Forwarding event logs to a central log server
Windows Server can forward event log entries to a remote collector. Because the forwarded events land in the collector's own log, the collector can be given different retention settings, used for reporting, and configured to trigger actions when particular events arrive. Centralizing the logs also means a copy of each event survives if the local log on a compromised host is cleared.
This event forwarding uses a standards-based protocol: WS-Management, implemented on Windows by WinRM, which carries SOAP messages over HTTP (port 5985) or HTTPS (port 5986). Between domain members, WinRM authenticates with Kerberos and encrypts the message bodies even on the HTTP transport; sources outside the domain must use HTTPS with certificate-based authentication.
There are two types of event log subscriptions: client-initiated (Microsoft's documentation calls these source-initiated) and collector-initiated. For client-initiated subscriptions, we use a Group Policy to tell the clients where the collector is; each client then contacts the collector, retrieves the subscription, and pushes matching events. For collector-initiated subscriptions, we list the source computers on the collector, which pulls events from each of them.
In this recipe, we will be creating a client-initiated subscription. We will use a Group Policy to distribute the configuration to our event sources. We will only configure one client, but the same Group Policy scales to dozens or even hundreds of clients without any per-client work.
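As an added example (not the recipe's own steps, which follow below), here is the whole client-initiated subscription in PowerShell: the collector-side service and subscription, the Group Policy that points sources at it, and the checks on both sides. The collector name WEC01.corp.example.com, the GPO name WEF-Sources, the subscription name DomainLogons, the target OU, and the choice of logon events 4624/4625 are all assumptions for the example.

```powershell
# Added example: client-initiated (source-initiated) Windows Event Forwarding.
# Assumed names: collector WEC01.corp.example.com, GPO "WEF-Sources",
# subscription "DomainLogons", sources in OU=Servers,DC=corp,DC=example,DC=com.
# Sections 1-2 run on the collector, section 3 on a host with the GroupPolicy
# module, section 4 on a source computer, section 5 where each comment says.

# --- 1. Collector: enable the Windows Event Collector service and listener ---
wecutil qc /q   # quick-config: starts wecsvc and prepares the ForwardedEvents log

# --- 2. Collector: create a SourceInitiated subscription ---
# Only Domain Computers (DC) and Domain Controllers (DD) may forward to it; the
# SDDL grants them GA on the subscription. The query is limited to logon
# success/failure so the collector is not flooded with every Security event.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DomainLogons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon success/failure from all domain members</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'DomainLogons.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding ASCII
wecutil cs $xmlPath
wecutil gs DomainLogons   # echo the stored subscription to confirm it was accepted

# --- 3. Group Policy: point source computers at the collector ---
# Same setting as "Computer Configuration > Policies > Administrative Templates >
# Windows Components > Event Forwarding > Configure target Subscription Manager".
# Refresh=60 makes each source re-read its subscriptions every 60 seconds.
Import-Module GroupPolicy
$gpo = 'WEF-Sources'
New-GPO -Name $gpo -ErrorAction SilentlyContinue | Out-Null
Set-GPRegistryValue -Name $gpo `
  -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' `
  -ValueName '1' -Type String `
  -Value 'Server=http://WEC01.corp.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60'
# Sources also need the WinRM service listening. This is the policy
# "Allow remote server management through WinRM" with both address filters open.
$winrmKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
Set-GPRegistryValue -Name $gpo -Key $winrmKey -ValueName 'AllowAutoConfig' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo -Key $winrmKey -ValueName 'IPv4Filter' -Type String -Value '*'
Set-GPRegistryValue -Name $gpo -Key $winrmKey -ValueName 'IPv6Filter' -Type String -Value '*'
New-GPLink -Name $gpo -Target 'OU=Servers,DC=corp,DC=example,DC=com' -ErrorAction SilentlyContinue | Out-Null

# --- 4. On a source: the forwarder runs as NETWORK SERVICE, which cannot read
# the Security log by default. Event Log Readers has read access to that log.
# (In production push this membership through the GPO's Restricted Groups.)
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
gpupdate /target:computer /force

# --- 5. Verify ---
# Source side: the forwarding plugin records its connection attempts and errors here.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 5 |
  Format-Table TimeCreated, Id, Message -AutoSize -Wrap
# Collector side: runtime status lists every source and whether it is Active,
# and ForwardedEvents should start filling with the filtered logon events.
wecutil gr DomainLogons
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 | Format-Table TimeCreated, Id, MachineName
```

If a source shows up in `wecutil gr` as inactive, the usual causes are the WinRM service not running on the source, NETWORK SERVICE lacking read access to the Security log, or the collector's FQDN in the Subscription Manager value not matching its Kerberos service principal name.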
Getting ready
For this...