Zero cost
WEF and WEC are built into Windows. The only cost is the Windows Server license for the collector and the storage for the forwarded logs. There are no agent licenses, no SIEM ingestion fees, and no additional software to purchase
Source-initiated
is the correct WEF subscription mode for domain-joined machines. Sources contact the collector via GPO-configured subscription URL. This scales to thousands of sources without the collector needing outbound connections or credential access to each endpoint
Event ID 4624, 4625, 4648, 4768, 4769, 4776
are the minimum authentication event IDs every WEF deployment should collect. These six IDs cover successful and failed logins, explicit credential use, Kerberos ticket requests, and NTLM authentication -- the foundation of lateral movement detection
~500 MB/day
per 100 endpoints is a typical WEF ingestion rate for the NSA recommended baseline event set. Scale storage planning accordingly: 1,000 endpoints generates roughly 5 GB/day, or 150 GB/month before compression

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The most common reason organizations lack visibility into lateral movement is not a missing SIEM -- it is that Windows security events stay on the local endpoint where they are overwritten within 24-72 hours. Windows Event Forwarding solves this for free. Events are pushed from every domain endpoint to a central Windows Event Collector server in near real-time. You can then query, alert on, or forward to a SIEM from one place. This guide walks through the complete setup in order.

Set Up the Windows Event Collector Server

Any Windows Server 2012 R2 or later can serve as the WEC. The WEC does not need to be a domain controller. Size it for the event volume: ~500 MB per 100 endpoints per day for the baseline event set.

Step 1: Enable the Windows Event Collector service

# Run on the WEC server as admin
wecutil qc /q
# Outputs: The service is already configured for event collection.
# If not, it prompts to configure -- answer 'Y'

Step 2: Configure the WinRM listener

winrm quickconfig
# Or via GPO: Computer Configuration > Administrative Templates >
# Windows Components > Windows Remote Management (WinRM) > WinRM Service
# Allow automatic configuration of listeners: *(IPv4) *(IPv6)

Step 3: Grant the Network Service account permission to read the Security log on source machines

This is done via Group Policy on the source machines, not on the WEC: Computer Configuration > Windows Settings > Security Settings > Restricted Groups Add: NT AUTHORITY\NETWORK SERVICE to the Event Log Readers local group

Or via GPO Preferences > Local Users and Groups > Modify the Event Log Readers group to include NETWORK SERVICE.

Create the WEF Subscription

A WEF subscription defines which events are collected and from which sources. Use source-initiated subscriptions for scalable domain deployments.

Create a subscription via wecutil (command line):

Create an XML subscription file security-baseline.xml:

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-Baseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>NSA baseline security events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>20</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4673 or EventID=4674 or EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4728 or EventID=4732 or EventID=4735 or EventID=4740 or EventID=4756 or EventID=4768 or EventID=4769 or EventID=4771 or EventID=4776)]]</Select>
        <Select Path="System">*[System[(EventID=7045 or EventID=7036)]]</Select>
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104)]]</Select>
        <Select Path="Microsoft-Windows-WMI-Activity/Operational">*[System[(EventID=5857 or EventID=5858 or EventID=5860 or EventID=5861)]]</Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>

Install the subscription:

wecutil cs security-baseline.xml
# Verify
wecutil gs Security-Baseline
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Configure Source Machines via Group Policy

Source machines need to know the WEC server address and to forward events. Configure via GPO:

GPO: Windows Event Forwarding source configuration Apply to: All domain computers (or a specific OU)

Path: Computer Configuration > Administrative Templates > Windows Components > Event Forwarding

  • Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager: Enabled
    • SubscriptionManager value: Server=http://wec-server.domain.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
    • Use port 5985 for HTTP (domain-joined, Kerberos auth) or 5986 for HTTPS

Path: Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client

  • Allow unencrypted traffic: Disabled (use Kerberos auth)
  • Allow Basic authentication: Disabled

Verify sources are checking in:

# On the WEC server
wecutil es
# Lists all source computers currently enrolled in each subscription

Check the ForwardedEvents log on the WEC:

Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 | Format-List TimeCreated, MachineName, Id, Message

NSA Recommended Event IDs for the Security Baseline

The following event IDs should be in every WEF subscription. They cover the most valuable detection use cases without generating unmanageable volume.

Authentication and credential use:

  • 4624: Successful logon (filter to Logon Types 3, 10 for network/remote)
  • 4625: Failed logon
  • 4648: Explicit credential logon (RunAs, network auth with different credentials)
  • 4672: Special privilege assigned to new logon (admin rights at logon)
  • 4771: Kerberos pre-authentication failed
  • 4776: NTLM authentication attempt

Account management:

  • 4720, 4722, 4725, 4726: Account created, enabled, disabled, deleted
  • 4728, 4732, 4756: Member added to security/admin group
  • 4740: Account locked out

Service and process events:

  • 7045: New service installed (System log)
  • 4697: New service installed in the security log
  • 4698, 4702: Scheduled task created or modified

PowerShell:

  • 4103, 4104: Module logging and script block logging

Sysmon (deploy Sysmon first for maximum value):

  • Event IDs 1, 3, 7, 8, 10, 11, 12, 13, 22: Process create, network, driver load, remote thread, process access, file create, registry, DNS

Full Palantir WEF subscription XML covering all these categories is available at github.com/palantir/windows-event-forwarding.

Forward from WEC to SIEM or Elastic/Splunk

The WEC server's ForwardedEvents log is the aggregation point. Forward it to your SIEM using a Splunk Universal Forwarder, Elastic Agent, or Winlogbeat.

Splunk Universal Forwarder on the WEC:

# inputs.conf
[WinEventLog://ForwardedEvents]
index = wef
start_from = oldest
current_only = 0
disabled = 0
renderXml = 1

Elastic/Winlogbeat on the WEC:

# winlogbeat.yml
winlogbeat.event_logs:
  - name: ForwardedEvents
    event_id: 4624, 4625, 4648, 4672, 4768, 4769, 4771, 4776, 7045, 4103, 4104
    ignore_older: 72h

Storage sizing for the WEC ForwardedEvents log: Increase the maximum log size well beyond the default 20 MB, as the ForwardedEvents log is the only copy of events from endpoints:

wevtutil sl ForwardedEvents /ms:10737418240
# Sets max size to 10 GB -- adjust based on your forwarding interval and SIEM pipeline reliability

The bottom line

WEF is the fastest way to get centralized Windows security logging without SIEM licensing costs. The deployment order: enable WEC on the collector server, create the subscription XML with your target event IDs, configure sources via GPO, verify with wecutil es, then forward the ForwardedEvents log to your SIEM or analysis platform. Sysmon deployed alongside WEF multiplies the value of the collected data for detection and investigation.

Frequently asked questions

How many endpoints can one WEC server handle?

A single WEC server on standard hardware (4 vCPUs, 16 GB RAM) handles approximately 2,000 to 4,000 source machines with the NSA baseline event set. For larger environments, deploy multiple WEC servers and split the source computer scope across subscriptions. At 10,000+ endpoints, consider a commercial log aggregation layer (Splunk Heavy Forwarder, Logstash) between the WEC and the SIEM to handle the ingestion rate. Monitor WEC server disk I/O and network throughput, not just CPU, as the ForwardedEvents log write rate is typically the bottleneck.

Is WEF encrypted in transit?

Yes, when configured correctly. Source-initiated WEF over port 5985 (HTTP transport) uses Kerberos authentication for domain-joined machines, which encrypts the authentication exchange but not the event data payload itself. For full encryption of event data in transit, use HTTPS on port 5986 with a certificate, or configure the WinRM listener to use HTTPS. In most domain-joined environments, Kerberos-authenticated WEF on 5985 is the practical standard. The events are not secret data, but if you require transport encryption, configure the WinRM HTTPS listener and update the SubscriptionManager URL to use https.

Do I need Sysmon for WEF to be useful?

No, but Sysmon dramatically increases the value of the collected data. Windows native event logs for process creation (Event ID 4688) require audit policy configuration and do not capture command-line arguments by default. Sysmon Event ID 1 captures full command-line arguments, parent process information, and a process hash by default. If you deploy WEF without Sysmon, you get authentication and service events which are high value for detection. Adding Sysmon gives you process execution, network connections, and file creation events which are critical for investigating alerts and doing threat hunting.

What is the difference between source-initiated and collector-initiated WEF subscriptions?

Source-initiated subscriptions have the source machines connect to the WEC server. They are configured on the sources via Group Policy and scale easily to thousands of machines -- the WEC just listens and accepts connections. Collector-initiated subscriptions have the WEC server actively connect to each source machine. This requires the WEC to have credentials and network access to every source, which is operationally difficult at scale. Use source-initiated subscriptions for domain environments.

How do I size the Windows Event Collector server for a large environment?

The WEC server CPU and memory requirements scale primarily with the event ingestion rate, not the machine count. For a 1,000-machine environment forwarding only security-critical event IDs (4624, 4625, 4648, 4688, 4698, 4719, 4768, 4769, 7045), expect 5,000-15,000 events per second during business hours. A 4-core server with 16 GB RAM handles up to approximately 10,000 events per second with default WEC configuration. For higher volumes, increase MaxConnections in the WEC registry and add RAM to the WEC server. Monitor the WEC server's incoming event queue depth via perfmon counter Microsoft-Windows-Eventlog-Forwarding-Plugin/Sessions. If the queue grows continuously, the WEC cannot keep up and needs more resources or a secondary WEC server.

What is the NSA Windows Event Logging guidance and which event IDs should I prioritize?

The NSA Cybersecurity Information Sheet 'Spotting the Adversary with Windows Event Log Monitoring' (and its companion technical report) provides a prioritized list of Windows Event IDs for security monitoring. The highest-priority event IDs covering the most common attack techniques: 4624/4625 (successful/failed logon with logon type), 4648 (logon with explicit credentials, used in pass-the-hash and runas scenarios), 4672 (special privileges assigned to new logon, catches admin and sensitive privilege use), 4688 (new process creation with command line, requires audit policy and command line process auditing enabled), 4698/4702 (scheduled task creation/modification, common persistence mechanism), 4719 (system audit policy change, attackers disable logging), 4768/4769/4771 (Kerberos ticket requests, supports Kerberoasting and Golden Ticket detection), 7045 (new service installed, common persistence and driver abuse mechanism), and Event IDs 1, 3, 11 from Sysmon (process creation, network connection, file creation) if Sysmon is deployed. WEF subscriptions should include all of these plus PowerShell logging event IDs (4103, 4104) for Script Block Logging output.

Sources & references

  1. Microsoft: Use Windows Event Forwarding to help with intrusion detection
  2. NSA: Spotting the Adversary with Windows Event Log Monitoring
  3. Palantir: Windows Event Forwarding Guidance

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.