Setting up Windows Event Forwarder Server (WEF) (Domain) – GPO Deployment Part 3/3

Now that you have setup a Windows Event Forwarder collector + Sysmon subscriptions, you are now ready to collect these logs from your endpoint.

We will now create a group policy and deploy it to our systems.


  • Create computer OU for GPO deployment (WEF Deployment)

Creating GPO

Step 1: Create WinRM Service and set it to start automatically

Launch your group policy utility and perform the following:

  1. Right click your computer OU and
  2. Create GPO in this domain, and link it here
  3. Provide a name (WEF Deployment) , click OK
  4. Right click your newly created GPO WEF Deployment and select Edit
  5. Navigate to Computer Configuration > Preferences > Control Panel Settings > “New > Service”
    Startup: AutomaticService
    Name: WinRMService
    Action: Start service
    Click Apply

Step 2: Provide Event Log Reader Access

In this step we will add the Network Service & Event Forwarder Server (WindowsLogCollector) to the Event Log Readers and Groups. This will give our WEF server (WindowsLogCollector) access to your domain endpoint event logs.

  1. Right click your WEF Deployment GPO and select Edit
  2. Computer Configuration > Preferences > Control Panel Settings > right click > “New Group”
    Action: Update
    Group Name: Event Log Readers
    Apply > OK

Step 3: Adding WEF Server Subscription address
This will allow our endpoints to enroll to our WindowsLogCollector subscriptions.

  1. Right click your WEF Deployment GPO and select Edit
  2. Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager >
  3.  Set to EnableShow: Server=http://WindowsLogCollector.domain.COM:5985/wsman/SubscriptionManager/WEC

Click OK

Step 4: Allow Remote server Management through WinRM

  1. Right click your WEF Deployment GPO and select Edit
  2. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRMService > Allow Remote Server Management through WinRM
    Set: EnableiPv4 Filter: *   (or you may enter just the IP address of your WindowsLogCollector)
    IpV6 Filter: *  (you may uncheck this)


We are now done!

Go back to your WindowsLogCollector server and browse to the Event Viewer, you should see the endpoints start to register and logs under Fowarded Events.

(Note: This might take up to 90 min depending on how often our GPO refreshes. You may want to run gpupdate /force on your endpoints to refresh group policy and receive these changes immediately. Additionally, it may take up to 15 minutes for your endpoints to receive a subscription updates whenever you add or remove an event ID when creating Subscriptions. You may restart the Windows Remote Management (WS-Management) (WinRM) service to trigger the request to our WEF server and receive the update instantly).

Important Note: If you are collecting Security logs, once your endpoint gets the subscription settings, you will need to restart that particular endpoint so the permissions apply and allow you to collect security logs. Otherwise you will be frustrated about not receiving Security Event logs.

Additionally, since you want to collect all endpoint logs, it would be useful to deploy Sysmon to all of your endpoints as well, you may follow this guide on how to accomplish this.

Next steps are to setup Elasticsearch and ship these WEF logs there and visualize them in Kibana.

Let me know if you have any questions.


0 0 votes
Article Rating
Notify of
Newest Most Voted
Inline Feedbacks
View all comments
5 years ago

What should I spec the Log Collector server for? How many CPU’s/RAM/Disk space etc. We would be using it as a pass-through, so are not worried about retention on the server itself.

5 years ago


First of all, thanks for your tutorials !

I have managed to forward my endpoints Applications logs but the Security ones won’t forward… Do you know why ?

4 years ago
Reply to  Pablo Delgado

No. I have the same issue (I am a different Nick) where I get the Application and System logs but not Security. I have restarted the endpoints.

4 years ago
Reply to  Nicolas

You need to set specific ACL on the channel.

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;s-1-5-20)