Configure Windows Log Forwarding

To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on all the Windows Event Collectors—the member servers that collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.
  1. On each Windows Event Collector, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
    • Windows Server 2003—The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
    • Windows Server 2008/2012 (including R2) and 2016, or MS Exchange—The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
    To forward events as quickly as possible, Minimize Latency when configuring the subscription.
    User-ID agents monitor the Security log, not the default forwarded events location, on Windows Event Collectors. Therefore, perform the following steps on each Windows Event Collector to change the event logging path to the Security log.
    1. Open the Event Viewer.
    2. Right-click the Security log and select Properties.
    3. Copy the Log path (default %SystemRoot%\System32\Winevt\Logs\security.evtx) and click OK.
    4. Right-click the Forwarded Events folder and select Properties.
    5. Replace the default Log path (%SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx) by pasting the value from the Security log, and then click OK.
  2. Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.
  3. Configure a group policy to enable Windows Event Forwarding on the domain controllers.

Related Documentation