Forwarded event log

Windows allows events to be forwarded from one host to another. By default, forwarded events are stored in the Windows Logs > Forwarded Events folder, but a different folder can be specified.

You can configure the probe to monitor the forwarded events stored in any forwarded event log folder. Therefore, this probe indirectly supports remote event extraction by allowing you to retrieve events from the Forwarded Events folder.

The following configuration example explains how to set up Windows to forward from one host to another. The events forwarded from the source host (Host B) are sent to the collector host (Host A). A subscription is then configured on Host A that allows you to collect the forwarded events.

Set up event forwarding from Host B

First set up event forwarding from Host B:

  1. Log on to Host B.
  2. Open a command prompt and run the following command:

    winrm quickconfig

  3. When prompted to make changes to the WinRM listener and Windows Firewall, enter Y.

    You will receive a confirmation that these changes were successful.

Set up event collection on Host A

On the collector host (Host A), you need to set up event collection. To do this, enable and start the collector service on the central server.

  1. Log on to Host A.
  2. Open a command prompt and run the following command:

    wecutil qc

  3. When prompted to change the service startup mode, choose Yes.

    You should see a confirmation that the collector service was set up properly.

Create subscriptions to events on Host A

After setting up event forwarding and collection, you need to create subscriptions for the events that you wish to forward to the collector. Subscriptions are set up on the collector host. To set up a subscription, perform the following steps:

  1. Open Server Manager by selecting Start > Administrative Tools > Server Manager.
  2. Expand the Diagnostics > Event Viewer nodes.
  3. Right-click the Subscriptions node and choose Create Subscription.
  4. In the Subscription Properties window, enter the text All Critical and Warning Events in the Subscription Name text box.
  5. Choose the Collector Initiated option. This option instructs the collector to connect to the source computers to gather events.
  6. Click the Select Computers button.
  7. In the Computers window, click the Add domain computers button. Enter the name Host B and click the OK button. Click the OK button in the Computers window to return to the Subscription Properties window.
  8. Click the Select Events button.
  9. Select the Critical and Warning options and then choose all Windows Logs. Then click the OK button.
  10. Click the Advanced button to open the Advanced Subscription Settings window.
  11. Click Machine Account.
  12. Enter a username and password with sufficient access to the event logs on the source computer. Then click the OK button.
  13. Click the OK button two more times to close all windows.

    You will now see the subscription active.

Test the subscription

Finally, test the subscription by creating a warning event on Host B:

  1. Log on to the source computer, Host B.
  2. Open a command prompt and enter the following:

    EVENTCREATE /T Warning /ID 500 /L Application /D "Testing Subscription"

  3. Log on to Host A and open Server Manager.
  4. Click on the Diagnostics > Event Viewer > Windows Logs > Forwarded Events node.

    The warning event you created on Host B should be displayed in the Forwarded Events log on Host A. You may need to click the Refresh button if the event does not appear. There is a short delay between the time an event is logged on a local computer and the time it is forwarded to the collector server.
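The whole procedure above, scripted in PowerShell, as an added example that is not part of the original page or the probe's documentation. Each function is run on the host named in its comment. The host names HostA and HostB, the temporary path for the subscription XML and the 120-second wait are assumptions; the subscription XML is the collector-initiated form that wecutil cs accepts, carrying the same Critical (Level 1) and Warning (Level 3) filter over the Windows Logs that the GUI steps select, and it uses the collector's machine account as the GUI's Machine Account option does.

```powershell
# Added example, not the page's or the probe's own code. Placeholders: HostA (collector), HostB (source).

# --- Run on Host B (source): same effect as "winrm quickconfig" and answering Y ---
function Enable-SourceForwarding {
    # -q answers the prompt. Note what this does: it creates an HTTP WinRM listener on
    # TCP 5985 and adds the matching Windows Firewall exception.
    winrm quickconfig -q
    # Check: the listener should now be listed
    winrm enumerate winrm/config/listener
}

# --- Run on Host A (collector): "wecutil qc" plus the subscription the GUI steps build ---
function Register-CollectorSubscription {
    param(
        [string]$SourceHost = 'HostB',                                # assumption: source computer name
        [string]$SubscriptionName = 'All Critical and Warning Events' # name used in the GUI steps
    )
    # Enable and start the Windows Event Collector service (/q:true answers Yes)
    wecutil qc /q:true

    # Same filter the GUI generates for Critical + Warning in all Windows Logs
    $logs = 'Application', 'Security', 'Setup', 'System'
    $selects = ($logs | ForEach-Object { "<Select Path=`"$_`">*[System[(Level=1 or Level=3)]]</Select>" }) -join "`n      "
    $query = "<QueryList>`n    <Query Id=`"0`">`n      $selects`n    </Query>`n  </QueryList>"

    # Collector-initiated subscription; no <UserName>/<Password> on the EventSource means the
    # collector's machine account is used (a specific user would be given there instead).
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and Warning events from $SourceHost</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$SourceHost</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
    $path = Join-Path $env:TEMP 'wef-subscription.xml'   # assumption: any writable path works
    Set-Content -Path $path -Value $xml -Encoding UTF8
    wecutil cs $path                   # create the subscription from the XML
    wecutil gr $SubscriptionName       # runtime status: the source should show as Active
}

# --- Run on Host B (source): same as the EVENTCREATE test step ---
function New-TestWarning {
    eventcreate /T WARNING /ID 500 /L APPLICATION /D "Testing Subscription"
}

# --- Run on Host A (collector): look for the forwarded event, retrying over the forwarding delay ---
function Wait-ForwardedTestEvent {
    param([string]$SourceHost = 'HostB', [int]$TimeoutSeconds = 120)   # assumption: 120 s is ample
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Get-WinEvent reports "no events found" as an error; silence it and keep polling
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 500; Level = 3 } -ErrorAction SilentlyContinue |
              Where-Object { $_.MachineName -like "$SourceHost*" } | Select-Object -First 1
        if ($ev) { return $ev | Select-Object TimeCreated, MachineName, Id, LevelDisplayName, Message }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    Write-Warning "No forwarded event 500 from $SourceHost within $TimeoutSeconds seconds; check 'wecutil gr' on the collector."
}
```

Run Enable-SourceForwarding on Host B, then Register-CollectorSubscription on Host A, then New-TestWarning on Host B, and finally Wait-ForwardedTestEvent on Host A; the last function returns the forwarded event once it lands in the Forwarded Events log, which is the same log the probe reads.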