Configure Event Log Forwarding in Windows Server 2012 R2

Event Log forwarding was introduced in Windows Server 2008, allowing system administrators to centralize server and client event logs, making it easier to monitor events without having to connect to individual servers. Forwarding uses the DMTF WS-Eventing standard, which is part of the open Web Services-Management (WS-Man) protocol built into Windows Server as part of the Windows Management Framework (WMF).

In this article, I’ll show you how to set up Event Log forwarding in Windows Server 2012 R2, configuring a source server, and another that acts as a collector. Windows Server 2008 and Vista or later can be configured as event collectors, while Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2 or later are supported sources.

There’s no need to install a collection agent, as Event Log forwarding uses technologies built into Windows Server. One collector can forward to another and process many events per second, making forwarding very scalable. HTTPS is also supported for secure messaging.

How Does Event Log Forwarding Work?

One or more devices can be set up as Event Log collectors. On these devices, you configure subscriptions that pull the desired logs from any number of source computers. No special configuration is required on the source computers, other than that Windows Remote Management (WinRM) must be enabled, the WinRM Windows Firewall exceptions must be enabled, and the collector’s computer account must have read permission on the logs you want to subscribe to.

There are variations on this standard configuration, which I won’t discuss in this article, such as configuring push notifications and configuring a user account to authenticate on the source computers. Additionally, if you are working with computers in a workgroup instead of a domain, extra configuration may be required.

Set Up an Event Source Computer

In this demonstration, I’m going to enable Event Log forwarding on a Windows Server 2012 R2 domain controller (CONTOSODC1) and configure a domain member server (CONTOSOSRV1) as a collector.

Enable Windows Remote Management

Let’s start by enabling WinRM on the source domain controller (DC). WinRM is enabled out-of-the-box in Windows Server 2012 and later, but nevertheless, you can check the WinRM configuration on your server by using the following command. All the commands below require you to have local administrative privileges on the server.

Check the state of WinRM in Windows Server 2012 R2 (Image Credit: Russell Smith)
If WinRM is not enabled, configure it by running:

TIP: If the Event Log source computer is Windows Server 2012 R2 in Azure, you'll need to run winrm quickconfig, because the default WinRM listener is removed in Windows Server 2012 R2 Azure images.

Configure Security

Before a collector can access the Event Log, you will need to add the collector's computer account to the Event Log Readers group. Use the Add-ADGroupMember PowerShell cmdlet as shown below, replacing contososrv1$ with the name of the server that will act as the collector in your domain.
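The two source-side steps above (check or enable WinRM, then grant the collector's computer account read access) as one script. This is an added example, not the article's own commands: it assumes the source is the domain controller CONTOSODC1 and the collector is CONTOSOSRV1 (both names from the article), that it runs in an elevated PowerShell prompt on the source, and that the ActiveDirectory module is available there.

```powershell
# Added example: prepare the Event Log source (CONTOSODC1) for a collector.
# Assumed names: collector CONTOSOSRV1; run elevated on the source server.
$Collector = 'CONTOSOSRV1'

# 1. WinRM service state and start mode. Win32_Service is used because
#    Get-Service on PowerShell 4.0 (the 2012 R2 default) has no StartType.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"
"WinRM service: {0}, start mode: {1}" -f $svc.State, $svc.StartMode

# 2. A listener must exist (2012 R2 Azure images ship without one, see the
#    TIP above). winrm quickconfig creates the HTTP listener, sets the service
#    to start automatically and enables the WinRM firewall exception.
$listeners = winrm enumerate winrm/config/listener
if ($svc.State -ne 'Running' -or -not ($listeners -match 'Transport = HTTP')) {
    Write-Host 'WinRM is not ready; running winrm quickconfig'
    winrm quickconfig -q
}

# 3. Confirm the WinRM firewall exceptions are enabled for the domain profile.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    Select-Object DisplayName, Enabled, Profile

# 4. Add the collector's computer account (SamAccountName ends with $) to the
#    Event Log Readers group, then verify the membership really took.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Event Log Readers' -Members "$Collector`$"

$members = Get-ADGroupMember -Identity 'Event Log Readers' |
    Select-Object -ExpandProperty SamAccountName
if ($members -contains "$Collector`$") {
    "OK: $Collector`$ is a member of Event Log Readers"
} else {
    throw "$Collector`$ was not added to Event Log Readers"
}

# 5. Exercise the WS-Man endpoint the collector will talk to.
Test-WSMan -ComputerName $env:COMPUTERNAME
```

On a domain controller, Event Log Readers is the domain's built-in group, which is why Add-ADGroupMember is the right cmdlet here; on a member server used as a source, the group is local to that machine and you would add the collector account to the local group instead. The membership takes effect on the source after its computer account refreshes its Kerberos ticket, so a reboot of the collector (or waiting for ticket renewal) is sometimes needed before the connectivity test in Event Viewer succeeds.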

Set Up an Event Collector

Now that our Event Log source server is configured, we need to set up a collector. This is a two-step process: first setting the Windows Event Collector service startup mode, followed by creating a subscription to the source server.

Set Up a Subscription in Event Viewer

The easiest way to set up a subscription for the first time is to use the Event Viewer tool.
  • Switch to the Start screen, type event and press ENTER to open Event Viewer.
  • In Event Viewer, click Subscriptions in the left pane.
  • Click Yes in the Event Viewer dialog to start the Windows Event Collector service, and set it to start up automatically.
Note that you can perform the above configuration from the command line by typing wecutil qc.
Set up a new subscription in Event Viewer (Image Credit: Russell Smith)
  • In the Actions panel on the right, click Create Subscription.
  • In the Subscription Properties dialog, give the new subscription a name.
  • Make sure that Collector initiated is selected, and click Select Computers.
  • In the Computers dialog, click Add Domain Computers.
  • In the Select Computer dialog, type the name of the source computer under Enter the object name to select and click OK.
  • The name of the source computer should now appear in the Computers dialog. Make sure it is selected, and click Test. You should receive a Connectivity test succeeded message if the collector is able to connect to the specified source using WinRM.
  • Click OK in the Computers dialog.
  • In the Subscription Properties dialog, click Select Events.
Create a query filter for the subscription (Image Credit: Russell Smith)
  • In the Query Filter dialog on the Filter tab, check the Critical, Security, Warning, Error, and Information Event level boxes.
  • Check By log, and then click the drop-down menu to the right.
  • In the drop-down menu, check Windows Logs.
  • Click OK to close the Query Filter dialog.
  • Click OK in the Subscription Properties dialog to complete the process.
See Forwarded Events in the Event Viewer console in Windows Server 2012 R2 (Image Credit: Russell Smith)
You should now see the new subscription appear in the central pane of Event Viewer. It can take up to 15 minutes for events from the source computer to start appearing on the collector, and events from the source appear in Forwarded Events under Windows Logs. You can kick-start the process by creating an event from the command line on the source computer:
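The same collector setup done from the command line with wecutil instead of the Event Viewer wizard, so it can be scripted and repeated. This is an added example, not the article's own configuration: it assumes the collector is CONTOSOSRV1, the source is CONTOSODC1 in a contoso.com domain, and the subscription name ContosoWindowsLogs is made up for this example. The XML follows the wecutil subscription schema; the query selects the same Windows Logs and event levels as the wizard steps above.

```powershell
# Added example: build the collector (CONTOSOSRV1) with wecutil. Assumed
# names: source contosodc1.contoso.com, subscription ContosoWindowsLogs.
$Source           = 'contosodc1.contoso.com'
$SubscriptionName = 'ContosoWindowsLogs'
$XmlPath          = Join-Path $env:TEMP "$SubscriptionName.xml"

# 1. Equivalent of clicking Yes in Event Viewer: start the Windows Event
#    Collector service and set it to start automatically, without prompting.
wecutil qc /q:true

# 2. Collector-initiated subscription matching the wizard: Windows Logs
#    (Application, Security, System), all levels, into ForwardedEvents.
#    Level 0 is included because Security audit events are logged at level 0.
$levels = '(Level=0 or Level=1 or Level=2 or Level=3 or Level=4)'
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows Logs from $Source</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Application">*[System[$levels]]</Select>
        <Select Path="Security">*[System[$levels]]</Select>
        <Select Path="System">*[System[$levels]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$Source</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
Set-Content -Path $XmlPath -Value $subscription -Encoding UTF8

# 3. Create the subscription, then check the per-source runtime status.
#    A source that cannot be reached over WinRM shows up here as inactive
#    with the last error, which is the first place to look when nothing arrives.
wecutil cs $XmlPath
wecutil gr $SubscriptionName

# 4. Forwarding on a quiet source can take up to 15 minutes to start. To
#    kick-start it, raise a test event on the source (run this on CONTOSODC1;
#    the source name and ID are chosen for this example):
#    eventcreate /T INFORMATION /ID 100 /L APPLICATION /SO ForwardingTest /D "Forwarding test"
#    ... then read the newest forwarded events back here on the collector.
wevtutil qe ForwardedEvents /c:5 /rd:true /f:text
```

Normal configuration mode batches events and delivers them within about 15 minutes, which is the delay the text describes; switching ConfigurationMode to MinLatency shortens that for a detection use case at the cost of more frequent WinRM sessions. TransportName HTTP is the WinRM default described in the article; the same XML with HTTPS requires a certificate-backed listener on each source.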

Security Event Log Forwarding on Domain Controllers

If you want to forward events from the Security Event Log of a domain controller, you'll need to change the permissions so that the Network Service account has channel access permissions to the Security Event Log.
Configure channel access to the Security Event Log on a domain controller (Image Credit: Russell Smith)
Log on to the domain controller as domain administrator, open a command or PowerShell prompt, and run the command below to determine the current channel access permissions:

The Security Identifier (SID) for the Network Service account is S-1-5-20, so we need to add it to the SDDL as shown here, using the wevtutil set-log command with the /ca (channel access) parameter to give the account read permission on the Security Event Log:
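The read-then-append procedure described here as a script that is safe to re-run. This is an added example, not the article's own command: it reads the current channel access descriptor from wevtutil gl (get-log), appends a read ACE for S-1-5-20, and writes it back with wevtutil sl (set-log) /ca. The ACE string is built from the facts in the text (allow, read = 0x1, SID S-1-5-20); the parsing of the wevtutil output is my assumption about its "name: value" line format.

```powershell
# Added example: grant NETWORK SERVICE (S-1-5-20) read access to the Security
# log channel on a domain controller. Run elevated on the DC (CONTOSODC1).
$Channel = 'Security'
$ReadAce = '(A;;0x1;;;S-1-5-20)'   # A = allow, 0x1 = read, NETWORK SERVICE SID

# Helper: pull the channelAccess SDDL out of "wevtutil gl <channel>" output,
# which prints one "name: value" line per setting (assumed format).
function Get-ChannelAccessSddl([string]$Name) {
    (wevtutil gl $Name | Where-Object { $_ -match '^\s*channelAccess:' }) `
        -replace '^\s*channelAccess:\s*', ''
}

# 1. Record the current descriptor before changing anything.
$sddl = Get-ChannelAccessSddl $Channel
"Current SDDL: $sddl"

# 2. Only append the ACE if NETWORK SERVICE is not already in the ACL.
if ($sddl -match 'S-1-5-20') {
    "NETWORK SERVICE already present in the $Channel channel ACL; no change made"
} else {
    # /ca: replaces the whole descriptor, so the existing ACEs are kept by
    # appending to them rather than writing a fresh SDDL.
    $newSddl = $sddl + $ReadAce
    wevtutil sl $Channel "/ca:$newSddl"
    "Updated SDDL: " + (Get-ChannelAccessSddl $Channel)
}
```

Keep the "Current SDDL" line from the first run somewhere safe; it is the only record of the original descriptor should the change need reverting. If the domain applies the "Configure log access" Group Policy setting for the Security log, that policy value wins over whatever wevtutil writes, so the ACE has to be added to the policy's SDDL instead. Read access here is to the whole Security log, which on a domain controller contains every domain logon and directory change, so the collector this enables is itself a high-value log source worth protecting and monitoring.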