
Set Up Windows Event Forwarding for Centralized Logging

By Admin · Mar 15, 2026 · Updated Apr 23, 2026 · 173 views · 3 min read

Windows Event Forwarding (WEF) collects Windows event logs from multiple servers to a central collector server. This provides centralized security monitoring, compliance auditing, and troubleshooting without installing third-party agents. This guide covers configuring WEF for enterprise log collection.

Architecture

  • Source computers: Windows servers that generate events
  • Collector server: Central server that receives and stores events
  • Subscriptions: Define which events to forward and from which sources
  • Transport: WinRM (HTTP 5985 or HTTPS 5986)

Configure the Collector Server

# Enable Windows Event Collector service
wecutil qc /q

# Or via PowerShell
Set-Service wecsvc -StartupType Automatic
Start-Service wecsvc

# Configure WinRM
winrm quickconfig -q

# Increase forwarded events log size (default is too small)
wevtutil sl ForwardedEvents /ms:4294967296  # 4GB

# Optional: clear the existing ForwardedEvents log before rollout (wevtutil cl clears, it does not create)
wevtutil cl ForwardedEvents

# Alternative: create a dedicated custom log and point a subscription's <LogFile> element at it
New-EventLog -LogName "SecurityForwarded" -Source "EventForwarding"

Configure Source Computers

# Enable WinRM on all source computers (via GPO recommended)
winrm quickconfig -q

# Grant read access to the Security log on the sources. The collector's computer account
# is what collector-initiated subscriptions use; for source-initiated subscriptions (used
# below) the forwarder runs as NETWORK SERVICE on each source, so that account also needs
# Event Log Readers membership.
# Via GPO: Computer Config > Preferences > Local Users and Groups
# Add CORP\CollectorServer$ (and NT AUTHORITY\NETWORK SERVICE) to "Event Log Readers" group

# Or via PowerShell on each source:
Add-LocalGroupMember -Group "Event Log Readers" -Member "CORP\CollectorServer$"
Add-LocalGroupMember -Group "Event Log Readers" -Member "NT AUTHORITY\NETWORK SERVICE"

# Configure firewall
New-NetFirewallRule -DisplayName "WinRM-HTTP" `
    -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow

Create Subscriptions

# Security Events Subscription (source-initiated, push delivery)
$xml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>SecurityEvents</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Collect security events from all servers</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Custom</ConfigurationMode>
    <Delivery Mode="Push">
        <Batching>
            <MaxLatencyTime>900000</MaxLatencyTime>
        </Batching>
    </Delivery>
    <Query>
        <![CDATA[
            <QueryList>
                <Query Id="0" Path="Security">
                    <Select Path="Security">
                        *[System[(EventID=4624 or EventID=4625 or EventID=4648 or
                        EventID=4672 or EventID=4720 or EventID=4722 or
                        EventID=4724 or EventID=4728 or EventID=4732 or
                        EventID=4756 or EventID=1102 or EventID=4688 or
                        EventID=4697 or EventID=4698 or EventID=4719 or
                        EventID=4946 or EventID=5140 or EventID=5145)]]
                    </Select>
                </Query>
                <!-- Log path for this Critical/Error query was not preserved; System is assumed -->
                <Query Id="1" Path="System">
                    <Select Path="System">
                        *[System[(Level=1 or Level=2)]]
                    </Select>
                </Query>
            </QueryList>
        ]]>
    </Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>HTTP</TransportName>
    <!-- SDDL: allow Domain Computers (DC) and Network Service (NS) to forward -->
    <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@

$xml | Out-File "C:\temp\security-sub.xml" -Encoding UTF8
wecutil cs "C:\temp\security-sub.xml"

# Verify subscription
wecutil gs SecurityEvents
wecutil gr SecurityEvents

PowerShell Subscription Management

# wecutil works from PowerShell or cmd; the commands below manage existing subscriptions

# List all subscriptions
wecutil es

# Get subscription details
wecutil gs SecurityEvents

# Get runtime status (shows which sources are active)
wecutil gr SecurityEvents

# Retry subscription
wecutil rs SecurityEvents

# Delete subscription
wecutil ds SecurityEvents

# View forwarded events
Get-WinEvent -LogName ForwardedEvents -MaxEvents 50 | Format-Table TimeCreated, ProviderName, Id, Message
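Checking wecutil gr by hand does not scale past a handful of sources. The following is an added example, not part of the original guide: it parses the runtime status output into objects and reports sources that are not Active or whose last heartbeat is too old. The output layout it expects is an assumption, and the sample text (with placeholder hostnames) is constructed so the parser can be tried offline.

```powershell
# Added example (not from the original guide): parse 'wecutil gr' output and report
# sources that are not Active or have a stale heartbeat. Output layout is assumed.
function ConvertFrom-WecRuntimeStatus {
    param([string[]]$Lines)
    $sources = @(); $current = $null; $inSources = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if (-not $t) { continue }
        if ($t -eq 'EventSources:') { $inSources = $true; continue }
        if (-not $inSources) { continue }
        if ($t -notmatch ':\s') {
            # A line without "Key: Value" is the next source computer name
            $current = [pscustomobject]@{ Source = $t; RunTimeStatus = $null; LastError = $null; LastHeartbeatTime = $null }
            $sources += $current
        } elseif ($current) {
            $k, $v = $t -split ':\s+', 2
            if ($current.PSObject.Properties[$k]) { $current.$k = $v }
        }
    }
    $sources
}

function Get-WecStaleSources {
    param([string]$Subscription, [int]$MaxHeartbeatAgeMinutes = 30, [string[]]$RawOutput)
    # Live path: run on the collector; -RawOutput lets saved output be analysed offline
    if (-not $RawOutput) { $RawOutput = & wecutil gr $Subscription }
    $cutoff = (Get-Date).AddMinutes(-$MaxHeartbeatAgeMinutes)
    ConvertFrom-WecRuntimeStatus $RawOutput | Where-Object {
        $_.RunTimeStatus -ne 'Active' -or -not $_.LastHeartbeatTime -or
        [datetime]$_.LastHeartbeatTime -lt $cutoff
    }
}

# Constructed sample in the assumed layout (hostnames are placeholders)
$sampleOutput = @'
Subscription: SecurityEvents
        RunTimeStatus: Active
        EventSources:
                srv01.corp.example.com
                        RunTimeStatus: Active
                        LastHeartbeatTime: 2026-04-23T09:58:12.000
                srv02.corp.example.com
                        RunTimeStatus: Inactive
                        LastHeartbeatTime: 2026-04-20T11:02:45.000
'@ -split "`r?`n"

# srv02 is reported (Inactive, heartbeat days old); srv01 too once its sample time is older than 30 min
Get-WecStaleSources -Subscription SecurityEvents -RawOutput $sampleOutput |
    Format-Table Source, RunTimeStatus, LastHeartbeatTime
```

Schedule it on the collector and alert on any rows returned; a source that silently stops forwarding is a blind spot, not just a connectivity fault.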

GPO Configuration for Sources

# Configure source computers via Group Policy
# Computer Config > Admin Templates > Windows Components > Event Forwarding
# The commands below assume a GPO named "Event Forwarding" already exists and is linked to the source OU

# Configure the collector server address (value name "1"; Refresh is the polling interval in seconds)
Set-GPRegistryValue -Name "Event Forwarding" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager" `
    -ValueName "1" `
    -Type String `
    -Value "Server=http://collector.corp.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60"

# Enable Windows Remote Management
Set-GPRegistryValue -Name "Event Forwarding" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" `
    -ValueName "AllowAutoConfig" -Type DWord -Value 1

Set-GPRegistryValue -Name "Event Forwarding" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" `
    -ValueName "IPv4Filter" -Type String -Value "*"

Key Security Events to Collect

Event ID   Description                       Why Important
--------   -------------------------------   --------------------------------
4624       Successful logon                  Track who accessed which server
4625       Failed logon                      Detect brute force attacks
4648       Logon with explicit credentials   Detect credential use
4672       Admin logon                       Track privileged access
4720       User account created              Detect unauthorized accounts
4732       Member added to group             Track privilege escalation
1102       Audit log cleared                 Detect evidence tampering
4688       Process creation                  Track command execution
4697       Service installed                 Detect persistence mechanisms
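Once 4625 events land in ForwardedEvents, the brute-force detection in the table above can be run centrally. The following is an added example, not code from the original guide: it reads the event XML (so it works on forwarded events from any source), groups failures by source IP, and flags bursts over a threshold. The threshold, the trimmed sample event shape, and the hostnames and addresses are constructed assumptions.

```powershell
# Added example (not from the original guide): flag failed-logon bursts (4625) per source
# IP in the collector's ForwardedEvents log. Threshold and sample events are assumptions.
function ConvertFrom-LogonFailureXml {
    param([string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $x = [xml]$raw
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }
        [pscustomobject]@{
            Target    = [string]$x.Event.System.Computer   # source server that forwarded the event
            IpAddress = $d['IpAddress']
            Account   = $d['TargetUserName']
        }
    }
}

function Get-LogonFailureBursts {
    param([string[]]$EventXml, [int]$Threshold = 20, [int]$LookbackMinutes = 15)
    if (-not $EventXml) {
        # Live path: run on the collector to pull 4625s forwarded in the lookback window
        $EventXml = Get-WinEvent -FilterHashtable @{
            LogName = 'ForwardedEvents'; Id = 4625
            StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
        } -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }
    }
    ConvertFrom-LogonFailureXml $EventXml | Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
            [pscustomobject]@{
                IpAddress = $_.Name
                Attempts  = $_.Count
                Accounts  = ($_.Group.Account | Sort-Object -Unique) -join ','
                Targets   = ($_.Group.Target  | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample: a trimmed 4625 shape (real events carry many more Data fields)
function New-SampleFailure($computer, $user, $ip) {
    "<Event><System><Computer>$computer</Computer></System><EventData>" +
    "<Data Name='TargetUserName'>$user</Data><Data Name='IpAddress'>$ip</Data></EventData></Event>"
}
$sample = @(1..25 | ForEach-Object { New-SampleFailure 'srv01' "user$_" '10.0.0.99' }) +
          @(New-SampleFailure 'srv02' 'alice' '10.0.0.7')

# Only 10.0.0.99 (25 attempts against 25 different accounts, a spray pattern) crosses the threshold
Get-LogonFailureBursts -EventXml $sample | Format-Table
```

The Accounts column is what separates a password spray (many accounts, one source) from a single stuck service account; 1102 from the same table should be alerted on individually rather than counted.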

Best Practices

  • Increase ForwardedEvents log size to at least 4GB for busy environments
  • Filter at the source: Only forward important events to reduce noise and bandwidth
  • Use source-initiated subscriptions — they scale better than collector-initiated
  • Monitor subscription health: Check wecutil gr regularly for disconnected sources
  • Archive forwarded events to a SIEM or log management solution for long-term retention
  • Enable command-line logging (Event ID 4688 with process creation detail) for security investigations
