Event forwarding

WinTechie 281 Reputation points
2020-10-14T11:33:12.09+00:00

Hi,

I have a wincollecter server which stores relevant events defined in the subscription (as per event ID) from all my domain controllers in the forwarded logs section.

I want to create a new subscription on the same server (with certain Netlogon event IDs) and would like to fetch them from all domain controllers.

The problem is, if I set the destination log as "forwarded logs", then the Netlogon logs are merged with other logs which are defined in the other subscription, and I want to keep events which are defined in the new subscription separately. How do I achieve this?

Is it possible to create a new custom log section category in Event Viewer in order to save these logs separately?

Windows Server 2012
Windows Server

3 answers

  1. Leon Laude 85,671 Reputation points
    2020-10-14T11:42:38.463+00:00

    Hi @WinTechie ,

    It should be possible to create custom separate event forwarding logs, but it'll require some configuration.
    Have a look here:

    Creating Custom Windows Event Forwarding Logs
    https://learn.microsoft.com/en-us/archive/blogs/russellt/creating-custom-windows-event-forwarding-logs

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    Best regards,
    Leon


  2. Jenny Yan-MSFT 9,326 Reputation points
    2020-10-15T07:27:37.307+00:00

    Hi,
    > The problem is, if I set the destination log as "forwarded logs", then the Netlogon logs are merged with other logs which are defined in the other subscription, and I want to keep events which are defined in the new subscription separately. How do I achieve this?

    Even after creating a log category in Event Viewer, it won't appear in the list of destination logs when making a subscription for event forwarding.
    However, per further checking, someone shared one method: build an Instrumentation Manifest and then use some of the Windows SDK tools and the C# compiler to put it all together.
    Reference link:
    https://social.technet.microsoft.com/Forums/lync/en-US/f16be533-4f4a-469e-bc17-7591eb46461b/event-subscriptions-custom-destination-log?forum=winserverManagement

    But if the above method does not meet your needs, you could consider adding one more step: customizing the event log filter to separate the newly created logs from the previous ones.
    Advanced XML filtering in the Windows Event Viewer
    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761

    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny
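
The XML filtering approach from the answer above, as an added example that is not part of the original thread: it builds a QueryList filter for the shared ForwardedEvents log on the collector and pulls out only the Netlogon events. The function name, the provider name `NETLOGON`, the event IDs and the output path are assumptions for illustration; substitute the IDs from your own subscription.

```powershell
# Added example (not from the thread). Run on the collector server.
# Assumptions: provider name 'NETLOGON', the sample event IDs, and the CSV path.

function New-ForwardedEventQuery {
    param(
        [Parameter(Mandatory)][int[]]$EventId,
        [Parameter(Mandatory)][string]$Provider,
        [string]$LogName = 'ForwardedEvents'
    )
    # One "EventID=n" term per ID, joined with "or", scoped to a single provider
    $idClause = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath    = "*[System[Provider[@Name='$Provider'] and ($idClause)]]"
    @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$xpath</Select>
  </Query>
</QueryList>
"@
}

# Sample IDs chosen for illustration only
$query = New-ForwardedEventQuery -EventId 5827, 5828, 5829 -Provider 'NETLOGON'

try {
    $events = @(Get-WinEvent -FilterXml ([xml]$query) -ErrorAction Stop)
}
catch {
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Per-domain-controller breakdown of the matching events
$events | Group-Object MachineName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Keep a separate copy of just these events, apart from the merged log
$events | Select-Object TimeCreated, MachineName, Id, Message |
    Export-Csv -Path 'C:\Temp\netlogon-forwarded.csv' -NoTypeInformation
```

The XML held in `$query` can also be pasted into Event Viewer under Filter Current Log, XML tab, "Edit query manually", or saved there as a custom view.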


  3. Jenny Yan-MSFT 9,326 Reputation points
    2020-10-23T02:20:07.997+00:00

    Hi,
    Thanks for the update and workaround.
    Please help to "accept answer" to close this question.

    Thanks,
    Jenny
