Microsoft Windows Event Forwarding: source configuration
To set up centralized collection of Windows OS events, you must configure Event Forwarding on the Windows OS hosts that serve as event sources, and Event Collector on the collector server that collects events from all sources.
If the corporate IT infrastructure uses a firewall or other means of network traffic control, you must configure rules allowing WinRM traffic in both directions between the source host and the collector server host. WinRM listens on TCP port 5985 for HTTP and on TCP port 5986 for HTTPS: in a source-initiated subscription the source host connects to the collector's listener, and in a collector-initiated subscription the collector connects to the source's listener. If Windows XP or Windows Server 2003 is installed on the source host, WinRM 1.1 uses TCP port 80 for HTTP and TCP port 443 for HTTPS instead.
The following software must be installed on the source:
- Windows XP SP2 or Windows Server 2003 SP1 (or later versions).
- Windows Remote Management (WinRM) version 1.1 or later. Windows XP and Windows Server 2003 do not ship with WinRM, so it must be installed separately on those systems. The WinRM version installed with each OS by default is given in the table below.
The following services must be running:
- Windows Remote Management (winrm)
- Windows Firewall (mpssvc)
| Client OS | Server OS | Windows Remote Management version |
|---|---|---|
| Windows XP | Windows Server 2003 | Not installed |
| Windows Vista | Windows Server 2008 | 1.1 |
| Windows 7 | Windows Server 2008 R2 | 2.0 |
| Windows 8, Windows 8.1, Windows 10 | Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 | 3.0 |
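The following PowerShell script is an added example, not part of the original page or of any vendor tool: it checks the prerequisites listed above on a source host (required services running, WinRM stack version 1.1 or later, a WinRM listener present) and verifies that the collector's listener port is reachable from the source. The collector name `wec01.corp.example` and the use of HTTP on TCP 5985 are assumptions; change them to match your environment (5986 for HTTPS). Run it in an elevated PowerShell session on the source host.

```powershell
# Added example (not from the original page). Prerequisite check for a
# Windows Event Forwarding source host. Assumed values: collector hostname
# "wec01.corp.example" and the HTTP listener port 5985 (use 5986 for HTTPS).
param(
    [string]$Collector = 'wec01.corp.example',   # assumed collector hostname
    [int]$Port = 5985                            # 5985 = HTTP, 5986 = HTTPS
)

$ok = $true

# 1. Required services: Windows Remote Management and Windows Firewall.
foreach ($name in 'WinRM', 'mpssvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "Service '$name' is not installed on this host"
        $ok = $false
        continue
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "Service '$name' is $($svc.Status); setting it to Automatic and starting it"
        Set-Service -Name $name -StartupType Automatic
        Start-Service -Name $name
    }
    Write-Host "Service '$name': $((Get-Service -Name $name).Status)"
}

# 2. WinRM stack version. 'winrm id' prints a ProductVersion line of the form
#    "OS: 10.0.19041 SP: 0.0 Stack: 3.0"; the Stack value is the WinRM version.
$idOutput = & winrm id 2>&1
$stackMatch = $idOutput | Select-String -Pattern 'Stack:\s*([\d.]+)'
if ($null -eq $stackMatch) {
    Write-Warning "Could not read the WinRM version (is WinRM installed? try 'winrm quickconfig')"
    $ok = $false
} else {
    $stack = [version]$stackMatch.Matches[0].Groups[1].Value
    Write-Host "WinRM stack version: $stack"
    if ($stack -lt [version]'1.1') {
        Write-Warning "WinRM $stack is older than the required 1.1"
        $ok = $false
    }
}

# 3. Listener on the source side (needed when the collector initiates the
#    connection). 'winrm quickconfig' creates the HTTP listener and the
#    matching firewall exception if they are missing.
$listeners = & winrm enumerate winrm/config/listener 2>&1
if (-not ($listeners | Select-String -Pattern 'Transport\s*=\s*HTTP')) {
    Write-Warning "No WinRM listener configured; run 'winrm quickconfig' to create one"
    $ok = $false
} else {
    Write-Host "WinRM listener present"
}

# 4. Reachability of the collector's listener port from this host (used when
#    the source initiates the connection). A plain TCP connect is enough to
#    prove the firewall path; it works on every PowerShell version.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Collector, $Port)
    Write-Host "TCP ${Collector}:$Port reachable"
} catch {
    Write-Warning "Cannot reach ${Collector}:$Port - check firewall rules on both hosts: $($_.Exception.Message)"
    $ok = $false
} finally {
    $client.Close()
}

if ($ok) { Write-Host 'All source prerequisites satisfied' } else { exit 1 }
```

The script exits with a non-zero code when any check fails, so it can be run from a deployment tool or scheduled task and the result recorded per host. Note that step 3 only confirms that a listener exists; a host that is compliant on every check can still fail to forward events if the subscription itself or the Event Log Readers permissions on the source are wrong, which this script does not verify.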