Centralizing Windows Logs (Forwarded Events)
You can use the tools in this article to centralize your Windows event logs from multiple servers and desktops. By properly administering your logs, you can track the health of your systems, keep your log files secure, and filter contents to find specific information. It is possible for a Windows server to forward its events to a collector server. In this scenario, the collector server becomes a central repository for Windows logs from other servers (called event sources) in the network. The stream of events from a source to a collector is called a subscription. This procedure demonstrates how to set it up. These steps work on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2019. We are using two Active Directory Domain–joined Windows Server 2012 systems. The domain name is mytestdomain.com and both machines are registered with the domain.
Enable the Windows Remote Management Service
Windows Remote Management (WinRM) is a protocol for exchanging information across systems in your infrastructure. You must enable it on each of your source computers to exchange log files.
- Remotely log into the source computer (MYTESTSQL) as a local or domain administrator.
- Enable Windows Remote Management Service from a Command Prompt:
winrm quickconfig
If it is already running, a message similar to this example is displayed.
Configure the Windows Event Collector Service
You must enable the Windows Event Collector Service on your collector server to allow it to receive logs from your sources.
- Remotely log into the collector computer (MYTESTSERVER) as a local or domain administrator.
- Configure the Windows Event Collector Service from a Command Prompt:
wecutil qc
If prompted, as in the example, press Y to confirm.
Configure the Event Log Readers Group
By default, certain logs are readable only by administrators. This can prevent the collector from reading logs on the source. To avoid this, grant the collector computer's account read access on the source by adding it to the source's Event Log Readers group.
- Go back to the source computer (MYTESTSQL).
- Open Server Manager.
- Open Computer Management.
- Expand Local Users and Groups node from the Navigation pane and select Groups.
- Double-click Event Log Readers.
- Click Add to open the Select Users, Computers, Service Accounts, or Groups dialog.
- Click Object Types.
- Check Computers and click OK.
- Enter MYTESTSERVER as the object name and click Check Names. If the computer account is found, it is confirmed with an underline.
- Click OK twice to close the dialog boxes.
Configure Windows Firewall
If the source computer is running Windows Firewall, ensure it allows Remote Event Log Management and Remote Event Monitor traffic.
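The source-side steps above (WinRM, the Event Log Readers group, and the firewall) can be done from an elevated PowerShell prompt instead of the GUI. The following is an added example, not code from the original article; it uses the article's host and domain names and assumes the collector's computer account is MYTESTDOMAIN\MYTESTSERVER$ (the trailing $ denotes a machine account). The group and firewall rule-group names are the standard English ones and differ on localized Windows installations.

```powershell
# Added example: run on the SOURCE computer (MYTESTSQL) as an administrator.
# Assumed collector machine account (domain and host names from the article).
$collectorAccount = 'MYTESTDOMAIN\MYTESTSERVER$'

# 1. WinRM: equivalent of 'winrm quickconfig'. -Force answers the prompts.
#    It starts the service, sets it to automatic and creates an HTTP listener.
if ((Get-Service -Name WinRM).Status -ne 'Running') {
    Set-WSManQuickConfig -Force
}
# Show the listeners; expect one with Transport = HTTP and Port = 5985,
# which is what the subscription's Advanced settings point at.
winrm enumerate winrm/config/listener

# 2. Event Log Readers: add the collector's computer account (the "Machine
#    Account" credential chosen later in the subscription). 'net localgroup'
#    works on Server 2008 R2 through 2019; Add-LocalGroupMember only exists
#    on Windows 10 / Server 2016 and later.
$members = net localgroup 'Event Log Readers'
$alreadyMember = $members | Where-Object { $_.Trim() -ieq $collectorAccount }
if (-not $alreadyMember) {
    net localgroup 'Event Log Readers' $collectorAccount /add
}

# 3. Firewall: enable the two predefined rule groups the article names.
#    netsh is used rather than Enable-NetFirewallRule so the same commands
#    also work on Server 2008 R2, which lacks the NetSecurity module.
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
netsh advfirewall firewall set rule group="Remote Event Monitor" new enable=yes

# 4. Quick local check that the WinRM endpoint answers.
Test-WSMan -ComputerName localhost
```

Granting the Event Log Readers group to a computer account gives that one machine read access to every log on the source, including the Security log, so keep the collector itself well protected; the membership check above also makes the script safe to re-run.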
Create a Subscription
Subscriptions define the relationship between a collector and a source. You can configure a collector to receive events from any number of sources (a source-initiated subscription), or specify a limited set of sources (a collector-initiated subscription). In this example, we create a collector-initiated subscription since we know which computer logs we want to receive.
- Start the Event Viewer application on the collector server MYTESTSERVER.
- Select Subscriptions from the Navigation pane.
- Click Create Subscription in the Actions pane.
- On the Subscription Properties, enter the following as shown in the example:
Subscription name: MYTESTSQL_EVENTS
Description: Events from remote source server MYTESTSQL
Destination log: Forwarded Events
Select Collector initiated and click Select Computers to open the Computers dialog.
- Click Add Domain Computers.
- Enter MYTESTSQL as the object name and click Check Names. If the computer is found, it is confirmed with an underline.
- Click OK.
- Click OK to return to the Subscription Properties.
- Click Select Events to open the Query Filter and enter the following to set the remote server to forward all application events from the last 24 hours:
Logged: Last 24 hours
Check all Event levels
Select By log
Event logs: Select Application from the drop-down list
- Click OK to return to the Subscription Properties.
- Click Advanced to open the Advanced Subscription Settings and enter the following:
Select Machine Account
Select Minimize Latency
Protocol: HTTP
Port: 5985
- Click OK to return to the Subscription Properties.
- Click OK to close.
The Subscription node in the collector computer event viewer now shows the new subscription.
Verify Events on Collector Computer
Select Forwarded Events from the Navigation pane on the collector computer.
The Computer column in the Details pane shows that the events come from the remote computer MYTESTSQL.MYTESTDOMAIN.COM. You can disable or re-enable the collector subscription by right-clicking it and choosing Disable (or Enable); the main window then shows the subscription's status as Disabled. An active subscription does not by itself mean that collection is succeeding. To check whether the collector can connect to the source, right-click the subscription and select Runtime Status. In this example, the collector cannot connect to the source; by default, it retries every five minutes.
If all is OK, Subscription Runtime Status shows a green tick with an active status.
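The subscription built in the Event Viewer dialogs above, and the runtime check in this section, can also be done with wecutil on the collector. The block below is an added example and not code from the original article. The subscription XML is my reconstruction of what Event Viewer stores for the article's settings (Application log, last 24 hours, Collector initiated, Machine Account, Minimize Latency, HTTP on 5985); compare it against `wecutil gs MYTESTSQL_EVENTS` after creating a subscription in the GUI if in doubt. The source address assumes the FQDN MYTESTSQL.mytestdomain.com.

```powershell
# Added example: run on the COLLECTOR (MYTESTSERVER) as an administrator.

# 1. Collector service, as 'wecutil qc' in the article; /q answers the prompt.
wecutil qc /q

# 2. Subscription definition (reconstructed, see lead-in). 86400000 ms = 24 hours.
#    CredentialsType Default = the collector's machine account.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>MYTESTSQL_EVENTS</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Events from remote source server MYTESTSQL</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <TransportPort>5985</TransportPort>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>MYTESTSQL.mytestdomain.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'MYTESTSQL_EVENTS.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml
wecutil cs $xmlPath                 # create-subscription from the file

# 3. Verification, equivalent to the Runtime Status dialog.
Test-WSMan -ComputerName MYTESTSQL  # can the collector reach WinRM on the source at all?
wecutil gr MYTESTSQL_EVENTS         # per-source state (Active / Trying / Disabled) and last error
wecutil rs MYTESTSQL_EVENTS         # retry now instead of waiting for the five-minute interval

# 4. What has arrived; MachineName carries the source's FQDN.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, ProviderName, Id, LevelDisplayName
```

If `wecutil gr` reports an access-denied error while `Test-WSMan` succeeds, the usual cause is the Event Log Readers membership on the source; a timeout instead points at the firewall or WinRM listener. On HTTP port 5985 between domain-joined machines, WinRM authenticates with Kerberos and encrypts the message body, so the event data is not sent in clear text; switching the subscription to HTTPS on 5986 adds TLS on the transport but requires a server certificate on each source.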
Create a Custom View (Optional)
Once the events are forwarded, you can create custom views to see the consolidated events. For example, you might create a custom view for error events. This example creates a custom view for SQL Server–related messages. A collector computer may host thousands of records from dozens of servers. Using a custom view enables you to create order from an overload of information.
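The custom view described above is stored by Event Viewer as an XPath query over the Forwarded Events log. The following added example (not code from the original article) runs that query directly with Get-WinEvent, summarizes the result per source computer, and writes the same query in the custom-view file format so it can be loaded through Event Viewer's Import Custom View. Assumptions: SQL Server on MYTESTSQL is a default instance, whose Application-log provider is named MSSQLSERVER; levels 1 to 3 are Critical, Error and Warning; and the ViewerConfig wrapper matches what Event Viewer's Export Custom View produces.

```powershell
# Added example: run on the COLLECTOR (MYTESTSERVER).

# The filter a custom view would hold: SQL Server provider, warnings and worse,
# read from the consolidated ForwardedEvents log.
$filterXml = [xml]@'
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[Provider[@Name='MSSQLSERVER'] and (Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@

# Matching events, newest first, with the first line of each message.
$events = Get-WinEvent -FilterXml $filterXml -MaxEvents 200 -ErrorAction SilentlyContinue
$events |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Order from the overload: how many SQL Server problems each source reported.
$events | Group-Object MachineName |
    Select-Object @{ Name = 'Source'; Expression = { $_.Name } }, Count |
    Sort-Object Count -Descending

# Same query as an importable custom view (format assumed from an exported view).
$viewXml = @"
<ViewerConfig>
  <QueryConfig>
    <QueryParams><UserQuery /></QueryParams>
    <QueryNode>
      <Name>SQL Server (forwarded)</Name>
      <Description>SQL Server warnings and errors forwarded from MYTESTSQL</Description>
      $($filterXml.OuterXml)
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@
Set-Content -Path (Join-Path $env:TEMP 'SqlServerForwarded.xml') -Value $viewXml
```

To cover a named SQL Server instance, change the provider name to MSSQL$ followed by the instance name; to widen the view to every forwarded error regardless of product, drop the Provider clause and keep only the Level test.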