# WEC SOG

https://youtu.be/seuyYmgU95s?si=FKCfYHl25NTj4R1P

### CLIENT

open command prompt
    ```
    winrm qc
    y
    ```

computer > manage
    local users and groups > groups
        event log readers group
            click on it
                add
                    object type
                        unclick all, click computers
                            enter object name > (CLICK WHO YOU WANT AS THE COLLECTOR)
                            OK
                        OK
                OK
        CLOSE


### SERVER

start menu > event viewer
    subscriptions
        do you want windows event service to be running > yes
        right click on subscriptions > create subscription

```
subscription name: Wec Collection
description: collecting logs from clients
CHECK source computer initiated
    TEST
events to collect: 
    select events
        event level: critical, warning, error
        by log: application, security, system
        OK
    OK
```

        Look at forwarded events to see what is going to your SERVER