PowerShell – WEF collect Windows Defender logs from clients on Windows Server 2012 R2

Tags: event-viewer, powershell, windows-event-log, windows-server-2012-r2

I'm trying to set up Windows Event Forwarding on a Windows Server 2012 R2 collector. I want to collect events from Windows Defender, which comes by default on Windows 7 and 8 clients. I know that Windows Defender is not supported by Microsoft on 2012 R2; I just want to collect the events from the supported clients with a subscription. When I look in Applications and Services Logs on the collector server, I can't find the Windows Defender channel (I think because the feature is not installed, so it can't be listed there).

The path should be as follows:

Applications and Services Logs/Microsoft/Windows/Windows Defender/Operational,

like described in this technet post: https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start/access-scan-logs/1066927e-35c8-4e66-ae3b-ca542776312c

Does anyone know how I can collect these logs? Or should I create a PowerShell script that copies the desired events to another log, such as the Security log, so that my 2012 R2 server can collect them?

Best Answer

Copy the XML from Event Viewer on another computer that has the event log: right-click the log > Filter Current Log > XML tab. Add that XML to your collector subscription, or create a new subscription with it.

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
  </Query>
</QueryList>
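The step the answer describes, registering that query as a subscription on the collector, as an added example that is not part of the original answer. The subscription name, the client hostnames and the temp-file path are assumptions; the subscription XML follows the schema that wecutil accepts. The point worth noticing is that the collector never needs the Windows Defender channel itself: the query is evaluated on each source computer, and with ContentFormat set to RenderedText the source also renders the message strings, so the collector can display them without the Defender provider being registered on 2012 R2.

```powershell
# Added example (not from the original answer): create a collector-initiated WEF
# subscription on the 2012 R2 collector that pulls the Windows Defender operational
# channel from Windows 7/8 clients. Names below are assumptions; replace them.

$subscriptionId = 'WindowsDefender-Operational'                      # assumed name
$clients        = @('client1.contoso.com', 'client2.contoso.com')     # assumed sources
$xmlPath        = Join-Path $env:TEMP "$subscriptionId.xml"

# Query copied from a client's Event Viewer (XML tab). It is evaluated on the source,
# so the channel only has to exist on the clients, not on the collector.
$query = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
  </Query>
</QueryList>
'@

# One <EventSource> element per client the collector should poll.
$eventSources = ($clients | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`n"

# RenderedText: the source renders the event messages before forwarding, so the
# collector does not need the Defender publisher manifest to show readable text.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/ScheduleSubscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows Defender operational events from Windows 7/8 clients</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
$query
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$eventSources
  </EventSources>
</Subscription>
"@

Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

# Configure the Windows Event Collector service (quiet), then register the subscription.
wecutil qc /q
wecutil cs $xmlPath

# Per-source runtime status: "Active" means the collector reached the client over WinRM;
# anything else usually points at WinRM not listening or missing read rights on the client.
wecutil gr $subscriptionId

# Forwarded events keep their original provider name, so they can be filtered on the
# collector even though that provider is not installed there.
Get-WinEvent -FilterHashtable @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-Windows Defender'
} -MaxEvents 20 | Format-Table TimeCreated, MachineName, Id, LevelDisplayName -AutoSize
```

For a collector-initiated subscription with CredentialsType Default, the collector's computer account must be able to read the channel on each client (membership in the client's local Event Log Readers group is the usual way) and WinRM must be listening on the clients (winrm quickconfig). If you prefer the clients to push events instead, change SubscriptionType to SourceInitiated and replace the EventSources element with an AllowedSourceDomainComputers SDDL, then point the clients at the collector via the Group Policy subscription manager setting.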