Implement Windows Event Forwarding
Summary Checklist for the Setup of Event Forwarding
- Install and disable the BeyondTrust agent.
We recommend doing this step before creating a subscription. A reboot is required for the service to be available to the subscription. The Avecto Defendpoint Service must be set to Disabled to deactivate the agent.
- Run WinRM quickconfig
- Run Wecutil qc
- Create and name subscription in Event Viewer.
| Setting | Value |
|---|---|
| Name | BeyondTrust Events |
| Destination | Forwarded Events log |
| Type | Source Initiated subscription |
| Source Computers | Domain Computers, or another group containing the computers in scope |
| Select Events: Event Level | |
| Select Events: By Source | Avecto Defendpoint Service / BeyondTrust Privilege Management |
| Advanced | Minimize Latency |
- Run wecutil ss <subscriptionname> /cf:Events
This changes the subscription from the default behavior of RenderedText to Events, which has the dual benefit of reducing source computer CPU overhead and the event size.
- Run wecutil ss <subscriptionname> /ree:True
This setting ensures that all desired events already present in the Application event log on a source computer are forwarded to the event collector; the default behavior is to forward only future (arriving) events from the point at which the subscription begins, which can result in missing data.
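The checklist above as one script, run from an elevated PowerShell prompt on the event collector (added example, not BeyondTrust's own code). It assumes the two provider names in the query match the event sources registered by the agent (verify with Get-WinEvent -ListProvider) and uses a placeholder path for the subscription XML.

```powershell
# Added example: applies the Event Forwarding checklist on the collector.
# Assumptions (not from the documentation): provider names below match the
# registered event sources; $XmlPath is a placeholder location.
$SubscriptionName = 'BeyondTrust Events'
$XmlPath          = Join-Path $env:TEMP 'BeyondTrustEvents.xml'

# 1. Agent installed but deactivated: set the service to Disabled
#    (reboot afterwards so the event source is available to the subscription).
Get-Service -DisplayName 'Avecto Defendpoint Service' |
    Set-Service -StartupType Disabled

# 2. and 3. Enable the WinRM listener and the Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q:true

# 4. Source-initiated subscription into the Forwarded Events log: Domain
#    Computers (SDDL abbreviation 'DC') may push Application-log events from
#    the BeyondTrust providers, with the Minimize Latency delivery mode.
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>BeyondTrust Privilege Management events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Application">
      <Select Path="Application">*[System[Provider[@Name='Avecto Defendpoint Service' or @Name='BeyondTrust Privilege Management']]]</Select>
    </Query></QueryList>]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@ | Set-Content -Path $XmlPath -Encoding UTF8
wecutil cs $XmlPath

# 5. and 6. Apply the two checklist settings explicitly: Events instead of
#    RenderedText (less source CPU, smaller events) and read existing events.
wecutil ss "$SubscriptionName" /cf:Events
wecutil ss "$SubscriptionName" /ree:true

# Verify the stored configuration and the per-source runtime status.
wecutil gs "$SubscriptionName"
wecutil gr "$SubscriptionName"
```

After source computers have applied the Group Policy that points them at this collector, wecutil gr lists each source with its last heartbeat and any delivery error.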
For more information, please see the following: