
The WiNC best practices guide - Micro Focus Community · • Protect conference presentation: o Winning on Windows with a WiNC and a smile - a good primer structured around use cases


The WiNC best practices guide

NOTE: References within this document were taken from the ArcSight Protect 724 site, from an online document (The WiNC best practices guide: Q&A, resources, tips and more).

General

• Overview
• WUC vs. WiNC
• WinC advantages over WUC
• WiNC limitations
• Related technologies
• Additional resources

Deployment

• Can WiNC run with or on X? If not, why?
• What ports are used by WiNC?
• Can WiNC use Windows Event Forwarding?
• Configuring the Windows server to be monitored by WiNC
• Testing WiNC
  o Generating events
• Should I install WiNC on the domain controller?
• Does Windows Event Forwarding (WEF) provide caching capabilities?
• Can I throttle the bandwidth consumed by WinC? (TBD)

Sizing and performance

• EPS support
• Number of hosts per connector? Do I need to balance EPS between sources?

Which events and what information are collected?

• Supported Windows log types
• Is windows archived log supported?
• IPv6 events?
• WiNC and OS Versions information
• Does WINC offer support for events in local languages / locales?

Customizing event collection

• Setting filters for WinC
• Creating custom parsers
• I have created custom parsers for WUC, will these work as-is for WINC?

Troubleshooting

• You get the error message "WiNC: Error[1]: [Active Directory Base DN is empty]"

Advanced and Internals

• WinC internals: how does it work?
• Which windows event API is ArcSight using?
• Does WINC use the same JCIFS tool as WUC to get events from Windows?
• Does Device Status (DSM) content work with the WiNC?


General

Overview

"Microsoft Windows Event Log - Native", or WiNC for short, is a new HPE ArcSight SmartConnector for collecting events from Microsoft Windows systems. It utilizes the Windows Eventing framework introduced with Windows 2008 to provide more flexible and scalable Windows collection capabilities to ArcSight.

WUC vs. WiNC

• WUC ("Windows Unified Connector" or "SmartConnector for Microsoft Windows Event Log - Unified") is ArcSight's legacy Windows collection SmartConnector. It is a portable connector that can be installed on both Windows and Unix systems. WUC achieves this by using a Java implementation of the Windows remote logging protocol (JCIFS) and is therefore limited to that library's technical capabilities.

• WINC ("Microsoft Native Connector" or "SmartConnector for Microsoft Windows Event Log - Native") is ArcSight's new Windows collection SmartConnector. It uses native Microsoft technology, has broader capabilities but installs only on Windows systems.

WinC advantages over WUC

• Scalability – should be able to scale better than the WUC:

o Use of push vs. pull - since, unlike WUC, it does not use round robin, WiNC does not get "hung up" on a device that is slow to respond or not responding, and therefore:

▪ No need to balance event sources.

▪ No penalty for long latency between sources and connector.

o Pre-filtering on the sending server conserves bandwidth and connector performance. For example, if you are interested only in logon failures (event id 4625), you don't need to send any other event to the connector.


• IPv6 stack – the WiNC will be able to fully run on an IPv6 stack.

• SMBv2 and SMBv3 support - WUC is limited to SMBv1.

• Easier configuration:

o Configuration is easier, with fewer screens and configuration options. One screen includes all the configuration required in a typical implementation, including use of WEF.

o No need to worry about the OS version of the event source system.


• Forwarded Events – WUC could only collect from HardwareEvents, in addition to Security/Application/System. WiNC can also collect from ForwardedEvents, which is the default log when you set up a WEF subscription.

• Custom event logs –

o Unlike WUC, WiNC can read events in any Windows log including logs utilizing "nested" event format. Such logs include for example AppLocker events (note that for WUC there is a workaround that utilizes WEF).

o New flex framework makes it easier to create custom parsers

• Pre-filtering – pushes standard Windows event filters (copy/paste from the event viewer). This is both simpler than WUC and saves bandwidth and connector resources as the filtering is done on the sending server. This is available in addition to standard connector filtering.

WiNC limitations

• Only runs on Windows, so can’t be run on ArcMC, Connector Appliance, or Linux/Unix.

• No support for Windows 2003.

• 64-bit OS only

Related technologies

Both WUC and WiNC can use Windows Event Forwarding (WEF), a Microsoft technology for forwarding events to a central collector. You can read more about it here. WiNC (and WUC) can use WEF but do not require it.

Additional resources

• WiNC documentation.

• Protect conference presentation:

o Winning on Windows with a WiNC and a smile - a good primer structured around use cases in which WiNC is helpful compared to WUC (Protect724 copy).

• Forwarding specific:

o Using Windows Event Forwarding with Windows Native and Unified SmartConnectors (Protect 2015 presentation on Protect724)


Deployment

Can WiNC run with or on X? If not, why?

• On ArcMC/ConApp: No. ArcMC and ConApp are Linux-based systems and do not support the native Windows technologies used by WiNC.

• Managed by ArcMC: No. This is planned for an upcoming ArcMC release (as of Dec 2015).

• Collecting from Windows 2003: No. Windows 2003 event collection is not supported because Windows 2003 does not support Windows Eventing, the technology used by WiNC, which was introduced with Windows Vista/2008. Note that Microsoft's end-of-support date for Windows 2003 is July 14, 2015.

• Collecting from Windows 2003 by forwarding to Windows 2008/2012: ?

• .Net version for installing: 4.5. WiNC is sensitive to .Net versions and strictly enforces them.

• Running on Windows 7: No*. (*) WINC does work on Windows 7 if you have v4.5 of .Net installed, but WINC is NOT supported on Windows 7.

• FIPS: No. The FIPS limitation is with the Windows platform.

• IPv6 hosts and events: Yes.

• Use Windows Event Forwarding: Yes.

• Upgrading from WUC: No*. (*) Automated upgrading from WUC to WINC is not supported. You can manually export the host information from WUC and reuse it for the WINC installation to make the migration easier.


What ports are used by WiNC?

• Source: WinC host / winc-agent.exe. Destination: WinC host / Java.exe. Port: TCP/61616.

  Port 61616 is used by the Message Queue service to communicate between the standard connector code of WinC and its agent code in C#, winc-agent. The port can be configured if needed; for example, when more than one WinC is installed on the same server, change the port number by adding mq.server.listener.port to agent.properties. By default, this is set to 61616 in agent.default.properties. Copy the value to agent.properties and change the port number.

• Source: WinC host / winc-agent.exe. Destination: server to collect events from. Port: TCP/135.

• Source: server to collect events from. Destination: WinC host / winc-agent.exe. Port: varies, default TCP/49153.

  WinC and the server to collect events from negotiate the port to use:

  o On Windows Vista and 2008+, the default dynamic port range is 49152-65535.

  o On older Windows systems, the default dynamic port range is 1025-5000.

  o We have seen other reports as well.

Can WiNC use Windows Event Forwarding?

Yes. You can use either of:

• WEF-only mode: collect all logs to a central log consolidation server using WEF and use WiNC to collect only from this server.

• Mixed mode: use WinC to collect events from a log consolidation server or servers as well as directly from other Windows servers.

In addition, WiNC can be used without WEF at all.

Using WEF sometimes eliminates security and authorization challenges, as WiNC then needs permissions only on the central log management server.


Configuring the Windows server to be monitored by WiNC

What user should be used on the Windows server?

• If the collected host is a DC, just follow the WiNC documentation: create a user and add it in the built in Event Log Readers group.

• If the collected host is a member workstation, you also need to add the domain user to the local Event Log Readers group.

This can be done manually on the collected computer:

Control Panel > User Accounts > Manage User Accounts > Add the domain user with Event Log Readers level access.

Or this can be done by GPO from the DC:

Control Panel > Administrative Tools > Group Policy Management > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups > Add the Event Log Readers group > Add the domain user as member.

You can execute gpupdate /force on the collected host to apply the new policy immediately.

Testing WiNC

If you want to do a test probe of a WINC target, you can do this:

1. Install the WiNC connector

2. Open a command prompt (preferably an administrative command prompt, to avoid permission issues)


3. CD to winc-agent.exe directory (assuming d:\arcsight\connectors\WINC0X\current\bin\agent\win64)

4. Run "winc-agent.exe standalone -bookmark false -h mytargethostname.fqdn -l Security -u mysvcuser -p svcuserPW -n 1000 -f flatjson"

This will collect 1000 events from the Security log on "mytargethostname.fqdn". Change the host name, log file, username and password using the -h, -l, -u and -p parameters respectively. If you don't specify -n it will keep reading logs eternally.

The events will then be stored in "d:\arcsight\connectors\WINC0X\current\bin\agent\win64\logs". The files will rotate and be named (by default) Events_Month-dd-hh-mm-ss.json. The file may not get flushed until you press CTRL+C on the command executed above.

Generating events

Use eventcreate to force event generation. For example:

• EVENTCREATE /T ERROR /ID 1000 /L APPLICATION /D "My custom error event for the application log"

• EVENTCREATE /T ERROR /ID 1000 /L SYSTEM /D "My custom error event for the system log"

Should I install WiNC on the domain controller?

While it would work, it is never recommended. It is not a good security practice and it adds overhead to the DC. One option is to use WEF to forward the events to a single Windows member server dedicated to event collection and install WiNC on this server.

Does Windows Event Forwarding (WEF) provide caching capabilities?

i.e. If we have devices like laptops that are not always connected to the corporate network (physical or VPN), will it cache the events and send them once connected?


Yes, the testing I've done shows this does work with Source Initiated subscriptions. I haven't been able to find too many details from Microsoft on how it works and if it can be customized. Here is an article I found with some of the configuration options.

Sizing and performance

EPS support

From the field:

• Looks like the general assumption (max 1500 EPS in, max 3500 EPS out) works as well for the WinC connector.

• Just consolidated about 15 connectors down to 4 in one network, and around 9 to 4 in another with no event time drift - thanks to pre-filtering!

Number of hosts per connector? Do I need to balance EPS between sources?

A fundamental feature with WinC is that it does not poll but rather the sources push to it. Therefore:

• There is no limit to the number of hosts as long as the total EPS is OK.

• As a best practice, one wouldn’t add thousands of hosts to the agent host list but rather configure a source initiated event subscription for all the hosts and let the OS act as the Event Collector. Then all you need is to pull the events from localhost.

• Unlike WUC, there is no round-robin anymore and there is no need to balance EPS between sources. Sources with very different EPS rates can work well with the same WinC connector.

From the field: I’m running a WinC instance on a barely performing host, requesting feeds from 17 DCs with a sustained rate of 700 EPS (blacklist filtered). Still looking good. (Active Directory disabled, Wrapper modified to use 1GB RAM)

Which events and what information are collected?


Supported Windows log types

WINC supports collection from all log types, both administrative and operational logs. WINC's WEF support is NOT limited to the hardware event log. This is a key differentiation compared to WUC, which only supports administrative logs. In addition, WINC supports operational logs, where WUC does not.

The SmartConnector supports parsing for the following logs:

• Security

• System

• Application (event header)

• Forwarded Events (for forwarded Security, System, and Application (event header) events)

Parser support for the following application and system events is provided (as of WinC initial release):

• Microsoft Active Directory

• Microsoft Exchange Access Auditing

• Microsoft Forefront Protection 2010

• Microsoft Network Policy Server

• Microsoft Remote Access

• Microsoft Service Control Manager

• Microsoft SQL Server Audit

• Microsoft WINS Server

• Oracle Audit

• Symantec Mail Security for Exchange

Is windows archived log supported?

Windows archived logs are not supported in either WUC or WINC.

IPv6 events?

WINC will support collection from IPv6 hosts and collecting information from

WiNC and OS Versions information


• The OS version is needed for the OS version field to be populated in parsed security events. It can be specified in the source host file (check "Use file for OS version" when configuring the connector and upload it) or can be populated through AD browsing.

• However WiNC, unlike WUC, does not use a different parser per OS version. So if one doesn't care about OS version being populated in the security events, there is no need to specify the OS version and the steps above are optional.

Does WINC offer support for events in local languages / locales?

• Events with international date formats are supported.

• Events in local languages work if they are in Latin script or in one of the supported languages.

Customizing event collection

Setting filters for WinC

Examples:

• *[System[(EventID=800 or EventID=900 or EventID=1000)]] - events with ids of 800, 900, or 1000

• *[System[Provider[@Name='EventCreate']]] - events from eventcreate

• *[System[Provider[@Name='EventCreate'] and (Level=2)]] - error events from eventcreate

• *[System[(Level=2 or Level=4 or Level=0)]] - error or informational events

• *[System[(Computer='win7.example.com')]] - events from a particular computer

• *[System[(Computer='win7.example.com' or Computer='windows.example.com')]] - events from particular computers (comma separated: win7.example.com, windows.example.com)

• *[System[Security[@UserID='S-1-5-21-440319974-3384363281-3865861254-500']]] - events from a particular user (Microsoft does not allow multiple users; this has to be a particular user)

• Using Windows Event Viewer to learn filter syntax
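The following PowerShell script is an added example, not part of the guide: it exercises the guide's XPath filter expressions (and the logon-failure filter for event id 4625 from the pre-filtering section) against the local logs, using the same QueryList envelope that Event Viewer and WEF subscriptions use, so a bad filter is caught before it goes into a WiNC filter or a subscription. The Test-EventFilter function and the check list are assumptions of this example; run it from an elevated prompt because the Security log requires admin rights.

```powershell
# Added example, not from the guide: exercise XPath pre-filters against the
# local event logs before putting them into a WiNC filter or a WEF subscription.
# Run from an elevated PowerShell prompt (the Security log needs admin rights).

function Test-EventFilter {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$XPath,
        [int]$MaxEvents = 100
    )
    # Wrap the XPath in the QueryList envelope that Event Viewer's XML tab and
    # WEF subscriptions use. The XPath is dropped in as XML text, so it must not
    # contain a raw '<' or '&' (none of the guide's examples do).
    $queryXml = [xml]@"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$XPath</Select>
  </Query>
</QueryList>
"@
    # Get-WinEvent raises an error both for an invalid query and when nothing
    # matches; keep the message so the two cases can be told apart.
    $hits = @(Get-WinEvent -FilterXml $queryXml -MaxEvents $MaxEvents `
                -ErrorAction SilentlyContinue -ErrorVariable queryError)
    [pscustomobject]@{
        LogName   = $LogName
        Matches   = $hits.Count
        SampleIds = ($hits | Select-Object -First 5 -ExpandProperty Id) -join ','
        Error     = if ($queryError) { $queryError[0].Exception.Message } else { '' }
        XPath     = $XPath
    }
}

# Write a known event so the eventcreate filters have something to match
# (the same command the guide uses under "Generating events").
EVENTCREATE /T ERROR /ID 1000 /L APPLICATION /D "WiNC filter test" | Out-Null

# The guide's own filter expressions, plus the logon-failure example (4625).
$checks = @(
    @{ LogName = 'Application'; XPath = "*[System[Provider[@Name='EventCreate'] and (Level=2)]]" }
    @{ LogName = 'Application'; XPath = "*[System[(EventID=800 or EventID=900 or EventID=1000)]]" }
    @{ LogName = 'System';      XPath = "*[System[(Level=2 or Level=4 or Level=0)]]" }
    @{ LogName = 'Security';    XPath = "*[System[(EventID=4625)]]" }
)

# Zero matches can be legitimate (no failed logons yet); an Error column that
# reports anything other than "no events found" means the XPath itself is wrong
# and would be rejected by the subscription or the connector as well.
foreach ($check in $checks) { Test-EventFilter @check }
```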

Creating custom parsers

I have created custom parsers for WUC, will these work as-is for WINC?

The event data formats differ between WINC (which leverages native Windows APIs) and WUC (which leverages JCIFS); therefore a modified version of the custom parser will be required for WINC. The changes required should be straightforward. Refer to the WINC Configuration Guide, section "Create and deploy custom parsers".

Troubleshooting

You get the error message "WiNC: Error[1]: [Active Directory Base DN is empty]"

Remember to use fully qualified domain names (FQDN), such as "example.com", rather than just "example".

Advanced and Internals

WinC internals: how does it work?

• The WiNC SmartConnector Java process (based on the standard connector framework) starts and runs the process "winc-agent.exe" (the agent), a Windows-only executable that uses the Windows API.

• The SmartConnector Java process interacts with the agent on port TCP/61616 (default, changeable).

• The agent connects to the hosts (the Windows systems to collect logs from) using port TCP/135 and requests the logs with the configured filter via Remote Procedure Calls (DCE RPC).

• The agent and the host negotiate the connection settings for the data stream (TCP/49153 by default, since this is the designated port for the Windows event stream).

• The agent opens the designated port (TCP/49153 by default) for listening and gets the event stream in return. This process is somewhat similar to FTP.

Which windows event API is ArcSight using?

ArcSight WINC uses the native windows eventing API. You can find more details on Windows Eventing here: Windows Eventing 6.0 - article in Windows IT Pro

Does WINC use the same JCIFS tool as WUC to get events from Windows?

No, WINC does not use the JCIFS interface. WINC uses the Windows Eventing API to retrieve events with a built-in C# application.

Does Device Status (DSM) content work with the WiNC?

Yes

Wecutil

Applies To: Windows Server 2008, Windows Server 2012, Windows 8


Enables you to create and manage subscriptions to events that are forwarded from remote computers that support the WS-Management protocol. For examples of how to use this command, see Examples.

Syntax

wecutil [{es | enum-subscription}] [{gs | get-subscription} <Subid> [/f:<Format>] [/uni:<Unicode>]] [{gr | get-subscriptionruntimestatus} <Subid> [<Eventsource> …]] [{ss | set-subscription} [<Subid> [/e:[<Subenabled>]] [/esa:<Address>] [/ese:[<Srcenabled>]] [/aes] [/res] [/un:<Username>] [/up:<Password>] [/d:<Desc>] [/uri:<Uri>] [/cm:<Configmode>] [/ex:<Expires>] [/q:<Query>] [/dia:<Dialect>] [/tn:<Transportname>] [/tp:<Transportport>] [/dm:<Deliverymode>] [/dmi:<Deliverymax>] [/dmlt:<Deliverytime>] [/hi:<Heartbeat>] [/cf:<Content>] [/l:<Locale>] [/ree:[<Readexist>]] [/lf:<Logfile>] [/pn:<Publishername>] [/essp:<Enableport>] [/hn:<Hostname>] [/ct:<Type>]] [/c:<Configfile> [/cun:<Username> /cup:<Password>]]] [{cs | create-subscription} <Configfile> [/cun:<Username> /cup:<Password>]] [{ds | delete-subscription} <Subid>] [{rs | retry-subscription} <Subid> [<Eventsource>…]] [{qc | quick-config} [/q:[<Quiet>]]].

Parameters

Parameter Description

{es | enum-subscription} Displays the names of all remote event subscriptions that exist.

{gs | get-subscription} <Subid> [/f:<Format>] [/uni:<Unicode>]

Displays remote subscription configuration information. <Subid> is a string that uniquely identifies a subscription. <Subid> is the same as the string that was specified in the <SubscriptionId> tag of the XML configuration file, which was used to create the subscription.

{gr | get-subscriptionruntimestatus} <Subid> [<Eventsource> …]

Displays the runtime status of a subscription. <Subid> is a string that uniquely identifies a subscription. <Subid> is the same as the string that was specified in the <SubscriptionId> tag of the XML configuration file, which was used to create the subscription. <Eventsource> is a string that identifies a computer that serves as a source of events. <Eventsource> should be a fully qualified domain name, a NetBIOS name, or an IP address.

{ss | set-subscription} <Subid> [/e:[<Subenabled>]] [/esa:<Address>] [/ese:[<Srcenabled>]] [/aes] [/res] [/un:<Username>] [/up:<Password>] [/d:<Desc>] [/uri:<Uri>] [/cm:<Configmode>] [/ex:<Expires>] [/q:<Query>] [/dia:<Dialect>] [/tn:<Transportname>] [/tp:<Transportport>] [/dm:<Deliverymode>] [/dmi:<Deliverymax>] [/dmlt:<Deliverytime>] [/hi:<Heartbeat>] [/cf:<Content>] [/l:<Locale>] [/ree:[<Readexist>]] [/lf:<Logfile>] [/pn:<Publishername>] [/essp:<Enableport>] [/hn:<Hostname>] [/ct:<Type>]

or

{ss | set-subscription /c:<Configfile> [/cun:<Comusername> /cup:<Compassword>]

Changes the subscription configuration. You can specify the subscription ID and the appropriate options to change subscription parameters, or you can specify an XML configuration file to change subscription parameters.

{cs | create-subscription} <Configfile> [/cun:<Username> /cup:<Password>]

Creates a remote subscription. <Configfile> specifies the path to the XML file that contains the subscription configuration. The path can be absolute or relative to the current directory.

{ds | delete-subscription} <Subid>

Deletes a subscription and unsubscribes from all event sources that deliver events into the event log for the subscription. Any events already received and logged are not deleted. <Subid> is a string that uniquely identifies a subscription. <Subid> is the same as the string that was specified in the <SubscriptionId> tag of the XML configuration file, which was used to create the subscription.

{rs | retry-subscription} <Subid> [<Eventsource>…]

Retries establishing a connection and sending a remote subscription request to an inactive subscription. Attempts to reactivate all event sources or specified event sources. Disabled sources are not retried. <Subid> is a string that uniquely identifies a subscription. <Subid> is the same as the string that was specified in the <SubscriptionId> tag of the XML configuration file, which was used to create the subscription. <Eventsource> is a string that identifies a computer that serves as a source of events. <Eventsource> should be a fully qualified domain name, a NetBIOS name, or an IP address.

{qc | quick-config} [/q:[<Quiet>]]

Configures the Windows Event Collector service to ensure a subscription can be created and sustained through reboots. This includes the following steps:

1. Enable the ForwardedEvents channel if it is disabled.

2. Set the Windows Event Collector service to delay start.

3. Start the Windows Event Collector service if it is not running.

Options

Option Description

/f:<Format> Specifies the format of the information that is displayed. <Format> can be XML or Terse. If <Format> is XML, the output is displayed in XML format. If <Format> is Terse, the output is displayed in name-value pairs. The default is Terse.

/c:<Configfile> Specifies the path to the XML file that contains a subscription configuration. The path can be absolute or relative to the current directory. This option can only be used with the /cun and /cup options and is mutually exclusive with all other options.

/e:[<Subenabled>] Enables or disables a subscription. <Subenabled> can be true or false. The default value of this option is true.

/esa:<Address> Specifies the address of an event source. <Address> is a string that contains a fully qualified domain name, a NetBIOS name, or an IP address, which identifies a computer that serves as a source of events. This option should be used with the /ese, /aes, /res, or /un and /up options.

/ese:[<Srcenabled>] Enables or disables an event source. <Srcenabled> can be true or false. This option is allowed only if the /esa option is specified. The default value of this option is true.

/aes Adds the event source that is specified by the /esa option if it is not already a part of the subscription. If the address specified by the /esa option is already a part of the subscription, an error is reported. This option is only allowed if the /esa option is specified.

/res Removes the event source that is specified by the /esa option if it is already a part of the subscription. If the address specified by the /esa option is not a part of the subscription, an error is reported. This option is only allowed if /esa option is specified.

/un:<Username> Specifies the user credential to use with the event source specified by the /esa option. This option is only allowed if the /esa option is specified.

/up:<Password> Specifies the password that corresponds to the user credential. This option is only allowed if the /un option is specified.

/d:<Desc> Provides a description for the subscription.

/uri:<Uri> Specifies the type of the events that are consumed by the subscription. <Uri> contains a URI string that is combined with the address of the event source computer to uniquely identify the source of the events. The URI string is used for all event source addresses in the subscription.

/cm:<Configmode>

Sets the configuration mode. <Configmode> can be one of the following strings: Normal, Custom, MinLatency or MinBandwidth. The Normal, MinLatency, and MinBandwidth modes set delivery mode, delivery max items, heartbeat interval, and delivery max latency time. The /dm, /dmi, /hi or /dmlt options may only be specified if the configuration mode is set to Custom.

/ex:<Expires> Sets the time when the subscription expires. <Expires> should be defined in standard XML or ISO8601 date-time format: yyyy-MM-ddThh:mm:ss[.sss][Z], where T is the time separator and Z indicates UTC time.

/q:<Query> Specifies the query string for the subscription. The format of <Query> may be different for different URI values and applies to all sources in the subscription.

/dia:<Dialect> Defines the dialect that the query string will use.

/tn:<Transportname> Specifies the name of the transport that is used to connect to a remote event source.

/tp:<Transportport> Sets the port number that is used by the transport when connecting to a remote event source.

/dm:<Deliverymode> Specifies the delivery mode. <Deliverymode> can be either pull or push. This option is only valid if the /cm option is set to Custom.

/dmi:<Deliverymax> Sets the maximum number of items for batched delivery. This option is only valid if /cm is set to Custom.

/dmlt:<Deliverytime> Sets the maximum latency in delivering a batch of events. <Deliverytime> is the number of milliseconds. This option is only valid if /cm is set to Custom.

/hi:<Heartbeat> Defines the heartbeat interval. <Heartbeat> is the number of milliseconds. This option is only valid if /cm is set to Custom.

/cf:<Content> Specifies the format of the events that are returned. <Content> can be Events or RenderedText. When the value is RenderedText, the events are returned with the localized strings (such as event description) attached to the event. The default value is RenderedText.

/l:<Locale> Specifies the locale for delivery of the localized strings in RenderedText format. <Locale> is a language and country/region identifier, for example, "EN-us". This option is only valid if the /cf option is set to RenderedText.

/ree:[<Readexist>]

Identifies the events that will be delivered for the subscription. <Readexist> can be true or false. When <Readexist> is true, all existing events are read from the subscription event sources. When <Readexist> is false, only future (arriving) events are delivered. The default value is true for a /ree option without a value. If no /ree option is specified, the default value is false.

/lf:<Logfile> Specifies the local event log that is used to store events received from the event sources.

/pn:<Publishername> Specifies the publisher name. It must be a publisher that owns or imports the log specified by the /lf option.

/essp:<Enableport>

Specifies that the port number must be appended to the service principal name of the remote service. <Enableport> can be true or false. The port number is appended when <Enableport> is true. When the port number is appended, some configuration may be required to prevent the access to event sources from being denied.

/hn:<Hostname> Specifies the DNS name of the local computer. This name is used by the remote event source to push back events and must be used only for a push subscription.

/ct:<Type> Sets the credential type for the remote source access. <Type> should be one of the following values: default, negotiate, digest, basic or localmachine. The default value is default.

/cun:<Comusername>

Sets the shared user credential to be used for event sources that do not have their own user credentials. If this option is specified with the /c option, UserName and UserPassword settings for individual event sources from the configuration file are ignored. If you want to use a different credential for a specific event source, you should override this value by specifying the /un and /up options for a specific event source on the command line of another ss command.

/cup:<Compassword> Sets the user password for the shared user credential. When <Compassword> is set to * (asterisk), the password is read from the console. This option is only valid when the /cun option is specified.

/q:[<Quiet>] Specifies whether the configuration procedure will prompt for confirmation. <Quiet> can be true or false. If <Quiet> is true, the configuration procedure will not prompt for confirmation. The default value of this option is false.

Remarks

Important

If you receive the message, “The RPC server is unavailable” when you try to run wecutil, you need to start the Windows Event Collector service (wecsvc). To start wecsvc, at an elevated command prompt type net start wecsvc.

• The following example shows the contents of a configuration file:

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
    <ConfigurationMode>Normal</ConfigurationMode>
    <Description>Forward Sample Subscription</Description>
    <SubscriptionId>SampleSubscription</SubscriptionId>
    <Query><![CDATA[
        <QueryList>
            <Query Path="Application">
                <Select>*</Select>
            </Query>
        </QueryList>
    ]]></Query>
    <EventSources>
        <EventSource Enabled="true">
            <Address>mySource.myDomain.com</Address>
            <UserName>myUserName</UserName>
            <Password>*</Password>
        </EventSource>
    </EventSources>
    <CredentialsType>Default</CredentialsType>
    <Locale Language="EN-US"></Locale>
</Subscription>

Examples

Output configuration information for a subscription named sub1:

wecutil gs sub1


Example output:

EventSource[0]:
        Address: localhost
        Enabled: true
Description: Subscription 1
Uri: wsman:microsoft/logrecord/sel
DeliveryMode: pull
DeliveryMaxSize: 16000
DeliveryMaxItems: 15
DeliveryMaxLatencyTime: 1000
HeartbeatInterval: 10000
Locale:
ContentFormat: renderedtext
LogFile: HardwareEvents

Display the runtime status of a subscription named sub1:

wecutil gr sub1

Update the subscription configuration named sub1 from a new XML file called WsSelRg2.xml:

wecutil ss sub1 /c:%Windir%\system32\WsSelRg2.xml

Update the subscription configuration named sub2 with multiple parameters:

wecutil ss sub2 /esa:myComputer /ese /un:uname /up:* /cm:Normal

Create a subscription to forward events from a Windows Vista Application event log of a remote computer at mySource.myDomain.com to the ForwardedEvents log (see Remarks for an example of a configuration file):

wecutil cs subscription.xml

Delete a subscription named sub1:

wecutil ds sub1
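As an added example (not from the guide or from Microsoft's wecutil reference), the following PowerShell script ties the wecutil verbs above to the WiNC deployment pattern the guide recommends: it writes a subscription configuration file with the same elements as the sample in Remarks, but with a Security-log pre-filter for logon failures (event id 4625, the guide's own pre-filtering example), prepares the collector with quick-config, creates the subscription and then checks its runtime status. The subscription id, source host and account name are placeholders to replace.

```powershell
# Added example: collector-initiated WEF subscription with a source-side
# pre-filter, created and verified with wecutil. Run elevated on the collection
# server (a member server dedicated to collection, not a DC, as the guide advises).
# Placeholders to replace: $subscriptionId, $sourceHost, $sourceUser.

$subscriptionId = 'WiNC-LogonFailures'
$sourceHost     = 'mySource.myDomain.com'      # FQDN, NetBIOS name or IP of the source
$sourceUser     = 'myDomain\svc-eventreader'   # must be in Event Log Readers on the source
$configPath     = Join-Path $env:TEMP "$subscriptionId.xml"

# Same elements as the sample configuration file in Remarks; only the query differs.
# The CDATA query is evaluated on the source, so only 4625 events cross the network
# and reach the ForwardedEvents log that WiNC reads. A password of * is read from
# the console when the subscription is created instead of being stored in the file.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Description>Logon failures (4625) forwarded for WiNC collection</Description>
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$sourceHost</Address>
      <UserName>$sourceUser</UserName>
      <Password>*</Password>
    </EventSource>
  </EventSources>
  <CredentialsType>Default</CredentialsType>
  <Locale Language="EN-US"></Locale>
</Subscription>
"@

# Catch malformed XML locally before wecutil does.
$null = [xml]$subscriptionXml
Set-Content -Path $configPath -Value $subscriptionXml -Encoding UTF8

# quick-config: enable the ForwardedEvents channel, set wecsvc to delayed start
# and start it. /q:true suppresses the confirmation prompt.
wecutil qc /q:true

# Create the subscription from the file (wecutil prompts for the account password).
wecutil cs $configPath

# Verify: the subscription and each EventSource should report "RunTimeStatus: Active".
# An inactive source with a non-zero LastError usually means the account is not in
# Event Log Readers on the source or WinRM (TCP/5985 by default) is blocked between
# the collector and the source.
wecutil gr $subscriptionId
```

Once the source shows as active, point WiNC at the collector's ForwardedEvents log only; the guide's WEF-only mode means the collection account needs permissions on this one server rather than on every source.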