Aside from the deployment overhead of a log collector agent on servers from which I want to collect events (using GPO, SCCM etc.), are there any added benefits for using Windows Event Forwarding to my SIEM?
I guess this depends on the advantages (encryption, load balancing, retry, discovery) your SIEM collectors offer. – eckes Apr 23 '17 at 16:05
2 Answers
Generally, there are three major advantages:
- WEF is a native push-based solution for events
- WEF allows filtering events, which means you can avoid sending non-critical events to your SIEM (but could instead send them to some other event DB).
- WEF is actually centrally managed, in a way that not all SIEM connectors are - it is also part of the things you can offload (from a security admin point of view) to a more knowledgeable team
There is one other non-technical advantage, which is avoiding conflict/tension/issues due to 'the OS guys' having to deal with 'the security team' and their agent.
In most environments I have worked:
- the Linux guys default to sending information, rather than allowing you to collect it
- the Windows guys would prefer the Linux way, but options are limited.
If you can avoid introducing another 'critical component' (and I hope your SIEM collector would be considered that in the same sense the AV should be) for the Windows team to manage, they are generally very happy and positive about this.
The big downside here is that a SIEM collector could potentially have compression, and WEF (AFAIK) does not. Additionally, pushing data will require (in most cases) a more stable infrastructure (i.e. your receiver always needs to be available).
That, realistically, is generally doable, but it may put pressure on the support organisation for the SIEM infra.
Overall, my own argument would be to say that it is a good thing to make considering security event monitoring part of what the Windows domain should include, and I think it helps both security and operations to think about what a good logging policy might be. WEF is a more syslog-like 'analogy' for this discussion than most other options available for Windows, which I think also is a positive (because it means you have a more unified policy).
So in my view, if you can use WEF, I would - the alternatives tend (in my experience) to be harder to maintain over time. I am more of a Linux guy, though, so I am a little biased in favour of the syslog model of doing things.
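The three points in the answer above (push delivery, filtering at the source, and central management) all live in one place in WEF: the subscription definition on the collector. The following is an added illustration, not the answerer's configuration or Microsoft's sample; the subscription ID, description, and the chosen event IDs are assumptions for the example. It is a source-initiated subscription, which is the mode where clients are pointed at the collector by Group Policy and push their events to it.

```xml
<!-- Added example: a source-initiated WEF subscription.
     Name, description and the event selection below are constructed for illustration. -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityBaseline-Example</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Example: forward a small set of Security events, drop noisy service logons</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>

  <!-- Push delivery: the client sends events as they occur; the collector must be reachable.
       Batching values trade latency against the number of WinRM requests. -->
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>

  <!-- Filtering at the source: only the selected events leave the endpoint.
       Select picks logon success/failure, process creation and account creation;
       Suppress drops LogonType 5 (service) logons so they never reach the SIEM. -->
  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]</Select>
        <Suppress Path="Security">*[System[EventID=4624] and EventData[Data[@Name='LogonType']='5']]</Suppress>
      </Query>
    </QueryList>
    ]]>
  </Query>

  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>

  <!-- Central management: the collector decides which machines may forward.
       This SDDL grants Domain Computers; no non-domain sources are allowed. -->
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
```

On the collector this is loaded with `wecutil cs subscription.xml` after `wecutil qc` has enabled the Windows Event Collector service. The clients need no per-host configuration beyond the Group Policy setting "Configure target Subscription Manager" (Windows Components > Event Forwarding), whose value names the collector, for example `Server=http://collector.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60` (hostname constructed for the example). Changing which events are collected is then a single edit on the collector rather than an agent rollout, which is the operational point the answer makes; the cost, as it also notes, is that the collector is now infrastructure the endpoints depend on, so its availability and the `ForwardedEvents` log size need monitoring of their own.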
I think this article should help you a bit:
At the end of the day WEF uses an agent just the same, except that it's developed by Microsoft. I generally steer people away from WEF since your options with it are rather limited, including support and features (e.g. compression, as mentioned by the other poster).
A good SIEM solution (and they are not all expensive) can give you much more functionality and result in a smoother experience.