Centralize Windows Event Logs with Windows Event Forwarding (WEF) on Windows 10/11


Difficulty: Intermediate | Time Required: 30-45 minutes
Introduction
Windows Event Forwarding (WEF) lets you gather event logs from multiple machines into a single centralized “collector” computer. This simplifies monitoring, auditing, and troubleshooting by giving you a single, searchable location for critical events from servers, workstations, and clients. It works well for security monitoring, incident response, and IT operations without needing third-party tools.
Prerequisites
  • Collector machine: Windows 10/11 Pro or Enterprise (Windows Server is fine too). Home editions typically don’t support WEF.
  • Source machines: Windows 10/11 Pro or Enterprise (Enterprise recommended for large deployments). Domain membership is helpful but not strictly required.
  • Administrative privileges on both collector and source machines.
  • Network connectivity: source computers can reach the collector on the required ports.
  • Firewall permissions: allow Windows Remote Management (WinRM) and WEF inbound traffic as needed.
  • Optional but recommended: time-synced machines (time drift can break Kerberos authentication and HTTPS certificate validation).
What you’ll achieve
  • All forwarded events land in the collector’s Forwarded Events log.
  • You can filter what gets forwarded (log name, event IDs, sources) to reduce noise.
  • You gain a centralized place to search, alert, and report on events.
Detailed step-by-step instructions
1) Prepare the collector: enable and start Windows Event Collector
  • On the collector computer, open PowerShell as Administrator.
  • Enable the WEF service and set it to start automatically:
    • Set-Service -Name WecSvc -StartupType Automatic
    • Start-Service -Name WecSvc
  • Open firewall for WEF traffic (HTTP port 5985; HTTPS 5986 if you plan to use TLS):
    • New-NetFirewallRule -DisplayName "WEF_HTTP_5985" -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow
    • Optional (HTTPS): New-NetFirewallRule -DisplayName "WEF_HTTPS_5986" -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow
  • Confirm the WEC service is running:
    • Get-Service WecSvc
2) Create a subscription on the collector
  • Open Event Viewer on the collector: type “Event Viewer” in Start, then run as Administrator.
  • Navigate to Applications and Services Logs > Microsoft > Windows > Event Collector (optional) or directly to Event Viewer (Custom Views) > Subscriptions.
  • Create a new subscription:
    • Name: ForwardedEvents (or any descriptive name)
    • Type: Source computer initiated (recommended for simplicity). Note: Collector initiated is also possible, but Source computer initiated is the common default for pushing events from sources.
    • Event delivery optimization: choose Normal or Minimize Bandwidth depending on your network.
    • Select Events to Forward: Forwarded Events (the log where forwarded events appear on the collector by default). You can filter for specific logs or IDs if you want to limit what’s forwarded.
    • Add Computers: specify the source computers or security groups (Domain case) that will forward events.
  • Finish the wizard. The collector is now prepared to receive events from the listed sources.
3) Prepare the source computers: enable WinRM and ensure connectivity
  • On each source computer, ensure WinRM is configured and running:
    • Open PowerShell as Administrator and run: Enable-PSRemoting -Force
  • Ensure firewall rules allow WinRM traffic (HTTP 5985, HTTPS 5986), or rely on the existing Windows Defender Firewall rules installed by Enable-PSRemoting.
  • Test connectivity from source to collector:
    • Test-NetConnection -ComputerName collector_name -Port 5985 (TcpTestSucceeded should read True)
    • If you use HTTPS (5986), ensure a valid certificate is present on both ends and the port is reachable.
4) Point source computers to the collector (Configure target Subscription Manager)
  • The source computers need to know where to send events. Use Group Policy or a local policy to set the Subscription Manager.
  • Method A: Group Policy (recommended for multiple machines)
    • Open Group Policy Management Console (gpmc.msc) on your domain controller.
    • Create or edit a GPO applied to the source computers.
    • Navigate to Computer Configuration > Administrative Templates > Windows Components > Event Forwarding.
    • Enable “Configure target Subscription Manager” and enter:
    • Subscription Manager: http://<CollectorName>:5985/wsman/SubscriptionManager/WEC
    • If you plan to use HTTPS, enter: https://<CollectorName>:5986/wsman/SubscriptionManager/WEC
    • Certificate Thumbprint: leave blank for HTTP; configure certificate-based HTTPS if you’re using TLS.
    • Apply and close.
    • Force policy update on clients (or wait for the next policy refresh): gpupdate /force
  • Method B: Local policy (single machine or non-domain environments)
    • Run gpedit.msc on the source machine.
    • Follow the same path as above and configure the Subscription Manager value.
  • Optional: you can also configure authentication and TLS settings if you go HTTPS (you’ll need a valid certificate on both sides).
5) Force forwarding and verify on a test machine
  • On a source machine, you can trigger a test event (Application log) to ensure it’s being forwarded:
    • Use PowerShell to write an event. Register the event source once first, because Write-EventLog fails if the source is unknown: New-EventLog -LogName Application -Source "WEF-Test" and then Write-EventLog -LogName Application -Source "WEF-Test" -EventId 1000 -Message "WEF test event"
  • On the collector, open Event Viewer and go to the Forwarded Events log to verify that the test event appeared.
  • If you don’t see events, verify:
    • WEC service is running on the collector (WecSvc)
    • The source has the correct Subscription Manager URL and can reach the collector (network/firewall)
    • The Event Forwarding subscription on the collector includes the source computer(s)
6) Fine-tune the subscription (filters and logs)
  • In the collector’s Subscription, you can filter:
    • Logs: System, Security, Application, or Forwarded Events
    • Event IDs: e.g., 4624 (logon), 5145 (network share access), 6005/6006 (Event log startup/shutdown), etc.
  • Consider collecting only the logs you need to reduce bandwidth and storage: choose specific logs and event IDs rather than all events.
  • For large environments, enable CPU/memory throttling and consider delivery optimization to balance network usage.
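The subscription from steps 2 and 6 can also be defined as XML and registered from the command line, which is easier to reproduce and version than the wizard. This is an added example, not part of the original tutorial; the subscription name, the event-ID filter and the MinBandwidth mode are assumptions chosen to mirror the settings above.

```powershell
# Added example (not from the original tutorial): define a source-initiated
# subscription as XML and register it with wecutil on the collector. Run in an
# elevated PowerShell on the collector. The subscription name and the event-ID
# filter below are illustrative choices, not values from the tutorial's wizard.
$subscriptionName = "ForwardedEvents"

# Forward only the logs/IDs the tutorial lists: logons (4624), share access
# (5145), event-log service start/stop (6005/6006). Everything else stays local.
$query = @'
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4624 or EventID=5145)]]</Select>
    <Select Path="System">*[System[(EventID=6005 or EventID=6006)]]</Select>
  </Query>
</QueryList>
'@

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon, share-access and event-log service events from sources</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- MinBandwidth is the wizard's "Minimize Bandwidth"; Normal is the default mode -->
  <ConfigurationMode>MinBandwidth</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: only Domain Computers (DC) and Network Service (NS) may push events -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP "$subscriptionName.xml"
Set-Content -Path $path -Value $xml -Encoding UTF8

wecutil qc /q                  # quick-config WecSvc (same as step 1, non-interactive)
wecutil cs $path               # create the subscription from the XML file
wecutil gs $subscriptionName   # show the stored definition
wecutil gr $subscriptionName   # runtime status: active sources and last error per source
```

The `wecutil gr` output is the quickest way to see which sources have checked in and which reported an error, so keep the subscription name handy for step 5.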
7) Optional security and maintenance practices
  • Use HTTPS for encryption (avoid plain HTTP in untrusted networks) and deploy a certificate on the collector and clients.
  • Limit subscriptions and scope to necessary machines and event types to reduce risk and noise.
  • Time synchronization matters: ensure all machines are time-synced (Kerberos and log timestamps rely on synchronized clocks).
  • Regularly rotate collector storage if you keep many events long-term (offload or archive Forwarded Events periodically).
Tips and troubleshooting notes
  • If events don’t appear on the collector:
    • Check WEC service status (WecSvc) and Event Viewer for subscription errors.
    • Verify the collector can be reached from sources (Test-NetConnection or ping can help; confirm DNS resolution).
    • Confirm firewall rules on both sides permit 5985/5986 traffic.
  • If the source machines can’t reach the collector:
    • Ensure there are no domain group policy conflicts and that the Subscription Manager value is correct.
    • Verify WinRM listener configuration and certificates if using HTTPS.
  • For domain-joined environments, Group Policy is the simplest way to push the Subscription Manager and keep settings consistent.
  • If you see “Access is denied” or authentication errors, check that both machines trust each other (domain trust, Kerberos) and that you’re using an account with appropriate privileges.
  • To inspect what’s being forwarded, on the collector run: Get-WinEvent -LogName ForwardedEvents -MaxEvents 100
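The source-side checks in the list above, collected into one script. This is an added example, not from the original tutorial; the function name Test-WefSource is an assumption, and the Event Log Readers check matters only when the Security log is among the forwarded logs.

```powershell
# Added example (not from the original tutorial): a source-side health check for
# the items in the troubleshooting list above. Run in an elevated PowerShell on
# a source computer. The function name is an assumption; it reads only local state.
function Test-WefSource {
    # 1) The policy value that "Configure target Subscription Manager" writes.
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
    $managers = @()
    if (Test-Path $key) {
        $managers = (Get-ItemProperty $key).PSObject.Properties |
            Where-Object Name -match '^\d+$' | ForEach-Object Value
    }
    if (-not $managers) { Write-Warning "No Subscription Manager policy applied; run gpupdate /force" }
    foreach ($m in $managers) {
        Write-Host "Subscription Manager: $m"
        # Entry format: Server=http://collector:5985/wsman/SubscriptionManager/WEC,Refresh=60
        if ($m -match 'Server=https?://([^:/,]+):(\d+)') {
            $collector = $Matches[1]; $port = [int]$Matches[2]
            $r = Test-NetConnection -ComputerName $collector -Port $port -WarningAction SilentlyContinue
            Write-Host ("  collector {0} reachable on port {1}: {2}" -f $collector, $port, $r.TcpTestSucceeded)
        }
    }

    # 2) The forwarder pushes events through the WinRM client, so WinRM must be running.
    Write-Host "WinRM service: $((Get-Service WinRM).Status)"

    # 3) Forwarding the Security log requires NETWORK SERVICE in Event Log Readers
    #    (the forwarder runs as Network Service and must be able to read that log).
    $readers = Get-LocalGroupMember -Group "Event Log Readers" -ErrorAction SilentlyContinue
    $canReadSecurity = @($readers).Name -contains "NT AUTHORITY\NETWORK SERVICE"
    Write-Host "NETWORK SERVICE in Event Log Readers: $canReadSecurity"

    # 4) Source-side errors (access denied, bad certificate, unreachable collector)
    #    are logged by the forwarding plug-in, not in the Application log.
    Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-Forwarding/Operational'; Level = 2, 3} `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}

Test-WefSource
```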
Conclusion
WEF is a lightweight, built-in solution for centralizing Windows event logs, offering faster incident response, simpler compliance reporting, and better visibility across machines. With a properly configured collector and client subscriptions, you’ll have a reliable stream of important events in one place, ready for search, alerting, and long-term retention.
Key Takeaways:
  • Centralized visibility: all important events converge in the collector’s Forwarded Events log for easier monitoring.
  • Scalable setup: start with a small set of source machines and logs, then expand to larger deployments with Group Policy.
  • Flexible filtering: tailor which logs and event IDs are forwarded to minimize noise and bandwidth.
  • Security-first approach: use HTTPS where possible, limit who can forward, and keep time synchronized.

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.
 
