high-volume environments)
  • Source computers that are domain-joined Windows servers with the WinRM service running (a WinRM listener is not required for the source-initiated subscription used in this guide, because sources connect outbound to the collector)
  • Rights to create and link Group Policy Objects for the source OU (Domain Admins, or delegated GPO permissions)
  • Read access to the Security log on every source computer for that computer's own NETWORK SERVICE account, which is the account the WinRM service and the forwarding plug-in run as. This is not granted automatically by the subscription; it is configured via GPO in Step 2

Step 1: Configure the WEF Collector

On the designated collector server, open an elevated PowerShell prompt and run the Windows Event Collector quick-configuration command:

wecutil qc /q:true

This enables the Windows Event Collector service (Wecsvc), sets it to Automatic (Delayed Start) so subscriptions survive reboots, enables the ForwardedEvents channel if it was disabled, and starts the service. Verify the service is running:

Get-Service -Name Wecsvc

The service should show Running status. Also configure WinRM on the collector if not already done; this is the step that creates the HTTP listener on TCP 5985 that source computers connect to, and it adds the matching Windows Firewall rule:

winrm quickconfig -q

Step 2: Configure Source Computers via Group Policy

Source computers need to be configured to:

  1. Run the WinRM service (Automatic start), because WinRM is the transport the event forwarding plug-in uses
  2. Know the collector's subscription manager URL, so they can connect outbound to the collector, download the subscription, and push matching events (with the source-initiated subscription used in this guide the collector never connects back to the source)
  3. Grant the NETWORK SERVICE account read access to the Security log, because forwarding runs in the WinRM service's security context and that account cannot read the Security log by default

Create a GPO named WEF-SourceComputers and link it to the OU containing your source servers.

Enable WinRM via Group Policy:

Navigate to Computer Configuration → Windows Settings → Security Settings → System Services → Windows Remote Management (WinRM) — set to Automatic.

Navigate to Computer Configuration → Administrative Templates → Windows Components → Windows Remote Management (WinRM) → WinRM Service and enable Allow remote server management through WinRM. The IPv4 and IPv6 filters on this policy list the local addresses the WinRM listener binds to, not the clients that may connect: * binds every address, and an explicit range such as 10.0.0.1-10.0.0.254 limits it to adapters in that network (the filter syntax is ranges, not wildcards like 10.0.0.*). A source-initiated subscription only needs the WinRM service running on the source, since the source connects outbound to the collector; the listener this policy creates is an inbound management surface, so enable it if you also manage these servers over WinRM and keep the firewall rule for TCP 5985 scoped to your management subnets.

Configure the subscription manager URL. Navigate to:

Computer Configuration → Administrative Templates → Windows Components → Event Forwarding → Configure target Subscription Manager (older ADMX templates name this policy Configure the server address, refresh interval, and issuer certificate authority of a target subscription manager)

Enable the policy and add the following entry to the SubscriptionManagers list:

Server=http://WEFCOLLECTOR01.corp.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60

Refresh is the interval in seconds at which each source re-contacts the collector to pick up subscription changes; 60 is convenient while testing, and a value in the hundreds of seconds is typical once the deployment is stable. Use the collector's FQDN rather than an IP address so that Kerberos authentication works. Plain HTTP is acceptable on a domain network here because WinRM authenticates the source with Kerberos and encrypts the message body; HTTPS additionally requires a server certificate on the collector and is needed for non-domain sources.

Grant NETWORK SERVICE read access to the Security log on all source machines via GPO. Either of these works:

  • Group membership: navigate to Computer Configuration → Windows Settings → Security Settings → Restricted Groups, add NETWORK SERVICE, and under This group is a member of add Event Log Readers. Prefer this additive form over adding Event Log Readers with NETWORK SERVICE under Members of this group, which enforces exact membership and strips any other accounts already in the group. A group-membership change only appears in tokens built after it, so restart the WinRM service (or reboot) on the sources once the GPO has applied.
  • Channel ACL: navigate to Computer Configuration → Administrative Templates → Windows Components → Event Log Service → Security → Configure log access and append (A;;0x1;;;NS) to the channel's existing SDDL. This grants Network Service read (0x1) on the Security log only, without widening its access to other logs.
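The following script is an added example (not part of the original guide) for checking, on a source computer after gpupdate /force, that the Step 2 settings actually took effect. It assumes the collector FQDN used in this guide (WEFCOLLECTOR01.corp.example.com, an illustrative name), the registry key the Event Forwarding policy writes its subscription manager entries to, and that Test-NetConnection is available (it ships with 2012 R2). The function name Test-WefSourceConfig is mine, not a built-in cmdlet.

```powershell
# Added example: verify WEF source-side configuration on a Windows Server 2012 R2 source.
# Run elevated, after Group Policy has applied. Collector name below is an assumption.
$ExpectedCollector = 'WEFCOLLECTOR01.corp.example.com'   # assumption: your collector's FQDN

function Test-WefSourceConfig {
    param([string]$CollectorFqdn)

    $results = [ordered]@{}

    # 1. WinRM must be running and set to start automatically (WMI works on PowerShell 4).
    $winrm     = Get-Service -Name WinRM
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'").StartMode
    $results['WinRM running']   = ($winrm.Status -eq 'Running')
    $results['WinRM automatic'] = ($startMode -like 'Auto*')

    # 2. The "Configure target Subscription Manager" policy writes its entries as values
    #    named 1, 2, ... under this key; each value holds one Server=...,Refresh=... string.
    $smKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $smValues = @()
    if (Test-Path $smKey) {
        $smValues = (Get-ItemProperty -Path $smKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $results['Subscription manager set'] =
        @($smValues | Where-Object { $_ -match [regex]::Escape($CollectorFqdn) }).Count -gt 0

    # 3. Network Service (SID S-1-5-20, SDDL alias NS) must be able to read the Security log:
    #    either the channel SDDL grants it directly, or it is a member of Event Log Readers.
    $sddl        = (Get-WinEvent -ListLog Security).SecurityDescriptor
    $aceGrantsNs = $sddl -match '\(A;;[^;]*;;;(NS|S-1-5-20)\)'
    $members     = net localgroup "Event Log Readers" 2>$null
    $inReaders   = @($members | Where-Object { $_ -match '^NT AUTHORITY\\NETWORK SERVICE\s*$' }).Count -gt 0
    $results['NS can read Security'] = ($aceGrantsNs -or $inReaders)

    # 4. The source must be able to reach the collector's WinRM listener (outbound TCP 5985).
    $results['Collector port 5985 reachable'] =
        (Test-NetConnection -ComputerName $CollectorFqdn -Port 5985 -WarningAction SilentlyContinue).TcpTestSucceeded

    return $results
}

$report = Test-WefSourceConfig -CollectorFqdn $ExpectedCollector
$report.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

# The forwarding plug-in records its own connection attempts and errors in this log;
# its newest entries explain why a source is stuck whenever a line above reads FAIL.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Run it on one pilot source before linking the GPO to the whole OU; a FAIL on "NS can read Security" with everything else OK is the classic symptom of the Restricted Groups change having applied without the WinRM service being restarted.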

Step 3: Create an Event Subscription on the Collector

An event subscription defines which events to collect, from which computers, and where to store them. The query below selects account-logon, account-management, process-creation and object-access event IDs. These are only generated if the matching Advanced Audit Policy subcategories are enabled on the sources (4688 needs Audit Process Creation; 4656 and 4663 need an Object Access subcategory such as Audit File System or Audit Registry plus SACLs on the audited objects), and 4656/4663 can be extremely high volume, so include them only where you deliberately audit specific objects. A single Select element also accepts only a limited number of comparisons (on the order of twenty), so put further IDs in additional Select elements rather than extending this one. Create a subscription XML file:

<!-- Save as C:\WEF\SecuritySubscription.xml -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collects security events from domain servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- Custom makes the Delivery settings below authoritative; with MinLatency or
       MinBandwidth the collector applies its own preset batching values instead. -->
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <!-- Flush buffered events to the collector at least every 30 seconds -->
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <!-- Sources check in hourly even when they have nothing to send -->
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Security">
            *[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4648
              or EventID=4656 or EventID=4663 or EventID=4688 or EventID=4697
              or EventID=4719 or EventID=4720 or EventID=4722 or EventID=4723
              or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4728
              or EventID=4732 or EventID=4740 or EventID=4756 or EventID=4776)]]
          </Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <!-- Only forward events logged after the source joins; set true to backfill history -->
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <!-- RenderedText includes the formatted message, so the collector does not need the
       sources' message DLLs to display or ship the events -->
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: allow Domain Computers (DC) and Network Service (NS). Replace DC with the SID
       of a dedicated group to restrict which machines may forward into this subscription. -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>

Create the subscription from the XML (wecutil validates the file against the subscription schema and refuses it if elements are out of order or malformed):

mkdir C:\WEF
# (Save the XML above to C:\WEF\SecuritySubscription.xml)
wecutil cs C:\WEF\SecuritySubscription.xml
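Before deploying a query to every source it is worth knowing how many events per hour each ID will actually produce, since 4656/4663 or 4624 on a domain controller can swamp the collector. The script below is an added example, not part of the original guide: it pulls the XPath out of the subscription file from this step and runs it against the local Security log, reporting volume per event ID. It assumes the file path C:\WEF\SecuritySubscription.xml, an arbitrary sample size, and that it runs elevated (reading the Security log requires it); Get-SubscriptionXPath and Measure-QueryVolume are names chosen for this example.

```powershell
# Added example: dry-run a WEF subscription's XPath against the local Security log
# to estimate per-event-ID volume before rolling the subscription out.
$SubscriptionFile = 'C:\WEF\SecuritySubscription.xml'   # assumption: file from Step 3
$SampleSize       = 20000                                # newest N matching events to sample

function Get-SubscriptionXPath {
    param([string]$Path)
    # The <Query> element holds a CDATA QueryList; parse that inner text as XML too.
    [xml]$sub = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($sub.NameTable)
    $ns.AddNamespace('s', 'http://schemas.microsoft.com/2006/03/windows/events/subscription')
    [xml]$queryList = $sub.SelectSingleNode('/s:Subscription/s:Query', $ns).InnerText
    return $queryList.SelectSingleNode('/QueryList/Query/Select').InnerText.Trim()
}

function Measure-QueryVolume {
    param([string]$XPath, [int]$MaxEvents, [string]$LogName = 'Security')
    # Get-WinEvent returns newest first; a "no events found" condition is a non-terminating
    # error, so silence it and treat the result as empty.
    $events = @(Get-WinEvent -LogName $LogName -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) { return @() }

    # Hours covered by the sample, from oldest to newest event; floor it so a burst
    # logged within the same instant does not divide by zero.
    $span = ($events[0].TimeCreated - $events[-1].TimeCreated).TotalHours
    if ($span -lt 0.01) { $span = 0.01 }

    $events | Group-Object -Property Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            EventID = [int]$_.Name
            Count   = $_.Count
            PerHour = [math]::Round($_.Count / $span, 1)
            Summary = ($_.Group[0].Message -split "`r?`n")[0]   # first line of the message text
        }
    }
}

$xpath = Get-SubscriptionXPath -Path $SubscriptionFile
Write-Host "XPath under test:`n$xpath`n"
Measure-QueryVolume -XPath $xpath -MaxEvents $SampleSize | Format-Table -AutoSize
```

Run it on a representative member server and on a domain controller separately; the per-hour figures differ by orders of magnitude between the two, and the DC numbers are what size the collector's ForwardedEvents log in Step 5.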

Step 4: Verify Subscription Status

Check that the subscription was created and is active:

# List all subscriptions
wecutil es

# Get detailed status of a specific subscription
wecutil gs Security-Events

# Get runtime status including source computer connections
wecutil gr Security-Events

The runtime status shows the subscription's overall state and, under EventSources, each source computer's RunTimeStatus, LastError and LastHeartbeatTime. Sources showing Active with LastError 0 are forwarding events successfully. A source stuck in Trying, or showing a non-zero LastError, has usually failed Kerberos authentication to the collector or cannot reach TCP 5985; the reason is logged on the source in Microsoft-Windows-Eventlog-ForwardingPlugin/Operational. With a source-initiated subscription a source only appears in this list after it has applied the GPO and contacted the collector, so run gpupdate /force on a pilot source if the list is empty.

Step 5: Increase the ForwardedEvents Log Size

The default maximum size of the ForwardedEvents log on the collector is 20 MB, far too small for a production WEF deployment. Increase it:

# Set log to 1 GB with circular (overwrite-oldest) retention.
# /rt:false = overwrite the oldest events when the log is full. (/rt:true means RETAIN
#             existing events and discard new ones once full, the opposite of circular.)
# /ab:false = do not archive (auto-backup) the log file when it fills.
wevtutil sl ForwardedEvents /ms:1073741824 /rt:false /ab:false

# Verify: check maxSize, retention and autoBackup in the output
wevtutil gl ForwardedEvents

If nothing may be lost before the SIEM has read it, use /rt:true /ab:true instead: the Event Log service then archives the full log as Archive-ForwardedEvents-<timestamp>.evtx in the log directory and starts a fresh one, and you must ship or prune those archives yourself or the volume eventually fills.

For high-volume environments (50+ source computers), move the log file to a dedicated data volume. The directory must exist and the Windows Event Log service, which runs as LOCAL SERVICE, needs modify access to it; restart the service afterwards so the channel is reopened at the new path:

mkdir D:\EventLogs
icacls D:\EventLogs /grant "NT AUTHORITY\LOCAL SERVICE:(OI)(CI)M"
wevtutil sl ForwardedEvents /lfn:D:\EventLogs\ForwardedEvents.evtx
Restart-Service -Name EventLog -Force

Step 6: Query Forwarded Events

Verify events are arriving from source computers:

# Total records currently in the ForwardedEvents log (reading events with -MaxEvents would
# cap the answer at the sample size, so use the channel's RecordCount instead)
(Get-WinEvent -ListLog ForwardedEvents).RecordCount

# View recent logon events from all forwarded sources; MachineName identifies the source
Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[EventID=4624]]" -MaxEvents 50 |
    Select-Object TimeCreated, MachineName, Message | Format-List

Step 7: Automate Subscription Management

Use PowerShell to list source computer connection status for all subscriptions:

# wecutil es prints one subscription name per line; wrap in @() so a single subscription still iterates
$subscriptions = @(wecutil es)
foreach ($sub in $subscriptions) {
    Write-Host "=== Subscription: $sub ===" -ForegroundColor Cyan
    wecutil gr "$sub"    # quoted in case a subscription name contains spaces
    Write-Host ""
}
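Eyeballing wecutil gr output stops scaling at a few dozen sources; what you want is a list of sources that have gone quiet. The following is an added example (not from the original guide) that parses the text wecutil gr prints into objects and flags sources that are not Active, report a non-zero LastError, or whose last heartbeat is older than a threshold. It assumes the indented "Key: Value" layout under an EventSources: header that wecutil produces on 2012 R2, and the sample block embedded below is constructed for the example, not a real capture. ConvertFrom-WecRuntimeStatus and Get-UnhealthyWecSources are names chosen here.

```powershell
# Added example: turn "wecutil gr <subscription>" text into objects and report unhealthy sources.

function ConvertFrom-WecRuntimeStatus {
    param([string[]]$Lines)
    $sources   = @()
    $current   = $null
    $inSources = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -eq 'EventSources:') { $inSources = $true; continue }
        if (-not $inSources) { continue }            # skip the subscription-level header lines
        if ($line -notmatch ':') {
            # Under EventSources, a line with no "Key: Value" is a source computer name.
            $current = [pscustomobject]@{ Source = $line; RunTimeStatus = $null; LastError = $null; LastHeartbeatTime = $null }
            $sources += $current
        } elseif ($current) {
            $key, $value = $line -split ':\s*', 2   # split on the first colon only (timestamps contain colons)
            switch ($key) {
                'RunTimeStatus'     { $current.RunTimeStatus     = $value }
                'LastError'         { $current.LastError         = [int]$value }
                'LastHeartbeatTime' { $current.LastHeartbeatTime = [datetime]$value }
            }
        }
    }
    return $sources
}

function Get-UnhealthyWecSources {
    param([object[]]$Sources, [int]$MaxHeartbeatAgeMinutes = 120, [datetime]$Now = (Get-Date))
    # A source is unhealthy if it is not Active, reports an error, has never sent a heartbeat,
    # or its last heartbeat is older than the allowed age (the subscription heartbeat is 1 hour).
    $Sources | Where-Object {
        $_.RunTimeStatus -ne 'Active' -or
        $_.LastError -ne 0 -or
        -not $_.LastHeartbeatTime -or
        ($Now - $_.LastHeartbeatTime).TotalMinutes -gt $MaxHeartbeatAgeMinutes
    }
}

# Constructed sample of wecutil gr output (not a real capture): one healthy source,
# one whose heartbeat is hours old, one stuck in Trying with an access-denied error.
$sample = @'
Subscription: Security-Events
        RunTimeStatus: Active
        LastError: 0
        EventSources:
                SRV01.corp.example.com
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2015-06-01T10:55:00.000
                SRV02.corp.example.com
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2015-06-01T02:10:00.000
                SRV03.corp.example.com
                        RunTimeStatus: Trying
                        LastError: 5
'@ -split "`r?`n"

$parsed = ConvertFrom-WecRuntimeStatus -Lines $sample
Get-UnhealthyWecSources -Sources $parsed -Now ([datetime]'2015-06-01T11:00:00') | Format-Table -AutoSize

# Against the live collector, across every subscription:
# wecutil es | ForEach-Object { Get-UnhealthyWecSources -Sources (ConvertFrom-WecRuntimeStatus -Lines (wecutil gr "$_")) }
```

Schedule the live form as a task on the collector and write its output to a log or alert; a source that silently stops forwarding is invisible to the SIEM precisely because nothing arrives, so this check is the only place the gap shows up.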

Summary

Windows Event Forwarding provides agentless, centralized log collection for Windows Server 2012 R2 environments using native OS functionality. You have configured the WEF Collector service, deployed source computer settings via Group Policy, created a subscription targeting the most critical Security event IDs, and increased the log retention capacity. WEF integrates naturally with SIEM tools such as Splunk, Elastic, and Microsoft Sentinel—point your SIEM agent at the ForwardedEvents log on the collector to feed events into your security analytics pipeline without deploying agents on every source server.