Windows Event Collector Load Balancing to multiple Collectors


My scenario:

I want several Windows servers to forward Events either to Collector A or to Collector B and so on.

What I tried:

Set the GPO: Computer Settings - Policies - Administrative Templates - Windows Components - Event Forwarding - Configure target Subscription Manager

Server=http://Collectors.contoso.com:5985/wsman/SubscriptionManager/WEC

where Collectors is the name of the cluster (set up via NLB) of which Collector A and Collector B are members.

The Problem: no events have been forwarded.

How does Event Forwarding actually work? Is it possible and useful to use Network Load Balancing (NLB)?

Notes: I'm using WinServ 2012R2 and all firewalls have been disabled.

My subscription on Collector A and B:

<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>pull1</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description></Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Normal</ConfigurationMode>
    <Delivery Mode="Push">
        <Batching>
            <MaxLatencyTime>900000</MaxLatencyTime>
        </Batching>
        <PushSettings>
            <Heartbeat Interval="900000"/>
        </PushSettings>
    </Delivery>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Setup">*</Select>
                <Select Path="System">*</Select>
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>HTTP</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
    <AllowedSourceNonDomainComputers>
        <AllowedIssuerCAList>
        </AllowedIssuerCAList>
    </AllowedSourceNonDomainComputers>
    <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>

Thanks

There is 1 answer

Tom Frost

I know it's been years since this question was asked, but...

As far as I know, there is no simple way to load balance the Windows Event Forwarding service. However, there are some options, if you need to scale up.

The entire architecture could be multi-tiered and in fact it works quite well even for big companies. If you have more than a couple of thousand endpoints, you should definitely build separate collectors for different groups of clients. You can divide them as you need, for example by AD sites, OUs, security groups or actual locations. Every server can serve as a collector and forwarder at the same time, so you can use small servers to collect events on separate locations and have them send collected events to bigger ones.

On top of that, every CLIENT can talk to multiple servers. While it is not load balancing, you can choose which events go where. You can send security related events to one server that forwards them directly to SIEM and audit events to another server for long-term storage.

There are quite a few drawbacks to WEF, however. There is no performance and health monitoring, so you have to implement custom measures to help with that. Or you can buy something like Supercharger, which provides some very helpful insights as well as a basic form of load balancing.

Tom
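The "one client, several collectors" setup the answer describes, as an added example (not part of the question or the answer): the forwarder is pointed at each collector host directly instead of at an NLB name, and both sides are then checked. The collector hostnames are placeholders; the subscription name pull1 and the subscription XML are the ones from the question.

```powershell
# Added example, not from the original post. Collector names are assumed placeholders.
$collectors = @('collectora.contoso.com', 'collectorb.contoso.com')
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

# --- Forwarder (source computer), run elevated ---
# Every numbered value under this policy key is one subscription-manager entry; this is
# the same setting the "Configure target Subscription Manager" GPO writes, so a client
# can list several collectors and will register with each of them.
New-Item -Path $key -Force | Out-Null
$i = 1
foreach ($c in $collectors) {
    $entry = "Server=http://${c}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
    Set-ItemProperty -Path $key -Name ([string]$i) -Value $entry
    $i++
}

# Forwarding runs inside the WinRM service; it must be running and listening.
Set-Service -Name WinRM -StartupType Automatic
Restart-Service -Name WinRM

# The subscription above selects the Security log, which the forwarder reads as
# NETWORK SERVICE; that account needs Event Log Readers membership on the source.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# Check: this log records registration with each collector and any errors
# (it stays silent when the client never reaches a collector at all).
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 20 |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# --- Each collector, run elevated ---
# Enable the collector service, create the subscription from the question's XML
# (saved as pull1.xml), then list per-source runtime status: each source should
# appear as Active with a recent heartbeat rather than Inactive with an error.
wecutil qc /q
wecutil cs .\pull1.xml
wecutil gr pull1
```

A source that shows up in `wecutil gr` on only one of the two collectors has registered with one entry but not the other, which is the first thing to compare when events stop arriving.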