Event Forwarding

You can subscribe to events on remote computers and forward those events to the local computer, where they are stored. The Windows Event Log functions support local and remote event subscriptions by using the Remote Procedure Call (RPC) protocol; this approach is limited to RPC-reachable computers. The Windows Event Collector functions support remote subscriptions by using the WS-Management protocol. For more information about WS-Management, see About Windows Remote Management.

Event Forwarding and Event Collection Architecture

The Event Collector service on the local computer uses the WS-Management protocol to send an event subscription request to a remote computer. The remote computer must be enabled to receive this information. For instructions about how to enable a computer to receive this information, see Configure Computers to Forward and Collect Events. This subscription request is passed on to the Event Forwarder, which is a WS-Management plug-in. The plug-in then creates an event subscription on the remote computer based on the subscription request made by the local computer. Any events delivered to the remote computer are then sent to the Event Collector service on the local computer.

Event collection allows administrators to get events from remote computers and store them in a centralized place. The events are stored and persisted in the local event log of the collector computer. The destination log path for the events is a property of the subscription. All data in the received event is saved in the collector computer's event log (none of the information is lost). Additional information related to the event forwarding is also added to the event.
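
The subscription described above, written out as a collector-initiated subscription definition and created with wecutil on the collector. This is an added example, not code from the original page; the subscription id, source host name and file path are constructed, and it assumes the source computer has already been enabled as described in Configure Computers to Forward and Collect Events.

```powershell
# Run from an elevated prompt on the collector computer.
# Constructed values for illustration: subscription id, source host, file path.
$subscriptionId = 'Example-FailedLogons'
$sourceHost     = 'source01.example.test'
$xmlPath        = Join-Path $env:TEMP "$subscriptionId.xml"

# Subscription definition. <Uri> names the WS-Management event log resource,
# <Query> selects which events the source forwards, and <LogFile> is the
# destination log on the collector (a property of the subscription).
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Failed logons (event 4625) from one source</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$sourceHost</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
Set-Content -Path $xmlPath -Value $xml -Encoding UTF8

wecutil qc /q                      # configure and start the Event Collector service
wecutil cs $xmlPath                # create the subscription from the XML file
wecutil gs $subscriptionId /f:xml  # read back the stored properties, including LogFile
wecutil gr $subscriptionId         # runtime status for each event source

# Forwarded events are persisted in the destination log on the collector.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id
```

With `CredentialsType` set to `Default`, the account the collector connects as needs read access to the Security log on the source computer, otherwise `wecutil gr` reports an error for that source.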

Event Collector Functions

For more information about the functions used to collect and forward events, see Windows Event Collector functions.