snlkk-9582 asked, JennyYan-MSFT commented

Windows event forwarding collector server log loss

We are planning and designing a Windows Event Forwarding architecture for a Security Operations Center. In this structure, logs are collected in WEF push mode from Windows servers to WEF servers. What happens if a WEF server is disconnected in this architecture? Will logs be lost? After the disconnection is repaired, will the logs waiting on the clients be collected completely by the WEF server? How should this architecture be realized so that the WEF server collects logs completely?

windows-server

1 Answer

JennyYan-MSFT answered, JennyYan-MSFT commented

Hi,

Depending on the communication frequency and heartbeat value described in the references listed below, whenever an event source re-connects to a WEC server, it will resume forwarding events.

1. When you set up a subscription, there are three options that determine the communication frequency between the event collector and the source machines in order to keep a continuous connection.
(screenshot 2.png attached)

2. The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription.
When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events.

Reference links:
How is client progress tracked?
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
How frequently are WEF events delivered?
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#how-frequently-are-wef-events-delivered

Multiple WEF event collectors are workable if you prefer a high-availability environment: configure multiple WEC servers with the same subscription configuration and publish both WEC server URIs to the WEF clients.



Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny
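One way to put the heartbeat tracking described in the answer to use on the collector side, as added example code that is not from this Q&A or from Microsoft: it parses the runtime status a WEC server prints for a subscription (`wecutil gr <subscription>`) and flags sources whose last heartbeat is older than two heartbeat intervals, is not Active, or reports an error, i.e. sources that are currently disconnected and whose events are waiting on the client. The sample output is constructed, and its field layout, the 60-second heartbeat interval, the hostnames and the clock value are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what `wecutil gr ForwardedSecurity` prints on a WEC
# server; the field layout is assumed, the hostnames and times are invented.
SAMPLE = """Subscription: ForwardedSecurity
        EventSources:
                srv01.corp.example
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2024-03-01T10:05:12.000
                srv02.corp.example
                        RunTimeStatus: Inactive
                        LastError: 0
                        LastHeartbeatTime: 2024-03-01T08:40:00.000
                srv03.corp.example
                        RunTimeStatus: Active
                        LastError: 5
                        LastHeartbeatTime: 2024-03-01T10:04:50.000
"""
NOW = datetime(2024, 3, 1, 10, 6, 0)  # assumed collector clock at check time
HEARTBEAT = timedelta(seconds=60)     # assumed heartbeat interval of the subscription

def parse_runtime_status(text):
    """Map each event source to its RunTimeStatus, LastError and LastHeartbeatTime."""
    sources, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"(\w+):\s*(.*)$", line)
        if m is None:              # a bare line names the next event source
            current = line
            sources[current] = {}
        elif current is not None:  # per-source field; subscription-level lines skipped
            key, value = m.groups()
            if key == "LastHeartbeatTime":
                value = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f")
            elif key == "LastError":
                value = int(value)
            sources[current][key] = value
    return sources

def stale_sources(sources, now=NOW, heartbeat=HEARTBEAT, missed=2):
    """Sources that missed `missed` heartbeats, are not Active or report an error:
    their events wait on the client until it reconnects and resumes from the bookmark."""
    found = []
    for name, info in sorted(sources.items()):
        age = int((now - info["LastHeartbeatTime"]).total_seconds())
        if (age > heartbeat.total_seconds() * missed
                or info["RunTimeStatus"] != "Active" or info["LastError"] != 0):
            found.append((name, info["RunTimeStatus"], info["LastError"], age))
    return found
```

On a real collector, feed `stale_sources` the captured output of `wecutil gr <subscription>` and the actual heartbeat interval instead of the constructed SAMPLE and constants.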

Hi,

May I know if there is any update on your question?

Hope the information provided is helpful, and please feel free to let us know if more assistance is needed.



If the Answer is helpful, please click Accept Answer and upvote it. Thanks.

Thanks,
Jenny
