md5hash asked:

Event Forwarding into a new Event Log file - not showing as a destination

Event forwarding between some application servers and my collector server is working, however the problem is that I don't want all the logs from them to go into "forwarded events" - I want to separate different subscriptions into different files.

I successfully made a new file with New-EventLog -Source Nvivo -LogName Nvivo and I can see it in the left sidebar of the Event Viewer of my collector server. However, I am not able to find and select this new Event Log in the Subscription properties. What else needs to be done before I can utilize this new Event log to receive logs in my subscription?

[Attachment: screenshot-2021-08-27-092348.png (Subscription Properties dialog)]

md5hash answered:

Any update from the professionals at Microsoft, please? Is there a better way I could be doing this? I just want my forwarded logs separated out and this seemed like a good way to do it but I don't care how this is accomplished.


LimitlessTechnology-2700 answered:

Hi there,

Event log descriptions are not displayed correctly in the security event log on a remote computer that is running Windows Server 2008 SP2 or Windows Vista SP2.

https://support.microsoft.com/en-us/kb/2739740

The following Microsoft blog details the steps for creating separate log files.

https://docs.microsoft.com/en-gb/archive/blogs/russellt/creating-custom-windows-event-forwarding-logs

Hope this answers all your queries; if not, please do post back.
If an answer is helpful, please click "Accept Answer" and upvote it :)

md5hash commented:

Hi - yes, I had seen this link - https://docs.microsoft.com/en-us/archive/blogs/russellt/creating-custom-windows-event-forwarding-logs - but it is now broken, the pictures don't work, and it's for using a Windows 10 machine (not a Windows Server machine, like I am) as the event collector. I tried downloading the SDK it asked for, but ecmangen.exe was not included after I installed it.

If this "method" is still the official way of doing this, then I wish Microsoft would update the document and fix it up so that it is up to date for current operating systems.

LimitlessTechnology-2700 answered:

Hello @md5hash

Additionally,

Subscriptions cannot use a classic event log that you created with New-EventLog as the destination log.
Even if you use the XML table, it won't allow you to forward logs there. You should select the Forwarded Events event log as the destination to save your forwarded events.

Please have a look at the Microsoft thread below, which discussed the same issue.
https://social.technet.microsoft.com/Forums/lync/en-US/f16be533-4f4a-469e-bc17-7591eb46461b/event-subscriptions-custom-destination-log?forum=winserverManagement

If the reply was helpful, please don’t forget to upvote or accept as answer.

md5hash commented:

Yes, I had already seen that link too. In the end, they found the same link from 2016 that you provided earlier that requires the use of an SDK to do this.

Is it unreasonable to not want to use "Forwarded Events" for every single subscription? Doesn't it seem superior to have a subscription like "domain controller logons" go to an event log named "domain controller logons", where I can set my own overwrite/archive rule and size limits per log?

I don't think that what I'm asking is so strange. Besides, the person who submitted that "you should select destination of forwarded events" is named "XXXXXXXXXXxxxxXXXXXXXXXXXXXXXXXXXXX121" - do you think that sounds like an "official microsoft employee response" to you? heh heh.

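The point made in the second answer, that a classic log created with New-EventLog is never offered as a subscription destination while a manifest-based channel such as ForwardedEvents is, can be checked on the collector before a subscription is imported. The script below is an added example and not code from the thread; it assumes a collector running the Windows Event Collector service, uses the log names from the question as placeholders, and treats an omitted <LogFile> element as the ForwardedEvents default.

```powershell
# Added example (not from the thread). Manifest-based channels can be WEF
# subscription destinations; classic logs (New-EventLog) cannot.
# EventLogConfiguration exposes the distinction as IsClassicLog.

function Test-WefDestinationLog {
    param([Parameter(Mandatory)][string]$LogName)
    $cfg = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    if (-not $cfg) {
        return [pscustomobject]@{ LogName = $LogName; Exists = $false
                                  IsClassicLog = $null; UsableAsDestination = $false }
    }
    [pscustomobject]@{
        LogName             = $cfg.LogName
        Exists              = $true
        IsClassicLog        = $cfg.IsClassicLog
        MaximumSizeInBytes  = $cfg.MaximumSizeInBytes   # per-log size limit
        LogMode             = $cfg.LogMode              # Circular / AutoBackup / Retain
        UsableAsDestination = (-not $cfg.IsClassicLog)
    }
}

# Validate the <LogFile> element of a subscription definition, i.e. the XML
# that 'wecutil gs <name> /f:xml' prints or that 'wecutil cs <file>' consumes.
function Test-WefSubscriptionXml {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$sub = Get-Content -LiteralPath $Path -Raw
    $dest = $sub.Subscription.LogFile
    if (-not $dest) { $dest = 'ForwardedEvents' }   # assumed default when omitted
    $check = Test-WefDestinationLog -LogName $dest
    if (-not $check.Exists) {
        $reason = 'log does not exist on the collector'
    } elseif ($check.IsClassicLog) {
        $reason = 'classic log (New-EventLog); WEF cannot deliver here'
    } else {
        $reason = 'manifest-based channel; usable as destination'
    }
    [pscustomobject]@{
        SubscriptionId      = $sub.Subscription.SubscriptionId
        LogFile             = $dest
        UsableAsDestination = $check.UsableAsDestination
        Reason              = $reason
    }
}

# Usage on the collector ('Nvivo' is the classic log from the question):
'ForwardedEvents', 'Nvivo' | ForEach-Object { Test-WefDestinationLog -LogName $_ } |
    Format-Table -AutoSize
# Test-WefSubscriptionXml -Path 'C:\temp\dc-logons.xml'   # hypothetical path
```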