Monitoring Event Logs

Windows has always stored a great deal of important information in the event logs. Unfortunately, with versions of Windows released prior to Windows Vista, that information could be very hard to access. Event logs were always stored on the local computer, and finding important events among the vast quantity of informational events could be very difficult.

Use the buttons below to navigate through the lesson


With Windows Vista, Windows Server 2008, and Windows Server 2003 R2, you can collect events from remote computers (including computers running Windows XP) and detect problems, such as low disk space, before they become more serious. Additionally, Windows now includes many more event logs to make it easier to troubleshoot problems with a specific Windows component or application.

With event forwarding, you can send events that match specific criteria to an administrative computer, allowing you to centralize event management. This allows you to view a single log and see the most important events from computers anywhere in your organization, rather than needing to connect to the local event logs on individual computers. With event forwarding, the critical information in the event log becomes much more accessible.

Event forwarding uses Hypertext Transfer Protocol (HTTP) or HTTPS (Hypertext Transfer Protocol Secure) to send events from a forwarding computer to a collecting computer. Because event forwarding uses the same protocols used to browse Web sites, it works through most firewalls and proxy servers. Whether event forwarding uses HTTP or HTTPS, it is encrypted.

Using event forwarding requires you to configure both the forwarding and collecting computers.
First, you must start the following services on both the forwarding and collecting computer:

  • Windows Remote Management
  • Windows Event Collector

NOTE Forwarding events from Windows XP and Windows Server 2003
Before computers running Windows XP or Windows Server 2003 can act as forwarding computers, you must install
WS-Management 1.1.

Configuring the Forwarding Computer

Click Start> Click Run Type CMD then Click OK. Type the Command winrm quickconfig. Then hit Enter. Type Y, and then press Enter. Remote management is updated.

Next, you must add the computer account of the collector computer to the local Event Log Readers group on each of the forwarding computers. You can do this manually or automatically from a script or command prompt by running the following command:
net localgroup “Event Log Readers” <computer_name>$@<domain_name> /add

For example, to add the computer Test in the test.local domain, you would run the following command:
net localgroup “Event Log Readers” test$@test.local /add

Type the command
net localgroup “Event Log Readers” test$@test.local /add

Then hit Enter. The command completed successfully. The computer has been added to the local group

Configuring the Collecting Computer

To configure a computer running Windows Vista or Windows Server 2008 to collect events, open a command prompt with administrative privileges. Then, run the following command to configure the Windows Event Collector service:
wecutil qc

In Windows Server 2008 you can also simply select the Subscriptions node in the console tree of Event Viewer. Event Viewer will prompt you to configure the Windows Event Collector service to start automatically.