So what we have is a Windows 2008 server running as an event log collector which gets the event log from one or several sources. To prepare, we need to do 3 steps:
1. On the collector, on an elevated command prompt, run the following command to start the Windows Event Collector Service, change it to Automatically (Delayed Start) and enable ForwardedEvents channel if it is disabled. See this for more info.
wecutil qc
2.On each source, we need to enable WinRM:
winrm quickconfig
3.By default, the collector server can’t simply get the event logs from the sources, so you have to add the collector computer account to the local Administrators (if the source is 2008 R2, Event Log Readers group is said to be enough if you’re not collecting Security log, but see Possible Problems later in this article for more info).
Tags: eventlog