Windows Server – Centralizing Event Logs with WEF

Last updated on October 6th, 2019 at 02:55 pm

  1. Deploy a new Windows Server and give it a name like: EVENTLOG01
  2. Install SQL Server 2012 on Disk D:
  3. Open PowerShell as admin, then enable ‘Windows Remote Management Service’ by running the following command:

winrm quickconfig

If it’s already running, ensure you see this message:

4. Then open CMD as admin and enable ‘Windows Collector Service’ by running the following command:

wecutil qc

If prompted, press y and ensure you see this message:

5. Open Computer Management->Local Users and Groups as admin [lusrmgr.msc]

Add your server workstation to the Event Log Readers group.

6. If your Windows Firewall is enabled, you must add Remote Event Log Management & Remote Event Monitor to Allowed Apps:

7. Open Event Viewer -> Subscriptions -> Create Subscription…

On the Subscription Properties, enter the following as shown in the example:
Subscription name: EVENTLOG01_EVENTS
Description: Events from remote local server EVENTLOG01
Destination log: Forwarded Events
Select Collector initiated and click Select Computers to open the Computers dialog.


Click Add Domain Computers.

Enter, for example, PC01, PC02, PC03, PC04, PC05 as the object name and click Check Names. If the computer is found, it is confirmed with an underline.

Click OK.

Click OK to return to the Subscription Properties.

Click Select Events to open the Query Filter and enter the following to set the remote server to forward all application events from the last 24 hours:
Logged: Last 24 hours
Check all Event levels
Select By log
Event logs: Select Application from the drop-down list

Click OK to return to the Subscription Properties.

Click Advanced to open the Advanced Subscription Settings and enter the following:
Select Specific User
Select Normal
Protocol: HTTPS
Port: 5986

Click OK to return to the Subscription Properties.

Click OK to close.

8. Select Forwarded Events from the Navigation pane on the collector computer.

The Computer column in the Details pane indicates the events are from the remote computer PC01. You can enable or disable the collector subscription by right-clicking on the subscription and choosing Disable. The status of the subscription is then shown as disabled in the main window. An active collector subscription does not mean it is succeeding. To see if the collector can connect to the source, right-click on the subscription and select Runtime Status. In this example, the collector can’t connect to the source. By default, it retries every 5 minutes.
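The Runtime Status check described above can also be scripted with `wecutil gr`, so sources that are not connecting show up without opening the dialog. This is an added example, not part of the original article; the sample text is constructed in the layout `wecutil gr` prints, and the function name is hypothetical.

```powershell
# Added example, not from the original page. Parses the text layout that
# `wecutil gr <subscription>` prints and returns one object per event source.
function ConvertFrom-WecRuntimeStatus {
    param([string[]]$Lines)
    $inSources = $false
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq 'EventSources:') { $inSources = $true; continue }
        if (-not $inSources -or -not $text) { continue }
        if ($text -match '^[\w.\-]+$') {
            # A bare host name starts the block for the next source computer
            if ($current) { $current }
            $current = [pscustomobject]@{
                Source = $text; RunTimeStatus = $null; LastError = $null; NextRetryTime = $null
            }
        } elseif ($current -and $text -match '^(\w+):\s*(.*)$') {
            # "Key: value" line belonging to the current source; keep known keys only
            $key, $value = $Matches[1], $Matches[2]
            if ($current.PSObject.Properties[$key]) { $current.$key = $value }
        }
    }
    if ($current) { $current }
}

# Constructed sample output (not captured from a real host)
$sample = @'
Subscription: EVENTLOG01_EVENTS
    RunTimeStatus: Active
    LastError: 0
    EventSources:
        PC01
            RunTimeStatus: Active
            LastError: 0
        PC02
            RunTimeStatus: Trying
            LastError: 5
            NextRetryTime: 2019-10-06T15:00:00.000
'@ -split "`r?`n"

# On the collector, replace $sample with live output: wecutil gr EVENTLOG01_EVENTS
ConvertFrom-WecRuntimeStatus $sample |
    Where-Object { $_.RunTimeStatus -ne 'Active' -or $_.LastError -ne '0' } |
    Format-Table -AutoSize
```

With the constructed sample, only PC02 is listed: the subscription itself is Active while that source is still retrying.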


Domain Computers Preparation

    1. Open Group Policy Management from within the Administrative Tools folder.
    2. Right-click the OU that you want to create a Group Policy Object for and click “Create a GPO in this Domain, and Link it here…”.
    3. Rename the GPO to whatever you would like, “Enable WinRM via GPO” or something along those lines, then click OK.
    4. Now that the new GPO has been created, right-click the newly created GPO and click “Edit”.
    5. Expand the menu tree as follows: Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
    6. Find the setting that says “Allow remote server management through WinRM”, right-click it and click “Edit” to configure the settings.
    7. When the dialog box opens, click “Enabled” and, under the Options section, either specify an IP address range or put an asterisk “*” to allow all IP addresses to remotely manage the PC. (We recommend specifying an IP address to reduce any risk of a security compromise of your systems/network.)
    8. Now let’s enable the Windows Remote Management (WS-Management) service to start automatically.
      Go to Computer Configuration > Preferences > Control Panel Settings > Services, right-click, select “New” and then select “Service”.
    9. A New Service Properties window will come up. Change Startup to “Automatic (Delayed Start)”, then click the box with the 3 dots to the right of the Service name box, select “Windows Remote Management (WS-Management)” and click the Select button.
    10. Once you’ve selected the service, choose “Start service” in the “Service action:” pull-down.
    11. The last step of this process is to configure the Windows Firewall to allow the proper ports inbound. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules. Right-click the Inbound Rules node and choose New Rule.
    12. When the New Inbound Rule wizard opens, click the “Predefined” radio button, scroll down to “Windows Remote Management” and click it.
    13. Next, click the left sidebar menu item that says “Predefined Rules” so that the firewall does not open this port to the Public network. When the window opens, uncheck the box that has Public profile next to it. This ensures that we only allow WinRM access to the Private and Domain networks. Then click the Next button.
    14. The last screen of the New Inbound Rule wizard asks whether to allow the connection or block it. Make sure that the “Allow the connection” radio button is checked and click Finish.

At this point, you’ve successfully finished the GPO and you’ll need to wait for the GPO to propagate throughout your network.
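Once the GPO has applied, its settings can be confirmed on a domain computer with a short check like the one below. This is an added example, not part of the original article; the function name is hypothetical. It also looks for an HTTPS listener, because the subscription above uses HTTPS on port 5986 while `winrm quickconfig` sets up an HTTP listener by default.

```powershell
# Added example, not from the original page. Run elevated on a domain computer
# after the GPO has applied; returns a list of findings (empty when all checks pass).
function Test-WinRMGpoBaseline {
    $findings = @()

    # "Allow remote server management through WinRM" and its IPv4 filter,
    # read from the registry location where this policy is stored
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.AllowAutoConfig -ne 1) {
        $findings += 'Policy "Allow remote server management through WinRM" is not applied'
    } elseif ($policy.IPv4Filter -eq '*') {
        $findings += 'IPv4 filter is "*": every address may reach the WinRM listener'
    }

    # Service preference: start automatically (delayed start also reports Auto) and be running
    $service = Get-CimInstance Win32_Service -Filter "Name='WinRM'"
    if ($service.StartMode -ne 'Auto' -or $service.State -ne 'Running') {
        $findings += "WinRM service is $($service.StartMode)/$($service.State)"
    }

    # The subscription uses HTTPS on port 5986, which needs an HTTPS listener
    $https = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if (-not $https) { $findings += 'No HTTPS WinRM listener found' }

    # No enabled WinRM inbound rule should apply to the Public profile.
    # ActiveStore includes rules delivered by Group Policy.
    $public = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and "$($_.Profile)" -match 'Public|Any' }
    foreach ($rule in $public) { $findings += "Firewall rule open on Public: $($rule.DisplayName)" }

    $findings
}

Test-WinRMGpoBaseline
```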


Testing such a computer immediately

You just need to run the following command:

winrm quickconfig

Answer y on both prompts and ensure you see this output:


Applying via GPO to domain computers

Create new GPO ‘Event Log Remote Management’ and set the following settings: