@r-joyce r-joyce/centralize.md
Last active Apr 5, 2018

Centralizing Windows Logs

The goal is to use only native Windows software (the built-in event forwarding and collection services) to forward client computer logs to a central Active Directory server.

Note:

  • Client: Computer that has logs that we want to forward

  • Server: Computer that aggregates logs for forwarding or backup purposes

  • This assumes both computers are part of a domain-based network

Setting up the Server:

  1. Configure the Windows Event Collector Service

    • In an elevated command prompt, run wecutil qc

  2. Create a Subscription

    • Open up Windows Event Viewer

    • Click "Create Subscription..."

      • Add a Name and Description

      • Click "Select Computers..."

        • Click "Add Domain Computers..."

        • Type your Client computer name

      • Click "Select Events..."

        • Configure which logs you want to forward

      • Click "Advanced..."

        • Under "User Account", check "Machine Account"

        • Under "Event Delivery Optimization", choose "Minimize Latency"
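The same server-side steps as a script, so the subscription is reproducible instead of clicked together. This is an added example and not part of the gist; the collector name, the client name CLIENT01.corp.example.com, the subscription name "ClientLogs" and the choice of logs are assumptions. The XML element names follow the Windows Event Collector subscription schema as I know it; CredentialsType "Default" corresponds to the "Machine Account" choice and ConfigurationMode "MinLatency" to "Minimize Latency". If in doubt, export a subscription you created in Event Viewer with wecutil gs <name> /f:xml and compare.

```powershell
# Added example (not from the gist): server-side setup as a script.
# Run in an elevated PowerShell on the Server.
$subscriptionName = 'ClientLogs'                  # assumed subscription name
$clientFqdn       = 'CLIENT01.corp.example.com'   # assumed Client name

# 1. Configure the Windows Event Collector service (the gist's "wecutil qc").
#    /q answers the confirmation prompt.
wecutil qc /q

# 2. Create the subscription from XML instead of the Event Viewer wizard.
#    Collector-initiated: the Server pulls from the listed client(s).
#    Security and System are just an example of "which logs you want to forward".
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Forward client logs to the central collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security"><Select Path="Security">*</Select></Query>
  <Query Id="1" Path="System"><Select Path="System">*</Select></Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$clientFqdn</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$subscriptionName.xml"
$subscriptionXml | Set-Content -Path $xmlPath -Encoding UTF8

# wecutil cs = create subscription from a file; gs = show the stored subscription.
wecutil cs $xmlPath
wecutil gs $subscriptionName
```

Keeping the subscription in a file (and in version control) also gives you something to diff when the list of forwarded logs or clients changes unexpectedly.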

Setting up a Client:

  1. Enable the Windows Remote Management Service

    • In an elevated command prompt, run winrm quickconfig

  2. Configure the Event Log Readers Group

    • Computer Management > System Tools > Local Users and Groups > Groups

    • Double click on "Event Log Readers"

    • Click "Add..."

      • Click "Object Types..."

        • Check next to "Computers"

      • Type the name of the Server that you want to forward to and click "Check Names"; if the name becomes underlined, you're good to go!

  3. Configure Windows Firewall

    • Control Panel > System and Security > Windows Firewall > Allowed Apps

    • Scroll down to "Remote Event Log Management" and "Remote Event Monitor"

    • Place a check under "Domain" for both
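The client-side steps as a script, which is what you would push to many clients rather than repeating the GUI steps on each. This is an added example, not from the gist; the domain CORP and the Server's machine account CORP\SERVER01$ are assumptions. The security point of step 2 is that the collector only needs to be in Event Log Readers to read the logs; it does not need local administrator rights on the client.

```powershell
# Added example (not from the gist): client-side setup as a script.
# Run in an elevated PowerShell on the Client.
$collectorAccount = 'CORP\SERVER01$'   # assumed: the Server's domain machine account

# 1. Enable WinRM (the gist's "winrm quickconfig"); -q suppresses the prompts.
#    This starts the service, creates the HTTP listener and opens its firewall rule.
winrm quickconfig -q

# 2. Put the Server's machine account in Event Log Readers (read-only access to logs).
$alreadyMember = Get-LocalGroupMember -Group 'Event Log Readers' |
    Where-Object { $_.Name -eq $collectorAccount }
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $collectorAccount
}
Get-LocalGroupMember -Group 'Event Log Readers'

# 3. Enable the two firewall rule groups the gist names, only where they apply
#    to the Domain profile (rules scoped to Private/Public are left alone).
foreach ($group in 'Remote Event Log Management', 'Remote Event Monitor') {
    Get-NetFirewallRule -DisplayGroup $group |
        Where-Object { $_.Profile -match 'Domain|Any' } |
        Enable-NetFirewallRule
}

# Check: rule state per profile, and that the WinRM listener exists.
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management', 'Remote Event Monitor' |
    Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize
winrm enumerate winrm/config/listener
```

If the collector later reports access denied for this client, the group membership and the machine account name (note the trailing "$") are the first things to re-check.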

Verify:

  1. On the Server, open the Event Viewer
  2. Go to Windows Logs > Forwarded Events
  3. The log should be populated, and under the "Computer" column you should see your Client computer listed
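The same check from PowerShell on the Server, extended a little beyond the gist: besides confirming that events from each client are present, it flags clients that have gone quiet, since a forwarding gap is the thing you most want to notice in a central log. Added example, not from the gist; the subscription name "ClientLogs" and the 30-minute silence threshold are assumptions.

```powershell
# Added example (not from the gist): verify forwarding on the Server.
$subscriptionName   = 'ClientLogs'   # assumed subscription name
$silentAfterMinutes = 30             # assumed threshold; tune to your delivery latency

# Runtime status of each event source (wecutil gr = get runtime status).
# Each client should show as Active with a recent last heartbeat.
wecutil gr $subscriptionName

# Equivalent of Event Viewer > Windows Logs > Forwarded Events, grouped per client.
$since  = (Get-Date).AddHours(-24)
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$perClient = $recent | Group-Object MachineName | ForEach-Object {
    $latest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    [pscustomobject]@{
        Computer  = $_.Name
        Events24h = $_.Count
        LastEvent = $latest
        Silent    = $latest -lt (Get-Date).AddMinutes(-$silentAfterMinutes)
    }
}
$perClient | Sort-Object LastEvent | Format-Table -AutoSize

# A client that stops sending matters as much as one that never started:
# a gap can mean WinRM stopped, a firewall change, or a cleared log on the client.
$perClient | Where-Object Silent | ForEach-Object {
    Write-Warning "No events from $($_.Computer) for more than $silentAfterMinutes minutes"
}
if (-not $perClient) { Write-Warning 'ForwardedEvents is empty for the last 24 hours' }
```

Clients that have never forwarded anything will not appear in the table at all, so compare the Computer column against the sources listed by wecutil gr rather than relying on the table alone.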

Links:

Useful source for solving errors on either server or client hosts

Where I got most of my information
