Implement Windows Event Forwarding
Summary Checklist for the Setup of Event Forwarding
- Install and disable the BeyondTrust agent.
  We recommend doing this step before creating a subscription. A reboot is required for the service to be available to the subscription. The Avecto Defendpoint Service must be set to Disabled to deactivate the agent.
- Run WinRM quickconfig
- Run Wecutil qc
- Create and name the subscription in Event Viewer with the following settings:

  | Setting | Value |
  |---|---|
  | Destination | Forwarded Events log |
  | Type | Source Initiated subscription |
  | Source Computers | Domain Computers or other group containing computers in scope |
  | By Source | Avecto Defendpoint Service / BeyondTrust Privilege Management |
- Run wecutil ss <subscriptionname> /cf:Events
  This changes the subscription from the default content format of RenderedText to Events, which has the dual benefit of reducing source computer CPU overhead and reducing event size.
- Run wecutil ss <subscriptionname> /ree:True
  This setting ensures all desired events already in the Application event log on a source computer are forwarded to the event collector; the default behavior is to forward only future (arriving) events from the point the subscription begins, which can result in missing data.
For more information, please see the following: