If you are already familiar with native Windows Event Collection (WEC), feel free to skip ahead to the next article. This documentation includes many visuals, so here is a legend showing how we consistently represent the different objects:
Windows Event Collection gives you an agentless way to efficiently collect events from thousands of Windows computers. One designated Windows server acts as the Collector. The other computers (the forwarders) send the events you specify to a target event log on the Collector.
As you can see above, the Windows Event Collector server allows you to define one or more Subscription objects. A subscription determines which event logs should be forwarded (and which events within those logs), which computers the subscription applies to, and which event log on the Collector should receive the forwarded events.
The illustration above shows that you can use groups from Active Directory to define which computers should be forwarders for the Subscription. You can define which events should be forwarded using the filter dialog in Event Viewer or with the XML query you see above for more advanced filters. The filter above simply gets all events from the Application log of the computers (forwarders) assigned.
Which computers are assigned? All computer accounts that are members of the AD group(s) assigned to the subscription (including members of nested groups).
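The following PowerShell script is an added example (not part of the original article) showing what the subscription described above looks like when created from the command line on the Collector instead of through Event Viewer. It assumes a source-initiated subscription named "Application-AllEvents", the built-in wecutil.exe tool, and a placeholder SID for the Active Directory group of forwarders; the SDDL string is what the subscription uses to decide which computer accounts are allowed to send events, so the group's real SID must be substituted before this is run.

```powershell
# Added example: create a WEC source-initiated subscription with wecutil.
# Run on the Collector as an administrator.

# Placeholder: replace with the SID of the AD group that holds your forwarders.
# Well-known 'DC' (Domain Computers) could be used instead of an explicit SID.
$ForwarderGroupSid = 'S-1-5-21-PLACEHOLDER-GROUP-SID'

# SDDL: owner Network Service, group Builtin Admins, full access for the group.
$AllowedSources = "O:NSG:BAD:P(A;;GA;;;$ForwarderGroupSid)"

# Query: every event in the Application log, matching the filter in the article.
$Query = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
  </Query>
</QueryList>
'@

# Subscription definition consumed by 'wecutil create-subscription'.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Application-AllEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward all Application log events (added example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$Query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>$AllowedSources</AllowedSourceDomainComputers>
</Subscription>
"@

$Path = Join-Path $env:TEMP 'Application-AllEvents.xml'
Set-Content -Path $Path -Value $SubscriptionXml -Encoding UTF8

# Make sure the Windows Event Collector service is configured and running.
wecutil.exe qc /q

# Create the subscription, then show its definition and runtime status.
wecutil.exe cs $Path
wecutil.exe gs Application-AllEvents
wecutil.exe gr Application-AllEvents
```

The runtime status (wecutil gr) is the quickest check that a subscription is actually working: each forwarder that has contacted the Collector is listed with its last heartbeat, so a computer that is in the AD group but never appears there has not yet received the Subscription Manager policy described in the next step.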
However, just because a computer is in that group, it won't start sending events yet. That's because computers in the domain aren't aware of your Collector automatically. You must use Group Policy to add your Collector as a Subscription Manager by going to:
Group Policy Management Editor\Default Domain Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding\Configure target Subscription Manager, and setting it to Enabled
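Once the policy has applied, the forwarder stores the Collector address under a registry key. The following PowerShell snippet is an added example (not from the original article) for checking, on a forwarder, that the policy arrived and that the WinRM service it depends on is running. It assumes the Collector's placeholder name collector.example.com and the default WinRM HTTP port 5985; the policy value format shown is the standard one the Group Policy setting writes.

```powershell
# Added example: verify the Subscription Manager policy on a forwarder.
# Run on a forwarder (any computer that should be sending events).

# Registry key written by 'Configure target Subscription Manager'.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

# Expected value for a Collector reached over HTTP (placeholder host name).
# Refresh is how often, in seconds, the forwarder re-reads its subscriptions.
$Expected = 'Server=http://collector.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60'

if (-not (Test-Path $PolicyKey)) {
    Write-Warning "Policy key missing: Group Policy has not applied. Try: gpupdate /target:computer /force"
} else {
    # Each Subscription Manager is stored as a numbered value (1, 2, ...).
    $Managers = (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Select-Object -ExpandProperty Value

    Write-Host "Configured Subscription Managers:"
    $Managers | ForEach-Object { Write-Host "  $_" }

    if ($Managers -notcontains $Expected) {
        Write-Warning "Collector entry not found. Expected: $Expected"
    }
}

# Event forwarding rides on WinRM; the forwarder cannot reach the Collector without it.
$WinRm = Get-Service -Name WinRM
if ($WinRm.Status -ne 'Running') {
    Write-Warning "WinRM service is $($WinRm.Status); forwarding will not start until it runs."
} else {
    Write-Host "WinRM is running."
}

# The forwarder logs its own subscription errors here; recent entries show
# authentication or connectivity problems with the Collector.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

The Eventlog-ForwardingPlugin operational log is the forwarder-side counterpart of wecutil gr on the Collector: when a computer is in the right AD group and has the policy but still sends nothing, the errors recorded there usually point at the cause.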