0 agents
Third-party software required for WEF: uses native WinRM protocol built into all Windows versions since Vista/Server 2008
Source-initiated
Recommended WEF subscription mode: machines push their events to the WEC server, scales to thousands of endpoints without collector polling
XPath
Query language used for WEF event filters: same syntax as Windows Event Viewer custom views, lets you select specific Event IDs rather than forwarding all events
1 WEC server
Can handle approximately 2,000-5,000 endpoints depending on event volume and hardware: scale with additional WEC servers and load balancing for larger environments

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Every domain-joined Windows machine generates security events: logons, process creation, account changes: but by default they stay on the local machine and overwrite within hours or days. Windows Event Forwarding solves this by pushing selected events to a central collection server using only the WinRM protocol built into every modern Windows system.

Compared to installing SIEM agents on every endpoint, WEF is lightweight, uses no additional software, and is managed entirely through Group Policy. The trade-off is that it requires a Windows Event Collector server in your environment and the WEC's event store has limited analysis capability: WEF is best used as a collection layer that feeds into a SIEM or a separate analysis tool.

Step 1: Configure the Windows Event Collector (WEC) Server

The WEC server receives and stores forwarded events. It should be a dedicated Windows Server (not a domain controller: keep collection infrastructure separate from critical AD infrastructure).

# On the WEC server (run as Administrator)

# 1. Enable the Windows Event Collector service
wecutil qc -quiet  # Quick configure: enables the WEC service and sets it to auto-start

# 2. Verify the service is running
Get-Service -Name Wecsvc | Select-Object Status, StartType

# 3. Enable WinRM (required for receiving events)
winrm quickconfig -quiet

# 4. Add the WEC server's computer account to the Network Service group
# (or configure the WEF subscription to use a specific service account)
# The default configuration uses the Network Service account

# 5. Expand the Security event log size to handle volume
# Default is 20MB: increase for a log collector
wevtutil sl Security /ms:512000000  # 512MB
wevtutil sl "Forwarded Events" /ms:1073741824  # 1GB for the forwarded log
wevtutil sl "Forwarded Events" /rt:true  # Enable retention (don't overwrite)

WEC server sizing guide:

Endpoint countRecommended WEC specsForwarded Events log size
< 5002 vCPU, 4GB RAM10GB
500-2,0004 vCPU, 8GB RAM50GB
2,000-5,0008 vCPU, 16GB RAM, SSD200GB
> 5,000Multiple WEC serversShard by OU or subnet

Step 2: Configure Source Machines via GPO

Group Policy pushes WEF configuration to all domain-joined machines: they then contact the WEC server and subscribe to the event forwarding subscription.

Create a new GPO for WEF (apply to all machines or a target OU):

GPO Path 1: Allow WinRM for event forwarding:
Computer Configuration > Preferences > Control Panel Settings >
Services > Windows Remote Management (WS-Management)
  Startup type: Automatic
  Service action: Start

GPO Path 2: Configure the WEC server address:
Computer Configuration > Administrative Templates >
Windows Components > Event Forwarding >
"Configure the server address, refresh interval, and issuer certificate authority"
  Server address: Server=http://wec-server.corp.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
  (Use https:// and port 5986 for encrypted transport: requires certificate configuration)

GPO Path 3: Add Network Service to Event Log Readers:
Computer Configuration > Windows Settings > Security Settings >
Restricted Groups
Add: NETWORK SERVICE as member of Event Log Readers
(Required so the WinRM listener can read Security logs, which require elevated access)

PowerShell to verify WEF configuration on a source machine:

# On any domain machine after GPO applies (gpupdate /force)
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10
# Should show successful subscription events

# Check WinRM is running
Get-Service WinRM

# Check the subscription is active
wecutil gs *  # List subscriptions the machine is enrolled in
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Step 3: Create WEF Subscriptions with XPath Filters

Subscriptions define which events get forwarded. Use XPath filters to select only security-relevant events: forwarding everything is expensive and noisy.

Create a subscription on the WEC server:

<!-- Save as security-subscription.xml on the WEC server -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-High-Value</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>High-value security events from all domain machines</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>100</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>  <!-- 30 seconds -->
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>  <!-- 1 hour heartbeat -->
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0">
        <!-- Security events: logon, logoff, process creation, account management -->
        <Select Path="Security">
          *[System[EventID=4624 or EventID=4625 or EventID=4634 or EventID=4648
                   or EventID=4662 or EventID=4672 or EventID=4688 or EventID=4698
                   or EventID=4702 or EventID=4720 or EventID=4726 or EventID=4728
                   or EventID=4732 or EventID=4740 or EventID=4756 or EventID=4768
                   or EventID=4769 or EventID=4776 or EventID=7045]]
        </Select>
        <!-- System events: new service, driver loaded -->
        <Select Path="System">
          *[System[EventID=7045 or EventID=7036 or EventID=7040]]
        </Select>
        <!-- PowerShell Script Block Logging -->
        <Select Path="Microsoft-Windows-PowerShell/Operational">
          *[System[EventID=4104]]
        </Select>
        <!-- Sysmon (if deployed) -->
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        <!-- WMI activity -->
        <Select Path="Microsoft-Windows-WMI-Activity/Operational">
          *[System[EventID=5857 or EventID=5858 or EventID=5859 or EventID=5860 or EventID=5861]]
        </Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
# Create the subscription on the WEC server
wecutil cs C:\subscriptions\security-subscription.xml

# Verify the subscription is active
wecutil gs Security-High-Value

# Check subscription runtime status
wecutil gr Security-High-Value
# Shows: number of active sources, last error, etc.

NSA/Palantir recommended subscription sets: The NSA and Palantir have published WEF subscription files optimized for security monitoring at:

These include pre-built XPath queries for the most security-relevant event categories, organized into baseline, verbose, and custom tiers.

Step 4: Forward WEC Events to a SIEM

The WEC server's 'Forwarded Events' log can be read by any log shipper and forwarded to your SIEM.

Option 1: Winlogbeat (Elastic Stack)

# winlogbeat.yml on the WEC server
winlogbeat.event_logs:
  - name: ForwardedEvents
    ignore_older: 72h
    event_id: 4624, 4625, 4648, 4662, 4688, 4720, 4728, 4740, 4769
    processors:
    - add_fields:
        target: ''
        fields:
          source_type: wef_collected

output.elasticsearch:
  hosts: ["https://elasticsearch:9200"]
  index: "wef-security-%{+yyyy.MM.dd}"

Option 2: NXLog (flexible, multi-destination)

<!-- nxlog.conf on the WEC server -->
<Input in_wef>
  Module im_msvistalog
  Query <QueryList><Query Id='0'><Select Path='ForwardedEvents'>*</Select></Query></QueryList>
</Input>

<Output out_syslog>
  Module om_udp
  Host 10.0.1.50
  Port 514
  Exec to_syslog_bsd();
</Output>

<Route route1>
  Path in_wef => out_syslog
</Route>

Option 3: Microsoft Sentinel (Azure Monitor Agent on WEC)

# Install Azure Monitor Agent on WEC server
# Configure Data Collection Rule in Azure portal:
# Monitor > Data Collection Rules > Create
# Source: Windows Event Logs > ForwardedEvents channel
# Destination: Log Analytics workspace

Verify end-to-end flow:

# On any domain machine, trigger a test event
Write-EventLog -LogName Security -Source 'WEF-Test' -EventId 4624 -Message 'WEF test event'

# On WEC server, verify the event arrived
Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents 5 | Select-Object TimeCreated, Id, Message

# In SIEM, search for the test event: confirm it arrived within the MaxLatencyTime window

The bottom line

WEF collects Windows Security events from every domain machine using only WinRM: no agent software required. Configure source machines via GPO (enable WinRM, point to WEC server address), create SourceInitiated subscriptions on the WEC server with XPath filters selecting the high-value event IDs (4624, 4625, 4648, 4662, 4688, 4720, 4740, 4769, 7045), and forward the WEC's Forwarded Events log to your SIEM via Winlogbeat, NXLog, or Azure Monitor Agent. One WEC server handles 2,000-5,000 endpoints; scale with additional WECs for larger environments.

Frequently asked questions

What is Windows Event Forwarding (WEF)?

WEF is a native Windows capability that uses WinRM to forward selected event log entries from domain-joined machines to a central Windows Event Collector (WEC) server: without installing any agent software. It is configured entirely through Group Policy. Security teams use it to centralize Windows Security events (logons, process creation, account changes) from all endpoints to a single collection point for SIEM ingestion.

How do you configure Windows Event Forwarding?

Three steps: on the WEC server run 'wecutil qc' to enable the collector service and expand the Forwarded Events log size; apply a GPO to all domain machines enabling WinRM and pointing to the WEC server URL; create a SourceInitiated subscription on the WEC server with XPath filters for the event IDs you want to collect. Source machines then push matching events to the WEC automatically.

What events should Windows Event Forwarding collect?

A minimal high-value WEF subscription should collect: Security log events 4624/4625/4648 (authentication), 4688 with command-line (process creation), 4698/4702 (scheduled task creation/modification), 4719 (audit policy change), 4720/4726 (account creation/deletion), 4728/4732/4756 (group membership changes to privileged groups), and 7045 (service installation). Also collect Sysmon events from the Operational log (Event IDs 1, 3, 7, 10, 11) if Sysmon is deployed. Use NSA's WEF and WEC guidance (available on NSA GitHub) as a baseline subscription: it covers most detection use cases without overwhelming the WEC with low-value events.

What is the difference between Windows Event Forwarding and a SIEM agent?

WEF uses native Windows technology (WinRM and Windows Remote Management) to push events to a Windows Event Collector (WEC) server. It requires no additional software on endpoints, is built into all modern Windows versions, and generates low overhead. The WEC then forwards to your SIEM via a log shipper (Winlogbeat, NXLog, or a SIEM agent on the WEC server). A SIEM agent installed directly on each endpoint (Splunk UF, Elastic Agent, CrowdStrike Falcon LogScale) provides richer telemetry, real-time forwarding, and direct configuration from the SIEM console but requires agent deployment and management on every endpoint. WEF is the right choice for environments where agent deployment is not feasible or overhead is a concern; SIEM agents are better for environments requiring real-time streaming and richer host telemetry.

How do I scale Windows Event Forwarding across thousands of endpoints?

WEF architecture for large environments: deploy multiple WEC servers in a tiered architecture (one WEC per 2,000-4,000 endpoints is a common guideline), use DNS round-robin or a load balancer to distribute endpoint connections across WEC servers, and configure each WEC to forward to your SIEM in parallel. Increase the WEC server's Forwarded Events log size to at least 4GB to handle event bursts. Monitor WEC subscription health with the Eventviewer on the WEC: unhealthy subscriptions show a red X under Subscriptions. For very large environments (50,000+ endpoints), a dedicated Windows Event Forwarding architecture team and tooling (Microsoft Event Subscription tooling or third-party WEF management) may be needed.

How do I troubleshoot WEF subscriptions where source machines are not forwarding events?

Start on the source machine: run 'wecutil gs *' to list subscriptions the machine has enrolled in -- if empty, the GPO has not applied yet or WinRM is not running. Run 'winrm quickconfig' and 'gpupdate /force', then recheck. On the WEC server, run 'wecutil gr <SubscriptionName>' to see the runtime status including a per-source list of active sources, last heartbeat time, and any error codes. Error 0x138C means the source cannot reach the WEC server on port 5985 (check firewall rules). Error 0x2 means the WEC service account (Network Service) lacks permission to read the Security log on the source -- add Network Service to the Event Log Readers local group via the GPO's Restricted Groups setting. If the Forwarded Events log on the WEC is filling up and events are being dropped, increase the log size with 'wevtutil sl ForwardedEvents /ms:<bytes>' and verify the log is set to retain (not overwrite).

Sources & references

  1. Microsoft: Use Windows Event Forwarding to Help with Intrusion Detection
  2. NSA: WEF for Windows Security Monitoring
  3. Palantir: Windows Event Forwarding Guidance

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.