How to use Windows Event Forwarding (WEF) with the Windows Agent
Technical Articles ID:   KB77092
Last Modified:  9/4/2019

Environment

McAfee SIEM Database Event Monitor (DBM) 11.x.x, 10.x.x
McAfee SIEM Enterprise Log Manager (ELM) 11.x.x, 10.x.x
McAfee SIEM Enterprise Security Manager (ESM) 11.x.x, 10.x.x
McAfee SIEM Event Receiver 11.x.x, 10.x.x

Summary

Windows Event Forwarding (WEF) is a feature of Microsoft operating systems that was introduced with Windows Vista. You configure WEF to forward logs from one or many Event Source computers to a centralized Windows system, typically referred to as an Event Collector. The McAfee Windows Agent, installed on the Event Collector, reads the collated logs and sends them to a Receiver.

NOTE: Windows Vista is the minimum operating system required on both the Event Collector and the Event Sources.

To configure your environment:

  1. Configure the Event Source systems to forward events to the WEF Event Collector.
  2. Install the Agent on the WEF Event Collector.
  3. Add a single host, and for Host Name/IP, add the Event Collector IP address.
  4. Create a Configuration. Select Windows Event Log and name the configuration.
  5. Select Forward Event in the Windows Event area.
     
    NOTE: WEF can be configured to forward to a log other than Forwarded Events; Forwarded Events is the default. Select whichever log your subscription writes to.
     
  6. At this point, you have two choices:
     
    • Select WEF if you require the granularity of one data source per Event Source.
    • Leave WEF deselected if you have many Event Sources. For instance, when Event Forwarding is configured through a Domain group policy, it is less obvious how many Event Sources are actually forwarding, and maintaining a data source for each of them might prove difficult. With WEF deselected, all events are collated under the Agent's own data source. 
       
  7. On the Receiver, create a data source for the Event Collector. This step is necessary to open the firewall on the Receiver to allow communication between the Agent and Receiver. The settings are as follows:
     
    • Vendor: Microsoft
    • Model: WMI Event Log
    • Data Retrieval: MEF
    • Name: any data source name
    • IP Address: IP of the system that has the Agent installed (the Event Collector)
    • hostID: This setting is not needed on Collector 10, but it is mandatory on Collector 11. For information about adding the hostID by host name or FQDN (Fully Qualified Domain Name), see KB86983.
    • Use Encryption: Match what the Agent has marked
    NOTE: If you did not select the WEF option above, you can skip the next step. 

  8. If you require a data source per Event Source, create a data source for each Windows Event Source system that is forwarding events to the Event Collector. (The Agent is installed only on the Event Collector, not on the Event Sources.) The settings are as follows:
     
    • Vendor: Microsoft
    • Model: WMI Event Log
    • Data Retrieval: MEF
    • Name: any data source name
    • IP Address: Leave blank. The Event Source is identified by hostID, not by IP address.
    • hostID: Use the host name or FQDN of the Windows system forwarding the logs, exactly as it appears in the forwarded events. The IP addresses of the Event Source systems are not present in forwarded events; the events contain only the host name or FQDN.
    • Use Encryption: Match what the Agent has marked
