
In the Snare WEC agent's web UI, under Audit Policy Configuration (Objectives Configuration in versions earlier than 5.5.0), the parameter Identify log sources to capture events from has a checkbox titled Windows Forwarded Events. This checkbox is only available in the Snare WEC agent. It must be checked to collect events from the Windows Forwarded Events custom event log, which is populated by the Microsoft event log subscription process; that process uses WinRM to poll the remote hosts and collect their event logs.

Basic Auditing:

Advanced Auditing:



Note

When it sends the syslog message, the agent sets the source host details to the original hostname, so the destination server will understand that the logs originally came from another host rather than from the forwarding host. The host IP override settings on the Destination Configuration page apply only to the host the Snare WEC agent is running on; the agent currently does not perform any IP translation of the host details for forwarded events.
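Before ticking the Windows Forwarded Events checkbox it is worth confirming, on the collector host, that the subscription process is actually delivering events into the Forwarded Events log. The following PowerShell check is an added example and not part of the Snare documentation; it uses only built-in Windows tooling (Get-Service, wecutil, Get-WinEvent) and groups recent entries by their original source computer, which is the hostname the agent preserves when it rewrites the syslog source host.

```powershell
# Added example: verify the collector side of Windows event log subscriptions
# before enabling "Windows Forwarded Events" in the Snare WEC agent.
# Run in an elevated PowerShell session on the collector host.

# 1. WinRM must be running; the subscription process depends on it.
$winrm = Get-Service -Name WinRM
"WinRM service state: $($winrm.Status)"

# 2. The Windows Event Collector service owns the subscriptions.
$wecsvc = Get-Service -Name Wecsvc
"Wecsvc service state: $($wecsvc.Status)"

# 3. List the subscriptions and show each one's runtime status.
$subs = & wecutil es
if (-not $subs) {
    Write-Warning "No subscriptions defined; the ForwardedEvents log will stay empty."
}
foreach ($sub in $subs) {
    "--- Subscription: $sub ---"
    & wecutil gr $sub
}

# 4. Inspect recent ForwardedEvents entries and group them by the original
#    computer. This is the hostname the Snare WEC agent places in the syslog
#    source field, so each distinct value here should appear as a separate
#    source host on the destination server.
$recent = Get-WinEvent -LogName ForwardedEvents -MaxEvents 500 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning "ForwardedEvents log is empty; no events have arrived from source hosts yet."
} else {
    $recent |
        Group-Object -Property MachineName |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'OriginalHost'; e = { $_.Name } },
                      Count,
                      @{ n = 'Newest'; e = { ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated } } |
        Format-Table -AutoSize
}
```

If the grouped output shows only the collector's own name, the subscriptions are not yet delivering remote events and enabling the checkbox will forward nothing new.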