How to Configure Windows Event Collector on Windows Server 2012 R2
Windows Event Collector (WEC) is a built-in Windows Server feature that implements the W3C WS-Eventing protocol to collect event log entries from multiple remote computers (event sources) and store them in the Forwarded Events log on a central collector server. This provides centralized event log aggregation without requiring any third-party log management software — a valuable capability for environments that want a cost-effective way to consolidate security and operational event data before investing in a full SIEM solution.
Windows Server 2012 R2 supports both collector-initiated (pull) and source-initiated (push) subscriptions. Source-initiated subscriptions are the preferred approach for managing many servers, as they are configurable via Group Policy and do not require the collector to have administrative access to each source machine. This guide covers both subscription types, Group Policy configuration for source-initiated forwarding, and optimizing the collection infrastructure for reliability and performance.
Prerequisites
– One Windows Server 2012 R2 designated as the Windows Event Collector
– Multiple Windows Server 2012 R2 event source machines
– Administrative credentials on all servers
– All machines in the same Active Directory domain (or cross-domain with appropriate trust)
– WinRM (Windows Remote Management) service enabled on all source machines
– Network connectivity between sources and the collector on TCP port 5985 (HTTP) or 5986 (HTTPS)
Step 1: Configure the Collector Server
On the designated collector server, configure the Windows Event Collector service:
# Configure and start the Windows Event Collector service
wecutil qc /q
# Verify the service is running
Get-Service Wecsvc | Select-Object Name, Status, StartType
# Set WEC to start automatically
Set-Service Wecsvc -StartupType Automatic
Start-Service Wecsvc
# Enable WinRM on the collector (needed for source-initiated subscriptions)
Enable-PSRemoting -Force
# Add the Network Service account to the Event Log Readers group
# The Windows Event Collector service runs as NETWORK SERVICE and needs
# to write to the Forwarded Events log
# (net localgroup is used because the Add-LocalGroupMember cmdlet is not
# available on Windows Server 2012 R2; it errors harmlessly if already a member)
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
# Grant the collector's computer account access to source machines' event logs
# This is handled automatically through AD when using source-initiated subscriptions
Step 2: Configure WinRM on Source Machines
Source machines must have WinRM configured and the collector’s computer account added to the Event Log Readers group:
# Run on each source machine (or deploy via Group Policy)
Enable-PSRemoting -Force
# Add the collector's computer account to Event Log Readers
# The collector's computer account (DOMAIN\WECServer$) needs read access
# (net localgroup is used because Add-LocalGroupMember is not available on Server 2012 R2)
net localgroup "Event Log Readers" "DOMAIN\WECServer$" /add
# For source-initiated subscriptions the forwarder on each source runs as the local
# NETWORK SERVICE account, which must also be a member of Event Log Readers to read
# the Security log. The registry value that points source machines at the collector
# (the SubscriptionManager policy) is configured in Step 4.
# Make sure the WinRM client refuses unencrypted transport. Run the following from
# Group Policy or on each source machine (Kerberos-encrypted WS-Management over
# HTTP on port 5985 still works with this setting):
& winrm set winrm/config/client "@{AllowUnencrypted=`"false`"}"
Step 3: Create a Collector-Initiated Subscription
A collector-initiated subscription has the collector server pull events from specified source machines. This requires the collector to have administrative access to the source machines:
# Create a subscription XML file defining what events to collect.
# NOTE: element names follow the WEC subscription schema. Which log each
# <Select Path="..."> applies to is assumed here (the original listing does not say).
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityEvents-AllServers</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Collect Security and System events from all servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Pull">
    <Batching>
      <MaxItems>500</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
          <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
          <Select Path="Application">*[System[Level=1 or Level=2]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <EventSources>
    <EventSource Enabled="true"><Address>Server01.domain.com</Address></EventSource>
    <EventSource Enabled="true"><Address>Server02.domain.com</Address></EventSource>
  </EventSources>
</Subscription>
'@
# Out-File does not create the directory, so make sure it exists first
New-Item -Path "C:\Subscriptions" -ItemType Directory -Force | Out-Null
$subscriptionXml | Out-File "C:\Subscriptions\SecurityEvents.xml" -Encoding UTF8
# Create the subscription
wecutil cs "C:\Subscriptions\SecurityEvents.xml"
# List all subscriptions
wecutil es
# View subscription runtime status (gs shows only the stored configuration)
wecutil gr "SecurityEvents-AllServers"
Step 4: Configure Source-Initiated Subscriptions via Group Policy
Source-initiated subscriptions are more scalable — source computers push events to the collector without the collector needing credentials to each source. Configure via Group Policy:
# First, create the source-initiated subscription on the collector.
# NOTE: element names follow the WEC subscription schema; the Select Path values are
# assumed. EventID 7045 (new service installed) is written to the System log, so it
# is selected there rather than from Security.
# AllowedSourceDomainComputers is an SDDL string granting Domain Computers (DC) the
# right to register with this subscription.
$sourceSubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AllServers-Security-Source</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Source-initiated security event collection</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>500</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Security">*[System[(EventID=4625 or EventID=4740 or EventID=4728 or EventID=1102 or EventID=4719)]]</Select>
          <Select Path="System">*[System[(Level=1 or Level=2 or EventID=7045)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
New-Item -Path "C:\Subscriptions" -ItemType Directory -Force | Out-Null
$sourceSubscriptionXml | Out-File "C:\Subscriptions\SourceInitiated.xml" -Encoding UTF8
wecutil cs "C:\Subscriptions\SourceInitiated.xml"
Configure the Group Policy settings on source machines:
# Group Policy settings to apply to all source machines:
# Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding >
# "Configure the server address, refresh interval, and issuer CA of target Subscription Manager"
# Value: Server=http://WECServer01.domain.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
# In PowerShell (to apply directly without Group Policy for testing):
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
New-Item -Path $regPath -Force
New-ItemProperty -Path $regPath -Name 1 -Value "Server=http://WECServer01.domain.com:5985/wsman/SubscriptionManager/WEC,Refresh=60" -PropertyType String -Force
# Restart the WinRM service on source to apply immediately
Restart-Service WinRM
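Once the policy has been applied, it helps to confirm on a source machine that every piece of the source side is in place and that the forwarder is actually talking to the collector. The following check script is an added example (not part of the original article); it assumes the collector name and registry path used in Step 4 and the local Microsoft-Windows-Forwarding/Operational log that the forwarder writes to.

```powershell
# Added example: verify a source machine is ready for source-initiated forwarding.
# Assumes the collector FQDN and SubscriptionManager registry path from Step 4.
param([string]$Collector = "WECServer01.domain.com")

$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
$results = [ordered]@{}

# 1. WinRM must be running and expose an HTTP listener
$results["WinRM running"]  = (Get-Service WinRM).Status -eq "Running"
$results["WinRM listener"] = [bool](winrm enumerate winrm/config/listener 2>$null | Select-String "Transport = HTTP")

# 2. The SubscriptionManager policy must point at the collector
$sm = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$results["SubscriptionManager set"] = ($null -ne $sm) -and
    (@($sm.PSObject.Properties | Where-Object { $_.Value -like "Server=*$Collector*" }).Count -gt 0)

# 3. The forwarder runs as NETWORK SERVICE, which needs read access to the Security log
$results["NETWORK SERVICE in Event Log Readers"] =
    [bool](net localgroup "Event Log Readers" | Select-String "NETWORK SERVICE")

# 4. The collector must be reachable on the WinRM HTTP port
$results["Collector reachable :5985"] =
    (Test-NetConnection -ComputerName $Collector -Port 5985 -WarningAction SilentlyContinue).TcpTestSucceeded

# 5. The forwarder logs its own failures (bad SPN, access denied, unreachable collector)
$errs = Get-WinEvent -FilterHashtable @{
    LogName = "Microsoft-Windows-Forwarding/Operational"; Level = 2; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue
$results["No forwarder errors (1h)"] = (@($errs).Count -eq 0)

$results.GetEnumerator() | ForEach-Object {
    "{0,-40} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "FAIL" })
}
if ($errs) { $errs | Select-Object -First 3 TimeCreated, Id, Message | Format-List }
```

Run it after the WinRM restart; a FAIL on check 3 is the most common reason a source registers with the collector but never delivers any Security events.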
Step 5: Expand the Forwarded Events Log Size
# Increase the Forwarded Events log size on the collector
wevtutil sl ForwardedEvents /ms:2147483648 # 2 GB
# Auto-backup when full: /ab:true requires retention (/rt:true) to be enabled as well
wevtutil sl ForwardedEvents /rt:true /ab:true
# Alternatively via PowerShell
$logConfig = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration("ForwardedEvents")
$logConfig.MaximumSizeInBytes = 2GB
$logConfig.LogMode = [System.Diagnostics.Eventing.Reader.EventLogMode]::AutoBackup
$logConfig.SaveChanges()
# Verify the log configuration
Get-WinEvent -ListLog ForwardedEvents | Select-Object LogName, MaximumSizeInBytes, LogMode, RecordCount
Step 6: Monitor Subscription Health
# Check the status of all subscriptions
wecutil es | ForEach-Object {
    $status = wecutil gr $_
    Write-Host "`nSubscription: $_"
    $status
}
# Get detailed runtime status of a subscription
wecutil gr "SecurityEvents-AllServers" /f:xml
# Check event sources within a subscription (connected/error status)
# (gr reports per-source runtime status; gs only shows the stored configuration)
wecutil gr "SecurityEvents-AllServers" | Select-String "EventSource|Status|LastError"
# View WEC operational events
Get-WinEvent -LogName "Microsoft-Windows-EventCollector/Operational" -MaxEvents 20 |
Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
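The runtime status above tells you whether a source is registered, but not whether it has stopped delivering. The following script is an added example (not part of the original article) that finds sources that have gone quiet by looking at the newest event each host actually delivered to ForwardedEvents; the expected-source list, lookback window and silence threshold are constructed defaults.

```powershell
# Added example: find forwarding sources that have gone silent.
param(
    [string[]]$ExpectedSources = @("Server01.domain.com", "Server02.domain.com"),  # constructed sample list
    [int]$SilentAfterMinutes = 120,
    [int]$LookbackHours = 24
)

$now = Get-Date
$lastSeen = @{}

# One pass over recent forwarded events, keeping the newest TimeCreated per source host.
# MachineName is the host that generated the event, i.e. the forwarding source.
Get-WinEvent -FilterHashtable @{ LogName = "ForwardedEvents"; StartTime = $now.AddHours(-$LookbackHours) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $src = $_.MachineName.ToLower()
        if (-not $lastSeen.ContainsKey($src) -or $_.TimeCreated -gt $lastSeen[$src]) {
            $lastSeen[$src] = $_.TimeCreated
        }
    }

# Hosts that reported during the lookback window but have since gone quiet
$report = foreach ($entry in $lastSeen.GetEnumerator()) {
    $age = [int]($now - $entry.Value).TotalMinutes
    [pscustomobject]@{
        Source        = $entry.Key
        LastEvent     = $entry.Value
        MinutesSilent = $age
        Status        = $(if ($age -gt $SilentAfterMinutes) { "SILENT" } else { "ok" })
    }
}
$report | Sort-Object MinutesSilent -Descending | Format-Table -AutoSize

# Hosts that should be forwarding but sent nothing at all in the window
$missing = $ExpectedSources | Where-Object { -not $lastSeen.ContainsKey($_.ToLower()) }
if ($missing) { Write-Warning ("No events in the last {0}h from: {1}" -f $LookbackHours, ($missing -join ", ")) }
```

A host that is SILENT here while `wecutil gr` still reports it as Active usually means the source-side forwarder has stalled, so check the Forwarding/Operational log on that host rather than the collector.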
Step 7: Query the Forwarded Events Log
# Read from the Forwarded Events log (shows events from all source machines)
# MachineName identifies the source computer; Properties[0] is event-specific data
Get-WinEvent -LogName "ForwardedEvents" -MaxEvents 50 |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName,
        @{N="Source"; E={$_.MachineName}},
        Message | Format-List
# Filter for specific security events
Get-WinEvent -FilterHashtable @{
    LogName   = "ForwardedEvents"
    Id        = 4625 # Failed logon
    StartTime = (Get-Date).AddHours(-24)
} | Select-Object TimeCreated, Message | Format-List
# Find which source computers sent events in the last hour
Get-WinEvent -FilterHashtable @{ LogName = "ForwardedEvents"; StartTime = (Get-Date).AddHours(-1) } |
    Group-Object { $_.MachineName } |
    Select-Object Name, Count |
    Sort-Object Count -Descending
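With the security events from Step 4 consolidated in one log, the same cmdlets can drive a simple detection. The following script is an added example (not part of the original article): it flags accounts with a burst of failed logons (4625) on any source in the last hour and marks whether a lockout (4740) followed. The threshold and window are assumptions to tune for your environment.

```powershell
# Added example: failed-logon burst detection over the consolidated ForwardedEvents log.
param([int]$Threshold = 10, [int]$WindowMinutes = 60)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Read a named EventData field from the event XML (field order differs between event IDs)
function Get-EventDataField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$query  = @{ LogName = "ForwardedEvents"; StartTime = $since }
$failed = Get-WinEvent -FilterHashtable ($query + @{ Id = 4625 }) -ErrorAction SilentlyContinue
$locked = Get-WinEvent -FilterHashtable ($query + @{ Id = 4740 }) -ErrorAction SilentlyContinue

# Accounts locked out in the window (4740 carries the account in TargetUserName)
$lockedAccounts = @($locked | ForEach-Object { Get-EventDataField $_ "TargetUserName" })

# One row per failed logon: which server forwarded it, which account, from which client IP
$rows = $failed | ForEach-Object {
    [pscustomobject]@{
        Source   = $_.MachineName
        Account  = Get-EventDataField $_ "TargetUserName"
        ClientIp = Get-EventDataField $_ "IpAddress"
    }
}

# Flag (server, account) pairs at or above the threshold
$bursts = $rows | Group-Object Source, Account | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
    $acct = $_.Group[0].Account
    [pscustomobject]@{
        Source    = $_.Group[0].Source
        Account   = $acct
        Failures  = $_.Count
        ClientIps = (@($_.Group | ForEach-Object { $_.ClientIp }) | Sort-Object -Unique) -join ","
        LockedOut = ($lockedAccounts -contains $acct)
    }
}

$bursts | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Because the subscription uses RenderedText, ToXml() still returns the full EventData block, which is what makes field-level parsing possible on the collector.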
Step 8: Manage Subscriptions with Wecutil
# List all subscriptions
wecutil es
# View subscription configuration
wecutil gs "SecurityEvents-AllServers"
# Update subscription (reload after XML file change)
wecutil ss "SecurityEvents-AllServers" /c:"C:\Subscriptions\SecurityEvents.xml"
# Enable/disable a subscription
wecutil ss "SecurityEvents-AllServers" /e:true # enable
wecutil ss "SecurityEvents-AllServers" /e:false # disable
# Delete a subscription
wecutil ds "SecurityEvents-AllServers"
# Retry failed source connections
wecutil rs "SecurityEvents-AllServers"
Step 9: Configure Log Retention and Archival
# Archive the ForwardedEvents log to an EVTX file daily
$archivePath = "D:\LogArchive\ForwardedEvents"
New-Item -Path $archivePath -ItemType Directory -Force
# Create a scheduled task for daily archival. The task runs PowerShell so that the
# date stamp in the file name is computed on each run, not once at registration.
$action = New-ScheduledTaskAction `
    -Execute "powershell.exe" `
    -Argument "-NoProfile -Command `"wevtutil epl ForwardedEvents ('$archivePath\ForwardedEvents_' + (Get-Date -Format yyyyMMdd) + '.evtx')`""
Register-ScheduledTask `
    -TaskName "ArchiveForwardedEvents" `
    -TaskPath "\EventCollection\" `
    -Action $action `
    -Trigger (New-ScheduledTaskTrigger -Daily -At "00:30") `
    -Principal (New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest)
Summary
Windows Event Collector on Windows Server 2012 R2 provides enterprise-grade centralized event log collection using only built-in Windows components. Collector-initiated subscriptions work well for small environments where the collector has credentials to each source, while source-initiated subscriptions deployed via Group Policy scale effortlessly to hundreds of servers. The resulting ForwardedEvents log consolidates security and operational events from the entire server estate in one location, enabling efficient auditing, security monitoring, and incident investigation without the cost or complexity of third-party log aggregation tools. Organizations treating this as a stepping stone toward full SIEM deployment will find WEC an excellent interim solution that also feeds data into SIEM solutions that can read from WEF subscriptions.