9/25/22, 3:10 PM How To - Set up Central Event Log Monitoring on Windows Server - Windows Forum - Spiceworks

How To - Set up Central Event Log Monitoring on Windows Server

patcutrone

Last Updated:
Jan 14, 2019
4 Minute Read
A good first step to identifying issues on your network and in your environment in general is to look at the Event Logs. If you are a busy (and cheap) IT person, it's hard to find the time to log onto every server individually and impossible to get funding for a big log monitoring solution.

Central Event Log Monitoring, using the Windows Event Collector service that is already built into Windows Server, is free, takes only a few minutes to set up and will let you view event logs for all your servers in one place.

10 Steps total
Step 1: Determine where all your logs will go
This 'collector' server should be running Windows Server (mine runs 2012 R2) and it should NOT be a DC. Domain controllers need a different configuration (see Step 8) and will not work well (or at all) as the collector, and a DC should not be the machine holding forwarded logs from every other server in any case.

Step 2: Configure the Windows Event Collector Service

These steps need to be done only once - when you first set up the server to collect all the logs.

Start by logging into your 'collector' machine as an administrator and opening an elevated command prompt. Local administrator rights on the collector are enough for this step; a domain admin logon is not required.

At the prompt type wecutil qc and then press y to confirm that the service start-up mode will be changed to Delay-Start (wecutil qc /q skips the prompt). This enables the Windows Event Collector service, which is what receives the forwarded events.

You should receive a message stating that the Windows Event Collector service was configured successfully.

Step 3: Create a Subscription

This step can be done either before or after you configure the 'source' computers (the systems which will be sending the logs). For ease, I chose to do all the steps required on the collector first.

https://community.spiceworks.com/how_to/159134-how-to-set-up-central-event-log-monitoring-on-windows-server

To create a subscription, start the Event Viewer from Computer Management.

From the expanded Event Viewer tree on the left click the Subscriptions folder.

From the Action menu in the right pane choose the Create Subscription link.

--> a. Provide a name and a description for the subscription.

--> b. Leave the Destination Log field set to the default, Forwarded Events.

--> c. Choose the Collector initiated radio button and then click Select Computers.

--> d. Click the Add Domain Computers button, type the name of the source computer in the box, click Check Names to confirm, then OK.

--> e. Click the Test button to test the connection if required. The test checks that the collector can reach the source over WinRM, so it will fail until Step 6 has been done on that source.

--> f. Configure the recorded events:

------> i. Click the Select Events button in the Events section to bring up the query window.

------> ii. Set Logged to Last 7 days and select the 'Critical', 'Warning' and 'Error' event levels (or as desired).

------> iii. Select the By log option and check the boxes next to all Windows Logs and only Hardware Events under Applications and Services Logs, then click OK to return to the Subscription Properties dialog box. (These are my choices; you may choose what works for your environment. Windows Logs includes the Security log, so the collector will end up holding the security events of every source and should be protected accordingly.)

------> iv. Click Advanced, then in the Advanced Subscription Settings dialog box select Machine Account and tick the Minimize Latency radio button, then click OK twice to return to the Event Viewer. Machine Account means the collector connects to each source using its own computer account, which is why Steps 7 and 8 add that account to the Event Log Readers group on every source.

Step 4: The new subscription should now be visible at the bottom of the Event Viewer tree, under Subscriptions.
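The same collector-side work (Steps 2 to 4) can be scripted, which is handy when you rebuild the collector or want the subscription under version control. The block below is an added example written for this page, not the post's own commands or a Microsoft sample; the subscription name, description and the two source host names are assumptions. It writes the XML that wecutil expects with exactly the choices made in the wizard above (Collector initiated, Machine Account = CredentialsType Default, Minimize Latency = MinLatency, Critical/Error/Warning from the Windows logs plus Hardware Events, last 7 days).

```powershell
# Added example (not from the original post): script the collector side, Steps 2-4.
# Run from an elevated PowerShell prompt on the collector. The subscription name,
# description and source host names below are assumptions - change them for your domain.
$SubscriptionName = 'ServerLogs'
$Sources = 'SRV01.corp.example.com', 'SRV02.corp.example.com'   # assumed source FQDNs

# Step 2: configure the Windows Event Collector service (/q answers the Delay-Start prompt)
wecutil qc /q

# Step 3: the wizard's choices expressed as XML for wecutil.
# Level 1/2/3 = Critical/Error/Warning; 604800000 ms = 7 days ("Logged: Last 7 days");
# HardwareEvents is the channel name of "Hardware Events" under Applications and Services Logs.
$Filter  = '*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 604800000]]]'
$Logs    = 'Application', 'Security', 'Setup', 'System', 'HardwareEvents'
$Selects = ($Logs    | ForEach-Object { "        <Select Path=`"$_`">$Filter</Select>" }) -join "`r`n"
$SrcXml  = ($Sources | ForEach-Object { "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`r`n"

$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical, error and warning events from member servers (added example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
$Selects
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$SrcXml
  </EventSources>
</Subscription>
"@

$XmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding UTF8
wecutil cs $XmlPath              # create the subscription (errors if the name already exists)

# Step 4: read the subscription back; this is what the Subscriptions node now shows
wecutil gs $SubscriptionName
```

CredentialsType Default is the XML equivalent of the Machine Account radio button: the collector authenticates to each source as its own computer account, so the group membership in Steps 7 and 8 is still required. To change the filter later, edit the XML and run wecutil ss with the same file rather than recreating the subscription.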

Step 5: Configure Sources

On each server which will be sending logs, complete the steps below. If the source is a domain controller, use Step 8 in place of Step 7 - the group is configured in a different place.

Step 6: Enable the Windows Remote Management Service

--> Log into the 'source' computer as an administrator (local admin rights are enough) and open an elevated command prompt.

--> On the command line type winrm quickconfig. This starts the WinRM service and sets it to start automatically, creates an HTTP listener on TCP 5985 and adds the matching Windows Firewall exception. If the service is already configured, you will receive a message in the window confirming this.

Step 7: Configure the Event Log Readers Group for a Standard Server

For a standard (member) server:

--> From Computer Management open Local Users and Groups.

--> Select the 'Groups' folder and double-click the Event Log Readers group.

--> Click Add. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types, tick Computers and click OK.

--> Search for and add the 'collector' computer account to the group, then click Apply and OK to return to the Computer Management window. Only the collector's computer account needs this membership.

Step 8: Configure the Event Log Readers Group for a DC

If the source computer is a domain controller then the Local Users and Groups option won't appear in Computer Management. Use the steps below to configure the Event Log Readers group in Active Directory Users and Computers instead. Note that the Builtin groups on a domain controller are domain-wide, so this membership gives the collector read access to the event logs of every DC in the domain, not just this one.

--> Open Active Directory Users and Computers.

--> Expand the domain then click on the Builtin folder.

--> Within the Builtin folder, double-click the Event Log Readers group in the centre pane of the window.

--> Click on the Members tab then use the Add button.

--> In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types, tick Computers and click OK.

--> Search for and add the 'collector' computer account to the group, then click Apply then OK to return to the Active Directory window.

Step 9: Configure the Windows Firewall if required.

The forwarding itself runs over WinRM (TCP 5985 by default), which winrm quickconfig in Step 6 already allowed. The rules below are only needed if you also want to connect Event Viewer to the source directly over RPC, for example to browse its logs remotely.

--> Open the Control Panel in Category view.

--> Click the System and Security category then the Windows Firewall link.

--> Click the Allowed apps link on the left and add Remote Event Log Management and Remote Event Monitor from the list at the Domain level, then click OK.

----> It may be required to click the Change Settings button in order to be able to make changes to the list.
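Steps 6 to 9 can be done from one elevated PowerShell prompt on each source, and the same script can decide for itself whether it is on a member server (Step 7) or a domain controller (Step 8). This is an added example written for this page, not the post's own commands; the collector's NetBIOS name is an assumption, and it assumes the source is domain-joined.

```powershell
# Added example (not from the original post): script the source side, Steps 6-9.
# Run from an elevated PowerShell prompt on each source. The collector's name is an
# assumption; the domain is taken from the logged-on session.
$Collector        = 'LOGCOLLECTOR'              # assumed NetBIOS name of the collector
$Domain           = $env:USERDOMAIN
$CollectorAccount = "$Domain\$Collector$"       # computer accounts end in $, e.g. CORP\LOGCOLLECTOR$

# Step 6: WinRM service set to automatic, HTTP listener on TCP 5985, firewall exception.
# Reports that it is already set up if this has been done before.
winrm quickconfig -q

# Steps 7 and 8: give the collector's computer account read access to the logs.
# DomainRole 4 or 5 means this machine is a domain controller, which has no local groups,
# so the domain's Builtin group is used instead (that membership applies to every DC).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Import-Module ActiveDirectory
    Add-ADGroupMember -Identity 'Event Log Readers' -Members "$Collector$"
} else {
    # net localgroup works on every supported Windows version; Add-LocalGroupMember is
    # the equivalent cmdlet on Windows Server 2016 and later.
    net localgroup 'Event Log Readers' $CollectorAccount /add
}

# Step 9, optional: these rule groups allow the RPC-based remote Event Viewer connection;
# the forwarding itself already works over the WinRM port opened by quickconfig.
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management', 'Remote Event Monitor'

# Sanity check: the listener quickconfig created, and who can now read the logs
winrm enumerate winrm/config/listener
if ($role -ge 4) { Get-ADGroupMember -Identity 'Event Log Readers' | Select-Object Name, objectClass }
else             { net localgroup 'Event Log Readers' }
```

The membership check at the end is worth keeping: the collector's computer account should be the only thing added for this purpose, and anything else in Event Log Readers on a source (especially a DC, where the group is domain-wide) can read that machine's Security log.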

Step 10: Confirm New Logs are visible.

After configuring the sources, return to the collector and view the Forwarded Events log to ensure your new logs are arriving. It may take up to 15 minutes for the forwarding to occur. If nothing arrives, right-click the subscription under Subscriptions and open Runtime Status: it shows each source as Active, Inactive or Trying along with the last error, which is the first place to look.
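To check Step 10 without clicking through each source, the block below runs on the collector and combines the runtime status, a WinRM reachability test (what the wizard's Test button does) and a per-source summary of what has actually landed in Forwarded Events. It is an added example for this page, not the post's own procedure; the subscription and source names are assumptions and should match what was used when the subscription was created.

```powershell
# Added example (not from the original post): check Step 10 from the collector.
# Subscription and source names are assumptions - use the ones from your subscription.
$SubscriptionName = 'ServerLogs'
$Sources = 'SRV01.corp.example.com', 'SRV02.corp.example.com'

# Per-source state as the collector sees it (Active, Inactive or Trying) and the last error.
# This is the same information as Runtime Status in Event Viewer.
wecutil gr $SubscriptionName

# Can the collector reach each source's WinRM listener at all? (Step 6 on the source.)
foreach ($src in $Sources) {
    try   { Test-WSMan -ComputerName $src -ErrorAction Stop | Out-Null; "$src : WinRM reachable" }
    catch { "$src : WinRM NOT reachable - $($_.Exception.Message)" }
}

# Which sources have actually delivered something, and how recently
$recent = Get-WinEvent -LogName ForwardedEvents -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Group-Object -Property MachineName |
    ForEach-Object {
        [pscustomobject]@{
            Source    = $_.Name
            Events    = $_.Count
            LastEvent = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    }
$recent | Sort-Object LastEvent -Descending | Format-Table -AutoSize

# The post allows up to 15 minutes; flag configured sources that have sent nothing at all,
# and note the ones that have gone quiet since (often normal with a Critical/Error/Warning filter).
$cutoff = (Get-Date).AddMinutes(-15)
foreach ($src in $Sources) {
    $hit = $recent | Where-Object { $_.Source -eq $src }
    if (-not $hit) {
        Write-Warning "$src : no events forwarded yet - check wecutil gr output and Steps 6-8 on the source"
    } elseif ($hit.LastEvent -lt $cutoff) {
        "$src : last event $($hit.LastEvent); quiet since then"
    }
}
```

A source that shows as Active in wecutil gr but never appears in Forwarded Events usually has the right connectivity but nothing matching the filter yet; one that shows Inactive with an access-denied error is almost always missing the Event Log Readers membership from Step 7 or 8.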

I wasn't able to get enough detail from any single article so I wrote this guide for my environment using what I was able to find online. I have put those other articles below as they were instrumental in helping me set this up.

I hope I can help others who are having trouble getting their log forwarding set up ;)

References
1st article
2nd article

5 Comments

dimforest

Jan 14th, 2019 at 9:31pm
Great write up! I'll give this a go. Thanks again.

D3rl
Mar 8th, 2019 at 6:23am
Thanks for the info! Glad I was able to bump into this.

Jason1121

Mar 14th, 2019 at 4:21pm
Nice how to.

For anyone that's interested there's a presentation here from Jessica Payne that goes through similar steps.
Takes a while to get to the actual setup but it's worth a listen.

https://web.archive.org/web/20171212201838/https://channel9.msdn.com/Events/Ignite/Australia-2015/INF327

The volume is extremely low. I ended up downloading it and using VLC to pump the volume up to 200%.

Anthony Tanjoco

Mar 14th, 2019 at 4:54pm
Hey Pat,

Now that you've had this up for a bit -how do you like it now?

-AT

onecogmind

Sep 14th, 2022 at 1:40am
There have been several updates to Windows Security that impact the WinRM. I do not think this
functionality works anymore. Has anyone tried this recently?
