How to Set Up Centralised Log Collection with Windows Event Collector on Windows Server 2012 R2

Windows Event Collector (WEC) is a built-in Windows Server 2012 R2 service that enables centralised collection of Windows event log entries from multiple source computers into a single collector server. This eliminates the need to log into each individual server to review event logs and provides a consolidated view of security events, application errors, and system warnings across your entire environment. WEC uses the WS-Management protocol (WinRM) and supports both source-initiated and collector-initiated subscription models. This guide covers configuring WEC for enterprise-scale event log collection including subscription configuration, Group Policy deployment, and log management on the collector.

Prerequisites

A designated Windows Server 2012 R2 collector server with sufficient disk space for centralised logs (plan for 1-5 GB per day for 20 servers with standard audit policies, more with verbose security auditing). All source computers must be joined to the same Active Directory domain. WinRM must be enabled and configured on source computers. The collector server’s computer account needs to be a member of the Event Log Readers group on each source computer. Windows Remote Management (WinRM) service must be running on the collector server.

Step 1: Configure the Collector Server

Run the following commands on the designated collector server to enable the Windows Event Collector service and configure WinRM:

# Enable and start the Windows Event Collector service
wecutil qc /quiet

# Configure WinRM on the collector server
winrm quickconfig -quiet

# Verify WEC service is running
# Make sure the WEC service starts automatically and is running, then verify its state
Set-Service -Name "Wecsvc" -StartupType Automatic
Start-Service -Name "Wecsvc"
Get-Service -Name "Wecsvc" | Select-Object Name, Status, StartType

Step 2: Configure Source Computers via Group Policy

Use Group Policy to configure WinRM and event forwarding on all source computers. Create or edit a GPO and apply it to the OU containing your servers. Configure the following settings:

Computer Configuration → Administrative Templates → Windows Components → Windows Remote Management → WinRM Service → Allow remote server management through WinRM: Set to Enabled with IPv4 filter set to the collector server IP or * for all.

Computer Configuration → Administrative Templates → Windows Components → Event Forwarding → Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager: Set to Enabled with value:

Server=http://COLLECTOR01.yourdomain.com:5985/wsman/SubscriptionManager/WEC,Refresh=60

Computer Configuration → Windows Settings → Security Settings → Restricted Groups: Use the Restricted Groups policy to add the NETWORK SERVICE account (the WinRM service on each source runs as Network Service and needs read access to the Security log) and the collector's computer account to the Event Log Readers group on all source servers.

Apply the GPO and force a policy refresh on source computers:

gpupdate /force
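To confirm the policy actually landed, here is an added verification script (not part of the original guide) to run on a source computer after gpupdate; it assumes the collector name COLLECTOR01.yourdomain.com from the Subscription Manager setting above, and uses the policy registry key and the forwarding plugin's operational log that the event forwarding policy writes to.

```powershell
# Added example: run on a SOURCE computer after gpupdate to verify Step 2 took effect.
# Collector name is taken from the guide's Subscription Manager setting (assumption).
$collector = "COLLECTOR01.yourdomain.com"

# 1. The Subscription Manager GPO stores its Server=... strings as numbered values here.
$smKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
$sm = Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue
if ($sm) {
    $sm.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "SubscriptionManager[$($_.Name)]: $($_.Value)" }
} else {
    Write-Warning "No Subscription Manager policy found; the GPO has not applied to this computer."
}

# 2. WinRM must be running with a listener, otherwise the forwarding plugin never starts.
Get-Service -Name WinRM | Select-Object Name, Status, StartType
winrm enumerate winrm/config/listener

# 3. NETWORK SERVICE must be in Event Log Readers or Security events will not forward.
$members = net localgroup "Event Log Readers"
if ($members -match 'NETWORK SERVICE') {
    "NETWORK SERVICE is a member of Event Log Readers"
} else {
    Write-Warning "NETWORK SERVICE is missing from Event Log Readers; Security log cannot be read."
}

# 4. The source must reach the collector's WinRM endpoint (port 5985 per the GPO value).
Test-WSMan -ComputerName $collector -ErrorAction SilentlyContinue |
    Select-Object wsmid, ProductVersion

# 5. The forwarding plugin logs subscription pick-up and errors in its own channel.
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```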

Step 3: Create an Event Subscription

Create a subscription on the collector server that defines which events to collect and from which sources. Use an XML subscription configuration file for source-initiated subscriptions.

Create the subscription XML file at C:\WEC\SecurityEvents.xml (the XPath comparisons are written as &lt;= because the query inside the CDATA block is itself parsed as XML):

<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsmandistributionsubscriptionmanager">
  <SubscriptionId>Security-Events-All-Servers</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Centralised security event collection from all domain servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>20</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4648 or EventID=4720 or EventID=4726 or EventID=4732 or EventID=4740 or EventID=4771 or EventID=4776)]]</Select>
        <Select Path="System">*[System[Level&lt;=3]]</Select>
        <Select Path="Application">*[System[Level&lt;=2]]</Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
Create the subscription from the XML file:

wecutil cs "C:\WEC\SecurityEvents.xml"

# Verify the subscription was created
wecutil es

# View subscription details
wecutil gs Security-Events-All-Servers
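As an added example (not from the original guide), the following PowerShell validates the subscription's QueryList against the collector's own logs with Get-WinEvent -FilterXml before wecutil cs registers it, so a malformed XPath fails loudly instead of producing a subscription that silently collects nothing; it assumes the file at C:\WEC\SecurityEvents.xml uses the standard subscription namespace shown above.

```powershell
# Added example: test the subscription query locally, then register the subscription.
$xmlPath = "C:\WEC\SecurityEvents.xml"
[xml]$sub = Get-Content -Path $xmlPath -Raw

# The subscription document lives in the WS-Man subscription manager namespace,
# so XPath lookups need a namespace manager (property access like $sub.Subscription does not).
$ns = New-Object System.Xml.XmlNamespaceManager($sub.NameTable)
$ns.AddNamespace("s", "http://schemas.microsoft.com/2004/06/wsmandistributionsubscriptionmanager")
$queryList = $sub.SelectSingleNode("/s:Subscription/s:Query", $ns).InnerText.Trim()

# Get-WinEvent -FilterXml accepts the same <QueryList> document the subscription ships.
try {
    $sample = Get-WinEvent -FilterXml ([xml]$queryList) -MaxEvents 5 -ErrorAction Stop
    "Query parsed; sample of matching events on this collector:"
    $sample | Select-Object TimeCreated, LogName, Id, LevelDisplayName | Format-Table -AutoSize
} catch {
    if ($_.Exception.Message -match 'No events were found') {
        "Query parsed but matched no local events (acceptable on a quiet collector)."
    } else {
        throw "Subscription query is invalid: $($_.Exception.Message)"
    }
}

# Register only after the query validated, then confirm the collector accepted it.
wecutil cs $xmlPath
wecutil gs $sub.Subscription.SubscriptionId
```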

Step 4: Configure the ForwardedEvents Log

The ForwardedEvents log on the collector server receives all collected events. Increase its maximum size to handle the volume from multiple source computers:

# Set ForwardedEvents log to 2 GB maximum
wevtutil sl ForwardedEvents /ms:2147483648

# Archive the log when full (auto-backup requires retention to be enabled as well)
wevtutil sl ForwardedEvents /rt:true /ab:true

# Verify ForwardedEvents log configuration
wevtutil gl ForwardedEvents

Step 5: Monitor Subscription Health

Monitor the health of event forwarding subscriptions and verify source computers are actively sending events:

# Check subscription runtime status
wecutil gr Security-Events-All-Servers

# Show the per-source status lines (source names precede each group of status lines)
wecutil gr Security-Events-All-Servers | Select-String "RunTimeStatus|LastError|LastHeartbeatTime"

# Same check with the subscription name in a variable, for use in scripts
$subscription = "Security-Events-All-Servers"
& wecutil gr $subscription

Source computers that have not connected to the subscription in more than 24 hours should be investigated — common causes are WinRM not running, firewall blocking port 5985, or the computer account not being in the Event Log Readers group.
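One way to script this check, as an added example that is not part of the original guide: parse the wecutil gr output into objects and flag sources whose last heartbeat is older than 24 hours or whose status is not Active. It assumes the 2012 R2 output layout (an EventSources: section listing each source FQDN on its own line, followed by indented RunTimeStatus, LastError and LastHeartbeatTime lines); the Get-WecSourceStatus function name is hypothetical.

```powershell
# Added example: turn "wecutil gr" text into objects and flag stale or inactive sources.
function Get-WecSourceStatus {
    param(
        [string]$Subscription = "Security-Events-All-Servers",
        [int]$StaleHours = 24
    )
    $lines = & wecutil gr $Subscription
    $sources = @()
    $current = $null
    $inSources = $false
    foreach ($raw in $lines) {
        $line = $raw.Trim()
        if ($line -eq 'EventSources:') { $inSources = $true; continue }
        if (-not $inSources -or $line -eq '') { continue }
        if ($line -notmatch ':') {
            # A line without "Key: Value" is the next source computer name (assumed layout).
            $current = [pscustomobject]@{
                Source = $line; RunTimeStatus = $null; LastError = $null
                LastHeartbeat = $null; Stale = $false
            }
            $sources += $current
            continue
        }
        if ($null -eq $current) { continue }
        $key, $value = $line -split ':\s*', 2
        switch ($key) {
            'RunTimeStatus'     { $current.RunTimeStatus = $value }
            'LastError'         { $current.LastError = $value }
            'LastHeartbeatTime' {
                $hb = [datetime]::Parse($value)
                $current.LastHeartbeat = $hb
                $current.Stale = $hb -lt (Get-Date).AddHours(-$StaleHours)
            }
        }
    }
    return $sources
}

$status = Get-WecSourceStatus
$status | Format-Table Source, RunTimeStatus, LastError, LastHeartbeat, Stale -AutoSize

# Anything stale or not Active is a candidate for the WinRM / firewall / group checks above.
$needsAttention = $status | Where-Object { $_.Stale -or $_.RunTimeStatus -ne 'Active' }
if ($needsAttention) {
    Write-Warning "$($needsAttention.Count) source(s) need attention: $($needsAttention.Source -join ', ')"
}
```

A source that never registered with the subscription will not appear in wecutil gr at all, so compare the Source column against the server list in the target OU as well.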

Step 6: Query Collected Events with PowerShell

Query the centralised ForwardedEvents log for security analysis:

# Find all failed logon attempts across all monitored servers in the last 24 hours.
# -FilterHashtable lets the event log service filter instead of streaming the whole log
# through Where-Object; in 4625 event data, Properties[5] is TargetUserName and
# Properties[19] is IpAddress.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, @{N="Account";E={$_.Properties[5].Value}}, @{N="IP";E={$_.Properties[19].Value}} |
    Format-Table -AutoSize

# Count events per source computer to verify all servers are reporting
Get-WinEvent -LogName ForwardedEvents | Group-Object MachineName | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

Step 7: Automate ForwardedEvents Log Archival

Archive the ForwardedEvents log daily to prevent loss of historical data:

# Archive root for the exported .evtx files (one file per day, named by date)
$archivePath = "E:\EventLogArchive\ForwardedEvents"
New-Item -ItemType Directory -Path $archivePath -Force | Out-Null
$archiveFile = Join-Path $archivePath "ForwardedEvents_$(Get-Date -Format 'yyyyMMdd').evtx"
# wevtutil epl writes a copy of the log; it does not clear ForwardedEvents
wevtutil epl ForwardedEvents $archiveFile
Write-Host "Archived ForwardedEvents to: $archiveFile"
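As an added example (not part of the original guide), this variant exports only the previous 24 hours each day, so successive archives do not overlap, and registers the export as a daily scheduled task running as SYSTEM; the script path C:\WEC\Export-ForwardedEvents.ps1, the task name, the 90-day local retention and the run time are assumptions.

```powershell
# Added example: incremental daily export of ForwardedEvents plus a scheduled task.
$archivePath = "E:\EventLogArchive\ForwardedEvents"
$scriptPath  = "C:\WEC\Export-ForwardedEvents.ps1"   # assumed location for the export script
New-Item -ItemType Directory -Path $archivePath -Force | Out-Null

# wevtutil epl accepts an XPath filter via /q:, and timediff(@SystemTime) is in
# milliseconds, so 86400000 selects events created in the last 24 hours.
$exportScript = @'
$archivePath = "E:\EventLogArchive\ForwardedEvents"
$archiveFile = Join-Path $archivePath ("ForwardedEvents_{0}.evtx" -f (Get-Date -Format 'yyyyMMdd'))
$query = "*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"
wevtutil epl ForwardedEvents $archiveFile "/q:$query" /ow:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }
# Keep 90 days of archives on the collector (assumed retention); older copies belong on backup.
Get-ChildItem -Path $archivePath -Filter 'ForwardedEvents_*.evtx' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-90) } | Remove-Item -Force
'@
Set-Content -Path $scriptPath -Value $exportScript -Encoding ASCII

# Run the export shortly after midnight as SYSTEM, which can read ForwardedEvents.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '00:05'
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'WEC-Archive-ForwardedEvents' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null
```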

Summary

Windows Event Collector on Windows Server 2012 R2 provides a powerful, built-in mechanism for centralising event log collection without requiring additional software licensing. By using source-initiated subscriptions with carefully crafted XPath queries, administrators collect high-value security events — failed logons, account changes, privilege use — and critical system errors from all servers into a single ForwardedEvents log. This centralised view dramatically simplifies security monitoring, incident investigation, and compliance reporting compared to connecting to individual servers. Regular archival of the ForwardedEvents log ensures historical data is preserved for forensic investigations and audit purposes.