Configure Event Log Forwarding in Windows Server 2012 R2
Event Log forwarding was introduced in Windows Server 2008, allowing system administrators to centralize server and client event logs, making it easier to monitor events without having to connect to individual servers. Forwarding uses the DMTF WS-Eventing standard, which is part of the open Web Services-Management (WS-Man) protocol built in to Windows Server as part of the Windows Management Framework (WMF).
In this article, I’ll show you how to set up Event Log forwarding in Windows Server 2012 R2, configuring a source server, and another that acts as a collector. Windows Server 2008 and Vista or later can be configured as event collectors, while Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2 or later are supported sources.
There’s no need to install a collection agent, as Event Log forwarding uses technologies built into Windows Server. One collector can forward to another and process many events per second, making forwarding very scalable. HTTPS is also supported for secure messaging.
How Does Event Log Forwarding Work?
One or more devices can be set up as Event Log collectors. On these devices, you configure subscriptions that pull the desired logs from any number of source computers. No special configuration is required on the source computers, other than that Windows Remote Management (WinRM) should be enabled, the WinRM Windows Firewall exceptions be enabled, and the collector’s computer account must have read permission on the logs you want to subscribe to.
There are variations on this standard configuration, which I won’t discuss in this article, such as configuring push notifications and configuring a user account to authenticate on the source computers. Additionally, if you are working with computers in a workgroup instead of a domain, extra configuration may be required.
Set Up an Event Source Computer
In this demonstration, I’m going to enable Event Log forwarding on a Windows Server 2012 R2 domain controller (CONTOSODC1) and configure a domain member server (CONTOSOSRV1) as a collector.
Enable Windows Remote Management
Let’s start by enabling WinRM on the source domain controller (DC). WinRM is enabled out-of-the-box in Windows Server 2012 and later, but nevertheless, you can check the WinRM configuration on your server by using the following command. All the commands below require you to have local administrative privileges on the server.
If WinRM is not enabled, configure it by running:
TIP: If the Event Log source computer is Windows Server 2012 R2 in Azure, you'll need to run winrm quickconfig, because the default WinRM listener is removed in Windows Server 2012 R2 Azure images.
Configure SecurityBefore a collector can access the Event Log, you will need to add the collector's computer account to the Event Log Readers group. Use the Add-ADGroupMember PowerShell cmdlet as shown below, replacing contososrv1$ with the name of the server that will act as the collector in your domain.
Set Up an Event CollectorNow that our Event Log source server is configured, we need to set up a collector. This is two-step process, first setting the Windows Event Collector service startup mode, followed by creating a subscription to the source server.
Set Up a Subscription in Event ViewerThe easiest way to set up a subscription for the first time is to use the Event Viewer tool.
- Switch to the Start screen, type event and press ENTER to open Event Viewer.
- In Event Viewer, click Subscriptions in the left pane.
- Click Yes in the Event Viewer dialog to start the Windows Event Collector service, and set it to start up automatically.
- In the Actions panel on the right, click Create Subscription.
- In the Subscription Properties dialog, give the new subscription a name.
- Make sure that Collector initiated is selected, and click Select Computers.
- In the Computers dialog, click Add Domain Computers.
- In the Select Computer dialog, type the name of the source computer under Enter the object name to select and click OK.
- The name of the source computer should now appear in the Computers dialog. Make sure it is selected, and click Test. You should receive a Connectivity test succeeded message if the collector is able to connect to the specified source using WinRM.
- Click OK in the Computers dialog.
- In the Subscription Properties dialog, click Select Events.
- In the Query Filter dialog on the Filter tab, check the Critical, Security, Warning, Error, and Information Event level boxes.
- Check By log, and then click the drop-down menu to the right.
- In the drop-down menu, check Windows Logs.
- Click OK to close the Query Filter dialog.
- Click OK in the Subscription Properties dialog to complete the process.
Security Event Log Forwarding on Domain ControllersIf you want to forward events from the Security Event Log of a domain controller, you'll need to change the permissions so that the Network Service account has channel access permissions to the Security Event Log. Log on to the domain controller as domain administrator, open a command or PowerShell prompt, and run the command below to determine the current channel access permissions:
The Security Identifier (SID) for the Network Service account is S-1-5-20, so we need to add it to the SDDL as shown here using wevutil set-log command with the /ca (channel access) parameter to give the account read permission on the Security Event Log:
More in Windows Server 2012
Microsoft Acknowledges New Netlogon Issues On Windows Server Machines
Feb 25, 2022 | Rabia Noureen
How to Fully Patch the PrintNightmare Vulnerability
Jul 9, 2021 | Brad Sams
Understanding Windows Server 2016’s Disaster Recovery Features
Aug 29, 2018 | Michael Otey
What Are Shared Virtual Hard Disk Sets on Windows Server 2016 Hyper-V?
May 26, 2017 | Aidan Finn
What Is the Storage Resiliency of Windows Server 2016?
May 25, 2017 | Aidan Finn
SCARY: “Atom Bomb” Windows Security Hole said to be Unfixable
Oct 31, 2016 | Richi Jennings
Most popular on petri