Materials that go along with the 2018 IWS presentation. Contents of this repo:
- XML files for the subscriptions. Check out the wiki for how they work.
- Winlogbeat config for the WEF collector servers to ship forwarded events to Kafka
- Logstash pipeline for windows logs
- Windows Elasticsearch index template
WEF is both awesome and a turd. The awesome part is the pub-sub model: the collector publishes a subscription, clients pick it up over WinRM and push matching events back. To set up a subscription, try this:
- Stand up a Windows Server to act as the collector (the WEC)
- Set up the GPO: point clients at the collector (Event Forwarding > Configure target Subscription Manager) and let the forwarder read the logs you ask for (for source-initiated subscriptions, Network Service needs read access to the Security log)
- Load the subscription XML onto the collector

```powershell
wecutil.exe cs path_to_xml_file
```

- Watch the logs stream in (4104 is PowerShell script block logging; use any ID your subscription collects). `-FilterHashtable` already carries the log name, so it is not combined with `-LogName`:

```powershell
Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents';ID=4104} -MaxEvents 10
```
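The whole setup as one script, added here as an example; it is not code from this repo or the presentation. It covers the collector side of the steps above (collector service, loading every XML in a directory, checking what was loaded, looking for a canary event) plus a check to run on a client to confirm the GPO landed. It assumes the XML files live in `.\subscriptions`, that each carries a `<SubscriptionId>` element, and that `wec01.corp.example` is a placeholder collector hostname.

```powershell
# Added example; not code from this repo or from the presentation. Collector side of the
# procedure above: make sure the collector service is up, load every subscription XML in a
# directory, print what was loaded, then look for a canary event. Run from an elevated
# PowerShell on the WEC server. Assumptions: the XML files sit in .\subscriptions and each
# has a <SubscriptionId> element (required by the subscription schema wecutil consumes).
param(
    [string]$SubscriptionDir = '.\subscriptions',
    [int]$CanaryEventId = 4104   # PowerShell script block logging; any ID the subscription collects works
)

# The Windows Event Collector service must be configured and running before wecutil will
# accept subscriptions; 'wecutil qc' does that and /q skips the confirmation prompt.
wecutil.exe qc /q
if ($LASTEXITCODE -ne 0) { throw 'wecutil qc failed (not elevated?)' }

$existing = @(wecutil.exe es | Where-Object { $_ -ne '' })

Get-ChildItem -Path $SubscriptionDir -Filter *.xml | ForEach-Object {
    [xml]$doc = Get-Content -Path $_.FullName -Raw
    $name = $doc.Subscription.SubscriptionId
    if (-not $name) { throw "$($_.Name) has no SubscriptionId element" }

    # 'cs' will not overwrite a subscription that already exists, so delete it first. That
    # also throws away the subscription's bookmarks, which is fine when the query changed.
    if ($existing -contains $name) {
        Write-Host "Replacing subscription $name"
        wecutil.exe ds $name
    }
    wecutil.exe cs $_.FullName
    if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed for $($_.FullName)" }
    Write-Host "Loaded $name"
}

# Print what the collector now holds for each subscription (query, target log, format).
foreach ($sub in @(wecutil.exe es | Where-Object { $_ -ne '' })) {
    Write-Host "--- $sub ---"
    wecutil.exe gs $sub
}

# Look for the canary. -FilterHashtable carries the log name, so -LogName is not used with
# it (the two are in different parameter sets and Get-WinEvent rejects the combination).
$hits = @(Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; ID = $CanaryEventId } -MaxEvents 10 -ErrorAction SilentlyContinue)
if ($hits) {
    $hits | Select-Object TimeCreated, MachineName, Id | Format-Table -AutoSize
} else {
    Write-Warning "No event $CanaryEventId in ForwardedEvents yet; clients register on their next policy refresh (gpupdate /force speeds it up)"
}

# Client side of the GPO step, to run on a forwarder. The 'Configure target Subscription
# Manager' policy lands in this registry key as numbered values of the form
# 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
# (hostname is a placeholder). Source-initiated WEF runs over WS-Man, so WinRM must be running.
function Test-WefClientPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path -Path $key)) {
        Write-Warning 'No Subscription Manager policy applied here; check GPO scope and run gpupdate /force'
        return $false
    }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Write-Host "Subscription manager $($_.Name): $($_.Value)" }
    return ((Get-Service -Name WinRM).Status -eq 'Running')
}
```

Run the script once on the collector after the GPO is linked; run `Test-WefClientPolicy` on a client that should be forwarding but is not, which separates "the GPO never arrived" from "the collector rejected the subscription".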
Should you think WEF is broken, try this:
- List the subscriptions on the collector

```powershell
wecutil.exe es
```

- Check the subscription details (what was actually loaded from the XML)

```powershell
wecutil.exe gs <name from es>
```

- Check the runtime status: which sources have registered, whether each one is Active, and its last error

```powershell
wecutil.exe gr <name from es>
```

- Retry the subscription (reconnects to sources that are sitting in an error state)

```powershell
wecutil.exe rs <name from es>
```
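The four checks above, run across every subscription in one go, as an added example that is not code from this repo or the presentation. It parses the `wecutil gr` output to flag sources that are not Active, looks up when the collector last received anything from each source, and optionally retries. It assumes `gr` prints an `EventSources:` header followed by one line per source hostname and indented `RunTimeStatus:` / `LastError:` / `LastHeartbeatTime:` lines under it; the parser keys on those words rather than on exact indentation, so small layout differences between Windows builds should not matter.

```powershell
# Added example; not code from this repo or the presentation. Runs es/gr for every
# subscription, flags sources that are not Active or have gone quiet, and retries on request.
# Assumption about 'wecutil gr' output: an 'EventSources:' header, then a bare hostname line
# per source followed by 'Key: value' lines (RunTimeStatus, LastError, LastHeartbeatTime).
param(
    [int]$SilentMinutes = 60,   # a source with no event in this window is reported as SILENT
    [switch]$Retry              # run 'wecutil rs' on subscriptions that have non-Active sources
)

function Get-WecSourceStatus {
    param([string]$Subscription)
    $inSources = $false
    $cur = $null
    foreach ($line in (wecutil.exe gr $Subscription)) {
        $t = $line.Trim()
        if ($t -eq '') { continue }
        if ($t -eq 'EventSources:') { $inSources = $true; continue }
        if (-not $inSources) { continue }            # skip the subscription-level status block
        if ($t -notmatch ':') {                       # a bare hostname starts a new source block
            if ($cur) { $cur }
            $cur = [pscustomobject]@{ Subscription = $Subscription; Source = $t; Status = '?'; LastError = '?'; LastHeartbeat = $null }
            continue
        }
        if (-not $cur) { continue }
        $k, $v = $t -split ':\s*', 2                  # split on the first colon only; timestamps contain more
        switch ($k) {
            'RunTimeStatus'     { $cur.Status = $v }
            'LastError'         { $cur.LastError = $v }
            'LastHeartbeatTime' { $cur.LastHeartbeat = $v }
        }
    }
    if ($cur) { $cur }
}

function Get-LastForwardedEvent {
    param([string]$Computer)
    # Newest event from this source in ForwardedEvents. Get-WinEvent returns newest first,
    # so -MaxEvents 1 with an XPath match on System/Computer is the latest from that host.
    $e = Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[Computer='$Computer']]" -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($e) { $e.TimeCreated } else { $null }
}

$subs = @(wecutil.exe es | Where-Object { $_ -ne '' })
if (-not $subs) { Write-Warning 'No subscriptions on this collector (wecutil es returned nothing)'; return }

$cutoff = (Get-Date).AddMinutes(-$SilentMinutes)
foreach ($sub in $subs) {
    Write-Host "== $sub =="
    $sources = @(Get-WecSourceStatus -Subscription $sub)
    if (-not $sources) {
        Write-Warning "  no sources have registered with $sub yet (GPO not applied, or WinRM blocked on the way in?)"
        continue
    }
    foreach ($s in $sources) {
        $last = Get-LastForwardedEvent -Computer $s.Source
        $flag = if ($s.Status -ne 'Active') { 'NOT ACTIVE' }
                elseif (-not $last -or $last -lt $cutoff) { 'SILENT' }
                else { 'ok' }
        '{0,-11} {1,-40} status={2,-10} lastError={3,-6} lastEvent={4}' -f $flag, $s.Source, $s.Status, $s.LastError, $last
    }
    if ($Retry -and ($sources | Where-Object Status -ne 'Active')) {
        Write-Host "  retrying $sub"
        wecutil.exe rs $sub
    }
}
```

A source that is Active but SILENT usually means the client is registered and idle (nothing matched the query) rather than a WEF fault; a source that is not Active with a non-zero LastError is the one to chase on the client, where the Microsoft-Windows-Eventlog-ForwardingPlugin/Operational log records why the subscription failed.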