diff --git a/8 Tools/WEC/WEC-WEF-Symon_Guide.odt b/8 Tools/WEC/WEC-WEF-Symon_Guide.odt new file mode 100644 index 0000000..772b576 Binary files /dev/null and b/8 Tools/WEC/WEC-WEF-Symon_Guide.odt differ diff --git a/8 Tools/WEC/WEC_SOG.md b/8 Tools/WEC/WEC_SOG.md new file mode 100644 index 0000000..729c699 --- /dev/null +++ b/8 Tools/WEC/WEC_SOG.md @@ -0,0 +1,47 @@ +# WEC SOG + +https://youtu.be/seuyYmgU95s?si=FKCfYHl25NTj4R1P + +### CLIENT + +open command prompt + ``` + winrm qc + y + ``` + +computer > manage + local users and groups > groups + event log readers group + click on it + add + object type + unclick all, click computers + enter object name > (CLICK WHO YOU WANT AS THE COLLECTOR) + OK + OK + OK + CLOSE + + +### SERVER + +start menu > event viewer + subscriptions + do you want windows event service to be running > yes + right click on subscriptions > create subscription + +``` +subscription name: Wec Collection +description: collecting logs from clients +CHECK source computer initiated + TEST +events to collect: + select events + event level: critical, warning, error + by log: application, security, system + OK + OK +``` + + Look at forwarded events to see what is going to your SERVER \ No newline at end of file
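Review bot: `WEC-WEF-Symon_Guide.odt` is committed as an opaque binary next to the markdown SOG, so its contents cannot be reviewed here or diffed in later changes; export it to markdown (or at least PDF) so the two guides can be kept in sync, and confirm the spelling of `Symon` in the filename, which reads like a typo.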
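Review bot: the SERVER steps tick `CHECK source computer initiated`, but nothing in the CLIENT steps tells the clients where the collector is, so the subscription created by this guide will stay empty. A source-initiated subscription needs each client pointed at the collector through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, value of the form `Server=http://COLLECTOR-FQDN:5985/wsman/SubscriptionManager/WEC,Refresh=60`), and forwarding the Security log additionally requires the client's own NETWORK SERVICE account in Event Log Readers, because the local WinRM service reads the log. The `event log readers group` / `click computers` / `CLICK WHO YOU WANT AS THE COLLECTOR` steps instead grant the collector's computer account read access, which is the collector-initiated model; either change the SERVER step to collector initiated or replace the CLIENT group step with the policy setting above, and say which model the guide is documenting. Minor: the `winrm qc` fence and its two lines are indented by a single space, which keeps the block from rendering as code; dedent them to match the SERVER block.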