Skip to content

WEC configuration

Input specification: input:WEC: 

listen:  # Where to expose the server, "5985" for HTTP with Kerberos authentication or "5986 ssl" for HTTPS certificate authentication
output:  # Which output to send the incoming events to

queries:  # The Windows Event queries separated by new lines, which determine which Windows Events should be loaded in subscriptions
read_existing_events:  # (optional) Notifies Windows machines if they should send existing events (true/false, default: true)

last_value_storage:  # Persistent storage for the current last value (default: ./var/last_value_storage)
connection_retries:  # (optional) How many retries in a row is acceptable from Windows machines (default: 60)
connection_retries_wait:  # (optional) How long in seconds to wait for connection retry (default: 10.0)
heartbeat:  # (optional) How often in seconds the heart beat should be called upon subscriptions (default: 60)

backlog:  # (optional) Specify the number of pending connections the queue will hold (default: 128)
servertokens:  # (optional) Controls whether 'Server' response header field is included ('full') or faked 'prod' (default: full)
cors: # (optional) Specify CORS attributes (default: none)

cert:  # Specify path to the WEC server certificate
key:  # Specify path to the WEC server private key 
issuer_thumbprints:  # Specify issuer (CA) certificate SHA1 thumbprints separated by space (f. e. d6986fef2104f21ab0c7ccb279217abe29c0808a)
password:  # (optional) Specify a private key file password (default: none)
cafile:  # (optional) Specify a file to verify the peer (default: none)
capath:  # (optional) Specify a path to verify the peer (default: none)
ciphers:  # (optional) Specify custom SSL ciphers (default: none)
dh_params:  # (optional) Diffie–Hellman (D-H) key exchange (TLS) parameters (default: none)
verify_mode:  # (optional) Empty or one of CERT_NONE, CERT_OPTIONAL or CERT_REQUIRED

Queries

The queries setting with Windows Event queries may look as follows (query name followed by its definition):

input:WEC:WECInput:
  ...
  queries:
    Application: "*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]"
    System: "*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]"
    Security: "*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]"
    Setup: "*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]"

The queries can be specified for every Window Event log type, including:

  • Application for application logs
  • System for system logs
  • Security for security logs
  • Setup for logs related to the installations or updates

The queries can be limited for certain source IP addresses or machine IDs using YAML list of the identificators at the end of the query. The machine ID is unique to each Windows machine and it is based on the domain hostname.

  queries:
    System:
      "*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]"

    Security:
      "*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]"
    ...
    Application:
      "*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]":
        - 192.168.111.128
        - 192.168.111.128
        - "APP.example.com"
    ...

In this way, only Windows machines with IPs 192.168.111.128, 192.168.111.128 and with machine ID APP.example.com will send application logs (their subscription will contain the application query).