Windows WEF subscriptions evaluation

Iron Contributor



I have searched online and cannot find an answer around how Windows Event Forwarding subscriptions are evaluated, in what priority or order, when there are overlapping subscriptions or conflicts. I also cannot seem to decipher the outcomes when i test.  Here goes.


My base config is Source Initiated, applies to all Domain Controllers and Domain Computers.  I use GP to enable security auditing across most of the auditing categories, as per MS, ASD, Palantir, SwiftOnSecurity and IGOR documentation.  I have the Network Service as an Event Log Readers group member across the entire domain.


  • If i create a GUI initiated subscription to collect the entire Security event log, all of my computers quickly subscript and i see all kinds of security related event IDs.
  • If i copy paste the XML query from the GUI for the subscription above, drop it into a subscription XML file, and create the subscription using wecutil cs <name.xml>, i get no logs forwarded.  All the clients stop sending logs.  There are no Event Forwarder Plugin Events 102 errors either.
    -- The XML Query
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>


Question:  Why does the exact same subscription work when created using the GUI vs created using the XML file (preferred)?

0 Replies