WEF

The Windows Event Forwarding (WEF) Source in Observo AI collects Windows event logs from multiple Windows machines in a centralized manner. It implements the Windows Event Forwarding protocol, allowing Windows clients to push their event logs to a central collector for continuous monitoring, security analysis, and compliance reporting for enhanced observability of Windows-based systems and applications.

Purpose

The purpose of the Observo AI Windows Event Forwarding source is to enable users to collect Windows event logs from distributed log agents into the Observo AI platform for centralized analysis and processing. It facilitates the aggregation of structured Windows events through secure WEF protocol connections, allowing organizations to streamline security monitoring, enhance infrastructure observability, and support use cases such as compliance auditing, security incident detection, system health monitoring, and forensic analysis by processing Windows event streams from diverse endpoints across Active Directory domains and workgroups.


Prerequisites

Complete the following prerequisites in order before configuring WEF.

1. Windows PKI Infrastructure

Ensure you have an Active Directory Certificate Services (AD CS) infrastructure or another Certificate Authority capable of issuing certificates.

Important: The same CA must issue both server and client certificates. This is a Windows Event Forwarding requirement; see Microsoft's documentation on source-initiated subscriptions.

2. Obtain Certificates

You will need:

| Certificate | Purpose | How to Obtain |
| --- | --- | --- |
| Server Certificate | Observo collector identity | Request from your CA with Server Authentication EKU |
| Server Private Key | TLS authentication | Exported with the server certificate |
| CA Certificate | Validate Windows client certificates | Export from your CA (public key only) |

To request a server certificate:

  1. On any domain-joined machine, open certlm.msc

  2. Right-click Personal > Certificates > All Tasks > Request New Certificate

  3. Select a template with Server Authentication EKU (e.g., "Web Server")

  4. Enter the Observo collector's FQDN as the Common Name (CN) or Subject Alternative Name (SAN)

  5. Complete the wizard and export the certificate with private key (.pfx)

To export the CA certificate:

See Obtaining the CA Certificate Thumbprint for detailed steps.

3. Network and Connectivity

| Requirement | Details |
| --- | --- |
| Firewall | Allow inbound TCP on port 5986 (TLS) to the Observo collector |
| DNS | Windows clients must resolve the collector's FQDN |
| Load Balancer | If used, configure SSL passthrough or terminate TLS at the collector |

4. Windows Clients

| Requirement | Details |
| --- | --- |
| Windows Version | Windows Server 2008 R2+ or Windows 7+ |
| WinRM Service | Must be enabled on all forwarding clients |
| Group Policy Access | Required to configure the subscription manager |


Integration

Step 1: Configure Observo AI WEF Source

  1. Log in to Observo AI

  2. Navigate to the Sources tab

  3. Click Add Source > Create New

  4. Choose Windows Event Forwarding from the list

Step 2: General Settings

| Setting | Description | Example |
| --- | --- | --- |
| Name | Unique identifier for the source | wef-domain-controllers, wef-security-servers |
| Description | Optional description | Security events from DCs |
| Socket Address | Address where the collector listens for WEF connections | 0.0.0.0:5986 |
| Collector Callback Address | Address clients use to reach the collector (for NAT/LB scenarios) | collector.example.com:5986 |

Socket Address examples:

| Example | Description |
| --- | --- |
| 0.0.0.0:5986 | Listen on all interfaces, port 5986 (HTTPS/TLS) |
| 192.168.1.100:5986 | Listen on a specific IP address |

Step 3: Authentication

| Setting | Description |
| --- | --- |
| Authentication Type | TLS (Mutual Certificate Authentication) |
| Server Certificate Path | Path to server certificate (DER, PEM, or PKCS#12) |
| Server Private Key Path | Path to server private key (PEM format) |
| CA Certificate Path | Path to CA certificate for validating client certificates |
| Verify Client Certificate | Enable to validate client certificates (recommended for production) |
| Verify Client Hostname | Enable to match the client hostname to the certificate CN |

Example paths:

| Setting | Example |
| --- | --- |
| Server Certificate | /opt/observo/certs/wef-server.pem |
| Server Private Key | /opt/observo/certs/wef-server-key.pem |
| CA Certificate | /opt/observo/certs/enterprise-ca.pem |

Step 4: Subscriptions

Configure one or more subscriptions to define which Windows events to collect.

| Setting | Description | Example |
| --- | --- | --- |
| Subscription Name | Name for this subscription | windows-security-events |
| Event Query (XML) | XPath filter for events | |
| Heartbeat Interval | Seconds between client heartbeats | 3600 |
| Max Envelope Size | Maximum batch size in bytes | 512000 |
| Max Elements per Envelope | Maximum events per batch | 100 |
| Connection Retry Count | Retry attempts for failed deliveries | 5 |
| Connection Retry Interval | Seconds between retries | 60 |
| Max Delivery Time | Seconds to wait for acknowledgment | 30 |
| Allowed Client Principals | Whitelist of allowed client CNs (empty = allow all) | CN=dc01.corp.local |
| Read Existing Events | Replay historical events | Disabled |

Example Event Query:
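
The page's own example query is not reproduced here. The following PowerShell is an added example (not Observo's or Microsoft's code) that defines a QueryList selecting Security logon events and test-runs it locally with Get-WinEvent before it is pasted into the Event Query (XML) field; the channel and event IDs are constructed for illustration.

```powershell
# Added example: validate a WEF event query locally before using it in a subscription.
# The QueryList XML below is constructed for illustration (Security channel, logon
# success/failure and special-privilege logon events); substitute your own filter.
$EventQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4672)]]
    </Select>
  </Query>
</QueryList>
'@

# 1. Check that the query is well-formed XML. A malformed query surfaces on the
#    collector as "Event query invalid", so catch it here first.
try {
    $QueryXml = [xml]$EventQuery
} catch {
    throw "Event query is not well-formed XML: $($_.Exception.Message)"
}

# 2. Sanity-check the structure Windows expects: a QueryList with at least one
#    Query/Select element whose Path names a channel present on this machine.
$selects = $QueryXml.SelectNodes('/QueryList/Query/Select')
if ($selects.Count -eq 0) { throw 'QueryList contains no Query/Select element' }
foreach ($s in $selects) {
    if (-not (Get-WinEvent -ListLog $s.Path -ErrorAction SilentlyContinue)) {
        Write-Warning "Channel '$($s.Path)' does not exist on this machine"
    }
}

# 3. Test-run the filter against the local event log. Get-WinEvent uses the same
#    XPath evaluator as the Event Log service, so a query accepted here is accepted
#    by the forwarder. Reading the Security log requires an elevated session.
try {
    $sample = Get-WinEvent -FilterXml $QueryXml -MaxEvents 5 -ErrorAction Stop
    Write-Host "Query is valid; $($sample.Count) matching event(s) found locally."
    $sample | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
} catch {
    if ($_.Exception.Message -match 'No events were found') {
        Write-Host 'Query is valid but matched no local events.'
    } else {
        throw "Query rejected by the Event Log service: $($_.Exception.Message)"
    }
}
```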

Step 5: Advanced Settings

Note: These settings are pre-configured with sensible defaults and typically do not need to be modified. Only adjust these if you have specific requirements or are instructed to do so by Observo support.

| Setting | Description | Default |
| --- | --- | --- |
| Persistence Backend | Storage for subscription metadata | PostgreSQL |
| PostgreSQL Host | Database server hostname | observo-db-rw.observo-client.svc.cluster.local |
| PostgreSQL Port | Database port | 5432 |
| Database Name | Database name | wef |
| Database User | Database username | wef |
| Database Password | Database password | (masked) |
| SSL Mode | PostgreSQL SSL mode | prefer |
| Connection Pool Size | Max concurrent connections | 16 |
| Max Content Length | Max HTTP request body size | 512000 |


Parser Config

After configuring the WEF source, configure parsing for the Windows XML event format.

  1. In the left sidebar, click Parser Config

  2. Enable Source Log Parser and select Windows XML Parser

  3. Configure parser settings:

| Setting | Description | Options |
| --- | --- | --- |
| Bypass Transform | Skip transformation steps | Default: off |
| Add Filter Conditions | Filter which events get processed | Default: off |
| Log Agent | Output format | Observo, Winlogbeat, Splunk UF, Otel Agent |
| New Field Name | Field name for parsed events | win, windows, event |


Pipeline Configuration

Step 1: Create a New Pipeline

  1. Navigate to Pipelines section

  2. Click Add Pipeline

  3. In Add Source, select the configured WEF source

  4. In Destination, select the target for log ingestion

Step 2: Add Windows Serializer Transform

  1. Click + to add transforms

  2. Select Serializer > Windows Serializer

  3. Configure settings:

| Setting | Description | Options |
| --- | --- | --- |
| Name | Transform name | windows-to-splunk |
| Input Field | Field containing parsed event data | win (match Parser Config) |
| Output | Destination format | Splunk, Raw, Azure Sentinel |

Step 3: Deploy Pipeline

  1. Click Deploy Pipeline

  2. Monitor logs to verify event flow

Common configurations:

| Destination | Output Setting |
| --- | --- |
| Splunk | Splunk |
| Azure Sentinel | Azure Sentinel |
| S3 or other storage | Raw |


Windows Client Configuration

After completing the Observo AI setup, configure Windows clients to forward events.

Obtaining the CA Certificate Thumbprint

The IssuerCA parameter in the Group Policy configuration requires the SHA1 thumbprint of the Certificate Authority.

Run on: Any domain-joined Windows machine

Using PowerShell

Using Certificate Manager

  1. Open certlm.msc

  2. Navigate to Trusted Root Certification Authorities > Certificates

  3. Double-click your CA certificate

  4. Select the Details tab

  5. Scroll to Thumbprint and copy the value

On the CA Server Directly

Thumbprint Format

Remove all spaces from the thumbprint before using in the GPO configuration:


Configuring the Subscription Manager (GPO)

Configure Windows clients to forward events to the Observo AI collector using Group Policy.

Step 1: Enable WinRM on Windows Clients

On each Windows client, open an elevated command prompt and run:

Step 2: Configure the Subscription Manager Policy

  1. Open Group Policy Management (gpmc.msc) on a Domain Controller

  2. Create a new GPO or edit an existing one linked to the OU containing your Windows clients

  3. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Event Forwarding

  4. Double-click Configure target Subscription Manager

  5. Select Enabled

  6. Under Options, click Show...

  7. Enter the Subscription Manager URL:

    Example:

  8. Click OK twice to save

Step 3: Apply the Policy

On Windows clients, open an elevated command prompt and run:

Subscription Manager URL Parameters

| Parameter | Description |
| --- | --- |
| Server | Full URL to the Observo collector endpoint. Use HTTPS for TLS. |
| Refresh | Interval in seconds for subscription update checks. Recommended: 60 (active) or 3600 (stable). |
| IssuerCA | SHA1 thumbprint of the CA certificate (no spaces). |

Note: The URL path /wsman/wec is case-sensitive.

Registry Alternative

Configure the Subscription Manager directly via registry:

For more information, see Microsoft's documentation on source-initiated subscriptions.
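
The thumbprint lookup, the space-stripping from "Thumbprint Format", and the Subscription Manager value from the table above, carried through as an added PowerShell example (not Observo's or Microsoft's code). The CA subject text, collector FQDN and refresh interval are assumptions to replace; the registry path is the policy key the GPO writes to.

```powershell
# Added example: locate the issuing CA certificate, normalise its thumbprint and
# build the Subscription Manager value used by the GPO / registry setting.
# The CA subject text and collector FQDN are assumptions; replace them with yours.
$CaSubjectMatch = 'Corp Root CA'              # assumed: part of your CA's Subject
$CollectorFqdn  = 'collector.example.com'     # assumed: Observo collector FQDN
$RefreshSeconds = 60                          # 60 while testing, 3600 once stable

# 1. Find the CA in the machine's trusted root (or intermediate) store.
$ca = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
      Where-Object { $_.Subject -like "*$CaSubjectMatch*" } |
      Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $ca) { throw "No certificate matching '$CaSubjectMatch' found in Root/CA stores" }

# 2. The Thumbprint property is already SHA1 hex without spaces; the -replace and
#    ToUpperInvariant() also normalise a value pasted from the Certificate Manager dialog.
$thumb = ($ca.Thumbprint -replace '\s', '').ToUpperInvariant()
if ($thumb -notmatch '^[0-9A-F]{40}$') { throw "Unexpected thumbprint format: $thumb" }

# 3. Build the value. HTTPS, port 5986 and the case-sensitive /wsman/wec path are
#    what the clients will use to reach the collector.
$SubscriptionManager = "Server=HTTPS://${CollectorFqdn}:5986/wsman/wec,Refresh=$RefreshSeconds,IssuerCA=$thumb"
Write-Host "Subscription Manager value:`n  $SubscriptionManager"

# 4. Compare with what policy has actually applied on this client. The GPO writes
#    numbered REG_SZ values under this key; the registry alternative sets them directly.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $policyKey) {
    $applied = (Get-ItemProperty -Path $policyKey).PSObject.Properties |
               Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
    foreach ($v in $applied) {
        # -ceq is case-sensitive on purpose: the /wsman/wec path must match exactly.
        $state = if ($v -ceq $SubscriptionManager) { 'MATCH' } else { 'DIFFERS' }
        Write-Host "[$state] $v"
        if ($v -match 'IssuerCA=([^,]+)' -and $Matches[1] -ne $thumb) {
            Write-Warning 'IssuerCA in the applied policy does not match the CA thumbprint found locally'
        }
    }
} else {
    Write-Warning "Policy key not present; run 'gpupdate /force' and check the GPO link."
}
```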


Security Event Log Access (SDDL)

By default, the Network Service account cannot read the Security event log. To forward Security events, grant read access using one of these methods.

Option 1: Local Security Policy (Single Machine)

  1. Open Local Security Policy (secpol.msc)

  2. Navigate to: Local Policies > User Rights Assignment

  3. Double-click Manage auditing and security log

  4. Click Add User or Group

  5. Enter NETWORK SERVICE and click Check Names

  6. Click OK twice to save

Option 2: Group Policy (Domain-Wide)

  1. Open Group Policy Management (gpmc.msc)

  2. Edit the GPO linked to your Windows clients

  3. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

  4. Double-click Manage auditing and security log

  5. Check Define these policy settings

  6. Click Add User or Group and add NETWORK SERVICE

  7. Click OK to save

Option 3: Configure Log Access SDDL (GPO)

For granular control, configure the Security log SDDL directly:

  1. Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security

  2. Double-click Configure log access

  3. Select Enabled

  4. Enter the following SDDL string:

  5. Click OK to save

SDDL Breakdown

| Entry | Description |
| --- | --- |
| O:BA | Owner: Built-in Administrators |
| G:SY | Group: Local System |
| (A;;0xf0007;;;SY) | Allow System full access |
| (A;;0x7;;;BA) | Allow Built-in Administrators read, write, clear |
| (A;;0x1;;;BO) | Allow Backup Operators read |
| (A;;0x1;;;SO) | Allow Server Operators read |
| (A;;0x1;;;S-1-5-32-573) | Allow Event Log Readers group read |
| (A;;0x1;;;S-1-5-20) | Allow Network Service read |

Apply Changes

After configuring, either:

  • Reboot the Windows client, or

  • Run gpupdate /force and restart the Windows Event Log service:

For more information, see Microsoft's troubleshooting guide.


Client Certificate Permissions

For TLS authentication, the Network Service account must have read access to the client certificate's private key.

Configure Private Key Permissions

  1. Open Certificate Manager for Local Machine (certlm.msc)

  2. Navigate to: Personal > Certificates

  3. Right-click the client certificate used for WEF

  4. Select All Tasks > Manage Private Keys...

  5. Click Add

  6. Enter NETWORK SERVICE and click Check Names

  7. Ensure Read permission is checked

  8. Click OK to save

Verify Certificate Configuration

| Requirement | How to Verify |
| --- | --- |
| Issued by correct CA | Check that the Issued By field matches your CA |
| Not expired | Check the Valid From and Valid To dates |
| Has private key | Certificate icon shows a key |
| Client Authentication EKU | Details > Enhanced Key Usage includes "Client Authentication" |

Deploying Certificates via Group Policy (Auto-Enrollment)

  1. Open Group Policy Management (gpmc.msc)

  2. Edit the GPO linked to your Windows clients

  3. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies

  4. Double-click Certificate Services Client - Auto-Enrollment

  5. Set Configuration Model to Enabled

  6. Check both:

    • Renew expired certificates, update pending certificates, and remove revoked certificates

    • Update certificates that use certificate templates

  7. Click OK to save

Note: Auto-enrollment requires an AD CS infrastructure with appropriate certificate templates published.

For more information, see Microsoft's certificate autoenrollment guide.


Applying Configuration

After completing all configuration steps, apply changes to Windows clients.

Force Group Policy Update

Verify WinRM Service

If not running:

Verify Event Forwarding Configuration

Test Connectivity

Verify Subscription Status
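
The verification steps above, combined into one client-side health check as an added PowerShell example (not Observo's or Microsoft's code). The collector FQDN, port and CA subject text are assumptions to replace; the certificate checks mirror the Verify Certificate Configuration table and the log channels are the ones listed under Troubleshooting.

```powershell
# Added example: client-side health check for WEF forwarding. The collector FQDN,
# port and CA subject text are assumptions to replace; everything else reads local state.
$CollectorFqdn  = 'collector.example.com'   # assumed
$CollectorPort  = 5986
$CaSubjectMatch = 'Corp Root CA'            # assumed: part of the issuing CA's Subject
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU

# 1. WinRM must be running for the Forwarding plugin to operate.
$winrm = Get-Service -Name WinRM
Write-Host ("WinRM service: {0} (startup {1})" -f $winrm.Status, $winrm.StartType)

# 2. Network reachability to the collector on the TLS port (covers DNS and firewall).
$tnc = Test-NetConnection -ComputerName $CollectorFqdn -Port $CollectorPort -WarningAction SilentlyContinue
Write-Host ("TCP {0}:{1} reachable: {2}" -f $CollectorFqdn, $CollectorPort, $tnc.TcpTestSucceeded)

# 3. A usable client certificate: issued by the CA, valid now, has a private key,
#    and carries the Client Authentication EKU.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*$CaSubjectMatch*" -and $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    Write-Host ("Client certificate OK: {0} (expires {1:yyyy-MM-dd})" -f $cert.Subject, $cert.NotAfter)
} else {
    Write-Warning 'No valid client-auth certificate from the expected CA with a private key in LocalMachine\My'
}

# 4. Recent warnings/errors from the forwarder and WinRM operational logs, the
#    same channels the troubleshooting section points to (Level 2 = Error, 3 = Warning).
foreach ($log in 'Microsoft-Windows-Forwarding/Operational', 'Microsoft-Windows-WinRM/Operational') {
    $errs = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $now.AddHours(-24) } `
                         -ErrorAction SilentlyContinue
    Write-Host ("{0}: {1} warning/error event(s) in the last 24h" -f $log, @($errs).Count)
    $errs | Select-Object -First 3 TimeCreated, Id, Message | Format-List
}
```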


Troubleshooting

Collector-Side Issues

| Issue | Possible Cause | Resolution |
| --- | --- | --- |
| No events received | Windows clients not configured | Verify GPO settings and subscription configuration |
| Certificate errors | Invalid or expired certificates | Check certificate validity and CA chain |
| Connection failures | Firewall blocking WEF port | Verify firewall allows TCP 5986 |
| "Failed to bind to address" | Port in use or permissions issue | Check for conflicting services |
| "TLS handshake failed" | Certificate configuration error | Verify server cert, private key, and CA cert paths |
| "Database connection failed" | PostgreSQL unreachable | Test database connectivity and credentials |
| "Event query invalid" | XML syntax error | Validate Event Query XML syntax |
| High event loss | Envelope size too small | Increase the Max Envelope Size setting |

Windows Client-Side Issues

Windows Event Logs to Check

| Log | Location in Event Viewer |
| --- | --- |
| CAPI2 | Applications and Services Logs > Microsoft > Windows > CAPI2 > Operational |
| EventForwarding-Plugin | Applications and Services Logs > Microsoft > Windows > Forwarding-Plugin > Operational |
| Windows Remote Management | Applications and Services Logs > Microsoft > Windows > Windows Remote Management > Operational |

Note: The CAPI2 log may need to be enabled. Right-click the log and select Enable Log.

Common Client Issues

No Events Being Forwarded:

Certificate Errors:

Security Events Not Forwarding:

TLS Handshake Failures:

Useful Commands Reference

| Command | Purpose |
| --- | --- |
| winrm quickconfig | Configure WinRM with default settings |
| winrm get winrm/config | View current WinRM configuration |
| wecutil es | List event subscriptions |
| wecutil gr <name> | Get subscription runtime status |
| gpupdate /force | Force Group Policy refresh |
| gpresult /r | View applied Group Policies |
| certutil -store My | List certificates in the Personal store |


Resources

Microsoft Documentation

Additional Resources
