Comments (1)
I've also wondered about the trade-off of rendered vs unrendered events mode and if using the events mode can save on network bandwidth?
WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate.
At a guess, it depends:
- If your collection server has an agent that needs to render the text before ingesting e.g. into your SIEM or log data lake, then the collection server has to expend the CPU rendering the text anyhow?
- It's more scalable for each source to render than have a central collection server rendering?
- If your source systems have log providers not common to the base OS install, you might get "Event Message Not Found" or other rendering related errors because the collection server doesn't have the DLLs needed to render the events?
I guess the 2nd point is moot if the subscriptions are specific enough to avoid selecting broadly such that they'd also collect on non-base OS apps logging, e.g. SQL, Exchange, etc. sharing event logs where the collector doesn't have the event provider DLL files installed.
from windows-event-forwarding.
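A source-initiated subscription that uses the compact "Events" content format and scopes its query to a base-OS channel, as an added example that is not code from the thread or from the windows-event-forwarding repository; the subscription name, event IDs and batching values are assumptions.

```xml
<!-- Added example, not from the thread or the repository. -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Logon-Events-Binary</SubscriptionId>   <!-- assumed name -->
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events, sent as binary XML rather than rendered text</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>1</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>   <!-- milliseconds; assumed value -->
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <!-- Query limited to the Security channel, whose provider ships with every
       Windows install, so a collector that renders later will have the metadata
       it needs and will not hit "Event Message Not Found". -->
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]</Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <!-- "Events" sends the binary XML as written to the .evtx; "RenderedText"
       (the default) also embeds the human-readable message and is far larger. -->
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
```

Load it on the collector with `wecutil cs <file.xml>`, or switch an existing subscription with `wecutil ss <name> /cf:Events`; `wecutil gs <name> /f:xml` shows which format a subscription currently uses.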