Cyber Security

Active Directory: Configuring Event Log Subscriptions (Forwarding)

Event Viewer enables you to view events and logs on your computer. And troubleshooting an issue might require to view log files from other remote computers. Event Log Subscriptions comes into play … Subscription enables you to save events from remote computers. In this article I am going to configure a collector and a target system.

Suppose you want to collect event log events from your domain controller on your client computer. Therefore your client computer is the collector und your domain controller is the target.

Client Computer (Collector)

Log on to your client computer (Windows Vista and above) with an account which is member of the domain admins group. Open Windows PowerShell and type wecutil qc. Hit enter.

wecutil qc


This will start the Event Collector Service.

Server Computer (Target System)

On Windows Server 2012 and 2016 Remote Management is enabled by default. Just to make sure it’s enabled, type

Configure-SMRemoting.exe -GET


If Remoting is not enabled you can simply enable it by running

Configure-SMRemoting.exe -ENABLE


Before we go to the next step open Server-Manager and make sure Remote Management is set to Enabled.


Now we have to add the collector’s computer account to the server’s Event Log Reader Group. You can do it either in cmd or PowerShell.

Add-ADGroupMember -Identity "Event Log Readers" -Members "client01$"


net localgroup "Event Log Readers" sid-500\client01$ /add


This will add client01 to the Event Log Readers Group. We are now ready to configure the main part.

Configuring Event Log Subscriptions

Log on to your collector computer (Windows 10). Open Event Viewer (eventvwr). Click Subscriptions and select Create Subscription.


Enter a Subscription Name and click on Select Computers.


Click Add Domain Computers and type the computer name of your target system. It makes sense to test the connection before continue.



Next click Select Events.


Define a Query Filter. Select the events you want to collect.


Click OK.

Testing the functionality of Event Log Subscriptions

Wait a few minutes and do something on your target system. For example, restart the computer to trigger event log entries. Then go back to your client system and click on Windows Logs. Select Forwarding Events and review the logs of your target computer.


Nice. This completes the forwarding configuration.

Configure Advanced Settings

But there’s more. You can configure Bandwith, Latency and more … Go back to your recently configured subscription and double-click on it. Select Advanced.


Pay attention to the Event Delivery Optimization.


Using normal mode 5 items at a time are delivered. It’s a bit tricky to find a suitable setting that meets your requirement. I recommend reading the Official Microsoft article:

Have fun playing with Event Log Subscriptions!

4 replies »

  1. Hi Patrick,
    Thank you for your interesteing blog, just a short question, how can I send emails from subscriptions when some Event Log ocurr?


  2. How does one configure server core as an event collector? Or, put another way; how do I configure an event log subscription in powershell?
    I’ve been asked to forward all domain server security logs to a central collector machine, and the boss wants the collector machine as server core 2019.


  3. I know this is a few years old, but i have a question.
    Is there any way to script the computer names into the subscription on the WEF server itself?
    We want to create an automated process that adds computers to those without having to do it manually.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.