WEC server requirements
While there is no clear guidance from Microsoft on this, here are some specifications to consider:
Specification | Minimum | Desirable
--- | --- | ---
OS Version | Windows Server 2019 | Windows Server 2022
CPU | 8 cores | 16 or 32 cores
Memory (RAM) | 16 GB | 32 GB
Dedicated Storage (logs) | 100 GB | 200 GB
Max clients | 500 | 1000
Performance expected
The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions.
Scalability is affected by:
- Disk write speed: Isolate the local event log (EVTX) file to its own array or use high speed disks to maximise the number of events per second that the WEC server can record.
- Network connections: The number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server.
- Registry size: Storing information about every WEF subscription can increase the registry to an unmanageable size over time if it isn’t pruned regularly.
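To compare a running collector against the 3,000 events-per-second planning figure, the following added example (not from the AARNet page) samples the newest RecordId of each collector channel twice and divides the difference by the sample window. RecordId keeps increasing even when a channel is overwriting its oldest events, so this works on a full, wrapping log where a plain record count would not. ForwardedEvents is the default collector channel; the other channel names are assumptions and should be replaced with the channels you actually created.

```powershell
# Added example: estimate sustained events per second per collector channel.
# Run on the WEC server in a PowerShell console with read access to the channels.
function Measure-ChannelEps {
    param(
        [string[]]$Channel = @('ForwardedEvents'),
        [int]$SampleSeconds = 60
    )
    $before = @{}
    foreach ($c in $Channel) {
        # Newest event first; RecordId is monotonic for the life of the channel.
        $latest = Get-WinEvent -LogName $c -MaxEvents 1 -ErrorAction SilentlyContinue
        $before[$c] = if ($latest) { $latest.RecordId } else { 0 }
    }
    Start-Sleep -Seconds $SampleSeconds
    foreach ($c in $Channel) {
        $latest = Get-WinEvent -LogName $c -MaxEvents 1 -ErrorAction SilentlyContinue
        $after  = if ($latest) { $latest.RecordId } else { 0 }
        [pscustomobject]@{
            Channel = $c
            Events  = $after - $before[$c]
            EPS     = [math]::Round(($after - $before[$c]) / $SampleSeconds, 1)
        }
    }
}

# Channel names other than ForwardedEvents are assumptions for this example.
$results = Measure-ChannelEps -Channel 'ForwardedEvents', 'WEC-DomainControllers', 'WEC-Servers', 'WEC-Workstations' -SampleSeconds 60
$results | Format-Table -AutoSize

# Compare the total across all subscriptions with the planning figure from the text.
$total = ($results | Measure-Object -Property EPS -Sum).Sum
if ($total -gt 3000) {
    Write-Warning "Total $total eps exceeds the 3,000 eps planning figure; consider splitting load across more collectors."
} else {
    Write-Host "Total $total eps is within the 3,000 eps planning figure."
}

# Disk write speed is the other limit the text names; show where each channel file lives and how big it is.
Get-WinEvent -ListLog $results.Channel -ErrorAction SilentlyContinue |
    Select-Object LogName, LogFilePath, FileSize, MaximumSizeInBytes
```

Run it during a representative busy period (for example the start of the working day, when workstations log on) rather than overnight, since the figure you want is the peak the collector must sustain, not a quiet-hours average.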
Disk recommendations
The disk size required depends primarily on your redundancy and business continuity planning requirements.
The Winlogbeat agent pushes logs to SOC as they become available to it. It only needs to store logs between receiving them and successfully delivering them to SOC, so it needs minimal storage, assuming that connectivity to SOC is always available.
Fast disks are recommended to improve write performance.
Number of WEC servers to use
We recommend dedicating different WEC servers for workstations, member servers and domain controllers. This helps to distribute the load and processing of events. See Microsoft’s article on best practice for configuring EventLog forwarding performance.
WEC server models
While every implementation will look different, depending on your organisation’s needs and system requirements, SOC has developed some baseline models that will provide a rough approximation of the resources you might need.
Large Go8 university: 55k students
Fleet size: More than five hundred Windows servers and more than ten thousand Windows workstations.
9 WEC servers, all virtual machines:
- 3 to collect from domain controllers.
- 3 to collect from member servers.
- 3 to collect from workstations.
WEC server specs: 16 CPUs, 32GB RAM, 200GB disk where the event log files exist.
Medium size university: 15k students
Fleet size: Less than five hundred Windows servers and less than five thousand Windows workstations.
3 WEC servers, all virtual machines:
- 1 to collect from domain controllers.
- 1 to collect from member servers.
- 1 to collect from workstations.
WEC server specs: 16 CPUs, 16GB RAM, 100GB disk where the event log files exist.
Small university: 5k students
Fleet size: A few hundred Windows servers and approximately 1,000 Windows workstations.
2 WEC servers, both virtual machines:
- 1 to collect from servers.
- 1 to collect from workstations.
WEC server specs: 8 CPUs, 16GB RAM, 200GB disk.
Redundancy and load balancing
AARNet doesn’t recommend that you use multiple WEC servers to collect the same event log files. This wastes resources, and causes extra processing work for the SIEM, as it has to identify and weed out identical logs.
Windows Event Forwarding does not natively support load balancing. However, if you need this capability, Supercharger for Windows Event Logging Enterprise edition provides load balancing across WEC servers.
Configure the WEC server
Set the server to:
- Overwrite the oldest events first when the event log reaches its disk allocation limit.
Open TCP port:
- 5985 inbound to the WEC server.
- 443 (HTTPS) outbound to allow the WEC to send logs to SOC’s SIEM.
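The following added example (not from the AARNet page) applies both settings from this section on the collector itself: it puts the collector channel into overwrite mode with a fixed allocation, and creates the two firewall rules. The SIEM address, the channel name and the 20 GB allocation are placeholders or assumptions; use the endpoint AARNet gives you and size the channel from the disk guidance above. Run it in an elevated PowerShell console on the WEC server.

```powershell
# Added example: collector channel retention and firewall rules for a WEC server.
$SiemHost = 'siem.example.invalid'   # placeholder: replace with the SIEM address provided by SOC
$Channel  = 'ForwardedEvents'        # default collector channel; custom channels take the same settings
$MaxBytes = 20GB                     # example allocation (assumption), expands to a byte count

# 1. Overwrite the oldest events when the channel reaches its allocation.
#    /rt:false = do not retain (incoming events overwrite the oldest); /ms: = maximum size in bytes.
wevtutil.exe sl $Channel /rt:false /ms:$MaxBytes

# Confirm: LogMode should read Circular and MaximumSizeInBytes should match.
Get-WinEvent -ListLog $Channel | Select-Object LogName, LogMode, MaximumSizeInBytes, LogFilePath

# 2. Inbound TCP 5985 (WinRM over HTTP) so WEF sources can reach the collector.
#    Scoped to the Domain profile because only domain members should be forwarding here.
New-NetFirewallRule -DisplayName 'WEC inbound WinRM 5985' -Direction Inbound -Protocol TCP `
    -LocalPort 5985 -Action Allow -Profile Domain

# 3. Outbound TCP 443 to the SIEM only, so the rule does not become a blanket HTTPS allow.
$siemAddresses = (Resolve-DnsName -Name $SiemHost -Type A).IPAddress
New-NetFirewallRule -DisplayName 'WEC outbound SIEM 443' -Direction Outbound -Protocol TCP `
    -RemoteAddress $siemAddresses -RemotePort 443 -Action Allow

# 4. Check that something is actually listening on 5985 (WinRM), otherwise sources cannot connect.
$listening = Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $listening | Select-Object LocalAddress, LocalPort, OwningProcess
} else {
    Write-Warning 'Nothing is listening on TCP 5985; run wecutil.exe qc (or winrm quickconfig) first.'
}
```

If the SIEM sits behind a load balancer whose addresses change, replace the `-RemoteAddress` scoping with the address range AARNet specifies rather than dropping the scope altogether.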
Prepare the server for event forwarding
These instructions will help you set up a WEC server for receiving events and forwarding them to SOC. If you need more in-depth information, see the WEC Server Cookbook published by Elastic.
Note: If you built the WecFwdChans.dll and WecFwdChans.man on a different system with the Windows SDK, copy them into the wec_pepped directory on the current WEC server, and ensure that wec_config.ps1 is the same on both systems.
- Download and unpack the latest ZIP file from the WEC_Pepped GitHub repository.
- Edit wec_config.ps1 using PowerShell ISE. Modify:
  - Providers
  - Group/OU mapping
  - Channels
- Download and install the Windows 8.1 SDK.
- Open a PowerShell console and navigate to the unpacked directory.
- Run:
  .\gen_manifest.ps1
- Check that the build_man2dll.ps1 build script and the WecFwdChans.man file are in the same directory.
- Run the build script:
  .\build_man2dll.ps1
  The build script will create a new WecFwdChans.dll file in the same directory, as well as a number of other intermediary files that you can ignore.
- In an administrator PowerShell console, run:
  .\install_channels.ps1
- In an administrator PowerShell console, run:
  .\configure_channels.ps1
  Note: Re-run the script if you need to apply configuration changes to wec_config.ps1.
- To use a quick-configuration setup for the WEC service, in an administrator PowerShell console, run:
  wecutil.exe qc
  See Microsoft’s wecutil.exe documentation for more options.
- In an administrator PowerShell console, run:
  .\setup_subscriptions.ps1
  Note: If you make changes in wec_config.ps1 that affect these subscriptions, such as changing a channel’s filter, run this script again to update all your existing subscriptions.
- Create a group policy for Windows event forwarding.
- Link the new WEF Policy to the relevant Organizational Units in your Active Directory:
  - Right-click the relevant OU and click Link an Existing GPO.
  - Select WEF Policy.
  - Click OK.
- Add Network Service to Event Log Readers in your Active Directory Builtin container. This ensures that your Domain Controllers will be able to forward logs. Go to the Active Directory Users and Computers management console:
  - Click the Builtin OU.
  - Double-click Event Log Readers.
  - Click the Members tab.
  - Click Add.
  - Enter Network Service.
  - Click Check Names.
  - Click OK.
  - Click Apply and OK.
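Once the steps above are complete, the following added example (not part of the WEC_Pepped project or of this page) checks the result from both ends. Test-WecCollector runs on the WEC server and reports the collector services, the WinRM listener and the runtime status of every subscription; Test-WefSource runs on a forwarding client after the WEF group policy has applied and confirms the policy delivered a subscription manager that points at your collector. The collector hostname in the expected subscription manager string is a placeholder.

```powershell
# Added example: post-setup checks for a WEC server and for a WEF source.

function Test-WecCollector {
    # Both services must be running for subscriptions to accept sources.
    foreach ($svc in 'WinRM', 'Wecsvc') {
        $s = Get-Service -Name $svc
        Write-Host ("{0,-8} {1}" -f $svc, $s.Status)
        if ($s.Status -ne 'Running') { Write-Warning "$svc is not running" }
    }
    # WEF sources connect to the WinRM HTTP listener, so one must exist on 5985.
    $listener = winrm enumerate winrm/config/listener
    if ($listener -match 'Port = 5985') {
        Write-Host 'WinRM listener on 5985: present'
    } else {
        Write-Warning 'No WinRM listener on 5985; run wecutil.exe qc (or winrm quickconfig)'
    }
    # Enumerate subscriptions and show the runtime status of each source.
    $subs = @(wecutil.exe es)
    if ($subs.Count -eq 0) { Write-Warning 'No subscriptions defined; run setup_subscriptions.ps1' }
    foreach ($sub in $subs) {
        Write-Host "`nSubscription: $sub"
        # gr = get runtime status: per-source RunTimeStatus, LastError and heartbeat
        wecutil.exe gr $sub | Select-String -Pattern 'RunTimeStatus|LastError|LastHeartbeatTime'
    }
}

function Test-WefSource {
    param(
        # Placeholder collector; the GPO should deliver exactly this string.
        [string]$ExpectedManager = 'Server=http://wec.example.invalid:5985/wsman/SubscriptionManager/WEC,Refresh=60'
    )
    # The WEF policy "Configure target Subscription Manager" is stored under this key,
    # one numbered value per subscription manager.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) {
        Write-Warning 'No SubscriptionManager policy found; the WEF GPO has not applied yet (try gpupdate /force)'
        return $false
    }
    $configured = $values.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    Write-Host "Configured subscription managers: $($configured -join '; ')"

    # The source's own WinRM client must be running, and the collector must answer on 5985.
    Write-Host ("WinRM service: {0}" -f (Get-Service -Name WinRM).Status)
    $collector = $ExpectedManager -replace '^Server=https?://([^:/]+).*$', '$1'
    $reach = Test-NetConnection -ComputerName $collector -Port 5985
    Write-Host ("Collector {0} reachable on 5985: {1}" -f $collector, $reach.TcpTestSucceeded)

    return (($configured -contains $ExpectedManager) -and $reach.TcpTestSucceeded)
}

# On the WEC server:
Test-WecCollector
# On a client that is in scope of the WEF GPO:
# Test-WefSource -ExpectedManager 'Server=http://<your-wec-host>:5985/wsman/SubscriptionManager/WEC,Refresh=60'
```

A source that shows RunTimeStatus Active in the collector output but never delivers events is usually a channel-access problem on the source (for domain controllers, the Event Log Readers membership above), whereas a source that never appears at all is usually the GPO or the 5985 path.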
Install Winlogbeat
Install Winlogbeat on the WEC server.
Configure Winlogbeat
Copy the configuration file provided by SOC into the Winlogbeat installation directory.
Record WEC server’s public IP address
When you’ve finished configuring Winlogbeat, record the public IP address for the WEC server and send it to the AARNet team. AARNet will add it to the SIEM safelist.
Check that HTTPS traffic can move from the WEC server to the SIEM
During the network setup, you should have opened a port on your firewall to allow the WEC server to send HTTPS traffic on port 443 to the AARNet SIEM. Check that this is open and working as expected.
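The following added example (not from the AARNet page or the Winlogbeat project) carries out the three preceding sections in one pass: it registers Winlogbeat as a service using the script that ships in the Winlogbeat package, puts the SOC-provided configuration in place, validates it with Winlogbeat's own config and output tests, confirms the TCP 443 path to the SIEM, and reads back the public egress address to send to AARNet. The install path, the config path and the SIEM hostname are assumptions or placeholders; the public-IP lookup uses a third-party echo service, which is an assumption and can be replaced with whatever your network team prefers. Run it in an elevated PowerShell console.

```powershell
# Added example: install Winlogbeat with the SOC configuration and verify the path to the SIEM.
$InstallDir = 'C:\Program Files\Winlogbeat'   # where the Winlogbeat ZIP was unpacked (assumption)
$SocConfig  = 'C:\SOC\winlogbeat.yml'          # the configuration file provided by SOC (assumption)
$SiemHost   = 'siem.example.invalid'           # placeholder for the SIEM address

Set-Location -Path $InstallDir

# The Winlogbeat package ships this script; it registers the winlogbeat Windows service.
.\install-service-winlogbeat.ps1

# Keep the shipped default as a reference and drop in the SOC configuration.
if (-not (Test-Path '.\winlogbeat.yml.default')) { Copy-Item '.\winlogbeat.yml' '.\winlogbeat.yml.default' }
Copy-Item -Path $SocConfig -Destination (Join-Path $InstallDir 'winlogbeat.yml') -Force

# Winlogbeat can validate its own configuration and probe its configured output.
.\winlogbeat.exe test config -c .\winlogbeat.yml
.\winlogbeat.exe test output -c .\winlogbeat.yml

# Independently confirm the firewall allows TCP 443 from this host to the SIEM.
$t = Test-NetConnection -ComputerName $SiemHost -Port 443
if ($t.TcpTestSucceeded) {
    Write-Host "TCP 443 to $SiemHost is open"
} else {
    Write-Warning "Cannot reach $SiemHost on 443; check the outbound firewall rule before starting the service"
}

# The SIEM safelist needs the address the SIEM sees, i.e. the NAT egress address, not the local one.
$publicIp = (Invoke-RestMethod -Uri 'https://api.ipify.org?format=json').ip
Write-Host "Public IP to send to AARNet for the SIEM safelist: $publicIp"

Start-Service -Name winlogbeat
Get-Service -Name winlogbeat | Select-Object Name, Status, StartType
```

If `test output` fails while `Test-NetConnection` succeeds, the TCP path is fine and the problem is at the TLS or authentication layer of the SOC configuration, which is worth raising with AARNet rather than with your firewall team.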
Organise logs on your WEC server
Decide:
- Which channels to create and use.
- How to separate input from different types of machines, like domain controllers, endpoints, and servers.
Fast disks are recommended, and the WEC channel event log files can be placed on a separate disk for better write performance.
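The following added example (not from the AARNet page) does what this section suggests: it moves the log files of the per-machine-type collector channels onto a dedicated data volume and gives each channel its own size. The volume path and the channel names are assumptions; the channel names must match the channels your wec_config.ps1 actually created. Run it in an elevated PowerShell console on the WEC server after install_channels.ps1 has run.

```powershell
# Added example: relocate collector channel files to a dedicated disk and size them per channel.
$LogRoot  = 'D:\WECLogs'          # dedicated log volume (assumption)
$Channels = @{                    # channel name -> maximum size (assumed names and sizes)
    'WEC-DomainControllers' = 10GB
    'WEC-Servers'           = 20GB
    'WEC-Workstations'      = 40GB
}

New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null

# The Windows Event Log service runs as LOCAL SERVICE and must be able to write here.
$acl  = Get-Acl -Path $LogRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\LOCAL SERVICE', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogRoot -AclObject $acl

foreach ($name in $Channels.Keys) {
    if (-not (Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue)) {
        Write-Warning "Channel $name does not exist; run install_channels.ps1 first"
        continue
    }
    $path = Join-Path $LogRoot "$name.evtx"
    $size = $Channels[$name]
    # Disable the channel briefly so the file path can be changed, then re-enable it.
    # Sources keep a bookmark per subscription and resend from it when the channel returns.
    wevtutil.exe sl $name /e:false
    wevtutil.exe sl $name /lfn:$path /ms:$size
    wevtutil.exe sl $name /e:true
}

# Confirm path, size and mode for every collector channel, including the default one.
Get-WinEvent -ListLog (@('ForwardedEvents') + @($Channels.Keys)) -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, LogMode, MaximumSizeInBytes, LogFilePath
```

Keep the sum of the per-channel sizes below the dedicated storage figure from the specifications above, and leave headroom for the intermediary files the build script produces and for Winlogbeat's own registry and logs on the same host.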
Configure event forwarding to a WEC server
See Microsoft’s best practices of configuring EventLog forwarding in Windows Server.
Points to consider:
- Latency caused by subscription, network, and performance delays.
- Client connection frequency.
- Number of subscriptions and connections.
Connection interruptions
If the connection between a WEC server and SOC is interrupted, the logs are held on the WEC server's local storage until connectivity is restored, at which point traffic starts to flow again. Event dates and timestamps are preserved.
Based on our tests, a typical build should be able to withstand at least two hours of connectivity loss.