Consolidating Windows domains
WEF has been around for quite some time, but many people do not realize that this log consolidation capability is built into Windows and does not require an agent on the endpoint.

Windows Server 2012 was used on the server side for all of the lab systems, and the workstations were a mix of Windows 10 Enterprise, Windows 10 Pro and Windows 7 Pro.

Turn on Windows Remote Management (WS-Management) Service via GPO

The Windows Remote Management (WS-Management) service needs to be running on every system that will forward events. Note that the forwarders do not need to be listening on HTTP or HTTPS; the only system that needs to listen, and to have firewall rules configured, is the WEF server. If you are using a new system, you probably will not have to worry about it. If during setup you run into issues and need to check SPN registration, you can do so with:

Create a domain security group for the endpoints that you wish to monitor and place the target systems in the group.

Create a Test Subscription on Collector server

You will likely be prompted to start and auto-configure the Windows Event Collector service. Right-click on Subscriptions and select "Create Subscription". We recommend that you start with the excellent @SwiftOnSecurity configuration file that can be found on their GitHub page. This way, you won't be shipping more than necessary to the central collector.
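The two collector-side steps above (the group-scoped test subscription and the auto-configured collector service) can also be done from a script. The following is an added example, not code from the original page; the domain `CORP`, the group `WEF-Sources` and the subscription name `WEF-Test` are assumed names, and it is run as an administrator on the collector.

```powershell
# Added example: create a source-initiated WEF test subscription on the
# collector, accepting events only from the domain security group that holds
# the forwarding endpoints. Names below are assumptions, not from the page.
$Domain         = 'CORP'
$GroupName      = 'WEF-Sources'
$SubscriptionId = 'WEF-Test'

# Configure and start the Windows Event Collector service quietly; this is
# what the "auto-configure" prompt in Event Viewer does for you.
wecutil qc /q

# Resolve the group's SID so the subscription is scoped to those machines.
$account = New-Object System.Security.Principal.NTAccount($Domain, $GroupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
# SDDL: allow the group and Network Service; nothing else may push events.
$sddl = "O:NSG:BAD:P(A;;GA;;;$sid)(A;;GA;;;NS)"

# Minimal test query: logons (4624) and process creation (4688) from Security.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wf">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Test subscription: logons and process creation</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4688)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>$sddl</AllowedSourceDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP "$SubscriptionId.xml"
Set-Content -Path $path -Value $xml -Encoding Unicode
wecutil cs $path                       # create the subscription from the XML
wecutil gs $SubscriptionId /f:xml      # print the stored subscription to review it
```

Once the endpoints pick up the collector address from the GPO and check in, `wecutil gr WEF-Test` lists each source computer with its last heartbeat, which is the quickest way to confirm the group scoping and WinRM setup are working.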