How to Set Up Windows Event Forwarding (WEF) to Centralize Security Logs

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Every domain-joined Windows machine generates security events: logons, process creation, account changes: but by default they stay on the local machine and overwrite within hours or days. Windows Event Forwarding solves this by pushing selected events to a central collection server using only the WinRM protocol built into every modern Windows system.
Compared to installing SIEM agents on every endpoint, WEF is lightweight, uses no additional software, and is managed entirely through Group Policy. The trade-off is that it requires a Windows Event Collector server in your environment and the WEC's event store has limited analysis capability: WEF is best used as a collection layer that feeds into a SIEM or a separate analysis tool.
Step 1: Configure the Windows Event Collector (WEC) Server
The WEC server receives and stores forwarded events. It should be a dedicated Windows Server (not a domain controller: keep collection infrastructure separate from critical AD infrastructure).
# On the WEC server (run as Administrator)
# 1. Enable the Windows Event Collector service
wecutil qc -quiet # Quick configure: enables the WEC service and sets it to auto-start
# 2. Verify the service is running
Get-Service -Name Wecsvc | Select-Object Status, StartType
# 3. Enable WinRM (required for receiving events)
winrm quickconfig -quiet
# 4. Add the WEC server's computer account to the Network Service group
# (or configure the WEF subscription to use a specific service account)
# The default configuration uses the Network Service account
# 5. Expand the Security event log size to handle volume
# Default is 20MB: increase for a log collector
wevtutil sl Security /ms:512000000 # 512MB
wevtutil sl "Forwarded Events" /ms:1073741824 # 1GB for the forwarded log
wevtutil sl "Forwarded Events" /rt:true # Enable retention (don't overwrite)
WEC server sizing guide:
| Endpoint count | Recommended WEC specs | Forwarded Events log size |
|---|---|---|
| < 500 | 2 vCPU, 4GB RAM | 10GB |
| 500-2,000 | 4 vCPU, 8GB RAM | 50GB |
| 2,000-5,000 | 8 vCPU, 16GB RAM, SSD | 200GB |
| > 5,000 | Multiple WEC servers | Shard by OU or subnet |
Step 2: Configure Source Machines via GPO
Group Policy pushes WEF configuration to all domain-joined machines: they then contact the WEC server and subscribe to the event forwarding subscription.
Create a new GPO for WEF (apply to all machines or a target OU):
GPO Path 1: Allow WinRM for event forwarding:
Computer Configuration > Preferences > Control Panel Settings >
Services > Windows Remote Management (WS-Management)
Startup type: Automatic
Service action: Start
GPO Path 2: Configure the WEC server address:
Computer Configuration > Administrative Templates >
Windows Components > Event Forwarding >
"Configure the server address, refresh interval, and issuer certificate authority"
Server address: Server=http://wec-server.corp.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
(Use https:// and port 5986 for encrypted transport: requires certificate configuration)
GPO Path 3: Add Network Service to Event Log Readers:
Computer Configuration > Windows Settings > Security Settings >
Restricted Groups
Add: NETWORK SERVICE as member of Event Log Readers
(Required so the WinRM listener can read Security logs, which require elevated access)
PowerShell to verify WEF configuration on a source machine:
# On any domain machine after GPO applies (gpupdate /force)
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10
# Should show successful subscription events
# Check WinRM is running
Get-Service WinRM
# Check the subscription is active
wecutil gs * # List subscriptions the machine is enrolled in
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Step 3: Create WEF Subscriptions with XPath Filters
Subscriptions define which events get forwarded. Use XPath filters to select only security-relevant events: forwarding everything is expensive and noisy.
Create a subscription on the WEC server:
<!-- Save as security-subscription.xml on the WEC server -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<SubscriptionId>Security-High-Value</SubscriptionId>
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description>High-value security events from all domain machines</Description>
<Enabled>true</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<ConfigurationMode>MinLatency</ConfigurationMode>
<Delivery Mode="Push">
<Batching>
<MaxItems>100</MaxItems>
<MaxLatencyTime>30000</MaxLatencyTime> <!-- 30 seconds -->
</Batching>
<PushSettings>
<Heartbeat Interval="3600000"/> <!-- 1 hour heartbeat -->
</PushSettings>
</Delivery>
<Query>
<![CDATA[
<QueryList>
<Query Id="0">
<!-- Security events: logon, logoff, process creation, account management -->
<Select Path="Security">
*[System[EventID=4624 or EventID=4625 or EventID=4634 or EventID=4648
or EventID=4662 or EventID=4672 or EventID=4688 or EventID=4698
or EventID=4702 or EventID=4720 or EventID=4726 or EventID=4728
or EventID=4732 or EventID=4740 or EventID=4756 or EventID=4768
or EventID=4769 or EventID=4776 or EventID=7045]]
</Select>
<!-- System events: new service, driver loaded -->
<Select Path="System">
*[System[EventID=7045 or EventID=7036 or EventID=7040]]
</Select>
<!-- PowerShell Script Block Logging -->
<Select Path="Microsoft-Windows-PowerShell/Operational">
*[System[EventID=4104]]
</Select>
<!-- Sysmon (if deployed) -->
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
<!-- WMI activity -->
<Select Path="Microsoft-Windows-WMI-Activity/Operational">
*[System[EventID=5857 or EventID=5858 or EventID=5859 or EventID=5860 or EventID=5861]]
</Select>
</Query>
</QueryList>
]]>
</Query>
<ReadExistingEvents>false</ReadExistingEvents>
<TransportName>HTTP</TransportName>
<ContentFormat>RenderedText</ContentFormat>
<Locale Language="en-US"/>
<LogFile>ForwardedEvents</LogFile>
<AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
# Create the subscription on the WEC server
wecutil cs C:\subscriptions\security-subscription.xml
# Verify the subscription is active
wecutil gs Security-High-Value
# Check subscription runtime status
wecutil gr Security-High-Value
# Shows: number of active sources, last error, etc.
NSA/Palantir recommended subscription sets: The NSA and Palantir have published WEF subscription files optimized for security monitoring at:
- https://github.com/nsacyber/Event-Forwarding-Guidance
- https://github.com/palantir/windows-event-forwarding
These include pre-built XPath queries for the most security-relevant event categories, organized into baseline, verbose, and custom tiers.
Step 4: Forward WEC Events to a SIEM
The WEC server's 'Forwarded Events' log can be read by any log shipper and forwarded to your SIEM.
Option 1: Winlogbeat (Elastic Stack)
# winlogbeat.yml on the WEC server
winlogbeat.event_logs:
- name: ForwardedEvents
ignore_older: 72h
event_id: 4624, 4625, 4648, 4662, 4688, 4720, 4728, 4740, 4769
processors:
- add_fields:
target: ''
fields:
source_type: wef_collected
output.elasticsearch:
hosts: ["https://elasticsearch:9200"]
index: "wef-security-%{+yyyy.MM.dd}"
Option 2: NXLog (flexible, multi-destination)
<!-- nxlog.conf on the WEC server -->
<Input in_wef>
Module im_msvistalog
Query <QueryList><Query Id='0'><Select Path='ForwardedEvents'>*</Select></Query></QueryList>
</Input>
<Output out_syslog>
Module om_udp
Host 10.0.1.50
Port 514
Exec to_syslog_bsd();
</Output>
<Route route1>
Path in_wef => out_syslog
</Route>
Option 3: Microsoft Sentinel (Azure Monitor Agent on WEC)
# Install Azure Monitor Agent on WEC server
# Configure Data Collection Rule in Azure portal:
# Monitor > Data Collection Rules > Create
# Source: Windows Event Logs > ForwardedEvents channel
# Destination: Log Analytics workspace
Verify end-to-end flow:
# On any domain machine, trigger a test event
Write-EventLog -LogName Security -Source 'WEF-Test' -EventId 4624 -Message 'WEF test event'
# On WEC server, verify the event arrived
Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents 5 | Select-Object TimeCreated, Id, Message
# In SIEM, search for the test event: confirm it arrived within the MaxLatencyTime window
The bottom line
WEF collects Windows Security events from every domain machine using only WinRM: no agent software required. Configure source machines via GPO (enable WinRM, point to WEC server address), create SourceInitiated subscriptions on the WEC server with XPath filters selecting the high-value event IDs (4624, 4625, 4648, 4662, 4688, 4720, 4740, 4769, 7045), and forward the WEC's Forwarded Events log to your SIEM via Winlogbeat, NXLog, or Azure Monitor Agent. One WEC server handles 2,000-5,000 endpoints; scale with additional WECs for larger environments.
Frequently asked questions
What is Windows Event Forwarding (WEF)?
WEF is a native Windows capability that uses WinRM to forward selected event log entries from domain-joined machines to a central Windows Event Collector (WEC) server: without installing any agent software. It is configured entirely through Group Policy. Security teams use it to centralize Windows Security events (logons, process creation, account changes) from all endpoints to a single collection point for SIEM ingestion.
How do you configure Windows Event Forwarding?
Three steps: on the WEC server run 'wecutil qc' to enable the collector service and expand the Forwarded Events log size; apply a GPO to all domain machines enabling WinRM and pointing to the WEC server URL; create a SourceInitiated subscription on the WEC server with XPath filters for the event IDs you want to collect. Source machines then push matching events to the WEC automatically.
What events should Windows Event Forwarding collect?
A minimal high-value WEF subscription should collect: Security log events 4624/4625/4648 (authentication), 4688 with command-line (process creation), 4698/4702 (scheduled task creation/modification), 4719 (audit policy change), 4720/4726 (account creation/deletion), 4728/4732/4756 (group membership changes to privileged groups), and 7045 (service installation). Also collect Sysmon events from the Operational log (Event IDs 1, 3, 7, 10, 11) if Sysmon is deployed. Use NSA's WEF and WEC guidance (available on NSA GitHub) as a baseline subscription: it covers most detection use cases without overwhelming the WEC with low-value events.
What is the difference between Windows Event Forwarding and a SIEM agent?
WEF uses native Windows technology (WinRM and Windows Remote Management) to push events to a Windows Event Collector (WEC) server. It requires no additional software on endpoints, is built into all modern Windows versions, and generates low overhead. The WEC then forwards to your SIEM via a log shipper (Winlogbeat, NXLog, or a SIEM agent on the WEC server). A SIEM agent installed directly on each endpoint (Splunk UF, Elastic Agent, CrowdStrike Falcon LogScale) provides richer telemetry, real-time forwarding, and direct configuration from the SIEM console but requires agent deployment and management on every endpoint. WEF is the right choice for environments where agent deployment is not feasible or overhead is a concern; SIEM agents are better for environments requiring real-time streaming and richer host telemetry.
How do I scale Windows Event Forwarding across thousands of endpoints?
WEF architecture for large environments: deploy multiple WEC servers in a tiered architecture (one WEC per 2,000-4,000 endpoints is a common guideline), use DNS round-robin or a load balancer to distribute endpoint connections across WEC servers, and configure each WEC to forward to your SIEM in parallel. Increase the WEC server's Forwarded Events log size to at least 4GB to handle event bursts. Monitor WEC subscription health with the Eventviewer on the WEC: unhealthy subscriptions show a red X under Subscriptions. For very large environments (50,000+ endpoints), a dedicated Windows Event Forwarding architecture team and tooling (Microsoft Event Subscription tooling or third-party WEF management) may be needed.
How do I troubleshoot WEF subscriptions where source machines are not forwarding events?
Start on the source machine: run 'wecutil gs *' to list subscriptions the machine has enrolled in -- if empty, the GPO has not applied yet or WinRM is not running. Run 'winrm quickconfig' and 'gpupdate /force', then recheck. On the WEC server, run 'wecutil gr <SubscriptionName>' to see the runtime status including a per-source list of active sources, last heartbeat time, and any error codes. Error 0x138C means the source cannot reach the WEC server on port 5985 (check firewall rules). Error 0x2 means the WEC service account (Network Service) lacks permission to read the Security log on the source -- add Network Service to the Event Log Readers local group via the GPO's Restricted Groups setting. If the Forwarded Events log on the WEC is filling up and events are being dropped, increase the log size with 'wevtutil sl ForwardedEvents /ms:<bytes>' and verify the log is set to retain (not overwrite).
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
