Configuring centralized receipt of events from Windows devices using the Windows Event Collector service
The Windows Event Collector service allows you to centrally receive data about events on servers and workstations running Windows. You can use the Windows Event Collector service to subscribe to events that are registered on remote devices.
You can configure the following types of event subscriptions:
- Source-initiated subscriptions. Remote devices send event data to the Windows Event Collector server whose address is specified in the group policy. For details on the subscription configuration procedure, please refer to the Configuring data transfer from the event source server section.
- Collector-initiated subscriptions. The Windows Event Collector server connects to remote devices and independently gathers events from local logs. For details on the subscription configuration procedure, please refer to the Configuring the Windows Event Collector service section.
Configuring data transfer from the event source server
You can receive information about events on servers and workstations by configuring data transfer from remote devices to the Windows Event Collector server.
Preliminary steps
- Verify that the Windows Remote Management service is configured on the event source server by running the following command in the PowerShell console:
winrm get winrm/config
If the Windows Remote Management service is not configured, initialize it by running the following command:
winrm quickconfig
- If the event source server is a domain controller, make the Windows logs available over the network by running the following command in PowerShell as an administrator:
wevtutil set-log security /ca:'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'
Verify access by running the following command:
wevtutil get-log security
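The two checks above can be scripted so that the result is a pass/fail report rather than raw command output. The script below is an added example, not part of the original page; it only reads configuration (it never calls winrm quickconfig or wevtutil set-log), and it assumes the SIDs from the wevtutil command above (S-1-5-32-573 for Event Log Readers, S-1-5-20 for Network Service) are the ones you want to see in the Security log's channel access. Run it in an elevated PowerShell session on the event source server.

```powershell
# Added example: read-only check of the event source prerequisites.
# Assumptions: default WSMan listener location; the SIDs checked are the ones the
# page's wevtutil set-log command grants read access to.

$report = [ordered]@{}

# 1. WinRM service and listener (both are created by "winrm quickconfig")
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$report['WinRM service running']     = [bool]($svc -and $svc.Status -eq 'Running')
$listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
$report['WinRM listener configured'] = [bool]($listeners -and $listeners.Count -gt 0)

# 2. Security log channel access: the "channelAccess:" line of wevtutil get-log is an SDDL
#    string; the forwarder runs as Network Service, so it needs read (0x1) on the channel.
$line = wevtutil get-log security | Select-String '^channelAccess:' | Select-Object -First 1
$sddl = if ($line) { $line.Line -replace '^channelAccess:\s*', '' } else { '' }
$report['Security log channelAccess SDDL']            = $sddl
$report['Event Log Readers (S-1-5-32-573) can read']  = [bool]($sddl -match 'S-1-5-32-573')
$report['Network Service (S-1-5-20) can read']        = [bool]($sddl -match 'S-1-5-20')

# 3. The SDDL step on this page applies only to domain controllers (DomainRole 4 or 5)
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$report['Is domain controller'] = ($role -ge 4)

# Anything that is $false here points at the step above that still has to be done
[PSCustomObject]$report | Format-List
```

If the host is a domain controller and either SID line reports False, the wevtutil set-log command above has not been applied (or has been overwritten by group policy); rerun wevtutil get-log security afterwards to confirm the new SDDL is in place.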
Configuring the firewall on the event source server
To enable the Windows Event Collector server to receive Windows log entries, inbound connection ports must be opened on the event source server.
To open ports for inbound connections:
- On the event source server, open the Run window by pressing the key combination Win+R.
- In the opened window, type wf.msc and click OK.
The Windows Defender Firewall with Advanced Security window opens.
- Go to the Inbound Rules section and click New Rule in the Actions pane.
The New Inbound Rule Wizard opens.
- At the Rule type step, select Port.
- At the Protocols and ports step, select TCP as the protocol. In the Specific local ports field, indicate the relevant port numbers:
- 5985 (for HTTP access)
- 5986 (for HTTPS access)
You can indicate one of the ports, or both.
- At the Action step, select Allow connection (selected by default).
- At the Profile step, clear the Private and Public check boxes.
- At the Name step, specify a name for the new inbound connection rule and click Done.
Configuration of data transfer from the event source server is complete.
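The wizard steps above can also be performed with the NetSecurity cmdlets, which makes the rule reproducible across many event source servers and lets you audit what is actually exposed. The script below is an added example, not from the original page. It assumes a placeholder rule name and a placeholder collector address (192.0.2.10, a documentation address); restricting the rule to the collector's address is tighter than the wizard procedure, which only limits the profile.

```powershell
# Added example: create the inbound WinRM rule from the procedure above, then audit it.
# Run in an elevated PowerShell session on the event source server.
$RuleName  = 'Allow WinRM inbound from Windows Event Collector'   # hypothetical rule name
$Collector = '192.0.2.10'                                         # placeholder collector address

# Idempotent: skip creation if a rule with this name already exists
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    $ruleParams = @{
        DisplayName   = $RuleName
        Direction     = 'Inbound'
        Action        = 'Allow'                # "Allow connection" in the wizard
        Protocol      = 'TCP'
        LocalPort     = @('5985', '5986')      # 5985 = WinRM over HTTP, 5986 = WinRM over HTTPS
        Profile       = 'Domain'               # Private and Public cleared, as in the wizard
        RemoteAddress = $Collector             # only the collector may connect (not in the wizard)
    }
    New-NetFirewallRule @ruleParams | Out-Null
}

# Audit: every enabled inbound allow rule that opens 5985 or 5986, with its profile and scope.
# A rule whose RemoteAddress is "Any" or whose Profile includes Public deserves a second look.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and
                   ($_.LocalPort -contains '5985' -or $_.LocalPort -contains '5986') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [PSCustomObject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = $scope }
    } | Format-Table -AutoSize
```

Only one of the two ports is needed in practice: open 5985 if the subscription uses the HTTP transport and 5986 if it uses HTTPS, and remove the other from LocalPort.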
The Windows Event Collector server must have the permissions to read Windows logs on the event source server. These permissions can be assigned to both the Windows Event Collector server account and to a special user account. For details on granting permissions, please refer to the Granting user permissions to view the Windows Event Log section.
Configuring the Windows Event Collector service
The Windows Event Collector server can independently connect to devices and gather data on events of any severity.
To configure the receipt of event data by the Windows Event Collector server:
- On the event source server, open the Run window by pressing Win+R.
- In the opened window, type services.msc and click OK.
The Services window opens.
- In the list of services, find and start the Windows Event Collector service.
- Open the Event Viewer snap-in by doing the following:
- Open the Run window by pressing the key combination Win+R.
- In the opened window, type eventvwr and click OK.
- Go to the Subscriptions section and click Create Subscription in the Actions pane.
- In the opened Subscription Properties window, specify the name and description of the subscription, and define the following settings:
- In the Destination log field, select Forwarded events from the list.
- In the Subscription type and source computers section, click the Select computers button.
- In the opened Computers window, click the Add domain computer button.
The Select computer window opens.
- In the Enter the object names to select (examples) field, list the names of the devices from which you want to receive event information. Click OK.
- In the Computers window, check the list of devices from which the Windows Event Collector server will gather event data and click OK.
- In the Subscription properties window, in the Collected events field, click the Select events button.
- In the opened Request filter window, specify how often and which data about events on devices you want to receive.
- If necessary, in the <All event codes> field, list the codes of the events whose information you want to receive or do not want to receive. Click OK.
- If you want to use a special account to view event data, do the following:
- In the Subscription properties window, click the Advanced button.
- In the opened Advanced subscription settings window, in the user account settings, select Specific user.
- Click the User and password button and enter the account credentials of the selected user.
Configuration of the Event Collector Service is complete.
To verify that the configuration is correct and event data is being received by the Windows Event Collector server:
In the Event Viewer snap-in, go to Event Viewer (Local) → Windows logs → Forwarded events.
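The same collector-initiated subscription can be created with wecutil from a subscription definition file, which is easier to review and version than the Event Viewer dialogs. The script below is an added example, not part of the original page or of any product described on it. It assumes placeholder values for the subscription name, the source server names and the event ID filter, uses the Windows Event Collector service name wecsvc, and must be run in an elevated PowerShell session on the Windows Event Collector server.

```powershell
# Added example: create and verify a collector-initiated subscription with wecutil.
# Assumptions: subscription name, source hosts and the event filter are placeholders.
$SubName = 'DC-Security-Logons'                           # hypothetical subscription name
$Sources = @('DC01.corp.example', 'DC02.corp.example')    # placeholder event source servers
$Query   = '*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]'  # logon success/failure, special privileges

# 1. Start the Windows Event Collector service (step "find and start the service" above)
Set-Service -Name wecsvc -StartupType Automatic
Start-Service -Name wecsvc

# 2. Subscription definition in the wecutil schema: destination log ForwardedEvents,
#    collector-initiated, default (machine) credentials, one EventSource per host
$sourceXml = ($Sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Security logon events from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">$Query</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@
$path = Join-Path -Path $env:TEMP -ChildPath "$SubName.xml"
Set-Content -Path $path -Value $xml -Encoding UTF8

# 3. Create the subscription (wecutil cs = create-subscription)
wecutil cs $path

# Optional: bind a dedicated low-privilege read account, the "Specific user" option in the
# Advanced subscription settings dialog. /cup takes plain text, so read it interactively
# rather than hard-coding it in the script.
# $cred = Get-Credential -Message 'Account with read access to the source Security logs'
# wecutil ss $SubName /cun:$($cred.UserName) /cup:$($cred.GetNetworkCredential().Password)

# 4. Verify: per-source runtime status, then the newest events in Forwarded Events
wecutil gr $SubName
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, ProviderName | Format-Table -AutoSize
```

wecutil gr reports each source as Active, Trying, Disabled or Inactive together with the last error; a source stuck in Trying almost always means the firewall rule or the log read permission on that source has not been set up as described in the previous section.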