
Windows WEF subscriptions evaluation


Hello

I have searched online and cannot find an answer around how Windows Event Forwarding subscriptions are evaluated, in what priority or order, when there are overlapping subscriptions or conflicts. I also cannot seem to decipher the outcomes when I test. Here goes.

My base config is Source Initiated, applies to all Domain Controllers and Domain Computers. I use GP to enable security auditing across most of the auditing categories, as per MS, ASD, Palantir, SwiftOnSecurity and IGOR documentation. I have the Network Service as an Event Log Readers group member across the entire domain.

  • If I create a GUI-initiated subscription to collect the entire Security event log, all of my computers quickly subscribe and I see all kinds of security-related event IDs.
  • If I copy-paste the XML query from the GUI for the subscription above, drop it into a subscription XML file, and create the subscription using wecutil cs <name.xml>, I get no logs forwarded. All the clients stop sending logs. There are no Event Forwarder Plugin Event 102 errors either.
    -- The XML Query
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
  </Query>
</QueryList>

Question: Why does the exact same subscription work when created using the GUI vs created using the XML file (preferred)?
