How to Set Up Event Log Forwarding on Windows Server 2012 R2
Event Log Forwarding allows Windows Server 2012 R2 to collect event logs from multiple remote computers into a central Windows Event Collector (WEC) server. This centralized logging infrastructure is essential for security monitoring, compliance auditing, and incident response. Windows Event Forwarding (WEF) uses the WS-Management protocol and can be configured in either source-initiated (push) or collector-initiated (pull) mode. Source-initiated subscriptions, where computers push their events to the collector, scale better for large environments and work through firewalls. This guide covers deploying a WEC server, configuring subscriptions, and filtering events.
Prerequisites
You need at least two Windows Server 2012 R2 machines: one designated as the Windows Event Collector and one or more source computers. Both collector and sources must be domain-joined, as Kerberos authentication is used by default. The Windows Remote Management (WinRM) service must be running on source computers for collector-initiated subscriptions, or the Windows Event Collector service must run on the collector for source-initiated subscriptions. Port 5985 (HTTP) or 5986 (HTTPS) must be open between sources and the collector. Domain Admin or the ability to modify Group Policy is required for domain-wide deployment.
Configuring the Windows Event Collector Server
On the designated collector server, configure the Windows Event Collector service and initialize the subscription manager:
# Quick-configure WinRM on the collector
winrm quickconfig -quiet
# Initialize the Windows Event Collector service
wecutil qc -quiet
# Verify the collector service is running
Get-Service -Name Wecsvc | Select-Object Name, Status, StartType
Set the Windows Event Collector service to start automatically:
Set-Service -Name Wecsvc -StartupType Automatic
Start-Service -Name Wecsvc
Verify WinRM is listening:
winrm enumerate winrm/config/listener
Configuring Source Computers with Group Policy
For source-initiated subscriptions at scale, configure source computers via Group Policy to automatically contact the collector and forward events. Create a new GPO linked to the OU containing the servers you want to collect events from:
# On source computers, WinRM must be running. Configure via GPO:
# Computer Configuration > Policies > Windows Settings > Security Settings > System Services
# Set "Windows Remote Management (WS-Management)" to Automatic
# Also configure via GPO:
# Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management
# > WinRM Service > Allow remote server management through WinRM
# Set IPv4/IPv6 filter to * to allow from any address, or restrict to collector IP
Configure the Event Log Readers group. The account that reads the logs on each source computer must be a member of its local Event Log Readers group: the collector’s computer account for collector-initiated subscriptions, or NT AUTHORITY\NETWORK SERVICE (the account the forwarder runs as) for source-initiated subscriptions. Add via GPO:
# GPO Path: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
# Create or update "Event Log Readers" group and add: NT AUTHORITY\NETWORK SERVICE (source-initiated)
# OR add the collector machine account: DOMAIN\CollectorServer$ (collector-initiated)
# Manual method on source computers (DOMAIN is the NetBIOS name of your domain):
$Group = [ADSI]"WinNT://./Event Log Readers,group"
$Member = [ADSI]"WinNT://DOMAIN/CollectorServer$"
$Group.Add($Member.Path)
Creating a Source-Initiated Subscription
Source-initiated subscriptions require configuring a subscription policy on the collector, then pushing the subscription URL to source computers via GPO. First, create the subscription XML file on the collector:
# Create subscription XML - collect Security and System events from all sources
# Security audit events are Level 0, so Level=0 is included in the Security query (Level=4 alone would skip them)
$SubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collect Security and System events from all domain servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>500</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(Level=0 or Level=1 or Level=2 or Level=3 or Level=4)]]</Select>
        </Query>
        <Query Id="1" Path="System">
          <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting Domain Computers (DC) and Network Service (NS) the right to forward -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@
New-Item -ItemType Directory -Path "C:\Subscriptions" -Force | Out-Null
$SubscriptionXml | Out-File -FilePath "C:\Subscriptions\SecurityEvents.xml" -Encoding UTF8
Create the subscription using wecutil:
wecutil cs C:\Subscriptions\SecurityEvents.xml
Verify the subscription was created:
wecutil es
Configuring Source Computers via Group Policy (Event Forwarding)
Push the subscription URL to source computers via GPO so they know where to send events:
# GPO Path: Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding > Configure target Subscription Manager
# Set value to: Server=http://CollectorServer.domain.com:5985/wsman/SubscriptionManager/WEC,Refresh=900
# Also enable WinRM via GPO:
# Computer Configuration > Administrative Templates > Windows Components >
# Windows Remote Management (WinRM) > WinRM Service
# "Allow remote server management through WinRM" = Enabled, IPv4/IPv6 filter = *
Force a Group Policy update on source computers to apply the new settings. Restarting WinRM from inside a remote session drops that session, so Invoke-Command reports a broken connection for each host; confirm afterwards with Get-Service that WinRM is running on every source:
Invoke-Command -ComputerName Server01, Server02, Server03 -ScriptBlock {
gpupdate /force
Restart-Service WinRM -Force
}
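The GPO settings above are easy to get partly wrong (policy not applied yet, listener missing, group membership absent), and a source that is misconfigured simply never shows up on the collector. The following check is an added example, not part of the original guide: run it on a source computer (or fan it out with Invoke-Command) to confirm each prerequisite landed. The collector name CollectorServer.domain.com and the account CollectorServer$ are placeholders carried over from the guide; the registry key and the Microsoft-Windows-Forwarding/Operational log are the locations Windows uses for the Subscription Manager policy and for forwarder errors.

```powershell
# Added example: verify a source computer is ready to forward events.
function Test-WefSourceReadiness {
    param(
        [string]$CollectorFqdn    = 'CollectorServer.domain.com',  # placeholder name from the guide
        [string]$CollectorAccount = 'CollectorServer$'             # only required for collector-initiated
    )
    $r = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. WinRM running with an HTTP (5985) or HTTPS (5986) listener bound
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $r['WinRMRunning']  = [bool]($svc -and $svc.Status -eq 'Running')
    $r['WinRMListener'] = [bool]((winrm enumerate winrm/config/listener 2>$null) -match 'Port = 598[56]')

    # 2. "Configure target Subscription Manager" policy applied: GPO writes it here as values 1, 2, ...
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $values = @()
    if (Test-Path $key) {
        $item   = Get-ItemProperty -Path $key
        $values = $item.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $r['SubscriptionManagerSet'] = [bool]($values -match [regex]::Escape($CollectorFqdn))

    # 3. Read access to the logs: NETWORK SERVICE for source-initiated, collector account for collector-initiated
    $members = net localgroup "Event Log Readers" 2>$null
    $r['NetworkServiceCanRead']   = [bool]($members -match 'NETWORK SERVICE')
    $r['CollectorAccountCanRead'] = [bool]($members -match [regex]::Escape($CollectorAccount))

    # 4. Forwarder errors in the last 24 h; this log names the failing step (authentication, DNS, listener, ...)
    $errs = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Forwarding/Operational'; Level = 2; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    $r['ForwardingErrors24h'] = ($errs | Measure-Object).Count
    $r['LastForwardingError'] = if ($errs) { (($errs | Select-Object -First 1).Message -split "`n")[0] } else { '' }

    [pscustomobject]$r
}

# Run locally, or across sources:
# Invoke-Command -ComputerName Server01, Server02 -ScriptBlock ${function:Test-WefSourceReadiness}
Test-WefSourceReadiness | Format-List
```

A source that reports SubscriptionManagerSet as false has not received the policy yet (rerun gpupdate); one with everything true but ForwardingErrors24h greater than zero usually has a Kerberos or DNS problem, and the LastForwardingError text says which.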
Creating a Collector-Initiated Subscription
For smaller environments or when you need explicit control over which servers are collected, use a collector-initiated subscription:
$CollectorSubXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>CollectorInitiated-Security</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Collect critical security events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- Normal mode applies built-in batching; set Custom for the Delivery values below to take effect -->
  <ConfigurationMode>Normal</ConfigurationMode>
  <Delivery Mode="Pull">
    <Batching>
      <MaxItems>20</MaxItems>
      <MaxLatencyTime>20000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[EventID=4624 or EventID=4625 or EventID=4720 or EventID=4728 or EventID=4732]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>Server01.domain.com</Address></EventSource>
    <EventSource Enabled="true"><Address>Server02.domain.com</Address></EventSource>
  </EventSources>
</Subscription>
'@
New-Item -ItemType Directory -Path "C:\Subscriptions" -Force | Out-Null
$CollectorSubXml | Out-File "C:\Subscriptions\CollectorInitiated.xml" -Encoding UTF8
wecutil cs C:\Subscriptions\CollectorInitiated.xml
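Both subscriptions above carry their filter as an XPath QueryList inside a CDATA section, and a query that is wrong (bad log path, an event ID the audit policy never produces, a Level that audit events do not use) fails silently: the subscription looks healthy while nothing arrives. The function below is an added example, not part of the guide: it pulls the QueryList out of a subscription file and runs it against the local logs with Get-WinEvent -FilterXml, so the filter can be tested on a representative server before it is deployed. The file path is the one written above; reading the Security log requires an elevated session.

```powershell
# Added example: dry-run a subscription's query against the local event logs.
function Test-WefQuery {
    param(
        [string]$SubscriptionFile,   # subscription XML written earlier, e.g. C:\Subscriptions\CollectorInitiated.xml
        [string]$QueryListXml,       # or a raw <QueryList>...</QueryList> string
        [int]$Sample = 1000          # number of most recent matching events to inspect
    )
    if ($SubscriptionFile) {
        # The query is the CDATA child of <Query>; PowerShell's XML adapter exposes it as '#cdata-section'
        $sub = [xml](Get-Content -Path $SubscriptionFile -Raw)
        $QueryListXml = $sub.Subscription.Query.'#cdata-section'
    }
    if (-not $QueryListXml) { throw 'Provide -SubscriptionFile or -QueryListXml' }

    $events = Get-WinEvent -FilterXml ([xml]$QueryListXml) -MaxEvents $Sample -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'Query matched nothing locally: check the log Path, the XPath, and whether the audit policy generates these events'
        return
    }

    # Per log and event ID: how much of the sample it accounts for, plus the first line of one message
    $total = @($events).Count
    $events | Group-Object LogName, Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Log     = $_.Group[0].LogName
            EventID = $_.Group[0].Id
            Count   = $_.Count
            Share   = '{0:P1}' -f ($_.Count / $total)
            Example = ($_.Group[0].Message -split "`n")[0]
        }
    }
}

Test-WefQuery -SubscriptionFile 'C:\Subscriptions\CollectorInitiated.xml' | Format-Table -AutoSize
```

The Share column is the useful part for sizing: if one event ID (4624 logons on a busy server, for instance) accounts for nearly all of the sample, that ID will dominate the Forwarded Events log volume and is the first candidate for a tighter filter.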
Increasing the Forwarded Events Log Size
The Forwarded Events log on the collector must be sized appropriately to handle the volume from all sources:
# Set Forwarded Events log to 4 GB with archive-on-full policy
wevtutil sl ForwardedEvents /ms:4294967296 /rt:false /ab:true
wevtutil sl ForwardedEvents /e:true
Verification and Monitoring
Check subscription status and source computer heartbeats:
# List all subscriptions
wecutil es
# Get detailed subscription status
wecutil gs SecurityEvents
# View subscription runtime status (connection status for each source)
wecutil gr SecurityEvents
Query forwarded events to confirm events are arriving:
Get-WinEvent -LogName "ForwardedEvents" -MaxEvents 20 |
Select-Object TimeCreated, ProviderName, Id, MachineName, Message |
Format-Table -AutoSize
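The commands above show the state of each source at one moment; what a defender actually needs to catch is a source that went quiet, since a forwarder that stopped (service disabled, listener gone, policy removed) produces no error on the collector. The script below is an added example, not part of the original guide: it parses the per-source block of wecutil gr for the SecurityEvents subscription created earlier, counts what each source actually delivered into ForwardedEvents in the last hour, and flags sources whose status is not Active, whose heartbeat is stale, or which delivered nothing. It assumes the wecutil gr layout described in the comments, with each source host name on a line of its own followed by indented Key: Value lines.

```powershell
# Added example: flag forwarding sources that have gone silent or report errors.
function Get-WefSourceHealth {
    param(
        [string]$SubscriptionId  = 'SecurityEvents',   # subscription created earlier in the guide
        [int]$MaxSilentMinutes   = 60                  # a source with nothing in this window is flagged
    )

    # Parse 'wecutil gr'. Assumed layout: lines with a colon are "Key: Value"; a line without
    # a colon is a source host name, and the indented lines after it describe that source.
    $sources = @()
    $current = $null
    foreach ($line in (wecutil gr $SubscriptionId)) {
        $t = "$line".Trim()
        if (-not $t) { continue }
        if ($t -notmatch ':') {
            if ($current) { $sources += [pscustomobject]$current }
            $current = [ordered]@{ Source = $t; Status = ''; LastError = ''; LastHeartbeat = $null; EventsInWindow = 0; Problem = '' }
            continue
        }
        if (-not $current) { continue }            # subscription-level lines before the first source
        $key, $value = $t -split ':\s*', 2
        switch ($key) {
            'RunTimeStatus'     { $current.Status    = $value }
            'LastError'         { $current.LastError = $value }
            'LastHeartbeatTime' { if ($value) { $current.LastHeartbeat = [datetime]$value } }
        }
    }
    if ($current) { $sources += [pscustomobject]$current }

    # What actually arrived per source in the window; MachineName on a forwarded event is the source host
    $since  = (Get-Date).AddMinutes(-$MaxSilentMinutes)
    $counts = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $n = $_.MachineName.ToLower(); $counts[$n] = 1 + [int]$counts[$n] }

    foreach ($s in $sources) {
        $s.EventsInWindow = [int]$counts[$s.Source.ToLower()]
        $problems = @()
        if ($s.Status -ne 'Active')                             { $problems += "status $($s.Status)" }
        if ($s.LastError -and $s.LastError -ne '0')             { $problems += "error $($s.LastError)" }
        if ($s.LastHeartbeat -and $s.LastHeartbeat -lt $since)  { $problems += 'stale heartbeat' }
        if ($s.EventsInWindow -eq 0)                            { $problems += "no events in $MaxSilentMinutes min" }
        $s.Problem = $problems -join '; '
    }
    $sources | Sort-Object Problem -Descending
}

Get-WefSourceHealth -SubscriptionId 'SecurityEvents' -MaxSilentMinutes 60 |
    Format-Table Source, Status, LastHeartbeat, EventsInWindow, Problem -AutoSize
```

Run it from a scheduled task on the collector and alert on any row with a non-empty Problem column; match MaxSilentMinutes to the subscription's MaxLatencyTime (900000 ms, i.e. 15 minutes, in the SecurityEvents subscription) with some headroom, otherwise a healthy but quiet server is flagged between batches.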
Summary
Windows Event Log Forwarding on Server 2012 R2 enables centralized log aggregation from all servers in the environment. Source-initiated subscriptions via Group Policy are recommended for large-scale deployments as they scale without manual configuration per server. The key components are: the WEC service on the collector, WinRM on all sources, membership in Event Log Readers for the collector account, and Group Policy to distribute the subscription URL. Size the Forwarded Events log generously and consider forwarding to a SIEM for long-term retention and alerting.