Q: What's the easiest way to configure the event collector machines (aka event collectors) used for forwarding Windows events from my Windows clients? How can I make Windows event forwarding fault-tolerant to deal with the outage of a single event collector?
A: You can use a Group Policy Object (GPO) setting to configure event collectors for your Windows clients. To do so, open the GPO editor and follow these steps:
- Navigate to the Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding container.
- Double-click the Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager option. In the dialog box that appears, select Enabled.
- Click the Show button next to SubscriptionManagers. In the Show Contents dialog box that appears, click Add and enter the address of the event collector. You can enter a Fully Qualified Domain Name (FQDN) or an IP address. If the event collector's FQDN is ECServer.test.net, the server address would be Server=ECServerA.test.net.
- Click OK twice to close the dialog boxes.
A simple way to make your Windows event collector configuration fault-tolerant is to configure your Windows clients to transmit their events to two event collectors. You can do so by entering the FQDNs or IP addresses of both a primary and a backup event collector in the Show Contents dialog box, as Figure 1 shows.