How to Set Up Windows Server 2016 Event Log Forwarding
Windows Event Log Forwarding (WEF) allows you to collect event logs from multiple Windows computers and consolidate them on a central collector server. This is critical for centralized security monitoring, compliance, and SIEM integration without deploying agent software. WEF uses the Windows Remote Management (WinRM) protocol and the Windows Event Collector (WecSvc) service.
Architecture Overview
- Event Sources: Windows computers that send event logs.
- Event Collector: The server that receives and stores forwarded events in the ForwardedEvents log.
- Subscription: Defines which events to collect and from which computers.
- Transport: Uses WinRM over HTTP (port 5985) or HTTPS (port 5986).
Step 1: Configure the Collector Server
On the collector server, start the Windows Event Collector service and configure it:
wecutil qc /q
Enable and start the service:
Set-Service -Name Wecsvc -StartupType Automatic
Start-Service -Name Wecsvc
Step 2: Configure WinRM on Source Computers
WinRM must be enabled on all source computers. Use Group Policy or PowerShell:
Enable-PSRemoting -Force
winrm quickconfig -q
Or open the firewall port via Group Policy at:
Computer Configuration > Windows Settings > Security Settings > Windows Firewall > Inbound Rules, allowing WinRM on port 5985.
Or create the same inbound rule locally with PowerShell:
New-NetFirewallRule -DisplayName "WinRM-HTTP" -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow
Step 3: Add the Collector to the Event Log Readers Group via GPO
The collector computer account must be a member of the Event Log Readers group on source computers. Configure via GPO:
Computer Configuration > Windows Settings > Security Settings > Restricted Groups
Add the collector’s computer account (DOMAIN\CollectorServer$) to “Event Log Readers”.
Or add locally on source computers:
Add-LocalGroupMember -Group "Event Log Readers" -Member "CORP\CollectorServer$"
Step 4: Configure WinRM Listener via GPO
Ensure WinRM auto-starts on all sources via GPO:
Computer Configuration > Preferences > Windows Settings > Services > Set WinRM to Automatic.
The equivalent registry value (what the "Allow remote server management through WinRM" policy sets) can be written directly:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowAutoConfig" -Value 1 -Type DWord
Step 5: Create an Event Subscription (XML Method)
Create an XML subscription file defining which events to collect:
wecutil cs C:\Subscriptions\SecurityEvents.xml
The XML subscription file (SecurityEvents.xml) should look like this (the query is wrapped in the QueryList structure wecutil expects; the Security log path is taken from the subscription's purpose):
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collect Security Events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>20</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
Step 6: Manage Subscriptions
List all subscriptions:
wecutil es
View subscription status:
wecutil gr SecurityEvents
Retry all sources in a subscription:
wecutil rs SecurityEvents
Delete a subscription:
wecutil ds SecurityEvents
Step 7: View Forwarded Events
Get-WinEvent -LogName "ForwardedEvents" -MaxEvents 50 | Select-Object TimeCreated, Id, MachineName, Message
Step 8: Increase Forwarded Events Log Size
wevtutil sl ForwardedEvents /ms:4294967296
This sets the ForwardedEvents log to 4 GB.
Step 9: Troubleshoot WEF Issues
If events are not arriving at the collector, check the Windows Remote Management service and subscription status:
winrm get winrm/config
wecutil gr SecurityEvents
Test-WSMan -ComputerName "SourceComputer01" -Authentication Kerberos
Check for WinRM connectivity from the collector to a source:
Test-NetConnection -ComputerName "SourceComputer01" -Port 5985
If sources show an error state in wecutil gr, re-run the quickconfig on the source and verify the Event Log Readers group membership.
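The checks in Steps 6 and 9 can be automated. The following script is an added example, not part of the original article: run on the collector, it parses wecutil gr for the subscription created in Step 5, compares the source list against what has actually arrived in ForwardedEvents, and reports sources that are in an error state or have gone quiet. It assumes the subscription name "SecurityEvents", a two-hour staleness threshold, and that wecutil gr prints each source FQDN on its own line followed by indented RunTimeStatus/LastError/LastHeartbeatTime lines.

```powershell
# Added example, not from the original article: flag WEF sources that are in
# error or have forwarded nothing recently. Assumes the subscription name from
# Step 5 and a 2-hour "quiet" threshold; adjust both to your environment.
param(
    [string]$Subscription = 'SecurityEvents',
    [int]$StaleHours = 2
)

# Parse "wecutil gr": lines without a colon are source names (assumed format);
# the key/value lines that follow belong to the most recently seen source.
$sources = @{}
$current = $null
foreach ($line in (wecutil gr $Subscription)) {
    $t = $line.Trim()
    if ($t -eq '') { continue }
    if ($t -notmatch ':') {
        $current = $t.ToLower()
        $sources[$current] = @{}
    }
    elseif ($current -and $t -match '^(RunTimeStatus|LastError|LastHeartbeatTime):\s*(.*)$') {
        $sources[$current][$Matches[1]] = $Matches[2]
    }
}

# Which sources actually delivered events in the window? MachineName in
# ForwardedEvents is the source FQDN, compared case-insensitively.
$since  = (Get-Date).AddHours(-$StaleHours)
$recent = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $recent[$_.MachineName.ToLower()] = $true }

$report = foreach ($name in ($sources.Keys | Sort-Object)) {
    [pscustomobject]@{
        Source            = $name
        RunTimeStatus     = $sources[$name]['RunTimeStatus']
        LastError         = $sources[$name]['LastError']
        LastHeartbeatTime = $sources[$name]['LastHeartbeatTime']
        ForwardedRecently = $recent.ContainsKey($name)
    }
}

# Anything listed here needs attention: re-run winrm quickconfig on the source
# and verify its Event Log Readers membership, as described in Step 9.
$report |
    Where-Object { $_.RunTimeStatus -ne 'Active' -or $_.LastError -ne '0' -or -not $_.ForwardedRecently } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the collector; an empty table means every source is active, error-free, and has forwarded at least one event within the threshold.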
Summary
Windows Event Log Forwarding provides agentless, centralized log collection for security monitoring and compliance. By configuring a collector server with WEF subscriptions and ensuring WinRM is enabled on sources via Group Policy, you can aggregate critical security events from hundreds of computers without deploying additional software. Forwarded events can be fed into a SIEM like Microsoft Sentinel or Splunk for real-time analysis and alerting.