Best practice event forwarding with multiple GPOs and event collectors

Daniel M 126 Reputation points
2021-02-24T06:52:46.537+00:00

Hi,

We've been using event collectors for some time now and we've installed more over time to balance workload and divide into tiers.

We have specified the URL to our "main" event collector, which collects all system logs from all servers, high up in our OU structure, and further down, for our important database servers, we have specified another URL to the event collector for database audits.

In order of precedence, the URL gets overwritten (not appended), and the further down we go in the OU structure, the more we have to specify all the other event collectors' URLs again so as not to overwrite them.

How should we do this? Should we just specify the URLs to all event collectors high up in the structure to avoid the risk of having a URL get overwritten? This puts a little more load on the event collectors when all our servers and clients check in with all of them on a regular basis to see if there is a subscription for that particular client or server.

Thanks
/Daniel
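One way to check this from the client side, as an added example that is not part of the thread: a PowerShell script that reads the effective SubscriptionManager policy on a host (the registry key the GPO writes, where each numbered value holds one `Server=...,Refresh=...` string) and reports any expected collector URL that is missing, which is the symptom when a lower-level GPO overwrites rather than appends the list. The collector hostnames are placeholders.

```powershell
# Added example, not from the thread. Reads the SubscriptionManager policy
# values applied to this host and compares them with the collectors that
# should be reachable from here. Hostnames below are placeholders.

$expectedCollectors = @(
    'http://wec-main.example.internal:5985/wsman/SubscriptionManager/WEC',    # placeholder
    'http://wec-dbaudit.example.internal:5985/wsman/SubscriptionManager/WEC'  # placeholder
)

# Key populated by "Configure target Subscription Manager" in the Event Forwarding GPO.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

function Get-EffectiveCollectorUrls {
    param([string]$Key = $policyKey)
    if (-not (Test-Path $Key)) { return @() }
    $item = Get-ItemProperty -Path $Key
    # Values are named "1", "2", ... and look like
    # "Server=http://host:5985/wsman/SubscriptionManager/WEC,Refresh=60"
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            $fields = $_.Value -split ','
            ($fields | Where-Object { $_ -like 'Server=*' }) -replace '^Server=', ''
        }
}

function Test-CollectorCoverage {
    param([string[]]$Expected, [string[]]$Effective)
    $missing = @($Expected | Where-Object { $Effective -notcontains $_ })
    [pscustomobject]@{
        Effective = $Effective
        Missing   = $missing
        Ok        = ($missing.Count -eq 0)
    }
}

$result = Test-CollectorCoverage -Expected $expectedCollectors -Effective @(Get-EffectiveCollectorUrls)
$result | Format-List
if (-not $result.Ok) {
    Write-Warning 'Expected collector URL(s) missing: a higher-precedence GPO may have overwritten the SubscriptionManager list.'
}
```

Run it on a member of each OU tier after `gpupdate /force`; a non-empty `Missing` list on a database server shows that the lower-level GPO replaced the main collector entry rather than adding to it.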


Accepted answer
Teemo Tang 11,376 Reputation points
2021-02-25T02:13:56.063+00:00

Hi Daniel,
Microsoft has a document introducing this:
Best practice for configuring EventLog forwarding in Windows Server 2012 R2
https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/configure-eventlog-forwarding-performance
But in my opinion, this good article can give you a more detailed and pragmatic guide; the GitHub resource in it is worth checking.
https://medium.com/palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f


