
How to configure Windows event forwarding in Windows 7/2008 – Part 1

The purpose of this article is to explain how event forwarding works, the different types of event forwarding methods, and to give a step-by-step guide for implementing them.

In this part 1 of How to configure event forwarding in Windows 7/2008, I will cover some basics about event forwarding, the different components involved in forwarding, and their functionality.

Windows 7 and Windows Server 2008 R2 support forwarding event log messages to a centrally defined server. The purpose is simple: you have all the required events in one place, and you can do auditing, archiving, or any other operation you want from a single place. You no longer need to depend on external scripts to collect Windows event logs from different computers and put them in one place.

There are two main components involved in Event Forwarding.

1) Collector:

The collector is a Windows computer that collects event logs from the computers on your network and stores them locally. In other words, this is where all the events are saved.

2) Forwarder/Source Computer:

This is a Windows computer that forwards events from its local event logs to a central computer designated as the collector.

The definitions of source computer and collector are pretty clear, and I believe there is no need to explain them in detail. If you are still in doubt, the picture below should clarify it.

Now we know what a source computer and a collector computer are in event forwarding. The next question you might have is whether the source computer initiates the event forwarding or the collector does. Based on which component initiates the event forwarding request, Windows event log forwarding is divided into two types. They are called subscriptions.

1) Collector initiated subscription:

In this type of subscription, the collector contacts the remote computer and asks it to send events. It is the collector's job to poll the source computers frequently and get event logs from them. This kind of subscription is best suited when you have a limited set of computers; it doesn't scale well as the number of source computers grows.

2) Source initiated subscription:

In this type of subscription, the source computer sends its event logs to the collector computer. The collector's job is simply to save whatever the source computers send.

For either collector-initiated or source-initiated forwarding, a subscription needs to be created on the collector side. A subscription is nothing but a configuration that specifies which event logs or event IDs should be forwarded. The destination log for the forwarded events is also configured in the subscription.

To make event forwarding work, both the collector and the source computer must be configured for it. I will cover this in detail when I talk about each type of subscription in my next posts.

Another piece of information worth sharing is which operating systems can act as a source computer and which can play the collector role.
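As an added illustration (not part of the original post), this is what such a subscription looks like when written as the XML file that `wecutil cs` loads on the collector. The subscription name, the file path, the choice of Security events 4624/4625 (the Vista-and-later logon IDs), and the batching values are assumptions for this example; the schema namespace, element names and the Domain Computers security descriptor are the standard ones.

```xml
<!-- Example subscription, constructed for this article; saved on the collector as,
     e.g., C:\wef\logons.xml and loaded with:  wecutil cs C:\wef\logons.xml -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <!-- Name and type: the source computers push events, so the collector does no polling -->
  <SubscriptionId>Logon-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward successful and failed logons from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

  <!-- Custom delivery: send a batch of up to 100 events, or whatever is queued after 30 s -->
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>100</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>

  <!-- Which log and which event IDs to forward: Security 4624 (logon) and 4625 (failed logon) -->
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>

  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>

  <!-- Destination log on the collector where forwarded events are written -->
  <LogFile>ForwardedEvents</LogFile>

  <!-- Which sources may push: every member of Domain Computers (well-known SID "DC") -->
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
```

The Windows Event Collector service on the collector is first set up with `wecutil qc`, and then the file is loaded with `wecutil cs`. Because this example reads from the Security log, the NETWORK SERVICE account on each source (which the WinRM service runs as) must be allowed to read that log, for example by adding it to the Event Log Readers group.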

Source Computer:

  1. Windows XP with Service Pack 2 (SP2)
  2. Windows Server 2003 with Service Pack 1 (SP1)
  3. Windows Server 2003 with Service Pack 2 (SP2)
  4. Windows Server 2003 R2, Windows Vista
  5. Windows Vista with SP1
  6. Windows 7
  7. Windows Server 2008
  8. Windows 2008 R2

Collector Computer:

  1. Windows Vista with SP1
  2. Windows 7
  3. Windows Server 2008
  4. Windows 2008 R2

One point to note here is that WS-Management 1.1 is not installed by default on computers running Windows XP with SP2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, or Windows Server 2003 R2, so you must install WS-Management 1.1 to use these platforms as event sources before you set up a source-initiated event subscription. For more information about how to install WS-Management 1.1, see http://go.microsoft.com/fwlink/?LinkId=100895.

In my next posts I will talk about how to configure source-initiated and collector-initiated subscriptions in detail.