Event Forwarding Implementation Scenarios

The scenarios outlined below provide an overview of the most common Windows Event Forwarding configurations, including scaled-out and fault tolerant designs.

Basic Event Collection

Event forwarding implementation: Basic scenario

The basic event collection design provides an example configuration for use in small to medium size organizations, where fault tolerance is not required.

Positives

  • Supports up to 100,000 source computers connecting to a single event collector.

Negatives

  • Limited fault tolerance. If the event collector goes offline, the events are collected on the client and forwarding resumes once the event collector is back online.
  • An extended fault could result in audit event loss on the client due to log rollover. This can be mitigated by a large event log size.

Scaled-Out Event Collectors

Event forwarding implementation: Scaled-out scenario

The scaled-out design provides scalability as the number of event collectors can be increased to accommodate an unlimited number of source computers.

Positives

  • Supports up to 100,000 source computers connecting to a single event collector.
  • Supports an unlimited number of source computers.
  • Accommodates broad geographic deployment or network segmentation.

Negatives

  • Limited fault tolerance. If the event collector goes offline, the events are collected on the client and forwarding resumes once the event collector is back online.
  • An extended fault could result in audit event loss on the client due to log rollover. This can be mitigated by a large event log size.
  • Traffic to database across WAN links requires firewall configuration.
  • Database insert performance may be affected by slow links.

Scaled-Out Tiered Fault Tolerant Event Collection

Event forwarding implementation: Scaled-out tiered fault tolerant scenario

The design combines scalability and fault tolerance. Windows Event Forwarding supports fault tolerant event collection by transmitting events to duplicate event collectors. The solution consuming the events must identify duplicates and discard them.
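As an added example (not part of the BeyondTrust documentation or product), the consumer-side de-duplication described above in Python: events arriving from two redundant collectors are keyed on Computer, Channel and EventRecordID, so a record forwarded twice is kept once while another host's record that happens to share a record id is not discarded. The event XML, hostnames and record ids are constructed samples.

```python
"""De-duplicate Windows events received via two redundant WEF collectors.

EventRecordID is assigned per event log on each computer, so it only
identifies an event together with the Computer and Channel fields.
"""
import xml.etree.ElementTree as ET

# Namespace used by the Windows Event XML schema.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(computer: str, record_id: int, event_id: int = 4624,
               channel: str = "Security") -> str:
    """Build a constructed sample event (System section only)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System>"
        f"<EventID>{event_id}</EventID>"
        f"<EventRecordID>{record_id}</EventRecordID>"
        f"<Channel>{channel}</Channel>"
        f"<Computer>{computer}</Computer>"
        "</System></Event>"
    )


def event_key(xml_text: str) -> tuple:
    """Return the (Computer, Channel, EventRecordID) identity of an event."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    computer = system.findtext("e:Computer", namespaces=NS)
    channel = system.findtext("e:Channel", namespaces=NS)
    record_id = int(system.findtext("e:EventRecordID", namespaces=NS))
    return (computer, channel, record_id)


def dedupe(events: list) -> list:
    """Keep the first copy of each event identity, preserving arrival order."""
    seen = set()
    unique = []
    for xml_text in events:
        key = event_key(xml_text)
        if key not in seen:
            seen.add(key)
            unique.append(xml_text)
    return unique


# Constructed sample: both collectors forwarded HOST1's records 1001 and 1002;
# HOST2 reuses record id 1001 in its own Security log and must survive dedupe.
COLLECTOR_A = [make_event("HOST1", 1001), make_event("HOST1", 1002),
               make_event("HOST2", 1001)]
COLLECTOR_B = [make_event("HOST1", 1001), make_event("HOST1", 1002)]


def merged_unique_count() -> int:
    return len(dedupe(COLLECTOR_A + COLLECTOR_B))  # returns 3
```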

Positives

  • Supports up to 100,000 source computers connecting to a single event collector.
  • Supports an unlimited number of source computers.
  • Accommodates broad geographic deployment or network segmentation.
  • Mitigates firewall and database performance concerns by placing the second-tier collector close to the database.
  • Provides fault tolerance.

Negatives

  • Limited fault tolerance. If the event collector goes offline, the events are collected on the client and forwarding resumes once the event collector is back online.
  • An extended fault could result in audit event loss on the client due to log rollover. This can be mitigated by a large event log size.
  • Traffic to database across WAN links requires firewall configuration.
  • Database insert performance may be affected by slow links.

Specific hardware and software specifications vary depending on the enterprise environment in which Event Forwarding is configured. BeyondTrust’s Professional Services team can provide advice and assistance in this area if required. Please contact your account manager for more information.