Windows Event Collector Sensor App Log Forwarding

Microsoft Windows Event Forwarding (WEF) reads any operational or administrative event log on a device and forwards the events you choose to the Windows Event Collector (WEC) sensor app. On the device that you set up as a Windows Event Log collector, you configure subscriptions that pull the desired logs from any number of source computers. No special configuration is required on the source computers other than the following: Windows Remote Management (WinRM) must be enabled, the WinRM Windows Firewall exceptions must be enabled, and the computer account of the collector must have read permission on the logs that you want to subscribe to.

Set Up Windows Event Forwarding

USM Anywhere provides the log forwarding policy that you use to set up WEF on your Windows Server.

To get the USM Anywhere log forwarding policy

  1. In USM Anywhere, go to Data Sources > Sensors.
  2. Click the Sensor Apps tab.
  3. In the left navigation list, select Windows Event Collector.
  4. Select the USM Anywhere Sensor where you enabled the WEC sensor app.
  5. Copy the policy from the field labeled Log Forwarding Policy. You will use this in the next procedure to configure the policy on your Windows Server. The policy follows this pattern:

    Server=https://<FQDN_of_the_collector>:5987/wsman/SubscriptionManager/WEC,Refresh=<REFRESH_INTERVAL_IN_SECONDS>,IssuerCA=<CERTIFICATE_THUMBPRINT>

To configure the policy on your Windows Server

  1. On the Windows Server, go to the Control Panel and open the Local Group Policy Editor.
  2. Select Computer Configuration > Administrative Templates > Windows Components > Event Forwarding, and then click Configure Target Subscription Manager.
  3. Click the Edit policy setting link.
  4. In the Configure Target Subscription Manager window, make sure that the subscription is marked as Enabled.
  5. In the Options section of the window, click Show to open the subscription managers.
  6. In the new Show Contents window, paste the policy that you copied from USM Anywhere in the previous procedure into the new subscription Value field.
  7. Click OK and close the Local Group Policy Editor.
  8. Open a command prompt and apply the new configuration by entering this command:

    gpupdate /force
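The following PowerShell script is an added example, not part of the USM Anywhere documentation or product. It performs the same configuration as steps 1 through 8 above from an elevated PowerShell prompt: it checks the WinRM prerequisites named in the introduction, writes the subscription manager entry to the registry location that the Configure Target Subscription Manager policy uses, and runs gpupdate /force. The policy string in the default parameter is a constructed placeholder; replace it with the value you copied from the Log Forwarding Policy field. The firewall rule group name assumes an English-language Windows installation.

```powershell
# Added example (not from the USM Anywhere documentation). Applies the
# "Configure target Subscription Manager" setting without the GPO editor.
#Requires -RunAsAdministrator

param(
    # Constructed placeholder; paste the real Log Forwarding Policy here.
    [string]$Policy = 'Server=https://wec-sensor.example.local:5987/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=0000000000000000000000000000000000000000'
)

# 1. Check the string against the documented Server=...,Refresh=...,IssuerCA=...
#    pattern before writing it, so a truncated copy and paste is caught early.
$pattern = '^Server=https://[^,]+:5987/wsman/SubscriptionManager/WEC,Refresh=\d+,IssuerCA=[0-9A-Fa-f]{40}$'
if ($Policy -notmatch $pattern) {
    throw "Policy string does not match the expected pattern: $Policy"
}

# 2. Prerequisites from the introduction: WinRM running and its firewall
#    exceptions enabled. (Assumes the built-in 'Windows Remote Management'
#    rule group; the display group name differs on localized systems.)
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running') {
    Write-Warning "WinRM service is $($winrm.Status); enabling it with 'winrm quickconfig'."
    winrm quickconfig -q | Out-Null
}
$fwRules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
if (-not $fwRules -or ($fwRules | Where-Object { $_.Enabled -eq 'True' }).Count -eq 0) {
    Write-Warning 'No enabled WinRM firewall rules found; enabling the rule group.'
    Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
}

# 3. Write the subscription manager entry. This is the registry key the Event
#    Forwarding policy writes to; each row of the Show Contents dialog is stored
#    as a REG_SZ value named "1", "2", and so on.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name '1' -Value $Policy -PropertyType String -Force | Out-Null

# 4. Apply the policy (the equivalent of step 8) and read the value back.
gpupdate /force | Out-Null
$applied = (Get-ItemProperty -Path $key).'1'
if ($applied -ne $Policy) { throw 'Subscription manager value was not applied.' }
Write-Host "Subscription manager configured: $applied"
```

Run the script once per Windows Server that should forward events. Writing the value under the Policies key has the same effect as the GPO dialog, but if the server also receives a domain-level Event Forwarding policy, the domain setting takes precedence at the next refresh, so check the readback line after gpupdate rather than assuming the local value stayed in place.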

Verify the Windows Event Log Collection

You can verify that your Windows Event Log collection configurations are correct by reviewing the event logs.

To review the Windows Event Logs

  1. On the Windows Server, open the Event Viewer.
  2. Go to Applications and Services Logs > Microsoft > Windows > Eventlog-ForwardingPlugin and check for any errors.

    You might see warnings if there are any paths that are not configured on your Windows Servers.

If the Windows Event Log collection configuration is without errors or warnings, you can view the events in the USM Anywhere Events List View page.
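The following PowerShell script is an added example, not part of the USM Anywhere documentation. It reads the same Eventlog-ForwardingPlugin log that the verification steps above open in Event Viewer and summarizes the errors and warnings from a chosen time window, grouped by event ID, so a repeated failure to reach the collector shows up as one line instead of many. The log name is the standard operational channel for that plugin; the 24-hour window is an assumed default.

```powershell
# Added example (not from the USM Anywhere documentation). Summarizes recent
# problems reported by the Windows Event Forwarding client on this server.

param(
    # Assumed default: look back 24 hours.
    [int]$Hours = 24
)

# Operational channel behind Applications and Services Logs > Microsoft >
# Windows > Eventlog-ForwardingPlugin in Event Viewer.
$logName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
$since   = (Get-Date).AddHours(-$Hours)

# Level 2 = Error, 3 = Warning in the Windows event log level scheme.
$filter   = @{ LogName = $logName; Level = 2, 3; StartTime = $since }
$problems = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $problems) {
    Write-Host "No errors or warnings in $logName since $since."
    return
}

# Group by event ID so repeated occurrences of the same fault collapse into one
# row, and keep the first line of the newest message as the description.
$problems |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $latest = $_.Group | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId  = $_.Name
            Level    = $latest.LevelDisplayName
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Message  = ($latest.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize -Wrap
```

Warnings about log paths that are not present on the server (the case noted in the verification steps) will appear in this output as well; they can be left alone as long as no error rows remain and the events arrive in the USM Anywhere Events List View page.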