
# Microsoft Windows

> Centralizing and forwarding Microsoft Windows telemetry

## Getting Started

Wirespeed supports ingesting Windows logs & telemetry using a free, agentless architecture, which uses the following architectural components:

1. [WEF](#wef-windows-event-forwarding) (Windows Event Forwarding) on endpoints with logs you want
2. [WEC](#wec-windows-event-collection) (Windows Event Collector) on a single server
3. [Winlogbeat](#winlogbeat): to read WEC logs (e.g., from the `ForwardedEvents` log) and send them to Logstash.
4. [Logstash](#logstash): to forward logs from Winlogbeat to Wirespeed over https.

WEF (many hosts) pushes logs → WEC (a single server) gathers them into its `ForwardedEvents` log → Winlogbeat reads that log → Logstash → Wirespeed
<Info>For more information about WEF/WEC, [read this Microsoft article](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection).</Info>

### WEF (Windows Event Forwarding)

**WEF** is Microsoft's native (no agent required) method for collecting Windows logs and telemetry to send to a centralized location. Typically this is from on-premises or private cloud Windows servers, but this could include high value Windows endpoints as well. We call these systems **source systems** in the context of this documentation.

### WEC (Windows Event Collection)

**WEC** is Microsoft's native (no agent required) method for centrally collecting logs from source systems. In a simple architecture, a single server within the on-premises or private cloud environment serves as the WEC Server. This should not be a Domain Controller (those are WEF source systems instead).

### Winlogbeat

**Winlogbeat** is one of many [Beats](https://www.elastic.co/beats) Elastic provides for shipping data. Winlogbeat ships Windows event logs to Elasticsearch or Logstash and can be installed as a Windows service.

### Logstash

Logstash is an open source server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to a "stash."

## Configure Windows Event Forwarder

There are several options for deploying WEF + WEC. Our recommendation uses Group Policy to instruct Windows hosts to push telemetry to the WEC server, rather than pull. You're welcome to use the pull method, but that's not in this documentation.

1. Open Group Policy Management
   1. On a domain controller or admin workstation, run gpmc.msc.
2. Create a new GPO (Group Policy Object)
   1. Right-click the OU where your servers reside (e.g., `Servers OU`) → **Create a GPO in this domain, and Link it here...**
   2. Name: `Windows Event Forwarding`.
   3. Right-click the GPO > **Edit**.
3. Enable WinRM Service (Without Remote Management)
   1. Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
      1. Set Windows Remote Management (WS-Management) to **Automatic**.
      2. **[OPTIONAL]** Wirespeed recommends you block incoming WinRM network traffic on any Windows endpoints where it is not needed, as this enables an avenue for lateral movement by attackers. That said, the WEC Server must have this enabled, so if you do make this change, separate your WEC server into a different OU where this Group Policy setting does not affect it.
         1. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
         2. Set to **Disabled**
4. Define the WEC Server Address
   1. Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding.
   2. Enable the setting and put the following into the **Option** field: `Server=http://WEC-Server01.domain.local:5985/wsman/SubscriptionManager/WEC,Refresh=60`
   3. Replace `WEC-Server01.domain.local` with your WEC server's FQDN. Port `5985` is the standard for WinRM over HTTP. Port `5986` is standard for WinRM over HTTPS, but this requires a proper internally-deployed TLS Certificate Authority in your Active Directory environment so that all endpoints can trust the HTTPS certificates. Without a proper PKI, leave this as `5985` over HTTP.
5. Enable PowerShell Logging and Transcription
   1. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
   2. Enable **Turn on PowerShell Script Block Logging**
      1. Check `Log script block invocation start/stop events` (4105/4106)
   3. Enable **Turn on Module Logging**
      1. Set `Module Names` to `*`
   4. Enable **Turn on PowerShell Transcription**
      1. **Transcription Output Directory**: **Leave blank** (defaults to `%UserProfile%\Documents\PowerShell_transcripts`)
      2. Check **Include invocation headers**.
   5. Enable **Turn on PowerShell Remoting Transcription** (if available)
      1. **Transcription Output Directory**: **Leave blank** (defaults to `%UserProfile%\Documents\PowerShell_transcripts`)
      2. Check **Include invocation headers**.
6. **Enable Command Line Logging**
   1. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation
   2. Enable **"Include command line in process creation events"**
      1. This populates the CommandLine field in Security Event ID 4688 for all process creations
7. Define Minimum Logging
   1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking
      1. Enable **Audit Process Creation**
         1. Set to **Success** (Event ID 4688 for PowerShell invocation)
   2. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon
      1. Enable **Audit Kerberos Authentication Service**
         1. Set to **Success** and **Failure** (Event IDs 4768, 4771)
      2. Enable **Audit Kerberos Service Ticket Operations**
         1. Set to **Success** and **Failure** (Event ID 4769)
      3. Enable **Audit Other Account Logon Events**
         1. Set to **Success** and **Failure** (Event ID 4776)
   3. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff
      1. Enable **Audit Logoff**
         1. Set to **Success** (Event ID 4634 for session termination)
      2. Enable **Audit Other Logon/Logoff Events**
         1. Set to **Success** and **Failure** (Event IDs 4648, 4778, 4779, 4800, 4801)
   4. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies
      1. **Audit Logon**: Enable **Success** and **Failure** to cover local, interactive, and remote logon types (e.g., RDP, network).
      2. **Audit Account Lockout**: Enable **Success** and **Failure**
      3. **Audit Special Logon**: Enable **Success** (privileged logons, e.g., admin rights)
      4. **Audit User Account Management**: Enable **Success** and **Failure** (user creation, changes)
      5. **Audit Security Group Management**: Enable **Success** and **Failure** (group creation, changes)
      6. **Audit Audit Policy Change**: Enable **Success** and **Failure** (audit policy modifications)
      7. **Audit Security System Extension**: Enable **Success** and **Failure** (log settings changes)
      8. **Privilege Use**: [Recommendation] Disabled or **Failure** only (Event IDs 4673, 4674)
      9. **Process Creation**: [Recommendation] Enabled **Success** (Step 6, Event ID 4688)
      10. **File and Registry Access (Object Access)**: [Recommendation] **Disabled** or **Failure** only (Event IDs 4656, 4663)
          1. [Optional] If needed, enable selectively via SACLs on specific objects (out of scope)
8. **Enable Task Scheduler Logging**
   1. Computer Configuration > Policies > Administrative Templates > Windows Components > Task Scheduler
   2. Enable **"Turn On logging for task registration"**
      1. This generates events for scheduled task creation, modification, and execution (Event IDs 106, 200, 201)
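The GPO steps above only take effect once the source systems have refreshed policy, and it is easy to miss a setting that never applied. The following PowerShell script is an added example, not part of the Wirespeed documentation or the `WEC-Setup.ps1` script; run it in an elevated prompt on a source system after `gpupdate /force`. It reads the registry locations Windows writes for the PowerShell logging, command-line auditing and Subscription Manager policies (the `SubscriptionManager` key is the one named in the WEC section of this page), checks the WinRM service, prints the audit subcategories from step 7, and shows the forwarder client's own status log. The step numbers in the output and the name of the forwarding-plugin log are assumptions made for this example.

```powershell
# Added example (not from the Wirespeed docs or WEC-Setup.ps1): confirm on a WEF source
# system that the Group Policy settings from the steps above actually landed.
# Run elevated, after "gpupdate /force".

$checks = @(
    @{ Name  = 'WEC subscription manager (step 4)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
       Value = '1'; Expect = 'Server=http://' }   # the GPO stores the target under value name "1"
    @{ Name  = 'Script block logging (step 5.2)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging'; Expect = 1 }
    @{ Name  = 'Module logging (step 5.3)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Value = 'EnableModuleLogging'; Expect = 1 }
    @{ Name  = 'Transcription (step 5.4)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Value = 'EnableTranscripting'; Expect = 1 }
    @{ Name  = 'Command line in 4688 (step 6)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled'; Expect = 1 }
)

foreach ($c in $checks) {
    # Missing key or value yields $null, which fails the comparison below
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $ok = if ($c.Expect -is [string]) { "$actual" -like "$($c.Expect)*" } else { $actual -eq $c.Expect }
    '{0,-4} {1}  (found: {2})' -f ($(if ($ok) { 'OK' } else { 'FAIL' }), $c.Name, $actual)
}

# Step 3: the push (source-initiated) forwarder needs WinRM running locally
$winrm = Get-Service -Name WinRM
'{0,-4} WinRM service is {1}' -f ($(if ($winrm.Status -eq 'Running') { 'OK' } else { 'FAIL' }), $winrm.Status)

# Step 7: advanced audit policy as the system currently enforces it, one subcategory per line
foreach ($sub in 'Process Creation', 'Kerberos Authentication Service', 'Logon', 'Logoff') {
    auditpol /get /subcategory:"$sub" | Select-String -Pattern $sub
}

# Forwarder client status: this operational log records whether the subscription from the
# WEC server was received and whether forwarding works (assumption: log name on Server 2016+)
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A `FAIL` on the Subscription Manager line usually means the host is in an OU the GPO is not linked to, or policy has not refreshed yet; a `FAIL` on WinRM on a host that should forward points at the optional WinRM block in step 3 being applied too broadly.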

## Configure Windows Event Collector

1. Identify a server (should match the server identified and set in group policy above), which must run a supported Windows Server release (Server 2016 or newer).
   <Warning>If you follow our recommendations above to disable WinRM incoming traffic on the monitored Windows hosts, make sure that setting does NOT apply to the WEC server, or WEC will not work.</Warning>
2. Download `WEC-Setup.ps1` from Wirespeed's Github: [https://github.com/WirespeedSecurity/utils/](https://github.com/WirespeedSecurity/utils/)
3. Create the directory `C:\Program Files\Wirespeed` and move the script there. Open a PowerShell terminal running as an administrator in this directory and execute the script with `.\WEC-Setup.ps1`. This script will:
   1. Enable and configure the Windows Remote Management (WinRM) service: a dependency for WEC.
   2. Set the Windows Event Collector service (`wecsvc`) to start automatically and start it immediately using `wecutil qc`.
   3. Add the `NT AUTHORITY\Network Service` account to the local `Event Log Readers` group to ensure the proper permissions for event collection.
   4. Create firewall rules to allow inbound traffic on ports 5985 (WinRM over HTTP) and 5986 (WinRM over HTTPS) for WEF communication.
   5. Configure the WEC server to forward its own Windows events to itself (localhost) via HTTP on port 5985, enabling self-monitoring by setting the registry key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager`.
   6. Create a source-initiated WEC subscription named "Security and PowerShell Events" to collect events from the Security, Microsoft-Windows-PowerShell/Operational, Windows PowerShell, System, and Application logs, using HTTP and storing events in the ForwardedEvents log.
4. To validate the configuration:
   1. Check the `ForwardedEvents` log in Event Viewer (`eventvwr.msc`) on the WEC server to confirm that events from source systems (and the WEC server itself) are being collected.
   2. Review the setup log at `C:\Program Files\Wirespeed\collector.log` for any errors or confirmation of successful configuration steps.
   3. Generate a test event on a source system (e.g., `eventcreate /Id 500 /D "Test event" /T ERROR /L System`) and verify it appears in the WEC server's `ForwardedEvents` log.
      <Info>All of the script's actions and errors are recorded in a log file at `C:\Program Files\Wirespeed\collector.log` for any additional validation or debugging required.</Info>
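The validation steps above can be scripted so they are repeatable after every change. The following PowerShell script is an added example and is not part of the Wirespeed documentation or of `WEC-Setup.ps1`; run it elevated on the WEC server. It checks the collector and WinRM services, lists the subscription `WEC-Setup.ps1` creates and its per-source runtime status with Microsoft's `wecutil`, counts recent `ForwardedEvents` per source system, looks for the `eventcreate` test event from step 4.3, and greps the setup log for errors. The one-hour lookback is a value chosen for this example.

```powershell
# Added example (not from the Wirespeed docs or WEC-Setup.ps1): validate the WEC server.
# Run in an elevated PowerShell on the WEC server.

$SubscriptionName = 'Security and PowerShell Events'   # created by WEC-Setup.ps1
$LookbackHours    = 1                                   # chosen for this example

# 1. Collector service and its WinRM dependency
Get-Service -Name wecsvc, WinRM | Select-Object Name, Status, StartType

# 2. Subscription exists, and per-source runtime status (shows each source's last heartbeat/error)
wecutil es
wecutil gr $SubscriptionName

# 3. Which source systems delivered events recently, and how many
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events in ForwardedEvents in the last $LookbackHours hour(s); check collector.log and the wecutil gr output above."
} else {
    $events | Group-Object MachineName | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count | Format-Table -AutoSize
}

# 4. Did the test event from step 4.3 (eventcreate /Id 500 on a source system) arrive?
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 500; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, ProviderName, Message | Format-List

# 5. Setup log written by WEC-Setup.ps1: surface error lines only
Get-Content 'C:\Program Files\Wirespeed\collector.log' -ErrorAction SilentlyContinue | Select-String -Pattern 'error'
```

Expect the WEC server's own name in the step 3 table even before any other host reports, because `WEC-Setup.ps1` points the server at itself; a source system that is missing there but present in `wecutil gr` with an error code is usually a WinRM or firewall problem on that host.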

## Configure Log Forwarding

<Info>For more information, reference the official documentation for [Winlogbeat](https://www.elastic.co/docs/reference/beats/winlogbeat/) and [Logstash](https://www.elastic.co/docs/reference/logstash).</Info>

### Installing and Configuring Winlogbeat

Installation is based on Elastic's official [Winlogbeat installation guide](https://www.elastic.co/docs/reference/beats/winlogbeat/winlogbeat-installation-configuration).

1. Download and install Winlogbeat
   1. Download the zip file from the [downloads page](https://www.elastic.co/downloads/beats/winlogbeat)
   2. Extract the contents into `C:\Program Files`
   3. Rename the `winlogbeat-<version>` directory to `Winlogbeat`
   4. Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator)
   5. From the PowerShell prompt, run the following commands to install the service
      1. `cd 'C:\Program Files\Winlogbeat'`
      2. `.\install-service-winlogbeat.ps1`

<Info>If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: `PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1`.</Info>

2. Configure Winlogbeat
   1. In `winlogbeat.yml`, replace the existing contents with the configurations below:
   ```yaml
   winlogbeat.event_logs:
     - name: Security
       ignore_older: 72h
     - name: System
       ignore_older: 72h
     - name: Application
       ignore_older: 72h
     - name: Microsoft-Windows-PowerShell/Operational
       ignore_older: 72h
     - name: ForwardedEvents
       ignore_older: 72h
   output.logstash:
     hosts: ["localhost:5044"]
     ssl.enabled: false
     codec.json:
       pretty: false
   ```

<Info>This is a very basic configuration. It's recommended to learn more about Winlogbeat configuration options and tailor the above to meet your specific needs. Please see [Elastic's official documentation](https://www.elastic.co/docs/reference/beats/winlogbeat/configuring-howto-winlogbeat) for all available configuration options.</Info>

### Installing and Configuring Logstash

<Warning>
  Logstash requires one of the following:

  * Java 17
  * Java 21
</Warning>

1. Download and install Logstash
   1. Download the zip file from the [downloads page](https://www.elastic.co/downloads/logstash)
   2. Extract the contents into `C:\Program Files`
   3. Rename the `logstash-<version>` directory to `Logstash`
   4. Navigate to the `C:\Program Files\Logstash\config\` directory

2. Configure Logstash
   1. Obtain a domain name from a Wirespeed engineer using the in-platform chat, or by emailing [support@wirespeed.co](mailto:support@wirespeed.co)
   2. Edit `logstash.conf` to gather events from Winlogbeat to ship to Wirespeed:
      1. Replace the contents of the existing `logstash.conf` with the contents below (or create if none exists):
         ```
         input {
           beats {
             port => 5044
             ssl_enabled => false
           }
         }
         filter {
           # Winlogbeat places the Windows event ID at winlog.event_id; other beat
           # versions use event.code. Use else-if so a record that carries both
           # fields gets a single event_id string instead of an array (mutate's
           # add_field appends to an existing field rather than replacing it).
           if [winlog][event_id] {
             mutate {
               add_field => { "event_id" => "%{[winlog][event_id]}" }
             }
           } else if [event][code] {
             mutate {
               add_field => { "event_id" => "%{[event][code]}" }
             }
           }
         }
         output {
           http {
             url => "https://<WIRESPEED_DOMAIN_NAME>:42124"
             http_method => "post"
             codec => "json"
           }
         }
         ```
      2. Replace `<WIRESPEED_DOMAIN_NAME>` with the domain provided by the Wirespeed engineer
   3. Edit `logstash.yml` to recognize the new configuration by default
      1. Append the following lines to the file, then save it and close:
         ```yaml
         config.reload.automatic: true  # Automatically reload config if logstash.conf changes
         path.config: "C:\\Program Files\\Logstash\\config\\logstash.conf"  # Sets the default config file
         ```
         <Info>This is a very basic configuration. It's recommended to learn more about Logstash configuration options and tailor the above to meet your specific needs. Please see [Elastic's official documentation](https://www.elastic.co/docs/reference/logstash) for all available configuration options.</Info>
   4. Install Logstash as a Service
      <Warning>It's recommended to run logstash manually to ensure the configuration is valid prior to running as a service. See more information here: [Running Logstash Manually](https://www.elastic.co/docs/reference/logstash/running-logstash-windows#running-logstash-windows-manual)</Warning>
      <Info>**Recommended:** Read more about this setup here: [Running Logstash as a service with NSSM](https://www.elastic.co/docs/reference/logstash/running-logstash-windows#running-logstash-windows-nssm)</Info>
      1. Download and install NSSM
         1. [https://nssm.cc/download](https://nssm.cc/download) and extract `nssm.exe` from `nssm-<version.number>\win64\nssm.exe` to `Logstash\bin\`
      2. Use NSSM to create Logstash service
         1. Open a PowerShell terminal as an administrator and run the following command to install Logstash as a service:
            1. `cd "C:\Program Files\Logstash\bin"`
            2. `.\nssm.exe install logstash`
         2. Once the `NSSM service installer` window appears, specify the following parameters in the `Application` tab:
            1. **Path**: `C:\Program Files\Logstash\bin\logstash.bat`
            2. **Startup Directory**: `C:\Program Files\Logstash\bin`
         3. Click **Install Service** and then **Ok**
   5. Start Logstash and Winlogbeat:
      1. `Start-Service logstash`
      2. `Start-Service winlogbeat`
      3. Verify the services are running with
         1. `Get-Service Logstash`
         2. `Get-Service winlogbeat`
   6. Contact a Wirespeed engineer via in-platform chat or by emailing [support@wirespeed.co](mailto:support@wirespeed.co) to ensure logs are flowing as expected
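Before contacting Wirespeed it is worth confirming each hop of the Winlogbeat → Logstash → Wirespeed chain locally. The following PowerShell script is an added example, not part of the Wirespeed documentation or of Elastic's install scripts; run it elevated on the WEC server after step 5. It checks both services, validates `logstash.conf` with Logstash's own `--config.test_and_exit` flag, runs Winlogbeat's built-in `test config` and `test output` subcommands (the latter opens a real connection to the beats input on port 5044), tests TCP reachability of the Wirespeed endpoint on port 42124, and tails the Winlogbeat log. `<WIRESPEED_DOMAIN_NAME>` is the placeholder from the Logstash section; the Winlogbeat log directory is an assumption based on where `install-service-winlogbeat.ps1` places it, and the other paths follow the install layout used above.

```powershell
# Added example (not from the Wirespeed docs or Elastic's scripts): end-to-end check of the
# Winlogbeat -> Logstash -> Wirespeed forwarding chain. Run elevated on the WEC server.

$WirespeedDomain = '<WIRESPEED_DOMAIN_NAME>'                       # placeholder: domain given by Wirespeed
$LogstashBin     = 'C:\Program Files\Logstash\bin'
$LogstashConf    = 'C:\Program Files\Logstash\config\logstash.conf'
$WinlogbeatDir   = 'C:\Program Files\Winlogbeat'
$WinlogbeatLogs  = 'C:\ProgramData\winlogbeat\logs'                # assumption: path set by install-service-winlogbeat.ps1

# 1. Both services present and running?
Get-Service -Name logstash, winlogbeat | Select-Object Name, Status, StartType

# 2. Logstash pipeline syntax check; exits non-zero on a broken logstash.conf
& "$LogstashBin\logstash.bat" --config.test_and_exit -f $LogstashConf
if ($LASTEXITCODE -ne 0) { Write-Warning 'logstash.conf failed validation; fix it before going further' }

# 3. Winlogbeat config check, then a live connection test to the beats input on 5044
& "$WinlogbeatDir\winlogbeat.exe" test config -c "$WinlogbeatDir\winlogbeat.yml" -e
& "$WinlogbeatDir\winlogbeat.exe" test output -c "$WinlogbeatDir\winlogbeat.yml" -e

# 4. Is Logstash listening locally, and can this host reach Wirespeed on 42124?
Test-NetConnection -ComputerName localhost -Port 5044 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName $WirespeedDomain -Port 42124 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 5. Tail the newest Winlogbeat log; publish failures toward Logstash are reported here
Get-ChildItem -Path $WinlogbeatLogs -Filter 'winlogbeat*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content -Tail 20
```

If `test output` succeeds but the Wirespeed port test fails, the problem is outbound connectivity from the WEC server (proxy or egress firewall) rather than the local pipeline; if the port test succeeds but Wirespeed still sees nothing, the Logstash `http` output block in `logstash.conf` is the place to look.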
