- Remote help for Intune and Microsoft Endpoint Manager - Tue, Jan 25 2022
- Windows 10/11 Azure AD/Intune Enterprise subscription is not valid - Mon, Nov 8 2021
- Upgrade from Windows 10 to Windows 11 with Setupconfig.ini and Intune - Wed, Sep 22 2021
When I lecture about Event Forwarding, often someone in the audience mentions the data overload problem. However, with Event Forwarding we can choose exactly the events we want to collect. In my example, I will forward events whenever AppLocker blocks files on a client.
This guide will follow five steps:
- Configure the event service on a server
- Configure an event subscription
- Configure the Event Forwarding Subscription Group Policy
- View the forwarded events in Event Viewer
- Write the forwarded events to a SQL database using PowerShell
Configure the event service on Server 2016 ^
Before we start, we need to configure WinRM. To display the listeners available, run the following command:
winrm e winrm/config/listener
You'll want to test whether WinRM is configured properly. The easiest way is to run the following command. You'll need a certificate in place for the server that WinRM can use.
winrm quickconfig -transport:https
Open the Event Viewer and then click Subscription. A prompt will appear asking you if you want to start the Windows Event Collector service.
Note: Event forwarding uses port 5985 if you work with HTTP and port 5986 if you use HTTPS (which you should!).
Configure an event subscription ^
Now that we have the Windows Event Collector service running, we can create a Subscription that we can apply to the clients. We start by creating a new Subscription:
We give it a name and select Source computer initiated.
You then select the Active Directory (AD) groups that should send in the events. In this example, I use Domain Computers.
Then we select the events we want to forward:
Here we filter only Critical and Error events. In the By log section, we select all AppLocker logs:
Then we go back and configure the Advanced Subscription Settings where we can choose HTTP or HTTPS. You also have to choose the time interval you want the clients to send in events.
- Normal: Every 15 minutes
- Minimize Bandwidth: Every 6 hours
- Minimize Latency: Every 30 seconds
Now we are ready to start collecting events.
Configure the Event Forwarding Subscription Group Policy ^
We can now configure the Group Policy that we assign to servers and clients so that they read the Subscription from the server and send the event included in the Subscriptions.
The corresponding Group Policy is: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager.
We can configure a list of servers to read the Subscriptions from. To add the server address, you can simply type Server=<FQDN of the collector> as shown in the screenshot below. If you use only HTTPS, you need to use the following syntax instead.
HTTPS://<FQDN of the collector>/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>,IssuerCA=<Thumb print of the client authentication certificate>
Displaying the forwarded events in Event Viewer ^
Now that we've applied the Group Policy to clients, we will start to forward events to the server. In the Event Viewer, we can see how many clients have read the Subscription and are sending in events.
The screenshot above shows the events forwarded from AppLocker.
In the above example, we can see that AppLocker blocked chromesetup.exe. However, Event Viewer is not the optimal tool to watch forwarded events.
Write the forwarded events to a SQL Database using PowerShell ^
I am using the solution documented here to create a SQL database and then write the data to it. The solution comprises two parts. First, a PowerShell script initially imports all the events in Forwarded Events. After that, a scheduled task incrementally imports the events only one hour back.
You can then access the information from tools such as Excel, Power BI, and SQL Reporting Services. Below is a sample report in Reporting Services.