PRACTITIONER GUIDE
Practitioner Guide11 min read

Windows Event Log Forwarding (WEF): GPO Configuration, Collector Setup, and SIEM Integration

Source-initiated
recommended WEF subscription mode for large domain environments; endpoints discover the collector via GPO and push logs to it, scaling to thousands of endpoints without the collector maintaining connections to each one
wecutil qc
Windows command that configures the Windows Event Collector service with the correct WinRM settings and firewall rules in a single step; must be run before any WEF subscriptions will receive events
ForwardedEvents
default Windows event log channel on the collector server where all forwarded events from endpoints accumulate before being picked up by the SIEM forwarder; default maximum size should be increased to 4GB+ on production collectors
XPath
query language used in WEF subscription XML to filter which events are forwarded; select specific Event IDs and log channels so only security-relevant events are forwarded rather than the entire event log stream

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Built a WEF infrastructure for a 2,000-endpoint environment in two days: one Windows Server for the collector, one GPO change to configure Subscription Manager URLs, one subscription XML covering Sysmon and the key Windows Security Event IDs, and one Splunk Universal Forwarder on the collector forwarding to the existing Splunk deployment. Within 48 hours, Sysmon events from all 2,000 endpoints were visible in Splunk, the process lineage and network connection detections that had been planned for months were finally operational, and the security team had Windows endpoint telemetry that previously required per-endpoint Splunk agent deployment that had been blocked by change management for over a year.

WEF's underappreciated advantage is that it bypasses the agent deployment conversation entirely. The GPO change requires no software installation on endpoints, generates no additional system tray icons, consumes no endpoint memory or CPU outside the WinRM service that is already running on domain-joined systems, and requires no antivirus exceptions. In organizations where endpoint agent deployment requires a 6-month change management process, WEF via GPO is deployable in a change window that takes minutes.

Subscription design: choosing event IDs that provide detection value without volume explosion

The subscription XML determines the event volume that flows from thousands of endpoints to the collector. Getting this wrong in either direction has operational consequences: too narrow a subscription misses critical security events; too broad a subscription overwhelms the collector's disk I/O and SIEM ingest budgets with events that have no detection value. The NSA's Event Forwarding Guidance repository on GitHub provides a well-calibrated starting subscription that covers the detection-relevant event IDs without forwarding the entire event log.

Use the NSA/Palantir community subscription configurations as starting points rather than building from scratch

The NSA Cybersecurity Event Forwarding Guidance (github.com/nsacyber/Event-Forwarding-Guidance) and the Palantir Windows Event Forwarding repository (github.com/palantir/windows-event-forwarding) both provide battle-tested subscription XML files that cover the security-relevant Windows event IDs without the volume explosion of forwarding all events. The Palantir configuration in particular is organized into severity tiers (Critical, Warn, Info) that allow you to start with the Critical subscription and add tiers as the infrastructure scales. Deploy the NSA or Palantir Critical-tier subscription as the baseline and verify the event volume per endpoint per day is within the collector's capacity before adding the Warn-tier events. A Critical-tier subscription collecting Sysmon + key Security events generates approximately 5,000-10,000 events per endpoint per day; adding all Warn-tier events can increase this to 20,000-50,000 events per endpoint per day — a significant capacity difference that affects collector sizing and SIEM ingest costs.

Add XPath suppress conditions for high-volume benign events to reduce noise before it reaches the collector

Include XPath Suppress elements in the subscription XML to filter out known-benign high-volume events at the source endpoint before they are forwarded, reducing network and collector load without changing the subscription's security coverage. A Suppress element for Sysmon Event ID 3 NetworkConnect events from known-good browsers (chrome.exe, firefox.exe, msedge.exe) removes the majority of legitimate network connection events that have no detection value while keeping network connections from unexpected processes: <Suppress Path='Microsoft-Windows-Sysmon/Operational'>*[System[EventID=3] and EventData[Data[@Name='Image'] and (Data='C:\Program Files\Google\Chrome\Application\chrome.exe')]]</Suppress>. Add suppress conditions for the Windows Security log Event ID 4634 (logoff) which generates extremely high volume on busy servers with minimal security value. Implement suppressions incrementally rather than all at once, verifying after each addition that the intended events are still being collected by running test events and checking the ForwardedEvents log on the collector.

Collector operations: sizing, health monitoring, and multi-collector scaling

The WEC server is the single point of aggregation for all endpoint event logs, making its health and performance directly correlated with the security team's log visibility. A WEC server that falls behind on event processing or runs out of disk space causes event forwarding to queue on endpoints and eventually drop events that cannot be replayed. Monitoring the collector's processing rate and disk utilization proactively prevents the silent event loss that can leave security teams with blind spots they are not aware of.

Monitor the WEC server's event processing lag by comparing the most recent event timestamp with the current time

Create a monitoring script that queries the ForwardedEvents log for the most recent event timestamp and compares it to the current time: if the most recent event is more than 10 minutes old during business hours, the collector may be falling behind or endpoints may have stopped forwarding. Run the check with Get-WinEvent -LogName ForwardedEvents -MaxEvents 1 | Select-Object TimeCreated and alert via monitoring if the difference exceeds 15 minutes. Also monitor the wecutil get-subscriptionruntime output for endpoints with Last Heartbeat older than 30 minutes — these endpoints have lost connectivity to the collector and their events are queuing locally. Forward the collector's Event ID 100 (subscription created) and Event ID 101 (subscription error) events to the SIEM as operational monitoring signals for the WEF infrastructure itself, separate from the security event stream.

Configure the ForwardedEvents log for sequential circular mode with 4GB capacity to handle burst event volumes

Configure the ForwardedEvents log on the WEC server to use circular retention mode with a 4GB maximum size rather than the default 20MB to provide buffer capacity when the SIEM forwarder falls behind or is temporarily unavailable. Run wevtutil sl ForwardedEvents /ms:4294967296 /rt:false on the collector — the /ms parameter sets the maximum size in bytes (4294967296 = 4GB) and /rt:false sets circular retention mode where the oldest events are overwritten when the log fills. This 4GB buffer holds approximately 2-4 hours of event volume from a 1,000-endpoint deployment, providing enough buffer to restart the SIEM forwarder after maintenance or troubleshoot connectivity without losing event continuity. Monitor the ForwardedEvents log current size with Get-WinEvent -ListLog ForwardedEvents | Select-Object FileSize,MaximumSizeInBytes and alert when FileSize exceeds 80% of MaximumSizeInBytes to detect when the buffer is approaching its limit.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The bottom line

Windows Event Log Forwarding is the fastest path to centralized Windows security log collection in Active Directory environments because it requires no endpoint agent installation, no vendor dependency, and no endpoint change management — just one GPO change and one WEC server setup. Deploy source-initiated subscriptions configured via GPO pointing to the WEC server. Use the NSA or Palantir community subscription XML as the baseline event selection rather than building from scratch. Add XPath Suppress conditions for high-volume benign events at the source to manage collector load. Increase the ForwardedEvents log to 4GB circular retention for buffer capacity. Forward from the WEC to the SIEM via Splunk Universal Forwarder, Elastic Agent, or Azure Monitor Agent, ensuring source Computer metadata is preserved in SIEM parsing. Monitor the WEC's event processing lag and endpoint heartbeat status to detect collection gaps before they become security visibility blind spots.

Frequently asked questions

How do I set up the Windows Event Collector server for WEF?

Set up the Windows Event Collector server by running two commands on the designated collector Windows Server: wecutil qc /q configures the WEC service and WinRM firewall rules, and winrm quickconfig /q configures the WinRM listener. Run both commands as a local administrator. After running wecutil qc, verify the Windows Event Collector service is running with sc query wecsvc which should show STATE: 4 RUNNING. Increase the ForwardedEvents log maximum size from the default 20MB to 4GB to handle event volume from a large endpoint fleet: wevtutil sl ForwardedEvents /ms:4294967296. Size the collector server with sufficient disk for the event retention period — at 1,000 endpoints forwarding 5,000 events per day, a 30-day retention window requires approximately 300GB of storage for compressed event data. Create a WEF-specific service account in Active Directory and add it to the Event Log Readers group on all source endpoints via GPO, so the WEC service can authenticate to endpoints for collector-initiated subscriptions (not needed for source-initiated subscriptions where endpoints push to the collector).

How do I configure source-initiated WEF subscriptions via Group Policy?

Configure source-initiated WEF subscriptions by creating a WEF subscription on the collector and pointing endpoints to the collector via GPO. Create the subscription XML file on the collector defining what events to collect: the subscription XML specifies the SubscriptionType as SourceInitiated, the ContentFormat as RenderedText or Events, and a Query element containing XPath expressions for each event log channel. Create the subscription with wecutil cs subscription.xml and verify it was created with wecutil enum-subscription. Configure endpoints to forward to this collector via GPO: Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager > Enabled, with the Subscription Manager value set to Server=http://collector.domain.com:5985/wsman/SubscriptionManager/WEC,Refresh=60 where Refresh=60 means endpoints check for new subscriptions every 60 seconds. Also enable Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Client > Allow remote server management through WinRM on all endpoints. After the GPO applies (run gpupdate /force on a test endpoint to verify immediately), events should start appearing in the ForwardedEvents log on the collector within 5 minutes.

How do I write a WEF subscription XML to collect Sysmon and Windows Security events?

Write a WEF subscription XML that collects Sysmon events and specific Windows Security Event IDs relevant to threat detection. The subscription XML structure uses a QueryList containing Query elements with Select child elements that specify XPath expressions: <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select> collects all Sysmon events. For Windows Security log, select specific Event IDs rather than all events to manage volume: <Select Path='Security'>*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4688 or EventID=4698 or EventID=4720 or EventID=4732 or EventID=4756 or EventID=4768 or EventID=4769)]]</Select> collects the most detection-relevant security events without forwarding the entire high-volume Security log. Add the PowerShell/Operational channel for script block logging: <Select Path='Microsoft-Windows-PowerShell/Operational'>*[System[(EventID=4104 or EventID=4103)]]</Select>. Keep the subscription XML focused on detection-relevant events — forwarding all event IDs from the Security channel generates 50,000+ events per endpoint per day, which overwhelms the collector and SIEM ingest budgets without proportional detection value.

How do I troubleshoot WEF endpoints that are not forwarding events?

Troubleshoot WEF endpoints not forwarding events by working through the connectivity stack from endpoint to collector. Check that the endpoint received the GPO by running gpresult /r on the endpoint and verifying the Event Forwarding GPO is listed in Applied GPOs. Check that the WinRM service is running on the endpoint with sc query winrm. Verify the endpoint can reach the collector on port 5985 with Test-NetConnection -ComputerName collector.domain.com -Port 5985. On the collector, check the subscription runtime status with wecutil get-subscriptionruntime subscription-name which shows each endpoint's last heartbeat time, last error code, and last error message — endpoints showing error code 5 (access denied) indicate the WEC service account lacks read permission on the endpoint's event logs. Check the Event Forwarding plugin operational log on the endpoint at Microsoft-Windows-EventCollector/Operational for error events from the local end of the connection. The most common failure modes in order: WinRM not enabled on the endpoint (fix with GPO or winrm quickconfig), firewall blocking port 5985 (add WinRM HTTP exception in the firewall GPO), and the Event Log Readers group membership not propagated to the endpoint (verify group membership on the endpoint with net localgroup 'Event Log Readers').

How do I forward WEF collected events from the collector to a SIEM?

Forward events from the WEC collector to a SIEM by deploying a SIEM forwarder agent on the collector server that reads from the ForwardedEvents log and forwards to the SIEM. For Splunk, install the Splunk Universal Forwarder on the collector and configure a Windows Event Log input monitoring the ForwardedEvents channel: in inputs.conf, add [WinEventLog://ForwardedEvents] disabled=0 start_from=oldest evt_resolve_ad_obj=1. For Elastic, install Elastic Agent on the collector and configure the Windows integration with the ForwardedEvents channel. For Microsoft Sentinel, the Azure Monitor Agent on the collector server with a Data Collection Rule targeting ForwardedEvents forwards events to the Log Analytics Workspace. Regardless of the SIEM forwarder used, the critical configuration is to preserve the original event metadata: the computer name in forwarded events is the collector's hostname, but the actual source endpoint hostname is in the event's Computer XML element — ensure the SIEM parsing extracts the source Computer field from the XML rather than using the forwarding host as the source. This is the most common WEF-to-SIEM integration error that causes all Sysmon events to appear to originate from the collector server.

How do I scale the WEC infrastructure for a large enterprise endpoint fleet?

Scale WEF infrastructure for large endpoint fleets by distributing endpoints across multiple WEC servers rather than concentrating all endpoints on one collector. A single WEC server can handle approximately 3,000-5,000 endpoints forwarding standard security event subscriptions before CPU and disk I/O become constraints — this threshold is lower for subscriptions with very high event rates (Sysmon on developer workstations) and higher for subscriptions with selective Event ID filters on standard workstations. Deploy multiple WEC servers and use Active Directory site-based GPO targeting to assign endpoints to the geographically nearest collector: site-linked GPOs configure each endpoint's Subscription Manager URL to point to the WEC server in the same AD site, reducing WAN bandwidth consumption from cross-site event forwarding. All WEC servers forward to the same SIEM, and the SIEM's index or workspace provides the unified view across all collectors. Monitor WEC server health with the WecUtil get-subscription command's runtime status output and set up performance counter alerts on Event Processing Rate and Delivery Failure Rate counters in the Event Collector performance object.

Should I use WEF or SIEM agent on endpoints for Windows log collection?

Use WEF when the goal is centralized Windows log collection without adding a new agent dependency to each endpoint, and use SIEM agents when you need additional capabilities beyond event log forwarding (file integrity monitoring, network flow data, custom log file collection, endpoint telemetry). WEF's advantages: no additional agent to install, patch, or troubleshoot on endpoints; uses the same WinRM authentication already trusted by the domain; native Windows functionality with Microsoft support; and the collector architecture naturally scales by adding more WEC servers. SIEM agent advantages: typically lower latency between event generation and SIEM ingestion; support for non-Windows log sources on the same endpoint; custom log file ingestion for application logs; and richer endpoint telemetry collection. In most organizations, the right answer is both: WEF for the core Windows Security and Sysmon event collection across the entire domain (including endpoints that a SIEM agent rollout has not yet reached), and SIEM agents on the servers and high-value endpoints where additional telemetry is needed. WEF provides the baseline security log coverage that can be deployed via GPO in a day; SIEM agents provide the additional telemetry depth that justifies the additional agent management overhead.

Sources & references

  1. Windows Event Forwarding Documentation
  2. NSA Event Forwarding Guidance
  3. Palantir WEF Configuration
  4. WEF Subscription XML Reference

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.