Where are Windows Event Forwarding (WEF) subscription filters applied?

JChris-

I configured Windows Event Forwarding (WEF) in my LAB domain and I'm setting up subscriptions. My subscription is configured on my DC and is source-initiated; the collector is DC01.acme.com and the sources are WIN7.acme.com and WIN10.acme.com. Suppose I have the following query filter configured for my subscription:

[screenshot: subscription query filter selecting Security log events with Event ID 4776]

This means that I only want Security event logs with ID 4776 forwarded to DC01.acme.com; this works like a charm, no issues here. My only question is: where is the filter really applied, on the DC (collector) or on the workstations (sources)? In my mind there are two possible scenarios:

  1. Source forwards all event logs, those logs arrive at the collector and then the collector applies the filter
  2. Source applies the filter locally and only forwards the intended event logs to the collector
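In source-initiated WEF the XPath query is part of the subscription definition itself: each source polls the collector over WinRM, receives the subscription (query included), and its Event Forwarding plug-in evaluates that query against the local log, so only matching records are sent across the network (scenario 2 above). The following PowerShell is an added example, not code from the original post, for checking this from both ends. The subscription name `Forward-4776` is a placeholder; substitute the name that `wecutil es` lists on the collector.

```powershell
# Added example (not from the original post). Run the first block on the collector
# (DC01) and the second on a source (WIN7 / WIN10).
# Subscription name 'Forward-4776' is a placeholder.

# ---- On the collector (DC01): dump the subscription and extract its XPath query ----
$subName  = 'Forward-4776'                                  # placeholder
[xml]$sub = (wecutil gs $subName /f:xml) -join "`n"          # wecutil emits the subscription as XML
$queryXml = $sub.Subscription.Query.'#cdata-section'        # the <Query> body is a CDATA block
Write-Host "Query delivered to each source:`n$queryXml"

# ---- On a source (WIN7 / WIN10): run the identical query against the local Security log ----
# The forwarding plug-in evaluates this same XPath locally before sending anything,
# so Get-WinEvent with the same FilterXml shows exactly which records would leave the host.
$localQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4776)]]</Select>
  </Query>
</QueryList>
"@
$hits = Get-WinEvent -FilterXml ([xml]$localQuery) -MaxEvents 50 -ErrorAction SilentlyContinue
Write-Host ("{0} local Security events match the subscription filter" -f @($hits).Count)

# Confirm the source actually received the subscription: the forwarding plug-in's
# operational log records subscription creation and any WinRM / collector errors.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If the local count is zero while you expect 4776 records, check the source's audit policy first: the filter can only match events the workstation is generating, and an empty ForwardingPlugin log usually means the source never reached the collector's SubscriptionManager URL.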
