Help with setting up Windows Event Forwarder

I worked with a Cribl sales engineer to try and get WEF working as a data source. Neither of us has been able to figure out what the issue is and I’m looking for help to determine what I’m missing.

I went through the WEF guide (Windows Event Forwarder | Cribl Docs) and everything appears to be connected correctly. Permissions for logs and certs are all set correctly on the endpoints, and we’re trying to get security logs pushed. In Cribl logs, I can see the endpoints connecting to Cribl but no data is being sent. Here is what I see in the Cribl source logs:
2022-05-04T15:13:43.210
{time:"2022-05-04T15:13:43.210Z", cid:"w0", channel:"input:WEF", level:"debug", message:"closed tcp socket connection"}

2022-05-04T15:13:43.150
{time:"2022-05-04T15:13:43.150Z", cid:"w0", channel:"input:WEF", level:"debug", message:"new tcp socket connection"}

2022-05-04T15:12:45.298
{time:"2022-05-04T15:12:45.298Z", cid:"w0", channel:"input:WEF", level:"debug", message:"closed tcp socket connection"}

2022-05-04T15:12:45.234
{time:"2022-05-04T15:12:45.234Z", cid:"w0", channel:"input:WEF", level:"debug", message:"new tcp socket connection"}

The connect and close cycles repeat every 10~20 seconds. Our firewalls are showing that the connection is being closed by the client, and that no other connections are being blocked or intercepted. I’m pretty sure that I’m missing something on the endpoints but I have no idea what. I thought it might be that we’re not using a WEC but the sales engineer said that we should be able to push directly from the endpoints to Cribl Cloud.

Guy - you will probably want to talk to Cribl support for this issue. They should be able to help get you configured. - Working with Cribl Support | Cribl Docs