Implement Windows Event Forwarding

Summary Checklist for the Setup of Event Forwarding

  1. Install and disable the BeyondTrust agent.

    We recommend doing this step before creating a subscription. A reboot is required for the service to be available to the subscription. The Avecto Defendpoint Service must be set to Disabled to deactivate the agent.

  2. Run WinRM quickconfig.
  3. Run Wecutil qc.
  4. Create and name the subscription in Event Viewer with the following settings:

    Name: BeyondTrust Events
    Destination: Forwarded Events log
    Type: Source initiated subscription
    Source Computers: Domain Computers, or another group containing the computers in scope
    Select Events:
      Event Level:
      By Source: Avecto Defendpoint Service / BeyondTrust Endpoint Privilege Management
    Advanced: Minimize Latency
  5. Run wecutil ss <subscriptionname> /cf:Events

    This changes the subscription's content format from the default RenderedText to Events, which both reduces CPU overhead on the source computers and shrinks the size of each forwarded event.

  6. Run wecutil ss <subscriptionname> /ree:True

    This setting ensures that all desired events already present in the Application event log on a source computer are forwarded to the event collector. By default, only events that arrive after the subscription begins are forwarded, which can leave gaps in the data.
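The collector-side part of the checklist (steps 2 to 6) can also be applied without the Event Viewer GUI. The following PowerShell script is an added example, not BeyondTrust's own tooling: it builds the subscription from the standard Windows Event Collector subscription XML using the name, log, provider names and delivery mode listed above, applies the two wecutil ss settings, and then reads the subscription back to verify them. The SDDL string that admits Domain Computers and the temporary file path are assumptions; run it in an elevated PowerShell on the collector.

```powershell
# Added example: create and verify the "BeyondTrust Events" source-initiated subscription.
$SubName = 'BeyondTrust Events'

# Steps 2 and 3: prepare WinRM and the Windows Event Collector service.
winrm quickconfig -q | Out-Null
wecutil qc /q

# Step 4: source-initiated subscription into the Forwarded Events log, MinLatency delivery.
# The query selects the two provider names from the checklist in the Application log;
# the SDDL (assumed here) grants Domain Computers (DC) the right to forward.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2002/12/Subscription.xsd">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Application">
      <Select Path="Application">*[System[Provider[@Name='Avecto Defendpoint Service' or @Name='BeyondTrust Endpoint Privilege Management']]]</Select>
    </Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$XmlPath = Join-Path $env:TEMP 'beyondtrust-subscription.xml'   # assumed scratch location
$SubscriptionXml | Set-Content -Path $XmlPath -Encoding UTF8
wecutil cs $XmlPath

# Steps 5 and 6: explicit, so the script also corrects a subscription created in the GUI.
wecutil ss $SubName /cf:Events
wecutil ss $SubName /ree:true

# Verification: read the subscription back as XML and fail loudly if either setting
# is still at the RenderedText / future-events-only default.
[xml]$Saved = (wecutil gs $SubName /f:xml) -join "`n"
$Cf  = $Saved.Subscription.ContentFormat
$Ree = $Saved.Subscription.ReadExistingEvents
if ($Cf -ne 'Events' -or $Ree -ne 'true') {
    throw "Subscription '$SubName' misconfigured: ContentFormat=$Cf ReadExistingEvents=$Ree"
}
Write-Host "Subscription '$SubName' OK: ContentFormat=$Cf ReadExistingEvents=$Ree"

# Runtime status per source computer, to confirm endpoints are actually checking in.
wecutil gr $SubName
```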