# WELI via NXLog

This article is meant as a companion to the main [Windows Event Log Ingestion (WELI) article](/configuration/coverage/network-identities-weli/windows-event-log-ingestion-weli.md) and gives configuration advice for using WELI with an NXLog forwarding agent on Windows domain controller(s).

Windows event log ingestion allows Vectra to ingest Microsoft Windows security event logs to drive Privileged Access Analytics (PAA) detections. This feature complements the coverage obtained from network traffic and also provides Host-ID information for the IP-to-host mappings observed in the event logs. Vectra ingests two Windows security event IDs: 4768 (Ticket Granting Ticket) and 4769 (Ticket Granting Service). Further, only successful events are ingested. Any other Windows security event IDs sent to the Vectra Brain will be discarded.

Make sure that Security Audit Logging is enabled on every Domain Controller. [Follow Microsoft documentation.](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings)

Both events are under Account Logon:\
Event 4768 - Audit Kerberos Authentication Service\
Event 4769 - Audit Kerberos Service Ticket Operations

With the option to receive XML over TCP, Vectra supports different sources that send Windows event logs in XML format to the Brain. One such system is the NXLog agent. This article describes the steps required to set up Windows event log ingestion using NXLog.

Enabling Windows log ingestion in the Vectra UI:

* To configure WELI, navigate in your Vectra UI to *Configuration → COVERAGE → Data Sources*. From there select *Network → Network Identities* and then edit the **Windows Event Log Ingestion** settings.
* Select ‘Raw TCP’ from the ‘Type’ dropdown.
* Enter the IP address or domain name of the domain controller sending the logs. Add an entry for each additional domain controller.
* Click the Save button.

![](/files/XH0o3HenPny877r6ouvF)

Enabling forwarding on NXLog:

* Install NXLog on the domain controllers. The NXLog Community Edition can be downloaded from <https://nxlog.co/products/nxlog-community-edition/download>.
* Download the attached ‘nxlog.conf’ file. Modify the ‘Host’ under the `<Output>` section to the IP address of the Brain.
* Open Services and start NXLog (or restart it if NXLog is already running).
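For readers who cannot use the attached file, the following is an added example of a minimal NXLog Community Edition configuration that sends only successful 4768/4769 events from the Security log to the Brain as newline-delimited XML over TCP; it is not the attached ‘nxlog.conf’ and not Vectra's own configuration. It assumes NXLog is installed under `C:\Program Files (x86)\nxlog`, that the Brain IP is `192.0.2.10` (placeholder), and that `BRAIN_PORT` is replaced with the TCP port the Brain's Raw TCP listener expects (placeholder value shown).

```nxlog
## Added example (not the attached nxlog.conf). Assumptions: install path,
## Brain address 192.0.2.10 and the listener port are placeholders.
define ROOT C:\Program Files (x86)\nxlog
define BRAIN_HOST 192.0.2.10
## Placeholder: set to the port the Brain's Raw TCP listener expects.
define BRAIN_PORT 1514

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

## xm_xml provides to_xml(), which serialises each event record to XML.
<Extension xml>
    Module  xm_xml
</Extension>

<Input security_kerberos>
    Module  im_msvistalog
    ## Filter at the source: only 4768/4769 carrying the Audit Success
    ## keyword (0x20000000000000 = 9007199254740992). Failures and other
    ## event IDs would be discarded by the Brain anyway, so dropping them
    ## here keeps the TCP stream small and easy to inspect.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[(EventID=4768 or EventID=4769) and band(Keywords,9007199254740992)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    ## Defence in depth: drop anything the query did not filter, then
    ## build the XML payload the Brain expects.
    Exec    if not ($EventID IN (4768, 4769)) drop();
    Exec    to_xml();
</Input>

## The 'Host' here is the value the article tells you to change.
<Output brain>
    Module      om_tcp
    Host        %BRAIN_HOST%
    Port        %BRAIN_PORT%
    OutputType  LineBased
</Output>

<Route kerberos_to_brain>
    Path    security_kerberos => brain
</Route>
```

After restarting the NXLog service, check `%ROOT%\data\nxlog.log` for connection errors to the Brain and confirm in the Vectra UI that the domain controller appears as a source before relying on PAA detections from it.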

As security events are logged, they are forwarded to the Vectra Brain and processed for detections and Host-ID.

**Note:** Service names are not reported in Windows event logs; instead, unique security identifiers (SIDs) are reported, which subsequently map to a unique service. SID values will be reported as the service in Vectra metadata sent to Recall and Stream and in Privilege Access Anomaly Detections reported in Detect. Analysts can use tools like PsGetSid or PowerShell to perform SID look-ups where necessary.

### Attachments

{% file src="/files/Kwusknaw2BGTrvsILdlG" %}
