Windows Event Forwarding Collection


  • Standards Based: Leverages the DMTF WS-Eventing standard allowing it to work with other WS-Man implementations (see OpenWSMAN at SourceForge).
  • Agentless: Event forwarding and event collection are included in the operating system by default.
  • Down-Level Support: Event forwarding is freely and readily available.
  • Multi-Tier: Forwarding architecture is very scalable where a source computer may forward to a large number of collectors and collectors may forward to collectors.
  • Scalable: Event collection is very scalable where the collector can maintain subscriptions with a large number of source computers and events per second.
  • Group Policy Aware: The entire model is configurable by Group Policy.
  • Schematized Events: Windows events are now schematized and rendered in XML, which enables many scripting and export scenarios.
  • Pre-Rendering: Forwarded Windows events can be pre-rendered on the source computer, negating the need for local applications to render Windows events.
  • Resiliency: Designed to enable mobile scenarios where laptops may be disconnected from the event collector for extended periods of time without event loss (except when logs wrap), as well as leveraging TCP for guaranteed delivery.
  • Security: Certificate based encryption through Kerberos or HTTPS.


The architecture uses Group Policy to distribute WinRM and event forwarding configurations to a group of domain computers. Each client is configured to forward events to a central event collector.

Event collector architecture diagram for a Privilege Management deployment