Separate Event Logs for Windows Event Collector – Configuration Guide

Tags: windows, windows-event-log, windows-server-2019

I have a Server 2019 server that I configured Windows Event Collector on. I have six systems successfully sending logs to it (specifically AppLocker logs). I'd like to expand this to about 20 systems sending logs, plus I'd like to forward Security, Application and Setup logs. But I don't want all the logs from the four event logs, from every server, going to Forwarded Events. I'd like to create new event logs on the Collector server to fit my needs. But I cannot seem to find a way to do this. I tried using PowerShell New-EventLog. While I could get the PowerShell command to complete successfully, I couldn't see the created event log in Event Viewer or when creating a subscription.

Is there a way to do this? Or is there some other way people solve this?
Thanks in advance.

Best Answer

Yes. Just follow the steps here:

https://learn.microsoft.com/en-us/archive/blogs/russellt/creating-custom-windows-event-forwarding-logs

I wish the process were a little bit easier.

More tips on using custom event channels can be found here:

https://github.com/palantir/windows-event-forwarding/tree/master/windows-event-channels
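As an added illustration of the approach both links describe (this is example code written for this page, not taken from the answer, the Microsoft post or the Palantir repository), the script below walks through the whole procedure on the collector: declare a custom channel in an event manifest, compile it into a resource-only DLL with the Windows SDK tools, register it with wevtutil, and then point a source-initiated subscription at the new channel instead of Forwarded Events. The provider and channel names, the GUID, the working directory, the subscription name and the SDDL string for allowed forwarders are all assumptions you should replace with your own; mc.exe and rc.exe are assumed to be on PATH from the Windows SDK and csc.exe from the .NET Framework.

```powershell
# Added example: one custom event channel on a Windows Event Collector, fed by a
# source-initiated subscription. Run elevated on the collector. All names below
# are placeholders chosen for this example.

$work     = 'C:\WEC\CustomChannels'                       # assumed working directory
$dllName  = 'CustomEventChannels.dll'
$dllPath  = "C:\Windows\System32\$dllName"
$provider = 'WEC-AppLocker'                               # assumed provider name
$channel  = 'WEC-AppLocker/EXE-and-DLL'                   # assumed channel name
$guid     = "{$([guid]::NewGuid().ToString().ToUpper())}" # generate once; keep it stable on re-import

New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# 1. Manifest declaring a provider with one custom channel. Add one <channel>
#    element per destination log (e.g. per source log or per server group)
#    to split forwarded events into separate logs on the collector.
@"
<?xml version="1.0" encoding="UTF-8"?>
<instrumentationManifest
    xmlns="http://schemas.microsoft.com/win/2004/08/events"
    xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd">
  <instrumentation>
    <events>
      <provider name="$provider" guid="$guid" symbol="WEC_AppLocker"
                resourceFileName="$dllPath" messageFileName="$dllPath">
        <channels>
          <channel name="$channel" chid="WEC-AppLocker-EXE" symbol="WEC_AppLocker_EXE"
                   type="Operational" enabled="true" />
        </channels>
      </provider>
    </events>
  </instrumentation>
</instrumentationManifest>
"@ | Set-Content -Path "$work\CustomEventChannels.man" -Encoding UTF8

# 2. Compile the manifest into a resource-only DLL:
#    message compiler -> resource compiler -> C# compiler (embeds the .res).
mc.exe CustomEventChannels.man
rc.exe CustomEventChannels.rc
csc.exe /win32res:CustomEventChannels.res /unsafe /target:library /out:$dllName

# 3. Install the DLL and register the manifest with the Event Log service.
#    If you are replacing an earlier version, stop the EventLog service first
#    so the old DLL is not locked.
Copy-Item -Path $dllName -Destination $dllPath -Force
wevtutil.exe im CustomEventChannels.man
wevtutil.exe sl $channel /e:true
wevtutil.exe sl $channel /ms:1073741824   # 1 GiB maximum size; size for your retention needs

# 4. Source-initiated subscription whose <LogFile> is the new channel, so these
#    events never land in Forwarded Events. The SDDL grants the Domain Computers
#    group (DC) and Network Service (NS); adjust it to the group your forwarders use.
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AppLocker-to-custom-channel</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>AppLocker EXE and DLL events from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-AppLocker/EXE and DLL">
        <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>$channel</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@ | Set-Content -Path "$work\applocker-subscription.xml" -Encoding UTF8

wecutil.exe cs "$work\applocker-subscription.xml"

# 5. Verify: the channel should be listed with the size you set, and the
#    subscription should show as active with its sources once they check in.
wevtutil.exe gl $channel
wecutil.exe gs AppLocker-to-custom-channel
wecutil.exe gr AppLocker-to-custom-channel
```

Once the manifest is registered, the new channel appears in Event Viewer under Applications and Services Logs and is offered as a destination log when you create subscriptions in the GUI, which is the step New-EventLog cannot give you: it creates a classic log rather than a manifest-based channel. Repeat step 4 with a separate subscription and a separate channel for each log you want isolated (Security, Application, Setup); for the Security log, remember that the forwarder's Network Service account also needs read access to that log on every source, typically by adding it to the local Event Log Readers group there.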
