How To Set Up Windows Event Log Forwarding In Windows Server 2016

In this Snip, Matt demonstrates how to set up a Windows Server 2016 machine as an Event Log Collector. The collector will reach out to an Event Source Computer and collect its forwarded events through an Event Subscription.

In this snip, I'm going to show you how to set up Windows event log forwarding in Windows Server 2016. I have two computers set up that I'll be using for this demo: a server called ProGet, which will be my event forwarder, and another server called Otter, which will be my collector.

First, I'm going to go to the server that I want to be my event forwarder machine. This machine's events will be forwarded to my collector. I want to make sure that WinRM is enabled by running winrm quickconfig. As you can see, the WinRM service is already running. If it is not running on your machine, just type Y for yes and hit Enter to enable WinRM.

Now that that is complete, let's go into Computer Management. Under Computer Management, expand Local Users and Groups. Click on Groups and open up Event Log Readers. The group is currently empty. For event forwarding to work properly, we will need to put in either the machine account for the computer that will be functioning as the event collector or a domain account that the collector will be running under. For this demo, I will be using the machine account for my collector. The server that will be running as my collector is called Otter, so I'm going to click on Add, then click on Object Types. Here, I want to make sure that Computers is checked off. Now I'm going to type the name of my collector and click Check Names to verify the computer name. Now click OK, and OK again. Now the collector has access to read the event logs.

Let's switch over to the collector computer to set up the subscription. I am now on my server called Otter. In the Event Viewer window, on the left-hand side, click on Subscriptions. Right-click Subscriptions and click Create Subscription. Give the subscription a name; I'm going to call mine "ProGet Events". For Destination Log, I'm going to select Forwarded Events. Under Subscription Type there are two options: Collector Initiated and Source Computer Initiated.

Collector initiated means that the collector computer will reach out to the server or servers to collect the forwarded events. Source computer initiated means that the forwarding computers will contact the collector computer to forward events. Collector initiated would work well in smaller-scale scenarios where there is a small, manageable number of forwarding computers. Source computer initiated would help lower the strain on the collector in scenarios where there are a large number of forwarding computers, since the forwarding computers would be initiating the forwarding instead of the collector. For this demo, I'm going to use Collector Initiated and click on Select Computers. Now I'm going to click on Add Domain Computers. I'm going to type in the name of my forwarding computer and click Check Names. When I click OK, you can see my ProGet computer in the list of computers. I'm going to click Test to test the connection. Once the test succeeds, I'm going to click OK, then OK again.

Under Events to Collect, click on Select Events. Here you can choose exactly what kind of events you want to collect. I'm going to select Critical, Warning, Error and Information. In the Event Logs dropdown, select which logs you would like to collect; I'm going to select Windows Logs. I'm going to leave the rest of the fields blank, but you may want to filter the logs down even more. Click OK to save those settings. If you click on Advanced, this is where you would specify either the machine account or a specific user for accessing the remote logs. I'm using the machine account, so I'm going to keep that selected. The Event Delivery Optimization options specify the frequency of event delivery to the collector: the Normal option will get events every 15 minutes and does not conserve bandwidth; Minimize Bandwidth will limit the frequency of network connections and uses a heartbeat interval of 6 hours; and finally, Minimize Latency will ensure that events are delivered most frequently.

Events will be delivered every 30 seconds or so. This option is good if you are collecting critical, time-sensitive events. For the purpose of this demo, I'm going to select Minimize Latency so I don't have to wait around 15 minutes for events to start coming in. Now we have a subscription activated. Forwarded events will start coming in under Windows Logs, Forwarded Events. There is a single event in here, but let's run a command that will add an event to the Application log and watch it come into the collector. I can see at the top of the window that I have a new event available, so I'm going to hit Refresh. Here we can see our forwarded event from our ProGet server. And that is how to set up Windows event log forwarding in Windows Server 2016.
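The same procedure scripted end to end, as an added PowerShell example that is not part of the original snip: it keeps the page's two hosts, ProGet (forwarder) and Otter (collector), but assumes a domain name CORP and DNS suffix corp.example (placeholders), and creates the subscription from a wecutil XML file instead of the Event Viewer wizard.

```powershell
# --- On the forwarder (ProGet) ---
# Make sure WinRM is listening; -q answers the prompts so it runs unattended.
winrm quickconfig -q

# Let the collector's machine account read the logs. The "$" suffix denotes a
# computer account; CORP is an assumed domain name, replace it with your own.
Add-LocalGroupMember -Group "Event Log Readers" -Member "CORP\OTTER$"

# --- On the collector (Otter) ---
# Start the Windows Event Collector service and set it to start automatically.
wecutil qc /q

# Collector-initiated subscription: critical, error, warning and information
# events (levels 1-4) from the Application, System and Security logs, delivered
# in MinLatency mode (about every 30 s) into the ForwardedEvents log.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ProGet Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Forwarded events from the ProGet server</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]</Select>
        <Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]</Select>
        <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>proget.corp.example</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
Set-Content -Path "$env:TEMP\proget-events.xml" -Value $subscription -Encoding UTF8

# Create the subscription from the file, then confirm the source shows as Active.
wecutil cs "$env:TEMP\proget-events.xml"
wecutil gr "ProGet Events"

# --- Back on the forwarder: write a test event to the Application log ---
eventcreate /L APPLICATION /T INFORMATION /ID 1000 /SO "WEFTest" /D "Test event for forwarding"
```

After the test event is written, it should appear in Windows Logs, Forwarded Events on Otter within the MinLatency delivery window; if wecutil gr reports the source as Inactive, recheck WinRM on the forwarder and the Event Log Readers membership.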