Where are Windows Event Forwarding (WEF) subscriptions filters applied?

New Contributor

I configured Windows Event Forwarding (WEF) in my LAB domain and I'm setting up subscriptions. My subscription is configured on my DC and is source-initiated, the collector is DC01.acme.com and sources are WIN7.acme.com and WIN10.acme.com. Suppose I have the following query filter configured for my subscription:


Query filter image

Image from https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-event-forwarding


This means that I only want Security event logs with ID 4776 forwarded to DC01.acme.com, this works like a charm, no issues here. My only question is: where is the filter really applied, in the DC (collector) or in the workstations (sources)? In my mind there are two possible scenarios:


  1. Source forwards all event logs, those logs arrive at the collector and then the collector applies the filter
  2. Source applies the filter locally and only forward the intended event logs to the collector


I really wish the answer to my question is number 2, because this will save me a LOT of bandwidth. I couldn't find a clear answer in Microsoft docs.

0 Replies