Getting Started

Wirespeed supports ingesting Windows logs and telemetry using a free, agentless architecture built from the following components:
  1. WEF (Windows Event Forwarding) on the endpoints whose logs you want
  2. WEC (Windows Event Collector) on a single server
  3. Winlogbeat, to read the collected logs on the WEC server (e.g., from the ForwardedEvents log) and send them to Logstash
  4. Logstash, to forward logs from Winlogbeat to Wirespeed over HTTPS
WEF (many hosts) pushes logs → WEC (a single server) gathers and forwards logs → Logstash → Wirespeed
For more information about WEF/WEC, read this Microsoft article.

WEF (Windows Event Forwarding)

WEF is Microsoft’s native (no agent required) method for collecting Windows logs and telemetry to send to a centralized location. Typically this is from on-premises or private cloud Windows servers, but this could include high value Windows endpoints as well. We call these systems source systems in the context of this documentation.

WEC (Windows Event Collection)

WEC is Microsoft’s native (no agent required) method for centrally collecting logs from source systems. In a simple architecture, a single server within the on-premises or private cloud environment serves as the WEC Server. This should not be a Domain Controller (Domain Controllers are WEF source systems instead).

Winlogbeat

Winlogbeat is one of many Beats Elastic provides for shipping data. Winlogbeat ships Windows event logs to Elasticsearch or Logstash and can be installed as a Windows service.

Logstash

Logstash is an open source, server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to a “stash.”

Configure Windows Event Forwarder

There are several options for deploying WEF + WEC. Our recommendation uses Group Policy to instruct Windows hosts to push telemetry to the WEC server, rather than pull. You’re welcome to use the pull method, but that’s not in this documentation.
  1. Open Group Policy Management
    1. On a domain controller or admin workstation, run gpmc.msc.
  2. Create a new GPO (Group Policy Object)
    1. Right-click the OU where your servers reside (e.g., Servers OU) → Create a GPO in this domain, and Link it here.
    2. Name: Windows Event Forwarding.
    3. Right-click the GPO > Edit.
  3. Enable WinRM Service (Without Remote Management)
    1. Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
      1. Set Windows Remote Management (WS-Management) to Automatic.
      2. [OPTIONAL] Wirespeed recommends you block incoming WinRM network traffic on any Windows endpoints where it is not needed, as it provides an avenue for lateral movement by attackers. That said, the WEC Server must have this enabled, so if you do make this change, place your WEC server in a different OU where this Group Policy setting does not affect it.
        1. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
        2. Set to Disabled
  4. Define the WEC Server Address
    1. Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding.
    2. Enable the setting and put the following into the Option field: Server=http://WEC-Server01.domain.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
    3. Replace WEC-Server01.domain.local with your WEC server’s FQDN. Port 5985 is the standard for WinRM over HTTP. Port 5986 is standard for WinRM over HTTPS, but this requires a proper internally-deployed TLS Certificate Authority in your Active Directory environment so that all endpoints can trust the HTTPS certificates. Without a proper PKI, leave this as 5985 over HTTP.
  5. Enable PowerShell Logging and Transcription
    1. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
    2. Enable Turn on PowerShell Script Block Logging
      1. Check Log script block invocation start/stop events (4105/4106)
    3. Enable Turn on Module Logging
      1. Set Module Names to *
    4. Enable Turn on PowerShell Transcription
      1. Transcription Output Directory: Leave blank (defaults to %UserProfile%\Documents\PowerShell_transcripts)
      2. Check Include invocation headers.
    5. Enable Turn on PowerShell Remoting Transcription (if available)
      1. Transcription Output Directory: Leave blank (defaults to %UserProfile%\Documents\PowerShell_transcripts)
      2. Check Include invocation headers.
  6. Enable Command Line Logging
    1. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation
    2. Enable “Include command line in process creation events”
      1. This populates the CommandLine field in Security Event ID 4688 for all process creations
  7. Define Minimum Logging
    1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking
      1. Enable Audit Process Creation
        1. Set to Success (Event ID 4688 for PowerShell invocation)
    2. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon
      1. Enable Audit Kerberos Authentication Service
        1. Set to Success and Failure (Event IDs 4768, 4771)
      2. Enable Audit Kerberos Service Ticket Operations
        1. Set to Success and Failure (Event ID 4769)
      3. Enable Audit Other Account Logon Events
        1. Set to Success and Failure (Event ID 4776)
    3. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff
      1. Enable Audit Logoff
        1. Set to Success (Event ID 4634 for session termination)
      2. Enable Audit Other Logon/Logoff Events
        1. Set to Success and Failure (Event IDs 4648, 4778, 4779, 4800, 4801)
    4. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies
      1. Audit Logon: Enable Success and Failure to cover local, interactive, and remote logon types (e.g., RDP, network).
      2. Audit Account Lockout: Enable Success and Failure
      3. Audit Special Logon: Enable Success (privileged logons, e.g., admin rights)
      4. Audit User Account Management: Enable Success and Failure (user creation, changes)
      5. Audit Security Group Management: Enable Success and Failure (group creation, changes)
      6. Audit Audit Policy Change: Enable Success and Failure (audit policy modifications)
      7. Audit Security System Extension: Enable Success and Failure (log settings changes)
      8. Privilege Use: [Recommendation] Disabled or Failure only (Event IDs 4673, 4674)
      9. Process Creation: [Recommendation] Enabled Success (Step 6, Event ID 4688)
      10. File and Registry Access (Object Access): [Recommendation] Disabled or Failure only (Event IDs 4656, 4663)
        1. [Optional] If needed, enable selectively via SACLs on specific objects (out of scope)
  8. Enable Task Scheduler Logging
    1. Computer Configuration > Policies > Administrative Templates > Windows Components > Task Scheduler
    2. Enable “Turn On logging for task registration”
      1. This generates events for scheduled task creation, modification, and execution (Event IDs 106, 200, 201)
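As an added check (this script is not part of Wirespeed’s documentation), the following can be run on a source system after gpupdate /force to confirm that the policy settings from the steps above actually applied. It reads the registry locations those Group Policy settings write to, the effective advanced audit policy, and the forwarding plugin’s own operational log:

```powershell
# Added example (not part of Wirespeed's documentation): run on a WEF source
# system after 'gpupdate /force' to confirm the GPO settings above applied.
# Each registry path is the policy location the named Group Policy setting writes to.
$checks = @(
  @{ Name = 'WEC subscription manager'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
     Value = '1'; Expect = '^Server=http' }   # the Server=... string is stored under value name "1"
  @{ Name = 'Script block logging'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
     Value = 'EnableScriptBlockLogging'; Expect = '^1$' }
  @{ Name = 'Script block start/stop (4105/4106)'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
     Value = 'EnableScriptBlockInvocationLogging'; Expect = '^1$' }
  @{ Name = 'Module logging'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
     Value = 'EnableModuleLogging'; Expect = '^1$' }
  @{ Name = 'Transcription'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
     Value = 'EnableTranscripting'; Expect = '^1$' }
  @{ Name = 'Command line in 4688'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
     Value = 'ProcessCreationIncludeCmdLine_Enabled'; Expect = '^1$' }
)
foreach ($c in $checks) {
  $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
  $ok = ($null -ne $actual) -and ("$actual" -match $c.Expect)
  '{0,-4} {1,-38} {2}' -f $(if ($ok) { 'OK' } else { 'MISS' }), $c.Name, $actual
}

# The push model needs the WinRM service running on the source (step 3), even when inbound WinRM is blocked.
$winrm = Get-Service WinRM
'{0,-4} WinRM service: {1} ({2})' -f $(if ($winrm.Status -eq 'Running') { 'OK' } else { 'MISS' }), $winrm.Status, $winrm.StartType

# Effective advanced audit policy for the subcategories step 7 enables (auditpol /r emits CSV).
foreach ($sub in 'Process Creation', 'Logon', 'Logoff', 'Kerberos Authentication Service',
         'Kerberos Service Ticket Operations', 'Special Logon', 'User Account Management') {
  $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
  $set = $row.'Inclusion Setting'
  '{0,-4} Audit {1}: {2}' -f $(if ($set -and $set -ne 'No Auditing') { 'OK' } else { 'MISS' }), $sub, $set
}

# The forwarding plugin's own log records subscription retrieval failures (DNS, access denied, TLS).
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, LevelDisplayName, Message
```

A MISS on the subscription manager line usually means the GPO is not linked to the OU containing the host, or the host has not refreshed policy yet.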

Configure Windows Event Collector

  1. Identify a server (should match the server identified and set in group policy above), which must run a supported Windows Server release (Server 2016 or newer).
    If you follow our recommendations above to disable WinRM incoming traffic on the monitored Windows hosts, make sure that setting does NOT apply to the WEC server, or WEC will not work.
  2. Download WEC-Setup.ps1 from Wirespeed’s Github: https://github.com/WirespeedSecurity/utils/
  3. Create the directory C:\Program Files\Wirespeed and move the script there. Open a PowerShell terminal running as an administrator in this directory and execute the script with ./WEC-Setup.ps1. This script will:
    1. Enable and configure the Windows Remote Management (WinRM) service: a dependency for WEC.
    2. Set the Windows Event Collector service (wecsvc) to start automatically and start it immediately using wecutil qc.
    3. Add the NT AUTHORITY\Network Service account to the local Event Log Readers group to ensure the proper permissions for event collection.
    4. Create firewall rules to allow inbound traffic on ports 5985 (WinRM over HTTP) and 5986 (WinRM over HTTPS) for WEF communication.
    5. Configure the WEC server to forward its own Windows events to itself (localhost) via HTTP on port 5985, enabling self-monitoring by setting the registry key HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager.
    6. Create a source-initiated WEC subscription named “Security and PowerShell Events” to collect events from the Security, Microsoft-Windows-PowerShell/Operational, Windows PowerShell, System, and Application logs, using HTTP and storing events in the ForwardedEvents log.
  4. To validate the configuration:
    1. Check the ForwardedEvents log in Event Viewer (eventvwr.msc) on the WEC server to confirm that events from source systems (and the WEC server itself) are being collected.
    2. Review the setup log at C:\Program Files\Wirespeed\collector.log for any errors or confirmation of successful configuration steps.
    3. Generate a test event on a source system (e.g., eventcreate /Id 500 /D "Test event" /T ERROR /L System) and verify it appears in the WEC server’s ForwardedEvents log.
      All of the script’s actions and errors are recorded in a log file at C:\Program Files\Wirespeed\collector.log for any additional validation or debugging required.
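Beyond checking that the ForwardedEvents log is non-empty, it helps to know which source systems are reporting and which are silent. The following is an added example (not part of WEC-Setup.ps1); $Expected is a constructed list of host names and should be replaced with your own (e.g., from Get-ADComputer), and the subscription name is the one the script creates:

```powershell
# Added example (not Wirespeed's WEC-Setup.ps1): run on the WEC server to see
# which source systems have delivered events recently and which expected hosts are silent.
$Expected = @('DC01', 'DC02', 'FILE01', 'APP01')   # constructed sample list, replace with your hosts
$Subscription = 'Security and PowerShell Events'   # subscription name created by WEC-Setup.ps1
$Since = (Get-Date).AddHours(-1)

# Subscription runtime status: one entry per source with last heartbeat and any error text.
wecutil gr "$Subscription"

# Count forwarded events per source computer over the last hour.
$seen = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $Since } -ErrorAction SilentlyContinue |
  Group-Object { ($_.MachineName -split '\.')[0].ToUpper() } |
  ForEach-Object { [pscustomobject]@{ Host = $_.Name; Events = $_.Count } }
$seen | Sort-Object Events -Descending | Format-Table -AutoSize

# Expected hosts that sent nothing in the window: a silent host is a collection gap, not a quiet host.
$silent = $Expected | Where-Object { $_.ToUpper() -notin @($seen.Host) }
if ($silent) { Write-Warning ("No events in the last hour from: " + ($silent -join ', ')) }
else { 'All expected hosts reported.' }

# Confirm the test event from the validation step (eventcreate /Id 500 ... /L System) arrived.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 500; StartTime = $Since } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, MachineName, ProviderName, Message
```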

Configure Log Forwarding

For more information, reference the official documentation for Winlogbeat and Logstash.

Installing and Configuring Winlogbeat

Installation is based on Elastic’s official Winlogbeat installation guide.
  1. Download and install Winlogbeat
    1. Download the zip file from the downloads page
    2. Extract the contents into C:\Program Files
    3. Rename the winlogbeat-<version> directory to Winlogbeat
    4. Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator)
    5. From the PowerShell prompt, run the following commands to install the service
      1. cd 'C:\Program Files\Winlogbeat'
      2. .\install-service-winlogbeat.ps1
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1.
  2. Configure Winlogbeat
    1. In winlogbeat.yml, replace the existing contents with the configurations below:
    winlogbeat.event_logs:
      - name: Security
        ignore_older: 72h
      - name: System
        ignore_older: 72h
      - name: Application
        ignore_older: 72h
      - name: Microsoft-Windows-PowerShell/Operational
        ignore_older: 72h
      - name: ForwardedEvents
        ignore_older: 72h
    output.logstash:
      hosts: ["localhost:5044"]
      ssl.enabled: false
      codec.json:
        pretty: false
    
This is a very basic configuration. It’s recommended to learn more about Winlogbeat configuration options and tailor the above to meet your specific needs. Please see Elastic’s official documentation for all available configuration options.

Installing and Configuring Logstash

Logstash requires one of the following:
  • Java 17
  • Java 21
  1. Download and install Logstash
    1. Download the zip file from the downloads page
    2. Extract the contents into C:\Program Files
    3. Rename the logstash-<version> directory to Logstash
    4. Navigate to the C:\Program Files\Logstash\config\ directory
  2. Configure Logstash
    1. Obtain a domain name from a Wirespeed engineer using the in-platform chat, or by emailing support@wirespeed.co
    2. Edit logstash.conf to gather events from Winlogbeat to ship to Wirespeed:
      1. Replace the contents of the existing logstash.conf with the contents below (or create if none exists):
        input {
          # Receive events from Winlogbeat on 5044; plaintext is acceptable here only because Winlogbeat runs on the same host
          beats {
            port => 5044
            ssl_enabled => false
          }
        }
        filter {
          # Copy the Windows event ID into a top-level event_id field (winlog.event_id is the Winlogbeat field)
          if [winlog][event_id] {
            mutate {
              add_field => { "event_id" => "%{[winlog][event_id]}" }
            }
          }
          # Alternative field path, depending on your Beat version
          if [event][code] {
            mutate {
              add_field => { "event_id" => "%{[event][code]}" }
            }
          }
        }
        output {
          http {
            url => "https://<WIRESPEED_DOMAIN_NAME>:42124"
            http_method => "post"
            ssl => true
            # "none" skips validation of the endpoint's certificate, which leaves the log stream open to interception;
            # use "full" once the endpoint presents a certificate this host trusts
            ssl_verification_mode => "none"
            format => "json"
          }
        }

      2. Replace <WIRESPEED_DOMAIN_NAME> with the domain provided by the Wirespeed engineer
    3. Edit logstash.yml to recognize the new configuration by default
      1. Append the following lines to the file, then save it and close:
        config.reload.automatic: true  # Automatically reload config if logstash.conf changes
        path.config: "C:\\Program Files\\Logstash\\config\\logstash.conf"  # Sets the default config file
        
        This is a very basic configuration. It’s recommended to learn more about Logstash configuration options and tailor the above to meet your specific needs. Please see Elastic’s official documentation for all available configuration options.
    4. Install Logstash as a Service
      It’s recommended to run logstash manually to ensure the configuration is valid prior to running as a service. See more information here: Running Logstash Manually
      Recommended: Read more about this setup here: Running Logstash as a service with NSSM
      1. Download and install NSSM
        1. https://nssm.cc/download and extract nssm.exe from nssm-<version.number>\win64\nssm.exe to Logstash\bin\
      2. Use NSSM to create Logstash service
        1. Open a PowerShell terminal as an administrator and run the following command to install Logstash as a service:
          1. cd "C:\Program Files\Logstash\bin"
          2. .\nssm.exe install logstash
        2. Once the NSSM service installer window appears, specify the following parameters in the Application tab:
          1. Path: C:\Program Files\Logstash\bin\logstash.bat
          2. Startup Directory: C:\Program Files\Logstash\bin
        3. Click Install Service and then Ok
    5. Start Logstash and Winlogbeat:
      1. Start-Service logstash
      2. Start-Service winlogbeat
      3. Verify the services are running with
        1. Get-Service Logstash
        2. Get-Service winlogbeat
    6. Contact a Wirespeed engineer via in-platform chat or by emailing support@wirespeed.co to ensure logs are flowing as expected
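Before contacting support, each hop of the pipeline can be checked locally. The following is an added example (not from Wirespeed or Elastic) that validates both configurations with the tools’ own test commands, confirms the services and the Beats listener, and tests the outbound path; <WIRESPEED_DOMAIN_NAME> is the placeholder for the domain provided by the Wirespeed engineer, and the install paths are the ones used in the steps above:

```powershell
# Added example (not from Wirespeed or Elastic): run on the host where Winlogbeat
# and Logstash are installed to check each hop of the pipeline in order.
$WirespeedDomain = '<WIRESPEED_DOMAIN_NAME>'   # placeholder: domain provided by a Wirespeed engineer
$Beat = 'C:\Program Files\Winlogbeat'
$Logstash = 'C:\Program Files\Logstash'

# 1. Winlogbeat: config parses, and the configured Logstash output is reachable.
& "$Beat\winlogbeat.exe" test config -c "$Beat\winlogbeat.yml" -e
& "$Beat\winlogbeat.exe" test output -c "$Beat\winlogbeat.yml" -e

# 2. Logstash: syntax-check logstash.conf without starting the pipeline (non-zero exit on error).
& "$Logstash\bin\logstash.bat" -f "$Logstash\config\logstash.conf" --config.test_and_exit
if ($LASTEXITCODE -ne 0) { Write-Warning 'logstash.conf failed validation; fix it before relying on the service' }

# 3. Services and the Beats listener on 5044.
Get-Service logstash, winlogbeat | Format-Table Name, Status, StartType -AutoSize
$listener = Get-NetTCPConnection -LocalPort 5044 -State Listen -ErrorAction SilentlyContinue
if ($listener) { 'Logstash is listening on 5044' }
else { Write-Warning 'Nothing listening on 5044 yet (Logstash takes a while to start, or the pipeline failed)' }

# 4. Outbound path to Wirespeed on 42124 (this host needs egress to that port).
Test-NetConnection -ComputerName $WirespeedDomain -Port 42124 |
  Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 5. Recent warnings and errors from the Logstash log (default plain-text log location).
Select-String -Path "$Logstash\logs\logstash-plain.log" -Pattern '\[(ERROR|WARN )\]' -ErrorAction SilentlyContinue |
  Select-Object -Last 10
```

If step 4 fails while the services are healthy, the problem is network egress from this host rather than the configuration.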