Windows Event forwarding requires the setup of forwarding computers and a collecting computer as we have seen in Managing Windows Events. In this post we start by setting up a typical forwarding computer and proceed to the collecting computer setup in another post. Let’s assume that we are collecting events from a Windows 2008 server named Win2k8Web, hence our first forwarding computer is Win2k8Web.
To set up the forwarding computer follow these steps:
- We need to configure the Windows Remote Management service first. Log on to Win2k8Web, open an elevated command prompt and type: winrm quickconfig
Type Y to the requested changes. These depend on the current configuration but WinRM would need:
- To start the WinRM service and set it to auto-start.
- To grant administrative rights when the computer is not part of a domain
- To allow remote access
- To create a WinRM listener on HTTP://* to accept WS-Man requests by creating a firewall exception – Note, this firewall exception does not apply to Public networks.
- Next, we need to add the computer account of the collecting computer to the local Event Log Readers group. Assuming that the collecting computer (my admin workstation in the domain env1.testlab) is named env1client01, then at an elevated command prompt on Win2k8Web type: net localgroup "Event Log Readers" [email protected] /add
In the above procedure we have configured the Win2k8Web host as a forwarding computer where it allows the collecting computer env1client001 to have remote access and collect events. In the post to follow, we will configure the collecting computer.