Microsoft Windows Event Logs
Sending Microsoft Windows telemetry to Wirespeed
Getting Started
Wirespeed supports ingesting Windows logs & telemetry using the free (no additional license required), agentless (no third party agent required) architecture provided by Microsoft, which uses the following 3 architectural components:
- WEF (Windows Event Forwarding) on endpoints with logs you want
- WEC (Windows Event Collection) on a single server
- Wirespeed-Forwarder.ps1 on the WEC server
WEF (many hosts) push → WEC (a single server) push → Wirespeed
WEF (Windows Event Forwarding)
WEF is Microsoft’s native (no agent required) method for collecting Windows logs and telemetry to send to a centralized location. Typically this is from on-premises or private cloud Windows servers, but this could include high value Windows endpoints as well. We call these systems source systems in the context of this documentation.
WEC (Windows Event Collection)
WEC is Microsoft’s native (no agent required) method for centrally collecting logs from source systems. In a simple architecture, a single server within an on-premises or private cloud environment serves as the WEC Server. This should not be a Domain Controller (those are WEF source systems instead).
Wirespeed Forwarder
In the Microsoft provided WEF/WEC architecture, you still need a mechanism to push the collected events to a data lake, such as Wirespeed’s. We provide an open source powershell script (`Wirespeed-Forwarder.ps1`) to harvest the centrally collected events from your WEC server and send them to us.
Configuring Windows Source Systems to use WEF
There are several options for deploying WEF + WEC. Our recommendation uses Group Policy to instruct Windows hosts to push telemetry to the WEC server, rather than pull. You’re welcome to use the pull method, but that’s not in this documentation.
1. Open Group Policy Management
   - On a domain controller or admin workstation, run `gpmc.msc`.
2. Create a new GPO (Group Policy Object)
   - Right-click the OU where your servers reside (e.g., `Servers OU`) → Create a GPO in this domain, and Link it here.
   - Name: `Windows Event Forwarding`.
   - Right-click the GPO > Edit.
3. Enable WinRM Service (Without Remote Management)
   - Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
   - Set Windows Remote Management (WS-Management) to Automatic.
   - **[OPTIONAL]** Wirespeed recommends you block incoming WinRM network traffic on any Windows endpoints where it is not needed, as this enables an avenue for lateral movement by attackers. That said, the WEC Server must have this enabled, so if you do make this change, separate your WEC server into a different OU where this Group Policy setting does not affect it.
     - Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
     - Set to Disabled.
4. Define the WEC Server Address
   - Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding.
   - Enable the setting and put the following into the Option field:
     `Server=http://WEC-Server01.domain.local:5985/wsman/SubscriptionManager/WEC,Refresh=60`
   - Replace `WEC-Server01.domain.local` with your WEC server’s FQDN. Port `5985` is the standard for WinRM over HTTP. Port `5986` is standard for WinRM over HTTPS, but this requires a proper internally-deployed TLS Certificate Authority in your Active Directory environment so that all endpoints can trust the HTTPS certificates. Without a proper PKI, leave this as `5985` over HTTP.
5. Enable PowerShell Logging and Transcription
   - Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
   - Enable Turn on PowerShell Script Block Logging
     - Check `Log script block invocation start/stop events` (4105/4106)
   - Enable Turn on Module Logging
     - Set `Module Names` to `*`
   - Enable Turn on PowerShell Transcription
     - Transcription Output Directory: Leave blank (defaults to `%UserProfile%\Documents\PowerShell_transcripts`)
     - Check Include invocation headers.
   - Enable Turn on PowerShell Remoting Transcription (if available)
     - Transcription Output Directory: Leave blank (defaults to `%UserProfile%\Documents\PowerShell_transcripts`)
     - Check Include invocation headers.
6. Define Minimum Logging
   - Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking
     - Enable Audit Process Creation
       - Set to Success (Event ID 4688 for PowerShell invocation)
   - Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff
     - Enable Audit Logoff
       - Set to Success (Event ID 4634 for session termination)
   - Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies
     - Audit Logon: Enable Success and Failure to cover local, interactive, and remote logon types (e.g., RDP, network).
     - Audit Account Lockout: Enable Success and Failure
     - Audit Special Logon: Enable Success (privileged logons, e.g., admin rights)
     - Audit User Account Management: Enable Success and Failure (user creation, changes)
     - Audit Security Group Management: Enable Success and Failure (group creation, changes)
     - Audit Audit Policy Change: Enable Success and Failure (audit policy modifications)
     - Audit Security System Extension: Enable Success and Failure (log settings changes)
     - Privilege Use: [Recommendation] Disabled or Failure only (Event IDs 4673, 4674)
     - Process Creation: [Recommendation] Enabled Success (Step 6, Event ID 4688)
     - **File and Registry Access (Object Access):** [Recommendation] Disabled or Failure only (Event IDs 4656, 4663)
       - [Optional] If needed, enable selectively via SACLs on specific objects (out of scope)
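Once the GPO has applied (`gpupdate /force` on a source system), the following verification script confirms that each setting above actually took effect. It is an added example, not part of Wirespeed’s documentation or tooling: it reads the policy registry keys Windows writes for these settings, the WinRM service start type, the effective audit policy via `auditpol /get /category:* /r`, and the WEF client’s own operational log. The host name `WEC-Server01.domain.local` is the page’s placeholder and must be replaced with your WEC server’s FQDN.

```powershell
# Added example: verify the WEF / logging GPO on a source system.
# Run in an elevated PowerShell. Expected values mirror the recommendations above.

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# 1. WinRM must start automatically; the forwarding plugin rides on it.
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
Add-Check 'WinRM service Automatic' ($null -ne $svc -and $svc.StartType -eq 'Automatic') "StartType=$($svc.StartType)"

# 2. The target Subscription Manager policy. Values under this key are named 1, 2, ...
$expectedHost = 'WEC-Server01.domain.local'   # placeholder from the page; use your WEC FQDN
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$sm = @()
if (Test-Path -LiteralPath $smKey) {
    $sm = @((Get-ItemProperty -LiteralPath $smKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value)
}
$smOk = @($sm | Where-Object { $_ -like "Server=http*://$expectedHost*:*/wsman/SubscriptionManager/WEC*" }).Count -gt 0
Add-Check 'SubscriptionManager targets WEC' $smOk ($sm -join '; ')

# 3. PowerShell logging policies (DWORD 1 = enabled).
$psPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
function Get-PolicyDword([string]$SubKey, [string]$Value) {
    try { (Get-ItemProperty -LiteralPath "$psPol\$SubKey" -Name $Value -ErrorAction Stop).$Value } catch { $null }
}
function Get-LoggedModuleNames {
    # Module names are stored as value names under ModuleNames; drop the provider's PS* properties.
    try {
        (Get-ItemProperty -LiteralPath "$psPol\ModuleLogging\ModuleNames" -ErrorAction Stop).PSObject.Properties |
            Where-Object { $_.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' } |
            ForEach-Object Name
    } catch { @() }
}
Add-Check 'Script block logging'          ((Get-PolicyDword ScriptBlockLogging EnableScriptBlockLogging) -eq 1)
Add-Check 'Script block start/stop'       ((Get-PolicyDword ScriptBlockLogging EnableScriptBlockInvocationLogging) -eq 1) '4105/4106'
Add-Check 'Module logging'                ((Get-PolicyDword ModuleLogging EnableModuleLogging) -eq 1)
$modNames = @(Get-LoggedModuleNames)
Add-Check 'Module names include *'        ($modNames -contains '*') ($modNames -join ',')
Add-Check 'Transcription'                 ((Get-PolicyDword Transcription EnableTranscripting) -eq 1)
Add-Check 'Transcription invocation hdrs' ((Get-PolicyDword Transcription EnableInvocationHeader) -eq 1)

# 4. Effective advanced audit policy. auditpol /r prints CSV; "Inclusion Setting" is what applies.
$wanted = @{
    'Process Creation'          = @('Success', 'Success and Failure')
    'Logoff'                    = @('Success', 'Success and Failure')
    'Logon'                     = @('Success and Failure')
    'Account Lockout'           = @('Success and Failure')
    'Special Logon'             = @('Success', 'Success and Failure')
    'User Account Management'   = @('Success and Failure')
    'Security Group Management' = @('Success and Failure')
    'Audit Policy Change'       = @('Success and Failure')
    'Security System Extension' = @('Success and Failure')
}
$audit = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($sub in $wanted.Keys) {
    $row = $audit | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
    Add-Check "Audit: $sub" ($null -ne $row -and $wanted[$sub] -contains $row.'Inclusion Setting') "Effective=$($row.'Inclusion Setting')"
}

# 5. The forwarding plugin's own log shows whether the client reached the collector.
$fwd = @(Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 3 -ErrorAction SilentlyContinue)
Add-Check 'ForwardingPlugin log has events' ($fwd.Count -gt 0) (($fwd | ForEach-Object { "$($_.Id)@$($_.TimeCreated)" }) -join '; ')

$results | Format-Table -AutoSize
```

Any row with `OK = False` points at a setting that did not apply on that host (wrong OU link, a conflicting GPO, or a stale policy refresh). Note that 4688 records the command line only when the separate "Include command line in process creation events" policy is also enabled; that setting is not part of the steps above, so check for it if your detections depend on command-line content.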
Configuring the WEC Server
- Identify a server (it should match the server identified and set in group policy above), which must run a supported Windows Server release (Server 2016 or newer).
  - NOTE: If you follow our recommendations above to disable WinRM incoming traffic on the monitored Windows hosts, make sure that setting does NOT apply to the WEC server, or WEC will not work.
- Download `Wirespeed-Forwarder.ps1` from Wirespeed’s Github: https://github.com/WirespeedSecurity/utils/
- Paste the following into an interactive powershell terminal running as an administrator on the WEC Server:
  `./Wirespeed-Forwarder.ps1 -install https://[wirespeed-url]`
  replacing `[wirespeed-url]` with the URL we provide you. The `Wirespeed-Forwarder.ps1` script will then:
  - Install a configured copy of the `Wirespeed-Forwarder.ps1` script into the `C:\Program Files\Wirespeed` directory
  - Configure the WEC service to run correctly on this server, including enabling the `WinRM` dependency service, if not enabled, and opening the WinRM over HTTP (5985) and WinRM over HTTPS (5986) ports. See the note above about the security concerns of enabling WinRM.
  - Configure your WEC server to use WEF to forward its own Windows events to itself so that the WEC server itself can be monitored
  - Configure the WEC subscription to collect Windows `System`, `Application`, `Security`, and `PowerShell` logs, so you don’t have to define it manually
  - Simulate local events (creation and deletion of a test user account) for debug and validation reasons
  - Establish a Scheduled Task called `Wirespeed-Forwarder` that will run in the `LOCAL SYSTEM` security context, executing the `Wirespeed-Forwarder.ps1` script on regular intervals.
- To validate the configuration is working, navigate to `C:\Program Files\Wirespeed` and paste the following into an interactive powershell terminal running as an administrator on the WEC Server:
  `./Wirespeed-Forwarder.ps1 -Debug`
  - This will simulate activity by creating and deleting a temporary user account locally on the WEC server.
  - This will also invoke a benign powershell script to test powershell logging.
  - If there are no events in the WEC Forwarded Events collection, you can optionally send the last 10 Security log events to test connectivity.
- Once installed, the Scheduled Task will run every minute to collect batches of new events and forward them to the URL provided.
  - Note: The `Wirespeed-Forwarder.ps1` script will attempt to send errors it encounters to Wirespeed, but this is not foolproof. The script also keeps a rotating flat-file log of its actions and results in `C:\Program Files\Wirespeed\wirespeed-forwarder.log` on the WEC server.
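The `-Debug` run tells you whether the forwarder can reach Wirespeed; the script below answers the other half of the question, whether the source systems are actually reaching the collector and whether the scheduled task is still shipping. It is an added health check, not part of `Wirespeed-Forwarder.ps1` or Wirespeed’s documentation. It assumes the task name, install directory and log path given on this page, and that the installer’s subscription delivers into the default `ForwardedEvents` log (confirm with `wecutil gr <subscription>`); the 4720/4726/4104 event IDs are the standard Windows IDs produced by the test account and the benign script, not values taken from the page.

```powershell
# Added example: WEC server health check after installing the forwarder.
# Run in an elevated PowerShell on the WEC server.
$WindowMinutes = 60
$TaskName      = 'Wirespeed-Forwarder'                                  # from the page
$LogPath       = 'C:\Program Files\Wirespeed\wirespeed-forwarder.log'   # from the page
$since         = (Get-Date).AddMinutes(-$WindowMinutes)

# 1. Collector service, and the runtime status of every subscription it hosts.
#    wecutil gr lists each source computer with its own RunTimeStatus / LastError.
"Wecsvc: $((Get-Service -Name Wecsvc).Status)"
foreach ($sub in @(wecutil es)) {
    "--- subscription '$sub'"
    wecutil gr $sub
}

# 2. Which sources delivered events in the window. A host that is in the GPO's OU
#    but absent here has a WinRM, firewall or policy-refresh problem to chase.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue)
"ForwardedEvents in the last $WindowMinutes min: $($events.Count)"
$events | Group-Object MachineName | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Newest'; e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } } |
    Format-Table -AutoSize

# 3. Did the self-test from -Debug round-trip through WEF? The temporary account
#    yields Security 4720 (created) / 4726 (deleted); the benign script yields
#    PowerShell 4104 (script block logged). Only events from this host are counted.
$probe = @(Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4720, 4726, 4104; StartTime = $since } -ErrorAction SilentlyContinue |
           Where-Object { $_.MachineName -like "$env:COMPUTERNAME*" })
"Self-test events forwarded from this WEC server: " + (($probe | Group-Object Id | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', ')

# 4. The scheduled task that ships batches: expected to run as SYSTEM every minute with result 0.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    [pscustomobject]@{
        State          = $task.State
        RunAs          = $task.Principal.UserId
        LastRunTime    = $info.LastRunTime
        LastTaskResult = '0x{0:X}' -f $info.LastTaskResult   # 0 = last run succeeded
        NextRunTime    = $info.NextRunTime
        Stale          = $info.LastRunTime -lt (Get-Date).AddMinutes(-5)   # should be False for a 1-minute schedule
    } | Format-List
} else {
    "Scheduled task '$TaskName' not found; re-run the -install step."
}

# 5. The forwarder's own rotating log, newest lines last.
if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath -Tail 20 } else { "No log at $LogPath" }
```

Sections 2 and 3 are the ones worth scheduling: a source that stops appearing in section 2, or a `Stale = True` in section 4, means telemetry has silently stopped flowing even though nothing on the WEC server is reporting an error.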