Configuring data transfer from the event source server

You can receive information about events on servers and workstations by configuring data transfer from remote devices to the Windows Event Collector server.

Preliminary steps

  1. Verify that the Windows Remote Management service is configured on the event source server by running the following command in the PowerShell console:

    winrm get winrm/config

    If the Windows Remote Management service is not configured, initialize it by running the following command:

    winrm quickconfig

  2. If the event source server is a domain controller, make the Windows logs available over the network by running the following command in PowerShell as an administrator:

    wevtutil set-log security /ca:’O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

    Verify access by running the following command:

    wevtutil get-log security

Configuring the firewall on the event source server

To enable the Windows Event Collector server to receive Windows log entries, inbound connection ports must be opened on the event source server.

To open ports for inbound connections:

  1. On the event source server, open the Run window by pressing the key combination Win+R.
  2. In the opened window, type wf.msc and click OK.

    The Windows Defender Firewall with Advanced Security window opens.

  3. Go to the Inbound Rules section and click New Rule in the Actions pane.

    The New Inbound Rule Wizard opens.

  4. At the Rule type step, select Port.
  5. At the Protocols and ports step, select TCP as the protocol. In the Specific local ports field, indicate the relevant port numbers:
    • 5985 (for HTTP access)
    • 5986 (for HTTPS access)

    You can indicate one of the ports, or both.

  6. At the Action step, select Allow connection (selected by default).
  7. At the Profile step, clear the Private and Public check boxes.
  8. At the Name step, specify a name for the new inbound connection rule and click Done.

Configuration of data transfer from the event source server is complete.

The Windows Event Collector server must have the permissions to read Windows logs on the event source server. These permissions can be assigned to both the Windows Event Collector server account and to a special user account. For details on granting permissions, please refer to the Granting user permissions to view the Windows Event Log.

Page top