
I configured Windows Event Forwarding (WEF) in my LAB domain and I'm setting up subscriptions. My subscription is configured on my DC and is source-initiated, the collector is DC01.acme.com and sources are WIN7.acme.com and WIN10.acme.com. Suppose I have the following query filter configured for my subscription:

[image: screenshot of the subscription's query filter]

This means that I only want Security event logs with ID 4776 forwarded to DC01.acme.com, this works like a charm, no issues here. My only question is: where is the filter really applied, in the DC (collector) or in the workstations (sources)? In my mind there are two possible scenarios:

  1. Source forwards all event logs, those logs arrive at the collector and then the collector applies the filter
  2. Source applies the filter locally and only forwards the intended event logs to the collector
– JChris

1 Answer

To answer your question, the filtering is applied on the source (like servers, workstations, ...) and not on the collector. This means that if you specify a single event ID, your collector server will just collect the specified event ID (option 2 based on your question).

  • Thank you so much for the answer. Is there a Microsoft source for that or did you find it out by experience and/or trial and error? For example, how can the source know that it only needs to forward security events ID XYZ? Does it get this information from the subscription manager URL GPO (Server=hxxp://dc01.acme.com:5985/wsman/SubscriptionManager/WEC,Refresh=60)? – JChris May 22 '18 at 11:02
  • The source knows which events ID to send based on the query filter you have defined inside the subscription (as in your picture). Indeed, each subscription has its own query filter which is applied to a specific group of hosts in order to send only the requested event ID. This information is provided by Microsoft in their very good documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection – Michel de Crevoisier May 23 '18 at 08:11
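As an added example (not code from the question, the answer or Microsoft), here is the subscription from the question in the XML form that `wecutil` accepts on the collector, followed by the checks a source can run locally to confirm it received the collector URL, picked up the subscription, and which Security events match the subscription's own XPath before anything is forwarded. The hostnames are from the question; the subscription name, the SDDL and the batching values are assumptions.

```powershell
# Added example, not code from the question or answer. Hostnames come from the
# question; the subscription name, SDDL and batching values are assumptions.
# --- On the collector (DC01.acme.com): the subscription as wecutil stores it.
#     The <Query> is the filter from the question; the collector hands it to
#     every source, which evaluates it locally and forwards only matches.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-4776</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward credential validation events (4776) only</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>5</MaxItems><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000" /></PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4776)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US" />
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers />
  <!-- SDDL (assumed): allow Domain Computers (DC) to forward into this subscription -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path "$env:TEMP\Security-4776.xml" -Value $subscriptionXml -Encoding UTF8
wecutil cs "$env:TEMP\Security-4776.xml"   # create the subscription
wecutil gs Security-4776                   # dump it back, including the Query

# --- On a source (WIN10.acme.com): confirm the GPO-delivered collector URL ...
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
# ... check that the forwarding client picked up the subscription ...
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
# ... and evaluate the subscription's own XPath locally: these, and only these,
# Security events leave this host for DC01.
Get-WinEvent -LogName Security -FilterXPath '*[System[(EventID=4776)]]' -MaxEvents 5 |
    Select-Object TimeCreated, Id, MachineName
```

If the last query returns nothing on a workstation, that is expected when no local-account logon has happened there; 4776 is mostly generated on the DC, and the filter still runs on the workstation before forwarding.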