Last Update: Sep 04, 2024 | Published: Mar 25, 2015
Event Log forwarding was introduced in Windows Server 2008, allowing system administrators to centralize server and client event logs, making it easier to monitor events without having to connect to individual servers. Forwarding uses the DMTF WS-Eventing standard, which is part of the open Web Services-Management (WS-Man) protocol built into Windows Server as part of the Windows Management Framework (WMF).
In this article, I’ll show you how to set up Event Log forwarding in Windows Server 2012 R2, configuring one server as an event source and another as a collector. Windows Server 2008 and Vista or later can be configured as event collectors, while Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2 or later are supported sources.
There’s no need to install a collection agent, as Event Log forwarding uses technologies built into Windows Server. One collector can forward to another and process many events per second, making forwarding very scalable. HTTPS is also supported for secure messaging.
One or more devices can be set up as Event Log collectors. On these devices, you configure subscriptions that pull the desired logs from any number of source computers. No special configuration is required on the source computers, other than that Windows Remote Management (WinRM) must be enabled, the WinRM Windows Firewall exceptions must be enabled, and the collector’s computer account must have read permission on the logs you want to subscribe to.
There are variations on this standard configuration, which I won’t discuss in this article, such as configuring push notifications and configuring a user account to authenticate on the source computers. Additionally, if you are working with computers in a workgroup instead of a domain, extra configuration may be required.
In this demonstration, I’m going to enable Event Log forwarding on a Windows Server 2012 R2 domain controller (CONTOSODC1) and configure a domain member server (CONTOSOSRV1) as a collector.
Let’s start by enabling WinRM on the source domain controller (DC). WinRM is enabled out-of-the-box in Windows Server 2012 and later, but nevertheless, you can check the WinRM configuration on your server by using the following command. All the commands below require you to have local administrative privileges on the server.
If WinRM is not enabled, configure it by running:
TIP: If the Event Log source computer is Windows Server 2012 R2 in Azure, you'll need to run winrm quickconfig, because the default WinRM listener is removed in Windows Server 2012 R2 Azure images.
Configure Security
Before a collector can access the Event Log, you will need to add the collector's computer account to the Event Log Readers group. Use the Add-ADGroupMember PowerShell cmdlet as shown below, replacing contososrv1$ with the name of the server that will act as the collector in your domain.
Set Up an Event Collector
Now that our Event Log source server is configured, we need to set up a collector. This is a two-step process: first setting the Windows Event Collector service startup mode, followed by creating a subscription to the source server.
Set Up a Subscription in Event Viewer
The easiest way to set up a subscription for the first time is to use the Event Viewer tool.
Security Event Log Forwarding on Domain Controllers
If you want to forward events from the Security Event Log of a domain controller, you'll need to change the permissions so that the Network Service account has channel access permissions to the Security Event Log. Log on to the domain controller as a domain administrator, open a command or PowerShell prompt, and run the command below to determine the current channel access permissions:
The Security Identifier (SID) for the Network Service account is S-1-5-20, so we need to add it to the SDDL as shown here, using the wevtutil set-log command with the /ca (channel access) parameter to give the account read permission on the Security Event Log:
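The whole procedure above (WinRM check on the source, Event Log Readers membership for the collector, Network Service read access on the Security channel, and the collector service startup mode), as an added PowerShell example that is not the article's own command listing. It assumes the host names CONTOSODC1 and CONTOSOSRV1 from the article, that the ActiveDirectory module is installed on the DC, and that each part is run from an elevated prompt on the host named in its comment.

```powershell
# Added example; assumes source DC = CONTOSODC1, collector = CONTOSOSRV1.

# ---- Part 1: run on the source domain controller (CONTOSODC1) ----

# Test-WSMan against the local host fails when no WinRM listener exists;
# winrm quickconfig creates the listener and firewall exception (needed on
# Azure 2012 R2 images, where the default listener is removed).
if (-not (Test-WSMan -ErrorAction SilentlyContinue)) {
    winrm quickconfig -q
}

# Give the collector's computer account read access to the event logs by
# adding it to the Event Log Readers group (skip if already a member).
$collector = 'CONTOSOSRV1$'
$readers   = 'Event Log Readers'
$isMember  = Get-ADGroupMember -Identity $readers |
             Where-Object { $_.SamAccountName -eq $collector }
if (-not $isMember) {
    Add-ADGroupMember -Identity $readers -Members $collector
}

# Grant Network Service (S-1-5-20) read access (0x1) on the Security channel
# by appending an ACE to the current channel-access SDDL rather than
# replacing the existing entries.
function Grant-NetworkServiceSecurityLogRead {
    $ace  = '(A;;0x1;;;S-1-5-20)'
    $line = wevtutil gl Security | Select-String '^\s*channelAccess:\s*(.+)$'
    $sddl = $line.Matches[0].Groups[1].Value.Trim()
    if ($sddl -like "*$ace*") {
        return $sddl            # already granted; leave the SDDL untouched
    }
    $newSddl = $sddl + $ace
    wevtutil sl Security /ca:$newSddl
    return $newSddl
}
Grant-NetworkServiceSecurityLogRead

# ---- Part 2: run on the collector (CONTOSOSRV1) ----

# wecutil qc sets the Windows Event Collector service (Wecsvc) to start
# automatically and starts it; /q suppresses the confirmation prompt.
wecutil qc /q
Get-CimInstance Win32_Service -Filter "Name='Wecsvc'" |
    Select-Object Name, State, StartMode
```

The subscription itself is still created in Event Viewer (or with wecutil) after Part 2, as described in the section above.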