
Where are Windows Event Forwarding (WEF) subscriptions filters applied?

Juan Christian
New Contributor

I configured Windows Event Forwarding (WEF) in my LAB domain and I'm setting up subscriptions. My subscription is configured on my DC and is source-initiated, the collector is DC01.acme.com and sources are WIN7.acme.com and WIN10.acme.com. Suppose I have the following query filter configured for my subscription:

[Query filter image, from https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-event-forwarding]


This means that I only want Security event logs with ID 4776 forwarded to DC01.acme.com. This works like a charm; no issues here. My only question is: where is the filter really applied, on the DC (collector) or on the workstations (sources)? In my mind there are two possible scenarios:

  1. The source forwards all event logs; those logs arrive at the collector, and then the collector applies the filter.
  2. The source applies the filter locally and only forwards the intended event logs to the collector.


I really wish the answer to my question were number 2, because that would save me a LOT of bandwidth. I couldn't find a clear answer in the Microsoft docs.
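The setup the post describes, as an added example that is not the poster's configuration: a source-initiated subscription carrying the same filter (Security log, EventID 4776), created on the collector with wecutil, followed by the check a practitioner would run on a source. In source-initiated mode the query is part of the subscription definition that each source retrieves from the collector, and the Windows Event Log service on the source evaluates that XPath itself before pushing matches, which is why the same query can be tried locally with Get-WinEvent. The subscription name "Security-4776", the batching values and the temp-file path are assumptions; DC01.acme.com and WIN10.acme.com are taken from the post.

```powershell
# Added example (not the poster's own configuration). Assumed: subscription name
# "Security-4776", batching/heartbeat values, and the temp-file path.

# Subscription definition in the schema wecutil expects. The <Query> element is the
# filter; it is stored on the collector and delivered to every source that picks
# the subscription up via the "Configure target Subscription Manager" policy.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-4776</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward NTLM credential validation events (4776) from workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4776)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting Domain Computers (DC) and Domain Controllers (DD) the right to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

# --- On the collector (DC01.acme.com), in an elevated prompt ---
$subscriptionFile = Join-Path $env:TEMP 'Security-4776.xml'
Set-Content -Path $subscriptionFile -Value $subscriptionXml -Encoding UTF8
wecutil cs $subscriptionFile          # create the subscription from the XML
wecutil gs Security-4776              # print the stored definition, query included

# --- On a source (e.g. WIN10.acme.com) ---
# The exact XPath the subscription carries, run through the local event log service.
# Only 4776 events come back, which is the selection the forwarder applies before
# anything leaves the machine.
$localQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4776)]]</Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml ([xml]$localQuery) -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName

# Forwarder-side bookkeeping: which subscriptions this source retrieved from the
# collector and whether it is currently connected to it.
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the local Get-WinEvent returns matches on the source while the collector's ForwardedEvents log shows only those same IDs, the selection is being made where the query is evaluated, on the source. Keep the XPath to the subset WEF supports (the Select/Suppress forms shown here, no positional or string functions beyond what the event log service implements), since an unsupported expression fails at the source rather than at the collector and the subscription silently forwards nothing.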
