How does Windows Event forwarding work with non domain computers? (certificates)

In researching this question I've looked at the following documents, and none of them describe the options or flexibility of the event collector service.

  • Microsoft's Event Collector Service on Technet (too procedural, I'm just looking for how it works)
  • Microsoft/MSDN Source initiated Subscription (again not an overview of how it works)
  • This configuration guide by a 3rd party (omits non-domain computers)

The scenario I'm trying to address is:

  • Many non-domain computers need to send events to a central server for analysis and reporting
  • The preferred transport is HTTP or HTTPS
  • The service needs to authenticate before sending with either a username/password or a certificate
  • The server must allow for up to 1,000 usernames or certificates to control who can forward events. The server must be able to determine who sent the event.
  • Users can't "fake" an event for another user co-located on the same aggregate server

I suppose I can use Fiddler to figure out how the server actually works, and write my own HTTP responder to handle these responses (and use my app instead of WinRM to receive the data), but handling non-domain connected machines is not documented clearly.

Could anyone help me understand how non-domain scenarios work, what the certificate should look like (EKU, etc.), and ideally what is required to use my own code in place of the default WinRM?

Solution 1:

The Web Services Management Protocol Extensions for Windows Vista protocol documentation is what you're looking for if you really want to use your own code in place of WinRM. It looks like a non-trivial protocol to implement.

Solution 2:

I'm also in a similar situation. I found this MSDN page that talks about setting up collectors in non-domain situations:

https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx