Prerequisites for Event Centralization Implementations
Central Event Collector
A central event collector must be used as a repository for all the events collected from the source computer.
The following operating systems can be event collectors (this feature is not supported for down-level operating systems):
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2016
- Windows Server 2019
There are no built-in limitations when client operating systems are used as event collectors. However, we recommend Windows Server 2008 R2 or later as the event collector, because it scales much better in high-volume scenarios.
When using Windows Vista or Windows Server 2008 as the event collector, we strongly recommend upgrading to Windows Remote Management 2.0. This allows Windows 7 clients to be monitored without any additional configuration.
If you choose Windows Server 2016 or Windows Server 2019 to run the event collector, please refer to Microsoft KB article 4494462. On these operating systems, the Windows Event Collector service (WecSvc) and the Windows Remote Management service (WinRM) use the same URLs, but the default access control lists (ACLs) do not provide access from the WecSvc service; to resolve this issue, you must update the appropriate URL ACLs. For directions, please see "Events are not forwarded if the collector is running Windows Server".
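As an added example (not a script from the KB article or from this page), the following PowerShell derives the service SIDs for WinRM and WecSvc on the collector, checks whether each WinRM URL reservation already grants both, and prints the netsh commands that would repair one that does not. It assumes the default WinRM reservations http://+:5985/wsman/ and https://+:5986/wsman/ and an elevated session on the collector.

```powershell
# Added example, not Microsoft's own script. Assumes WinRM uses its default
# URL reservations and that this runs elevated on the event collector.
$Services = 'WinRM', 'Wecsvc'
$Urls     = 'http://+:5985/wsman/', 'https://+:5986/wsman/'

function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    # A service SID is S-1-5-80-<five DWORDs>: the SHA-1 of the upper-cased
    # UTF-16LE service name, read as five little-endian 32-bit values.
    # Cross-check the result with: sc.exe showsid <ServiceName>
    $bytes = [Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = [Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    return 'S-1-5-80-' + ($subs -join '-')
}

function Get-WsmanUrlAclFix {
    param([Parameter(Mandatory)][string]$Url)
    # Returns $null when both services already appear on the reservation,
    # otherwise the netsh commands (delete, then re-add) that grant both.
    $listing = (netsh http show urlacl url=$Url 2>&1) -join "`n"
    $aces    = ''
    $missing = @()
    foreach ($svc in $Services) {
        $sid = Get-ServiceSid -ServiceName $svc
        $aces += "(A;;GX;;;$sid)"   # GX on an HTTP.sys reservation = Listen
        # netsh shows grantees as NT SERVICE\<name> and, where present, as SDDL
        if ($listing -notmatch [regex]::Escape($sid) -and
            $listing -notmatch "NT SERVICE\\$svc") { $missing += $svc }
    }
    if (-not $missing) { return $null }
    Write-Warning "$Url does not grant: $($missing -join ', ')"
    return @("netsh http delete urlacl url=$Url",
             "netsh http add urlacl url=$Url sddl=D:$aces")
}

foreach ($u in $Urls) {
    $fix = Get-WsmanUrlAclFix -Url $u
    if ($fix) { $fix | ForEach-Object { Write-Output $_ } }  # review, then run elevated
    else      { Write-Output "$u already grants WinRM and Wecsvc" }
}
```

The script only prints the repair commands; apply them in an elevated prompt after confirming the reported reservation is the one WinRM actually listens on.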
Depending on the volume of events, the event collector can be either a dedicated machine or an existing one. True enterprise-class Windows Eventing is included with enterprise monitoring solutions such as System Center Operations Manager (SCOM) Audit Collection Services (ACS).
Event Source Computers
The minimum operating system level required on the source computer is Windows 7.
Events can be centralized on any of the supported Windows Event Collector operating systems from any supported Windows event source operating systems. Each source computer requires a minimum of Windows Remote Management 1.1.