Event Viewer lets you view events and logs on your computer. Troubleshooting an issue, however, might require viewing log files from other, remote computers. This is where Event Log Subscriptions come into play: a subscription lets you collect events from remote computers and store them on your own computer. In this article I am going to configure a collector and a target system.
Suppose you want to collect event log entries from your domain controller on your client computer. Your client computer is then the collector and your domain controller is the target.
Client Computer (Collector)
Log on to your client computer (Windows Vista or later) with an account that is a member of the Domain Admins group. Open Windows PowerShell, type wecutil qc and hit Enter.
This will start the Event Collector Service.
Server Computer (Target System)
On Windows Server 2012 and 2016, Remote Management is enabled by default. To make sure it is enabled, type
If remoting is not enabled, you can simply enable it by running
Before you go on to the next step, open Server Manager and make sure Remote Management is set to Enabled.
Now we have to add the collector's computer account to the server's Event Log Readers group. You can do this either in cmd or in PowerShell.
Add-ADGroupMember -Identity "Event Log Readers" -Members "client01$"
net localgroup "Event Log Readers" sid-500\client01$ /add
This adds client01 to the Event Log Readers group. We are now ready to configure the main part.
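The steps above leave two things that are easy to get wrong: remoting must actually be listening on the target, and it must be the collector's computer account (not a user) that sits in Event Log Readers. The following PowerShell is an added example and not part of the original article. It assumes the domain name sid-500 and the collector name client01 used above, a hypothetical target domain controller named dc01 with the FQDN dc01.sid-500.local, and that the first part runs elevated on the target while the second part runs on the collector.

```powershell
# Added example (not from the original article).
# Assumptions: domain "sid-500" and collector "client01" from the article,
# hypothetical target DC "dc01" / FQDN "dc01.sid-500.local".

# --- Part 1: run elevated on the target (dc01) ---

# WinRM must be running, otherwise the collector cannot reach the Event Log
# WS-Management endpoint on the target.
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running') {
    Write-Warning 'WinRM is not running on this host; enable remoting before continuing.'
} else {
    # List the listeners WinRM currently has (expect at least one HTTP listener).
    Get-ChildItem -Path WSMan:\localhost\Listener | Select-Object Name, Keys
}

# The collector's *computer* account (SAM name ends with $) must be a member of
# Event Log Readers; a user account in that group does not help the subscription.
# On a domain controller this group is a Builtin domain group, so the AD cmdlets
# are used here (same effect as the Add-ADGroupMember line in the article).
$members = Get-ADGroupMember -Identity 'Event Log Readers' |
           Select-Object -ExpandProperty SamAccountName
if ($members -contains 'client01$') {
    'client01$ is already a member of Event Log Readers.'
} else {
    Add-ADGroupMember -Identity 'Event Log Readers' -Members 'client01$'
    'Added client01$ to Event Log Readers.'
}

# --- Part 2: run on the collector (client01) ---

# The Windows Event Collector service (Wecsvc) is what "wecutil qc" configures;
# it must be running and should be set to start automatically.
Get-Service -Name Wecsvc | Select-Object Name, Status, StartType

# Confirm that WS-Management on the target answers before creating a subscription.
# Test-WSMan throws (and stops the script) if the target is unreachable.
Test-WSMan -ComputerName 'dc01.sid-500.local' -ErrorAction Stop
```

If Test-WSMan fails, fix connectivity or the WinRM listener on the target first; a subscription created against an unreachable source simply stays empty, and the error only shows up later in the subscription's runtime status.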
Configuring Event Log Subscriptions
Log on to your collector computer (Windows 10). Open Event Viewer (eventvwr), click Subscriptions and select Create Subscription.
Enter a Subscription Name and click on Select Computers.
Click Add Domain Computers and type the computer name of your target system. It makes sense to test the connection before you continue.
Next click Select Events.
Define a Query Filter and select the events you want to collect.
Testing the functionality of Event Log Subscriptions
Wait a few minutes, then do something on your target system, for example restart it, to trigger event log entries. Then go back to your client system and click Windows Logs. Select Forwarded Events and review the logs of your target computer.
Nice. This completes the forwarding configuration.
Configure Advanced Settings
But there's more. You can configure bandwidth, latency and more. Go back to your recently configured subscription, double-click it and select Advanced.
Pay attention to the Event Delivery Optimization.
In Normal mode, 5 items at a time are delivered. It's a bit tricky to find a setting that meets your requirements. I recommend reading the official Microsoft article:
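Everything configured through the wizard and the Advanced dialog above (query filter, target computer, delivery optimization) is stored as subscription XML that wecutil can create and inspect directly, which is handy when you want to repeat the setup on several collectors or keep the query under version control. The script below is an added example and not part of the original article. It assumes the hypothetical target FQDN dc01.sid-500.local, a subscription name of my choosing, a query for logon success and failure events (Security log, event IDs 4624 and 4625) as the filter, that it runs elevated on the collector after wecutil qc, and that the element names follow the subscription schema as wecutil gs -f:xml prints it.

```powershell
# Added example (not from the original article).
# Assumptions: target DC FQDN "dc01.sid-500.local" (hypothetical), run elevated
# on the collector after "wecutil qc" has been executed.

$subscriptionName = 'DC01-Logons'
$target           = 'dc01.sid-500.local'

# Query filter in the same XPath form the Event Viewer "XML" tab shows:
# successful (4624) and failed (4625) logons from the target's Security log.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
  </Query>
</QueryList>
'@

# ConfigurationMode "Custom" exposes the batching values behind
# "Event Delivery Optimization". The values used here mirror Normal mode:
# push delivery, 5 items per batch, 15 minutes (900000 ms) maximum latency.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon events pulled from $target</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$target</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

# Write the XML and create the subscription from it.
$path = Join-Path -Path $env:TEMP -ChildPath "$subscriptionName.xml"
$xml | Set-Content -Path $path -Encoding UTF8
wecutil cs $path

# Runtime status per event source: shows "Active" or the last error if the
# collector could not connect to the target (for example, a missing group
# membership or a WinRM listener that is not reachable).
wecutil gr $subscriptionName

# Once events start arriving, review them per source machine. The log is
# empty right after creation, so suppress the "no events" error.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName |
    Format-Table -AutoSize
```

To see the exact XML the wizard produced for the subscription you created above, run wecutil gs with the subscription name and -f:xml; to change only the delivery behaviour later, edit the Delivery section and apply it again with wecutil ss. Lowering MaxLatencyTime reduces the delay before a logon event shows up on the collector at the cost of more frequent connections, which is exactly the trade-off the Advanced dialog describes.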
Have fun playing with Event Log Subscriptions!