
Windows Eventlog Forwarding

I stumbled over the topic Windows Eventlog Forwarding… I learned you don’t have to deploy agents any more, with all the updating and testing that comes with them. There is a neat mechanism built into Windows since – I don’t know when – you simply define a log server (the collector), craft a GPO, define the appropriate settings and link it accordingly. Done. This sounds pretty good to me – I wanna try this soon ….
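To make the "define a log server, craft a GPO, link it" steps concrete, here is an added example (not from the original post or any of the linked articles) of a minimal source-initiated WEF setup. The collector hostname, the subscription name and the event IDs in the query are assumptions chosen for illustration; the GPO path and the registry policy key it writes are the standard ones.

```powershell
# Added example (not from the original post): minimal source-initiated
# Windows Event Forwarding. Hostname, subscription name and the event IDs
# in the query are illustrative assumptions; adjust them to your estate.

# ---- 1. Collector side (run elevated on the WEC server) ----
# Enable the Windows Event Collector service and a WinRM listener.
wecutil qc /q
winrm quickconfig -q

# Source-initiated subscription: clients push to the collector, so the
# collector needs no credentials on the clients. The query stays on two
# channels with a handful of IDs, in the spirit of keeping sources small.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Baseline-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Illustrative baseline: logons, process creation, new users, service installs</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[(EventID=7045)]]</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Default destination; a custom channel can be named here instead -->
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting Domain Computers (DC) the right to push events -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'baseline-security.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath              # create the subscription
wecutil gr Baseline-Security     # runtime status: which sources have checked in

# ---- 2. Source side (what the GPO sets) ----
# GPO: Computer Configuration > Policies > Administrative Templates >
#      Windows Components > Event Forwarding > Configure target Subscription Manager
# Writing the same policy key locally is equivalent and handy for one test box.
$collector = 'wec01.example.local'   # assumption: the collector's FQDN
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name '1' -Type String `
    -Value "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
# Port 5985 (HTTP) with Kerberos is the usual domain-joined default; the
# WS-Management payload is still encrypted by the Kerberos session.

# The forwarder runs as NETWORK SERVICE, which must be able to read the
# Security log, hence membership in the local Event Log Readers group.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
winrm quickconfig -q
gpupdate /force

# ---- 3. Verify on the collector ----
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id, ProviderName
```

Once sources have refreshed their policy, `wecutil gr Baseline-Security` on the collector lists each source with its last heartbeat, which is the quickest way to tell a WinRM or group-membership problem from an empty query. The `LogFile` element is the hook for writing forwarded events to a dedicated channel rather than the default ForwardedEvents log.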

Some hints from Microsoft on using Windows Event Forwarding to assist intrusion detection:

https://docs.microsoft.com/de-de/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

A walk-through to get two scenarios up and running:

http://www.vkernel.ro/blog/how-to-configure-windows-event-log-forwarding

Cut down the collected event sources to under about 20:
https://social.technet.microsoft.com/Forums/en-US/1706b5bb-6415-47ba-af95-3c13f97a197d/windows-event-forwarding-winrm-issues?forum=winservergen

Write-up of some common problems:
http://zenshaze.com/wp/?p=57

The Windows Event Forwarding Survival Guide:
https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4

Write your forwarded logs to a specified log file:

https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/
