Windows Event Log – Where Are WEF Subscription Filters Applied?

Tags: subscription, windows-event-log

I configured Windows Event Forwarding (WEF) in my LAB domain and I'm setting up subscriptions. My subscription is configured on my DC and is source-initiated, the collector is DC01.acme.com and sources are WIN7.acme.com and WIN10.acme.com. Suppose I have the following query filter configured for my subscription:

[Image: the subscription's query filter, selecting the Security log with Event ID 4776]

This means that I only want Security event logs with ID 4776 forwarded to DC01.acme.com, this works like a charm, no issues here. My only question is: where is the filter really applied, in the DC (collector) or in the workstations (sources)? In my mind there are two possible scenarios:

  1. The source forwards all event logs; those logs arrive at the collector, and then the collector applies the filter.
  2. The source applies the filter locally and only forwards the intended event logs to the collector.

Best Answer

To answer your question, the filtering is applied on the source (like servers, workstations, ...) and not on the collector. This means that if you specify a single event ID, your collector server will just collect the specified event ID (option 2 based on your question).
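A way to see this for yourself, added here as an example and not part of the question or answer: on the collector, dump the subscription definition that sources download, and on a source, run the same XPath select through `Get-WinEvent` to see exactly which events that machine would forward. The subscription name `Sec4776` is an assumption; the collector and source names come from the question.

```powershell
# Added example (not from the original Q&A). Assumes a source-initiated
# subscription named "Sec4776" on the collector DC01.acme.com whose query
# selects Security events with ID 4776.

# --- On the collector (DC01.acme.com) ---
# Print the subscription as XML. The <Query> element shown here is what each
# source downloads and evaluates locally before forwarding anything.
wecutil gs Sec4776 /f:xml

# Runtime status per source: which sources are active and when they last
# checked in. Useful when a source stops forwarding.
wecutil gr Sec4776

# --- On a source (e.g. WIN10.acme.com), in an elevated session ---
# The same select clause a WEF subscription uses. Evaluating it locally with
# Get-WinEvent shows the events the source would push to the collector;
# everything else in the Security log never leaves the machine.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4776)]]</Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName, MachineName

# --- Back on the collector ---
# Forwarded events land in the ForwardedEvents log. Grouping by ID confirms
# that only the IDs selected by the subscription query arrived.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 200 |
    Group-Object Id |
    Select-Object Name, Count
```

If the grouped output on the collector shows only ID 4776 while the source's Security log contains many other IDs, the filter was applied at the source, which is the behaviour the answer describes. Keeping the subscription query narrow therefore also reduces network traffic and collector load, not just what is stored.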