Is setting up Cribl WEC/WEF the same as what is used when Windows Events are routed to a WEC server?

Hi all, is the method that is set up to use Cribl WEC/WEF the same approximate setup that is used when Windows Events are routed to a WEC server? I'm going to approach my Windows admins about potentially changing how we do this, and want to make sure that I have my facts straight.

Answers

  • Tony Reinke

    We just did a User Group where it was on Windows Event Collector: https://youtu.be/_glQmFD9ync

  • Franky Laarits

    I'll check that out. Thanks.

  • Anson VanDoren

    Today we only support client cert (i.e., mTLS) auth (Kerberos coming soon, though). Having said that, the setup using Cribl WEF source is roughly the same as setting up "actual" WEC/WEF using client certificates.

    » Get appropriate client certs onto all sending clients
    » Configure the WEF source in Stream (including a CA cert chain that matches what the client certs are going to be using)
    » Add/change your EventForwarding GPO to point to your Stream worker as the Server instead of the WEC boxes

  • Anson VanDoren

    https://docs.cribl.io/stream/usecase-wef-config/ is pretty comprehensive, and it all should look pretty familiar to someone who's gone through setting up "real WEC" previously.