
1.1. Windows Event Collection

If you are already familiar with native Windows Event Collection (WEC), feel free to skip ahead to the next article. This documentation includes many visuals, so here is a legend to how we consistently represent the different objects:

Windows Event Collection gives you an agent-less way to efficiently collect events from thousands of Windows computers. One Windows server acts as the Collector. The other computers (the forwarders) forward the events you specify to a target event log on the Collector.

As you can see above, the Windows Event Collector server allows you to define one or more Subscription objects. A Subscription determines which Event Logs should be forwarded (and which events within those logs), which computers the subscription applies to, and which event log on the Collector should receive the forwarded events.

You can define which events should be forwarded using the filter dialog in Event Viewer, or with an XML query like the one shown above for more advanced filters. The filter above simply gets all events from the Application log of the computers (forwarders) assigned to the subscription.

The illustration above shows that you can use groups from Active Directory to define which computers should be forwarders for the Subscription. You can also assign computers directly to a subscription, which takes effect immediately. When you assign computers via groups, it can take days or weeks before a computer subscribes, because a computer only updates its group membership when it is rebooted or you run klist. Supercharger's load balanced subscriptions feature eliminates this problem.

At any rate, all the computers you specify, directly or via groups (including members of nested groups), are assigned to the subscription.

However, just because a computer is in that group, it won't start sending events yet. That's because computers in the domain aren't automatically aware of your Collector. You must use Group Policy to add your Collector as a Subscription Manager by going to:

Group Policy Management Editor\Default Domain Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding\Configure target Subscription Manager, and setting it to Enabled
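The same setup done from the command line on the Collector, as an added example that is not part of the original article or of Supercharger itself: it creates the "all Application events" subscription described above with wecutil and shows where the Subscription Manager policy lands on a forwarder. The Collector name COLLECTOR01.example.local, the subscription name Application-All and the target log ForwardedEvents are assumed placeholders.

```powershell
# Added example (not from the original page). Run on the Collector as an administrator.
# Assumptions: Collector = COLLECTOR01.example.local, target log = ForwardedEvents (placeholders).
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Application-All</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>All events from the Application log of every assigned forwarder</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <!-- Same filter as the article's example: every event in the Application log -->
      <Query Id="0" Path="Application">
        <Select Path="Application">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- Which computers may forward: here Domain Computers (DC) and Network Service (NS).
       To scope it the way the article describes (an AD group), put that group's SID here. -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@
$subscription | Set-Content -Path .\Application-All.xml -Encoding UTF8
wecutil cs .\Application-All.xml   # create the subscription on the Collector
wecutil gs Application-All         # display it, including the query it will send to forwarders

# A more selective filter for the same log (critical and error events only), usable in place of "*":
#   <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>

# The "Configure target Subscription Manager" policy from the article writes the Collector's
# address under this key on each forwarder (Refresh is in seconds). Check it on a forwarder:
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
# Expected form of the value:
#   Server=http://COLLECTOR01.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
```

Until that registry value is present on a forwarder (after gpupdate or the next policy refresh), the computer will not contact the Collector, which is the symptom the paragraph above describes.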
