Q: What's the easiest way to configure the event collector machines (aka event collectors) used for forwarding Windows events from my Windows clients? How can I make Windows event forwarding fault-tolerant to deal with the outage of a single event collector?
A: You can use a Group Policy Object (GPO) setting to configure event collectors for your Windows clients. To do so, open the GPO editor and follow these steps:
- Navigate to the Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding container.
- Double-click the Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager option. In the dialog box that appears, select Enabled.
- Click the Show button next to SubscriptionManagers. In the Show Contents dialog box that appears, click Add and enter the address of the event collector. You can enter a Fully Qualified Domain Name (FQDN) or an IP address. If the event collector's FQDN is ECServerA.test.net, the server address would be Server=ECServerA.test.net. The full form Microsoft documents also carries the transport, the WinRM port and the refresh interval, for example Server=http://ECServerA.test.net:5985/wsman/SubscriptionManager/WEC,Refresh=60; the HTTPS form uses port 5986 and adds the IssuerCA= thumbprint of the CA that issued the collector's certificate.
- Click OK twice to close the dialog boxes.
A simple way to make your Windows event collector configuration fault-tolerant is to configure your Windows clients to transmit their events to two event collectors. You can do so by entering the FQDNs or IP addresses of both event collectors in the Show Contents dialog box, as Figure 1 shows. Note that the two entries are not a primary/backup pair in the failover sense: a client contacts every subscription manager it is given and forwards a copy of the matching events to each of them, so both collectors receive the events all the time, and when one collector is down the other simply keeps receiving. Plan storage on each collector for the full event volume, and deduplicate downstream if you feed both collectors into a SIEM.
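The same client-side configuration, done from PowerShell instead of the GPO editor, as an added example that is not part of the original answer. It writes the registry values that the Event Forwarding GPO setting writes (one REG_SZ value per subscription manager, named 1, 2, ...), makes sure WinRM is running because source-initiated forwarding rides on it, and then reads back the client's own forwarding log so you can see whether it reached either collector. The collector names ECServerA.test.net and ECServerB.test.net and the port are assumptions; on a domain-joined machine the real GPO will overwrite these values at the next refresh, so treat this as a lab or standalone-host equivalent of the steps above.

```powershell
# Added example, not from the original answer. Configures a client for
# source-initiated event forwarding to two collectors by writing the same
# policy registry values the GPO setting writes. Collector names and port
# are assumptions; replace them with your own. Run elevated.

# Two subscription managers: the client forwards to BOTH of them.
# Refresh=60 makes the client re-read its subscriptions every 60 seconds.
$collectors = @(
    'http://ECServerA.test.net:5985/wsman/SubscriptionManager/WEC,Refresh=60',
    'http://ECServerB.test.net:5985/wsman/SubscriptionManager/WEC,Refresh=60'
)

# This is the key the GPO "Configure target Subscription Manager" writes to.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Each subscription manager is a string value named 1, 2, 3, ...
$index = 1
foreach ($collector in $collectors) {
    New-ItemProperty -Path $key -Name $index -Value $collector -PropertyType String -Force | Out-Null
    $index++
}

# Source-initiated forwarding uses WinRM, so the service must be running
# and set to start automatically; otherwise the client never contacts a collector.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Read back what was configured (only the numeric value names matter).
(Get-ItemProperty -Path $key).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' } |
    ForEach-Object { '{0}: {1}' -f $_.Name, $_.Value }

# The client logs its forwarding attempts here. Errors in this log are the
# first thing to check when a collector receives nothing from this host.
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

If you prefer the collectors to be reachable only over HTTPS, use https:// with port 5986 in the address and append IssuerCA=<thumbprint> so the client only trusts a collector certificate from that CA; with the plain http:// form on domain-joined machines, WinRM still authenticates with Kerberos and encrypts the message payload, but it will not protect against a collector that has been swapped for a rogue host on the same name.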
