Configuring the Windows Event Forwarder (WEF)
From TDiWiki
This document assumes two things:
- You are using ConsoleWorks version 4.x
- You have already installed the ConsoleWorks Windows Event Forwarder
The first step in configuring the Windows Event Forwarder (WEF) is to modify the Windows Security Policy settings on the Windows platform to be monitored. These are found in Control Panel > Administrative Tools > Local Security Policy.
Note that the Windows operating system turns auditing off in "Security Settings" by default. It is up to the user (that's you) to turn on auditing in each of the desired policies by right-clicking on the policy name and selecting "Properties".
By doing this, you will enable the Windows Intelligent Event Module (IEM) to capture these events and report them to ConsoleWorks. An example of some of these events is shown here.
The next step is to ensure that the ConsoleWorks Server Service and ConsoleWorks WEF Service have been started, using the Services tool (Control Panel > Administrative Tools > Services). This is essential to ensure that the WEF captures the Windows events.
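The two prerequisites above (auditing turned on, both services started) can also be checked from an elevated PowerShell prompt before running the syslog test. This is an added example, not part of the original TDiWiki page or of ConsoleWorks; it assumes an English-language Windows installation (auditpol prints "No Auditing") and that the service display names begin with "ConsoleWorks".

```powershell
# Added example: pre-flight check for the WEF prerequisites described above.
# Assumptions: elevated prompt, English auditpol output, and service display
# names that begin with "ConsoleWorks".

# 1. Effective audit policy. "auditpol /get /category:* /r" emits CSV with
#    "Subcategory" and "Inclusion Setting" columns.
$raw = auditpol /get /category:* /r
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'auditpol failed; run this from an elevated PowerShell prompt.'
    return
}
$policy   = $raw | Where-Object { $_.Trim() } | ConvertFrom-Csv
$enabled  = @($policy | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' })
$disabled = @($policy | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })

"Audit subcategories enabled : {0}" -f $enabled.Count
"Audit subcategories disabled: {0}" -f $disabled.Count
$enabled | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

if ($enabled.Count -eq 0) {
    # With nothing audited, no Security events exist for the WEF to forward.
    Write-Warning 'Auditing is off for every subcategory; enable the desired policies first.'
}

# 2. ConsoleWorks services must be running for events to be captured.
$services = @(Get-Service -DisplayName 'ConsoleWorks*' -ErrorAction SilentlyContinue)
if ($services.Count -eq 0) {
    Write-Warning 'No service with a display name starting with "ConsoleWorks" was found.'
}
foreach ($svc in $services) {
    if ($svc.Status -eq 'Running') {
        "{0}: running" -f $svc.DisplayName
    } else {
        Write-Warning ("{0} is {1}; start it from the Services tool." -f $svc.DisplayName, $svc.Status)
    }
}
```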
Once a console has been added and set up to accept a syslog connection, it's always a good idea to test that connection. There is a command line function to do just that by running "ConsoleWorksWEFService.exe -testsyslog", as shown here:
This will show the following result in the ConsoleWorks Monitor window:
Once the WEF is properly configured, it will begin capturing the Windows events and forwarding them via syslog to the ConsoleWorks server. An example is shown here:
In addition, the event appears in ConsoleWorks in the Event Occurrences window:
The log data of the Windows event will be captured as well: