How to Setup Windows Event Forwarding for Alerting

This guide explains how to manually set up the InfraSOS agent server as a Windows Collector Server that will receive events from all source servers (All Domain Controllers & any other Windows Server or Desktop you would like to monitor) in your Active Directory domain as part of our Active Directory alerts & monitoring service.

The InfraSOS agent service will monitor the forwarded events log and forward relevant events that match your alert profile criteria to InfraSOS AD monitoring.

  1. Ensure firewall rules allow WinRM (TCP 5985) traffic

Make sure Windows Firewall and any intermediate network devices allow inbound and outbound communication on TCP port 5985, which is required for WinRM. WinRM must be enabled, the port must be open, and all machines involved (the InfraSOS agent server, all DCs and any other Windows device that requires monitoring) must be able to reach each other on this port.

Check existing firewall rules with the following PowerShell command executed with Administrator privileges:

Get-NetFirewallRule | Where-Object DisplayName -like "Windows Remote Management*"

Check WinRM listeners:

winrm enumerate winrm/config/listener

Create the firewall rules if they do not exist, using the following PowerShell commands:

A) Create the inbound firewall rule

New-NetFirewallRule `
-Name "Allow WinRM 5985" `
-DisplayName "Allow WinRM TCP 5985" `
-Protocol TCP `
-LocalPort 5985 `
-Direction Inbound `
-Action Allow `
-Enabled True

B) Create the outbound firewall rule (an outbound connection to the collector targets port 5985 on the remote side, so the rule matches on -RemotePort rather than -LocalPort)

New-NetFirewallRule `
-Name "Allow WinRM Outbound 5985" `
-DisplayName "Allow WinRM Outbound TCP 5985" `
-Protocol TCP `
-RemotePort 5985 `
-Direction Outbound `
-Action Allow `
-Enabled True

From the source machine execute the following PowerShell command to check the connection:

Test-NetConnection -ComputerName <collector-hostname> -Port 5985

  2. Enable WinRM on all servers

On every server (collector and source), run the following PowerShell command:

winrm quickconfig -quiet

Then run the next command to check that the WinRM service is configured:

Test-WSMan

You should see a valid WSMan response.

  3. Create a GPO to configure Event Forwarding

Open Group Policy Management and create a new GPO:

For example, GPO name: “InfraSOS WEF - Event Forwarding”

3.1 Configure Subscription Manager:

In the Group Policy Management Editor of the created GPO, go to:

Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding → Configure target Subscription Manager

Set to Enabled and enter:

Server=http://<COLLECTOR_FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=60

where <COLLECTOR_FQDN> is the FQDN of the collector server.

3.2 Configure WinRM Service

In the same GPO, go to:

Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Remote Management (WinRM) → WinRM Service → Allow remote server management through WinRM

Set to Enabled

3.3 Grant permissions to read event logs

In the same GPO, go to:

Computer Configuration → Preferences → Control Panel Settings → Local Users and Groups

Create a new Local Group, with the following properties:

“Action”: Update
“Group name”: Event Log Readers
“Members”: NT AUTHORITY\NETWORK SERVICE

  4. Configure collector server

On the collector server run:

wecutil qc /q

This:

  • Enables the Windows Event Collector service
  • Configures firewall rules
  • Sets required SDDL permissions

  5. Create Event Subscription

    On the collector server:

    1. Open Event Viewer
    2. In the left panel navigate to Event Viewer → Subscriptions  and click on Create Subscription  in the right panel
    3. In the Subscription Properties window
    • Enter the subscription name and optionally the description
    • Destination log should be: Forwarded Events
    • Choose Collector initiated and click on Select Computers…
    • In the opened dialog add the domain computers from which you want to receive events (e.g. all your domain controllers) and close it.
    • Click on the Select Events…
    • In the opened Query Filter dialog select the event levels to collect:
      • Critical
      • Warning
      • Error
      • Information
    • Then, under the By log option under Event Logs, select the Windows logs to collect:
      • All Windows Logs
    • Leave the rest at the defaults and click OK
    • Click on the Advanced… button and in the opened dialog choose the proper user account that must have read access to the source logs, by default it will be Machine Account.
    • Under Event Delivery Optimization there are 3 options to select. Choose your desired level:
      • Normal: This is the default option and provides a balance between reliable delivery and bandwidth conservation. It uses a pull delivery mode, batches five items at a time, and sets a batch timeout of 15 minutes.
      • Minimize Bandwidth: This option is designed to strictly control network bandwidth usage. Events are delivered less frequently, using a push delivery mode with a long batch timeout of 6 hours. This is suitable for environments with limited bandwidth.
      • Minimize Latency: This option ensures events are delivered with minimal delay, making it appropriate for collecting critical events or alerts. It uses a push delivery mode with a short batch timeout of 30 seconds.
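The same collector-initiated subscription that the dialog above builds can be kept as a file and created with wecutil, which makes the query and source list reviewable and repeatable. This is an added example, not InfraSOS tooling; the subscription id "InfraSOS-WEF" and the source hosts dc01/dc02.corp.example are constructed placeholders.

```powershell
# Added example: build the Event Viewer subscription from step 5 as XML and load it.
# Assumed values (not from the guide): subscription id and the two source hosts.
$SubscriptionId = 'InfraSOS-WEF'
$Sources        = @('dc01.corp.example', 'dc02.corp.example')   # constructed sample DCs

# Levels ticked in the Query Filter dialog: 1=Critical, 2=Error, 3=Warning, 4=Information
$LevelFilter = '*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]'
# "All Windows Logs" in the dialog expands to these channels (Security needs the
# Event Log Readers membership from step 3.3 on every source)
$Channels = 'Application', 'Security', 'Setup', 'System'

$Selects = ($Channels | ForEach-Object {
    "      <Select Path=`"$_`">$LevelFilter</Select>"
}) -join "`n"
$EventSources = ($Sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`n"

$Xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/PolicyRule">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Domain controller events for InfraSOS alerting</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
$Selects
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$EventSources
  </EventSources>
</Subscription>
"@

$Path = Join-Path $env:TEMP "$SubscriptionId.xml"
Set-Content -Path $Path -Value $Xml -Encoding UTF8
wecutil cs $Path               # create the subscription on the collector
wecutil gr $SubscriptionId     # per-source runtime status (Active/Inactive and last error)
```

ConfigurationMode Normal matches the default delivery optimization in the dialog; to use Minimize Bandwidth or Minimize Latency, replace the value with MinBandwidth or MinLatency respectively.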

  6. Validate Event flow

  • On the collector server execute the following PowerShell command; the service must be Running:
Get-Service Wecsvc
  • Open Event Viewer application and in the left panel navigate to:

Applications and Services Logs → Microsoft → Windows → EventCollector → Operational

There should not be any error or warning events related to the created subscription.

  • After some time, depending on the configured delivery delays, events from the source machines appear on the collector server: in the Event Viewer application navigate to Windows Logs → Forwarded Events and confirm that the forwarded events have been received.
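The validation steps above can be run as a single pass on the collector, which also shows per-source runtime status and whether anything has actually landed in Forwarded Events. This is an added example, not part of InfraSOS tooling; the subscription id "InfraSOS-WEF" and the source hosts are constructed placeholders.

```powershell
# Added example: one-shot health check of the event flow from step 6, run on the collector.
# Assumed values (not from the guide): subscription id and the source host names.
$SubscriptionId = 'InfraSOS-WEF'
$Sources        = @('dc01.corp.example', 'dc02.corp.example')   # constructed sample DCs
$Since          = (Get-Date).AddHours(-1)

$Result = [ordered]@{}

# Collector service must be Running
$Result.Wecsvc = (Get-Service Wecsvc).Status

# A WinRM listener on TCP 5985 must exist locally
$Result.Listener5985 = [bool]((winrm enumerate winrm/config/listener) -match 'Port = 5985')

# Collector-initiated subscriptions connect collector -> source, so test that direction
$Result.SourceReachable = foreach ($s in $Sources) {
    $t = Test-NetConnection -ComputerName $s -Port 5985 -WarningAction SilentlyContinue
    [pscustomobject]@{ Source = $s; Tcp5985 = $t.TcpTestSucceeded }
}

# Each source should report Active here; an Inactive source shows its last error
$Result.RuntimeStatus = wecutil gr $SubscriptionId

# Subscription problems surface in the collector's own operational log
$Result.CollectorErrors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-EventCollector/Operational'
    Level     = 1, 2, 3            # Critical, Error, Warning
    StartTime = $Since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

# Proof of delivery: forwarded events in the last hour, grouped by originating host.
# A source missing from this list has delivered nothing even if it shows Active above.
$Result.ForwardedBySource = Get-WinEvent -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    StartTime = $Since
} -ErrorAction SilentlyContinue | Group-Object MachineName | Select-Object Name, Count

[pscustomobject]$Result | Format-List
```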