Configure Windows Log Forwarding

To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on all the Windows Event Collectors—the member servers that collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.
  1. On each Windows Event Collector, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
    • Windows Server 2003
      —The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
    • Windows Server 2008/2012 (including R2) and 2016, or MS Exchange
      —The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
    To forward events as quickly as possible,
    Minimize Latency
    when configuring the subscription.
    User-ID agents monitor the Security log, not the default forwarded events location, on Windows Event Collectors. Therefore, perform the following steps on each Windows Event Collector to change the event logging path to the Security log.
    1. Open the Event Viewer.
    2. Right-click the
      log and select
    3. Copy the
      Log path
      ) and click
    4. Right-click the
      Forwarded Events
      folder and select
    5. Replace the default
      Log path
      ) by pasting the value from the
      log, and then click
  2. Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.
  3. Configure a group policy to enable Windows Event Forwarding on the domain controllers.

Recommended For You