We have updated our Terms of Service, Code of Conduct, and Addendum.

Is setting up Cribl WEC/WEF the same that is used in Windows Events routed to a WEC server?

Hi all, Is the method that is setup to use Cribl WEC/WEF that same approximate setup that is used when Windows Events are routed to a WEC server? Going to approach my windows admins about potentially changing how we do this, and want to make sure that I have my facts straight.


  • Tony Reinke
    Tony Reinke Posts: 4

    We just did a User Group where it was on Windows Event Collector: https://youtu.be/_glQmFD9ync

  • i'll check that out. thanks

  • Today we only support client cert (i.e., mTLS) auth (Kerberos coming soon, though). Having said that, the setup using Cribl WEF source is roughly the same as setting up "actual" WEC/WEF using client certificates. » Get appropriate client certs onto all sending clients » Configure the WEF source in Stream (including a CA cert chain that matches what the client certs are going to be using) » Add/change your EventForwarding GPO to point to your Stream worker as the Server instead of the WEC boxes

  • https://docs.cribl.io/stream/usecase-wef-config/ is pretty comprehensive, and it all should look pretty familiar to someone who's gone through setting up "real WEC" previously