AndrewX, Sep 07, 2019
Windows WEF subscriptions evaluation
Hello
I have searched online and cannot find an answer around how Windows Event Forwarding subscriptions are evaluated, in what priority or order, when there are overlapping subscriptions or conflicts. I also cannot seem to decipher the outcomes when I test. Here goes.
My base config is Source Initiated, applies to all Domain Controllers and Domain Computers. I use GP to enable security auditing across most of the auditing categories, as per MS, ASD, Palantir, SwiftOnSecurity and IGOR documentation. I have the Network Service as an Event Log Readers group member across the entire domain.
- If I create a GUI-initiated subscription to collect the entire Security event log, all of my computers quickly subscribe and I see all kinds of security-related event IDs.
- If I copy and paste the XML query from the GUI for the subscription above, drop it into a subscription XML file, and create the subscription using wecutil cs <name.xml>, I get no logs forwarded. All the clients stop sending logs. There are no Event Forwarder Plugin Event 102 errors either.
-- The XML Query
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
  </Query>
</QueryList>
Question: Why does the exact same subscription work when created using the GUI vs created using the XML file (preferred)?
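For reference, the shape of a complete source-initiated subscription file that wecutil cs expects, together with the wecutil status checks used to see whether the collector actually has sources bound to it. This is an added example and is not from the original post or from Microsoft's documentation; the subscription name, description, delivery timings and the SDDL (granting Domain Computers and Domain Controllers, matching the scenario above) are assumptions, and the query is the one from the post.

```powershell
# Added example: a full source-initiated WEF subscription document plus the
# collector-side checks. Not code from the original post; the name, timings
# and SDDL below are assumptions chosen to match the described environment.
$SubscriptionName = 'Security-AllEvents'          # assumed name
$XmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"

# wecutil cs takes a whole <Subscription> document; the <QueryList> from the
# GUI goes inside <Query> as CDATA. AllowedSourceDomainComputers is SDDL:
# DC = Domain Computers, DD = Domain Controllers.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>All Security log events (assumed example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@

Set-Content -Path $XmlPath -Value $subscription -Encoding UTF8

# Create the subscription on the collector from the file.
wecutil cs $XmlPath

# Compare the stored configuration with the GUI-created subscription
# ('gs' = get-subscription), then check whether any source is bound and
# when it last heartbeated ('gr' = get-subscriptionruntimestatus). A
# subscription that the collector accepted but no client picked up shows
# up here as an empty or error-filled source list rather than as Event 102.
wecutil gs $SubscriptionName
wecutil gr $SubscriptionName

# Sources re-read the SubscriptionManager setting on policy refresh, so after
# changing subscriptions, refresh a test client and restart its forwarder:
#   gpupdate /force
#   Restart-Service WinRM
```

Running gs on both the GUI-created and the file-created subscription and diffing the two outputs is the quickest way to spot a field (delivery mode, content format, SDDL, locale) that differs between the two despite the identical query.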