Does Microsoft support WEC/WEF sending logs over HTTP for NON-domain machines?
Is it possible to configure WEC/WEF to send logs over HTTP for NON-domain machines?
We are trying to configure WEC/WEF for a few Windows non-domain machines to send logs to Microsoft Sentinel. Would it be possible to send over HTTP using WEC/WEF? Or, if we use HTTPS or a certificate, is there a workaround so that the endpoint does not require a reboot?
Azure Arc
-
Vinod Pittala • 6,130 Reputation points • Microsoft External Staff • Moderator
2025-07-17T13:20:13.72+00:00 Hello Sukhwant Singh Chauhan,
Windows Event Forwarding (WEF) is primarily designed for domain-joined environments. However, it is technically possible to configure WEF for non-domain machines, though it requires additional setup and infrastructure.
To enable this in a non-domain scenario, you'll need to leverage Azure Arc, because Sentinel can't pull the logs directly without this setup.
Once the Windows Event Collector (WEC) servers are deployed, you must connect them to Azure using Azure Arc. This connection allows Microsoft Sentinel to integrate with the WEC server.
Please note:
- The Microsoft Sentinel connector for Windows Forwarded Events (Preview) requires the Azure Monitor Agent (AMA).
- AMA is not supported on the legacy MMA agent, and its deployment requires Azure Arc for non-Azure machines.
- Once configured, the WEC server will forward events to a Log Analytics Workspace (LAW) monitored by Microsoft Sentinel, enabling full visibility into logs from machines outside of Azure.
Important: Microsoft Sentinel must be deployed and enabled before installing the AMA agent.
Below is the overview to achieve the goal:
Additionally, for a complete walkthrough, please refer to the following Microsoft Tech Community article, which outlines the entire process step-by-step:
Please let me know if you need any further assistance.
If the comment is helpful, please upvote it.
Thanks
-
Rahul Jorrigala • 3,655 Reputation points • Microsoft External Staff • Moderator
2025-07-18T01:26:05.13+00:00 Hello Sukhwant Singh Chauhan,
Just want to check whether the above comment provided by @vinod pittala worked for you; otherwise, please let us know if you need any help. We are always here to help whenever you need us.
If the comment is helpful, please click "Upvote it".
Thank you
-
Sukhwant Singh Chauhan • 0 Reputation points
2025-07-18T04:02:43.82+00:00 Please clarify:
- Would it be possible to send over HTTP using WEC/WEF? Note: the Windows machines are not domain-joined; they are workgroup machines.
- If we use HTTPS or a certificate, is there a workaround so that there is no need to reboot the endpoint that is sending the logs?
- Once the Windows logs are received by Microsoft Sentinel, would they be written directly to the SecurityEvent table?
- Is there a possibility that syslog logs received by AMA can be written directly to the SecurityEvent table in Microsoft Sentinel?
- Most important: does Microsoft support editing or mapping of the SecurityEvent table in Microsoft Sentinel?
-
Vinod Pittala • 6,130 Reputation points • Microsoft External Staff • Moderator
2025-07-18T10:59:13.4333333+00:00 Hello Sukhwant Singh Chauhan,
Below is the clarification for your queries.
- Yes, WEF supports both HTTP and HTTPS protocols for log forwarding. However:
- HTTP can be used, but it's not secure and is not recommended for production, especially when forwarding sensitive logs.
- For non-domain joined (workgroup) machines, configuring WEF over HTTP is technically possible, but requires manual configuration of certificates and WinRM settings, and might pose security risks.
- There is no official Microsoft documentation that guarantees a reboot-free setup when configuring HTTPS and certificates for WEF on non-domain machines. However, some community responses suggest that if WinRM and certificates are pre-configured correctly, a reboot might not be necessary. This is not guaranteed and may depend on the OS version and certificate store behavior.
- No, not directly. Logs forwarded via WEC/WEF and ingested through AMA typically land in the WindowsEvent table, not the SecurityEvent table. You can filter and route specific event IDs using XPath queries in the Data Collection Rule (DCR) to control what gets ingested.
- No. Syslog logs collected via AMA are written to the Syslog or CommonSecurityLog tables, depending on the format (e.g., CEF). These logs do not go into the SecurityEvent table, which is reserved for Windows Security logs. There is no supported way to write syslog data directly into SecurityEvent.
- No, Microsoft does not support editing or remapping the SecurityEvent table. It is a system table managed by Microsoft Sentinel and Azure Monitor. However, you can:
- Use Kusto queries to transform and visualize data.
- Create custom tables and use Logic Apps or Data Collection Rules to route and enrich data before ingestion.
If the comment is helpful, please upvote it.
Thanks
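As an added example (not code from any participant in this thread, and not from the linked article), this is the shape of a collector-side subscription that implements what the answer above describes for workgroup machines: source-initiated WEF with the transport set to HTTPS and a non-domain allow list keyed to the issuing CA, rather than plain HTTP. The subscription name, the CA thumbprint placeholder and the selected event IDs are assumptions.

```powershell
# Added example, not from the thread: create a source-initiated WEF subscription on the
# collector (WEC) that accepts workgroup (non-domain) forwarders only over HTTPS, where the
# forwarder authenticates with a client certificate chained to the issuing CA below.
# Run elevated on the WEC server. Placeholders: subscription name, CA thumbprint, event IDs.
$issuerThumbprint = 'REPLACE_WITH_ISSUING_CA_THUMBPRINT'   # placeholder, not a real value

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Workgroup-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events from workgroup machines over HTTPS</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <!-- HTTPS, not HTTP: workgroup forwarders cannot use Kerberos, so the channel relies on
       certificate authentication; plain HTTP would carry the events unencrypted. -->
  <TransportName>HTTPS</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers>
    <AllowedIssuerCAList>
      <IssuerCA>$issuerThumbprint</IssuerCA>
    </AllowedIssuerCAList>
  </AllowedSourceNonDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP 'workgroup-security.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path                   # create the subscription from the XML definition
wecutil gr Workgroup-Security      # runtime status: which sources have connected
```

The collector's WinRM service needs an HTTPS listener with a server certificate (for example via `winrm quickconfig -transport:https`) before any forwarder can connect; events then arrive in the ForwardedEvents log, which is what the AMA-based connector reads.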
-
Sukhwant Singh Chauhan • 0 Reputation points
2025-07-18T12:53:47.4533333+00:00
- Yes, WEF supports both HTTP and HTTPS protocols for log forwarding. However:
- For non-domain joined (workgroup) machines, configuring WEF over HTTP is technically possible, but requires manual configuration of certificates and WinRM settings, and might pose security risks.
Referring to point number 1 above:
a) Technically, how do we configure WEC/WEF with HTTP? Please share some reference document.
b) When you say it requires a certificate, does that mean it will be HTTPS, i.e. secure?
- For an endpoint that sends events over WEC/WEF, would those events be written directly to the SecurityEvent table?
3) No, Microsoft does not support editing or remapping the SecurityEvent table. It is a system table managed by Microsoft Sentinel and Azure Monitor. However, you can:
a) Can logs received in the Syslog or CommonSecurityLog table be mapped to the SecurityEvent table with a DCR, or is Logic Apps a must?
-
Vinod Pittala • 6,130 Reputation points • Microsoft External Staff • Moderator
2025-07-18T16:00:24.9333333+00:00 Hello Sukhwant Singh Chauhan,
This info has been shared as per my knowledge; I couldn't find a document for this.
Technically, how do we configure WEC/WEF with HTTP? Please share some reference document.
For forwarding logs to Microsoft Sentinel, the recommended approach is to utilize a Data Collection Rule (DCR).
Overall, to achieve your goal, you have to leverage the Azure Arc service and follow the outlined steps.
-
Naveena Patlolla • 4,805 Reputation points • Microsoft External Staff • Moderator
2025-07-18T22:51:23.1833333+00:00 Hello Sukhwant Singh Chauhan,
Have you had an opportunity to review the above comment? If the comment is helpful, please upvote it.
-
Sukhwant Singh Chauhan • 0 Reputation points
2025-07-19T05:08:53.6666667+00:00 Please do check with the Microsoft product team to clarify, so that the customer doesn't land in an issue where Microsoft doesn't support the approach below.
a) Technically, how do we configure WEC/WEF with HTTP? Please share some reference document.
b) Even if I follow the link below, it is also not clear: in some places it shows HTTP and in some places it shows HTTPS. https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/forward-on-premises-windows-security-event-logs-to-microsoft-sentinel/3040784
c) Based on your response, I have understood that logs received in the Syslog or CommonSecurityLog table can be mapped to the SecurityEvent table using a DCR.
d) In short, please do get an answer from the Microsoft product team on how to configure WEC/WEF with HTTP, without HTTPS and certificates, for non-domain-joined machines. If it's not supported, just say clearly "No"; it will help the customer to plan on using HTTPS and certificates.
-
Vinod Pittala • 6,130 Reputation points • Microsoft External Staff • Moderator
2025-07-21T14:07:52.8133333+00:00
-
Sukhwant Singh Chauhan • 0 Reputation points
2025-07-23T11:52:41.14+00:00 Hello Vinod,
Please share the update from the product team; it will help to update the customer accordingly.