Best practise event forwarding with multiple GPOs and event collectors

Question

Hi,

We've been using event collectors for some time now and we've installed more over time to balance workload an divide into tiers.

We have specified the URL to our "main" event collector which collects all system logs from all server high up in our OU structure and further down, for our important database servers, we have specified another URL to the event collector for database audits.

In order of precedence, the URL gets overwritten (not appended) and the further down we go in the OU structure we have to specify all the other event collectors URLs again to not overwrite them.

How should you we this? Should we just specify the URLs to all event collectors high up in the structure to avoid the risk of having a URL get overwritten? This puts a little more load on the event collectors when all our servers and clients checks in with all of them on a regular basis to see if there is a subscription for that particular client or server.

Thanks
/Daniel

Answer 1

Hi Daniel,
Microsoft has a document introducing:
Best practice for configuring EventLog forwarding in Windows Server 2012 R2
https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/configure-eventlog-forwarding-performance
But in my opinion, this good article can give you more detailed and pragmatic guide, the github resource in it is worthwhile to checking.
https://medium.com/palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f

-------------------------------------------------------------------------------------

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.