Hi Daniel,
Microsoft has a document introducing:
Best practice for configuring EventLog forwarding in Windows Server 2012 R2
https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/configure-eventlog-forwarding-performance
But in my opinion, this good article can give you more detailed and pragmatic guide, the github resource in it is worthwhile to checking.
https://medium.com/palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f
-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.