The built-in functionality of Windows Event Forwarding is pretty powerful, if a little awkward to set up. I’ll be putting together a series of posts walking through my own setup, and hopefully it will save someone the missteps I made initially.
WEF allows a machine to forward its logs to one or more remote hosts, for all events or a subset of events from various sources. This lets you review and alert on logs in a single location, or forward them from there to your SIEM (Graylog in our case). Pulling logs from workstations lets us see additional events that will never reach the domain controllers in a reasonable way (locked sessions, local logins, etc.).
The subscription model is somewhat obscure to set up initially, but once it is in place the subscriptions are easy to modify: you can change them on the fly from the subscription source, adding or removing event IDs, levels, sources, etc. It also allows custom XML for those very specific variations that the UI doesn’t offer. More on that to come!
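As an added example (not code from this post), here is a source-initiated subscription for exactly the workstation events mentioned above, console logons and session lock/unlock, registered on the collector with wecutil. The subscription name, the event selection and the temp-file path are my assumptions, and it assumes the collector has already been configured with `wecutil qc` and that forwarders point at it via the SubscriptionManager policy setting.

```powershell
# Added example: a source-initiated WEF subscription collecting only
# workstation session events that never reach a domain controller.
# Security log event IDs used: 4624 = logon (LogonType 2 = interactive at
# the console), 4800 = workstation locked, 4801 = workstation unlocked.

$subscriptionName = 'Workstation-Sessions'   # assumed name

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Console logons and session lock/unlock from workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <!-- Custom XPath: the UI builder cannot filter on LogonType, the XML can -->
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='2']]
        </Select>
        <Select Path="Security">
          *[System[(EventID=4800 or EventID=4801)]]
        </Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting Domain Computers (DC) the right to push to this subscription -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$subscriptionName.xml"   # assumed location
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

# Register on the collector. To change the event IDs later, edit the XML,
# delete the old subscription (wecutil ds <name>) and create it again;
# the forwarders pick up the new query without any change on their side.
wecutil cs $xmlPath
wecutil gs $subscriptionName   # print the resulting configuration
```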
The best place to begin is with Jessica Payne’s great intro article.