Configuring Event Log Forwarding for 2012 R2 Core Domain Controllers


  • Can Microsoft please provide methodology for setting up Windows Event forwarding (Sender initiated) for a Domain Controller based on a Windows Server 2012 R2 Core installation? Unfortunately all of your documentation relies on using the local Event Viewer GUI to set this up. Connecting Event Viewer from a full Server 2012 installation to a Core Installation loses this ability entirely. The only option I've tried to employ so far leverages an .xml file, but I am not sure it is working correctly.

    Please note: this is for Windows Security Event ID 4776 ingestion.

    Wednesday, September 21, 2016 7:39 PM

    For source initiated you can easily use GPOs to configure the DCs. For collector initiated you can use the steps below.

    You will need to use the wecutil command to create the subscription; this will require an XML configuration file.

    If you have a server where you have already created a subscription, you can export the configuration to XML using the following command: wecutil gs <subscriptionID> /f:xml /u:true > <filename.xml>

    (If you need to get a list of subscriptions, run the following command: wecutil es)

    Modify the XML file so that it is appropriate for the server where you want to create the subscription, and then run the following command: wecutil cs <filename.xml>


    Wednesday, September 28, 2016 7:22 PM
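
The collector-initiated steps in the reply above, written out as an added example (not code from either poster or from Microsoft) that needs no Event Viewer GUI: it builds a subscription file for Security Event ID 4776, creates the subscription with wecutil cs, and reads it back. The subscription name, source host name and file path are placeholders chosen for illustration, and the script assumes an elevated PowerShell session on the collector with WinRM reachable on the source.

```powershell
# Added example. Placeholders (assumptions, not from the thread):
$subscriptionId = 'DC-NTLM-4776'          # hypothetical subscription name
$sourceDc       = 'dc01.example.test'     # placeholder for the Core domain controller
$xmlPath        = Join-Path $env:TEMP "$subscriptionId.xml"

# Collector-initiated (pull) subscription limited to Security event 4776.
# CredentialsType Default means the collector pulls with its own computer
# account, which needs read access to the Security log on the source.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Security 4776 from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4776)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$sourceDc</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

[void][xml]$xml                            # throws here if the XML is not well-formed
Set-Content -Path $xmlPath -Value $xml -Encoding UTF8

wecutil cs $xmlPath                        # create the subscription from the file
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

wecutil gs $subscriptionId                 # read back the stored configuration
wecutil gr $subscriptionId                 # runtime status for each event source
```

If wecutil gr reports the source as anything other than active, the error code it prints next to the source address is the first thing to check before assuming the query filter is wrong.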