There are several steps that you must take to enable event forwarding from one machine to another. You will need to configure both the forwarder and the collector with the appropriate settings. Event forwarding uses the HTTP or HTTPS protocol, so it is easy to accommodate in the firewall configuration: you will probably need to allow the HTTP flow between the forwarder and the collector. Another important step is enabling the Windows Event Collector and Windows Remote Management services on both machines. I will configure both machines from the beginning:
Open a command prompt with administrative credentials and type in the following:
You will then need to add the computer account of the collector machine to the local Event Log Readers group. The group can be found in Computer Management:
If you want to enable event forwarding on multiple machines, I recommend that you use a GPO and run a local script on all machines. You can use the following command to add the computer account of the collector machine to the local group:
net localgroup "Event Log Readers" <COLLECTOR_COMPUTER_ACCOUNT> /add, where <COLLECTOR_COMPUTER_ACCOUNT> is a placeholder for the collector's computer account name
The computer account has been added to the specified group:
Collector machine – open a command prompt with administrative credentials and type wecutil qc. When prompted, press Y to configure the Windows Event Collector service:
Now we'll need to create a subscription. Open the Event Viewer console, navigate to the Subscriptions node and click the Create Subscription button on the right side of the window:
There are two types of subscriptions, collector initiated and source computer initiated; choose the one that suits your needs better. You'll have to select which events are sent to the collector computer and, if desired, you can customize the advanced options (which protocol is used to send events, who has read access, and the overall bandwidth consumption):
If you've chosen HTTPS as the transport method for events, you will need to deploy computer certificates from the local CA on the forwarding machine. You will also need to create the appropriate firewall rules for port 443 and configure WinRM for HTTPS transport (open a command prompt and type winrm quickconfig -transport:https). The collector computer must trust the enterprise CA, and the subscription's advanced options must be configured to accept HTTPS transport.
Event subscriptions are checked every 15 minutes; if you want to change this value, type wecutil ss "Subscription_name" /cm:custom and then wecutil ss "Subscription_name" /hi:6000 at the command prompt. The value 6000 is equivalent to 1 minute.
These are the steps you need to take to enable event forwarding between two machines. I hope you've understood the principles behind this technology; if anything is unclear, leave a comment and I will try to respond as soon as possible. Wish you all the best and have a great day!