Understanding Windows Event Forwarding

Russell Smith by   04.10.2017   General

Understanding Windows Event ForwardingThe DMTF WS-Eventing standard was first introduced in Windows Server 2008 so that system administrators could centralize Windows event logs. As part of the open Web Services-Management (WS-Man) protocol that’s included in the Windows Management Framework (WMF), event forwarding provides a means to read and store event logs from Windows devices in one place.

Windows Event Forwarding (WEF) is agentless, so you don’t need to install any additional software to enable it, all the required technology is built-in to the operating system. At least one server must be set up as a collector, where subscriptions are configured to pull the required logs from other devices. While agents aren’t needed, Windows Remote Management (WinRM), and associated firewall exceptions, must be enabled on participating devices.

If the participating devices are in a workgroup, i.e. not joined to an Active Directory (AD) domain, then some extra configuration will be required to get WEF to work. Pull subscriptions only require one or more collectors to be configured, but source-initiated ‘push’ subscriptions require each device that will push logs to a collector, be configured using Group Policy.

Pull versus Push

Collectors pull logs from servers using a domain user account that’s added to the Event Log Readers group. Pull event forwarding is easy to set up, because only the collector needs to be configured. But collector-initiated event forwarding doesn’t scale well, and can be inefficient as the collector must contact all devices even if they don’t have any new events to forward.

Push event forwarding requires every device to be configured using Group Policy, not just the collector, but additionally supports HTTPS for securing event forwarding in a workgroup scenario. Remember, that NTLM exchanges between workgroup computers don’t provide the same level of authentication security as Kerberos in an AD environment.

Custom Forwarding Logs

Collectors receive events from subscribed servers in the Windows Event log called Forwarded Events. That might suffice in small environments, but it’s likely that you’ll want to organize collected events in to separate logs. To create these logs, download the Windows Software Development Kit (SDK) for the version of Windows you’re using, and compile an event DLL, using the Manifest Generator app, to add a custom event channel to the collector.

Collecting Events

Once you’ve decided that you’d like to set up WEF, it’s important to determine what are the most important events to collect, and from which devices. If you plan to collect lots of event data, make sure you have enough disk space and that Windows is configured not to purge logs too quickly.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.